iec 62443 security in industrial automation dirk thielker · - change management goal: ensure...
TRANSCRIPT
![Page 1: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/1.jpg)
DATA MANAGEMENT FOR AUTOMATED PRODUCTION
IEC 62443 Security in Industrial Automation
Dirk Thielker
![Page 2: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/2.jpg)
PRIORITIES OF DIFFERENT TYPES OF IT SYSTEM
Industrial IT – AVAILABILITY
▪ Antivirus not possible (slows down the system)
▪ Systems designed to be isolated
▪ Rebooting results in downtime
▪ Low availability of security systems
▪ Physical danger for people or the environment
Office IT – CONFIDENTIALITY
▪ High availability of security systems
▪ Slowing down the system not a major problem
▪ Systems regularly shut down and restarted
▪ Problems rarely result in physical danger
for people or the environment
*Source: AdobeStock_48975872, Fotolia_159173304_sorapolujjin and Siemens AG
![Page 3: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/3.jpg)
IT & OT RISK MANAGMENT - COMMON GROUND
IT – BASIC PROTECTIONBSI 200-3 / ISO 2700x
OT – MACHINE SAFETYMRL 2006/42/EG / ISO 12100ISO 13849
• Overview of dangers• Risk assessment• Evaluation of risks• Handling risks• Integration into the safety concept
DangerSafety
Necessary risk reduction measures
Implemented risk reduction measures
Acceptable risk limit
Remaining riskRisk
![Page 4: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/4.jpg)
IT & OT RISK MANAGMENT - DIFFERENCES
IT – SECURITY47 Sources of risk
OT – SAFETY11 Sources of risk (each with many facets)
![Page 5: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/5.jpg)
CONVERGENCE OF IT AND OT
IT – SECURITY47 Sources of risk
OT – SAFETY11 Sources of risk (each with many facets)
OTIT
+ IT – SECURITY47 Sources of risk
![Page 6: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/6.jpg)
ICS VULNERABILITIES
![Page 7: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/7.jpg)
ICS VULNERABILITIES – NEW IN JUNE 2020
![Page 8: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/8.jpg)
ICS VULNERABILITIES – NEW IN JUNE 2020
![Page 9: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/9.jpg)
ICS VULNERABILITIES – STANDARDS WILL HELP
![Page 10: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/10.jpg)
IEC 62443 DEFENSE IN DEPTH
Organisational measurestaken by the operator
Security functions built-in to componentsby the manufacturers
Protect the facility• Restricted physical access• Rules and processes• Security checks
Protect the network• Segmented network• Firewall• VPN and end-to-end encryption
Protect the system• Detect and defend against attacks• Protect against manipulation• Robust systems / password protection • Patch managment
Measures built-in to systemby the integrator
![Page 11: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/11.jpg)
IEC 62443 DOCUMENTS
Organisational measurestaken by the operator
Measures built-in to systemby the integrator
Security functions built-in to componentsby the manufacturers
![Page 12: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/12.jpg)
EVALUATION OF THE PROTECTION LEVEL
Mat
uri
tyLe
vel
4
3
2
1
1 2 3 4
Security Level
PL 1
PL 2
PL 3
PL 4
2-1 2-4
Policies & Procedures
3-3
System & Components
Pro
tect
ion
Leve
l
![Page 13: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/13.jpg)
Requirement
IEC 62443-2-1A12 Operational policies and procedures
A 12.1 Operational procedures and responsibilites- Documented operating procedures- Change managementGoal: Ensure proper and secure operation
A 12.2 Protection against malware- Anti-malware measuresGoal: Facility is protected against malware
A 12.3 Backup of data
- Valuable intellectual property stored in more than one place
Goal: Data is protected against loss
A 12.4 Logging and monitoring
- Event logging
- Logged information protected
- Administrator and user logs
Goal: Events are logged and traceability is ensured
EXAMPLE 1
REQUIREMENT[…] Technical and organizational protective measures
MUST be defined. […]
IMPLEMENTATION✓ Data backed up in the form of versions of
programming projects✓ Data backup in the form of device uploads✓ Changes DETECTED by comparing consecutive
uploads✓ All the necessary tools and data for fast disaster
recovery
![Page 14: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/14.jpg)
EXAMPLE 2
▪ AUVESY and IRMA® – network scanner
▪ Introduce versiondog: "zero touch"
▪ Passive network scan (no risk)
▪ Active network scan
▪ Detect anomalies
▪ Desired vs. actual project version / program running on device
▪ Desired vs. actual device operation
▪ Desired vs. actual anomaly detection
![Page 15: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/15.jpg)
STUXNET
▪ Malicious manipulation that would have
been detected by versiondog
![Page 16: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/16.jpg)
SECURITY AND SAFETY
Security Safety
![Page 17: IEC 62443 Security in Industrial Automation Dirk Thielker · - Change management Goal: Ensure proper and secure operation A 12.2 Protection against malware - Anti-malware measures](https://reader034.vdocuments.us/reader034/viewer/2022042622/5f97a27eac2be47f011442a8/html5/thumbnails/17.jpg)
BEI FRAGEN STEHE ICH IHNENGERNE ZUR VERFÜGUNG!
IHR ANSPRECHPARTNER:
Dirk Thielker
Thank you for yourattention!