Unrestricted / © Siemens AG 2015. All Rights Reserved. siemens.com/industrialsecurity
Industrial Security: Real threats from the virtual world
Helping to increase your resistance to attack
Unrestricted / © Siemens AG 2015. All Rights Reserved. January 2015. Industrial Security, Real threats from the virtual world
Industrial Security
• The age of cyberattacks
• The concept of Defense-in-Depth
• The Siemens approach
• Awareness is Key
• Outlook: in future cybersecurity will be regulated
Security Trends: Globally we are seeing more network connections than ever before
Source: World Economic Forum, 50 Global Risks
Trends Impacting Security
• Cloud Computing approaches
• Increased use of Mobile Devices
• Wireless Technology
• Reduced Personnel Requirements
• Smart Grid
• Worldwide and remote access to remote plants, remote machines and mobile applications
• The “Internet of Things”
Industrial Security: The corporate security chain is only as strong as its weakest link
Security Can Fail at Any of these Points
• Employee
• Smartphone
• Laptops
• PC workstations
• Network infrastructure
• Mobile storage devices
• Tablet PC
• Computer center
• Policies and guidelines
• Printer
• Production systems
Industrial Security: Why has industrial security become so important?
Main Trends Impacting the Vulnerability of Automation Plants
• Horizontal and vertical integration at all network levels
• Connection of automation networks with IT networks and the Internet for remote maintenance
• Increased use of open standards and PC-based systems
• Possible threats increased due to these trends:
  • Access violation by unauthorized persons
  • Espionage and manipulation of data
  • Damage and data loss caused by malware
• Several security incidents reveal the vulnerability of automation plants.
Industrial Security: Cyber vulnerabilities can affect your plant at many levels
The Need to Act Because of Cyber Security Vulnerabilities
• Loss of intellectual property, recipes, …
• Sabotage of the production plant
• Plant downtime, e.g. caused by viruses and malware
• Manipulation of data or of application software
• Unauthorized use of system functions
• Regulations and standards for industrial security require conformance
  • Regulations: FDA, NERC CIP, CFATS, CPNI, KRITIS
  • Standards: ISA 99, IEC 62443
Threat analysis: Every three years new developments
Chart axes: number of new malware signatures, number of published exploits, number of published vulnerabilities, years 2001 to 2014. Four eras of attackers are overlaid on the chart:
• The age of computer worms, “Hacking for Fun” (hobbyists; hackers, BlackHat, responsible disclosure): CodeRed, Slammer, Blaster; worms, backdoors, viruses, anti-virus
• Cybercrime and financial interests, “Hacking for Money” (organized criminals): credit card fraud, botnets, banker trojans, phishing, adware, spam, website hacking; Zeus, SpyEye, Rustock
• Politics and critical infrastructure, “Hacking for political and economic gains” (hacktivists, state-sponsored actors): Anonymous, SCADA, RSA breach, DigiNotar, APT, targeted attacks, Sony hack; Aurora, Nitro, Stuxnet
• Cyberwarfare preparation, “Development and spreading of cyberwarfare capabilities” (multiple state and non-state actors): underground exploit market; systematic remote exploration and reconnaissance of critical infrastructures and vendors; increasing sophistication, focus and brutality/impact of cyber methods; introduction of malicious, sleeping functionality in critical products; ? ? ?
Top 10 threats
Industrial Automation and Control System (IACS): roles and scope
• Independent of IACS environment: the Product Supplier develops the Control System, a combination of host devices, network components, applications and embedded devices.
• IACS environment / project specific: the System Integrator designs and deploys the Automation Solution, for which the control system is the base: Basic Process Control System (BPCS) and Safety Instrumented System (SIS).
• The Asset Owner operates the Industrial Automation and Control System (IACS) = automation solution + operational and maintenance policies and procedures.
Actual structure of IEC / ISA-62443: main documents to be published
General (definitions, metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
Policies and procedures (processes / procedures; requirements placed on the security organization and processes of the plant owner and suppliers):
• 2-1 Requirements for an IACS security management system (Ed. 2.0: profile of ISO 27001 / 27002)
• 2-3 Patch management in the IACS environment
• 2-4 Requirements for IACS solution suppliers
System (functional requirements; requirements to achieve a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security risk assessment and system design
• 3-3 System security requirements and security levels
Component (requirements to secure system components):
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS products
Document status markers shown on the slide: IS 2009, TR 2009, DC 10/12, DC 2Q13, ID 4Q13 (two documents), IS 08/2013, DTS 1Q14 (rejected), IS 4Q14, TR 4Q14
Legend: DC: Draft for Comment; CDV: Committee Draft for Vote; IS: International Standard; TR: Technical Report; ID: Initial Draft
Various parts of IEC / ISA-62443 are addressing Defense in Depth
‘Defense in Depth’ involves all stakeholders: Asset Owner, System Integrator, Product Supplier
• Asset Owner: operational and maintenance policies and procedures (parts 2-1, 2-4, 3-2)
• System Integrator: policies and procedures (2-4); security capabilities of the Automation Solution (3-3)
• Product Supplier: development process (4-1); security capabilities of the products (4-2)
Industrial Automation and Control System (IACS): mapping of the IEC 62443 parts onto the roles
• Independent of IACS environment: the Product Supplier develops the Control System (host devices, network components, applications, embedded devices); parts 4-1 and 4-2
• IACS environment / project specific: the System Integrator designs and deploys the Automation Solution (BPCS, SIS), for which the control system is the base; parts 2-4 and 3-3
• The Asset Owner operates the IACS (automation solution + operational and maintenance policies and procedures); parts 2-1, 2-4 and 3-2
Each stakeholder can create vulnerabilities
In the IACS environment, each of the three roles can create weaknesses: the Product Supplier, which develops the control system (host devices, network components, applications, embedded devices); the System Integrator, which designs and deploys the automation solution (BPCS, SIS) on that base; and the Asset Owner, which operates the IACS with its operational and maintenance policies and procedures.
Example: User Identification and Authentication
• Hard-coded passwords
• Elevation of privileges
• Default passwords not changed
• Temporary accounts not deleted
• Invalid accounts not deleted
• Non-confidential passwords
• Passwords not renewed
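The operational weaknesses in the list above (default passwords, leftover temporary and invalid accounts, stale passwords) can be checked mechanically against an account inventory. The following audit script is an added example, not Siemens code; the inventory fields, the 90-day renewal policy and the 365-day staleness rule are assumptions, and the product-level items (hard-coded passwords, privilege elevation) are out of its scope.

```python
"""Audit of an account inventory for the user identification and
authentication weaknesses named on the slide: default passwords not
changed, temporary accounts not deleted, invalid (stale) accounts not
deleted, passwords not renewed.
Added example, not Siemens code.  Inventory fields and thresholds are
assumptions made for this demonstration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 90   # assumed renewal policy
STALE_AFTER_DAYS = 365       # assumed: no login for a year = invalid account


@dataclass
class Account:
    user: str
    password_changed: date               # last password change
    uses_default_password: bool = False  # still on the vendor default
    temporary: bool = False              # created for a one-off task
    expires: Optional[date] = None       # planned end of temporary access
    active: bool = True                  # account still exists and is enabled
    last_login: Optional[date] = None    # None = never used


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the slide's weakness categories that apply to one account."""
    findings = []
    if acct.uses_default_password:
        findings.append("default password not changed")
    if acct.active and acct.temporary and acct.expires and acct.expires < today:
        findings.append("temporary account not deleted")
    if acct.active and acct.last_login and (today - acct.last_login).days > STALE_AFTER_DAYS:
        findings.append("invalid account not deleted")
    if (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password not renewed")
    return findings


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each user with at least one finding to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample inventory (not real data); the audit date is 2015-01-15.
TODAY = date(2015, 1, 15)
SAMPLE = [
    Account("operator1", date(2014, 12, 1), last_login=date(2015, 1, 14)),
    Account("admin", date(2013, 6, 1), uses_default_password=True,
            last_login=date(2015, 1, 10)),
    Account("contractor_tmp", date(2014, 10, 1), temporary=True,
            expires=date(2014, 11, 1), last_login=date(2014, 10, 20)),
    Account("old_engineer", date(2013, 11, 1), last_login=date(2013, 11, 15)),
]

if __name__ == "__main__":
    for user, findings in audit_inventory(SAMPLE, TODAY).items():
        print(f"{user}: {'; '.join(findings)}")
```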
Siemens is product and solution supplier
• Independent of IACS environment: as Product Supplier, Siemens develops the Control System (host devices, network components, applications, embedded devices).
• IACS environment / project specific: as System Integrator, Siemens designs and deploys the Automation Solution, for which the control system is the base: Basic Process Control System (BPCS), Safety Instrumented System (SIS) and complementary hardware and software.
• The Asset Owner operates the Industrial Automation and Control System (IACS) = automation solution + operational and maintenance policies and procedures.
Industrial Security: The Defense in Depth Concept
Plant security
• Physical prevention of access to critical areas
• Establishing a Security Management Process
Network security
• Controlled interfaces between office and plant network, e.g. via firewalls
• Further segmentation of the plant network
System integrity
• Antivirus and whitelisting software
• System hardening
• Maintenance and update processes
• User authentication for plant or machine operators
• Integrated access protection mechanisms in automation components
Security solutions in an industrial context must take account of all protection layers
Industrial Security: The Siemens Approach
Siemens Industrial Security approach
The Siemens approach is based on five key points:
• Implementation of Security Management
• The interfaces are subject to regulations and are monitored accordingly.
• PC-based systems must be protected.
• The control level must be protected.
• Communication must be monitored and can be segmented.
Industrial Security: The Siemens Solution
• Industrial Security Services: managed service and consulting
• Security Management: processes and policies
• Products & Systems: secure PCs, controllers and networks
  • Integral security in PCs and controllers
  • Security products for networking and communication
The Siemens solution reduces your risk with a well thought-out security concept
Step-by-step approach for long-term protection of your industrial control system (ICS)
Step 1: Assess. Information about the security status and development of a security roadmap
• Vulnerability analysis
• Gap analysis
• Threat analysis
• Risk analysis
Step 2: Implement. Planning, development and implementation of a holistic cyber security program
• Cyber security training
• Development of security strategies and procedures
• Implementation of security technology
Step 3: Continuous security services. Continuous security through detection and proactive protection
• Global Threat Intelligence
• Detection and resolution of incidents
• Fast adaptation to changing threats
Industrial Security: The Siemens solution for plant security
Plant security covers the first of the five key points, Implementation of Security Management; the others are:
• The interfaces are subject to regulations and are monitored accordingly.
• PC-based systems must be protected.
• The control level must be protected.
• Communication must be monitored and can be segmented.
Industrial Security: Security Management
Security Management is essential for a well thought-out security concept
Security Management Process (a cycle of four steps: 1 Risk analysis, 2 Policies and organizational measures, 3 Technical measures, 4 Validation & improvement)
• Risk analysis with definition of mitigation measures
• Setting up of policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of the risk analysis
Industrial Security: The Siemens Solution for Network Security
• Implementation of Security Management
• The interfaces are subject to regulations and are monitored accordingly.
• Network security: PC-based systems must be protected. Communication must be monitored and can be segmented.
• System integrity: The control level must be protected.
Industrial Security: Security Integrated is an essential component of a Defense in Depth concept
Plant security
• Access blocked for unauthorized persons
• Physical prevention of access to critical components
Network security
• Controlled interfaces with SCALANCE firewalls
• Further segmentation with Advanced CPs
System integrity
• Know-how protection
• Copy protection
• Protection against manipulation
• Access protection
• Expanded access protection with CP 1543-1
Siemens products with Security Integrated provide security features such as integrated firewall, VPN communication, access protection and protection against manipulation.
Industrial Security: SIMATIC S7-1500 and the TIA Portal
Security Highlights
The SIMATIC S7-1500 and the TIA Portal provide several security features:
• Increased Know-How Protection in STEP 7. Protection of intellectual property and effective investment:
  • Password protection against unauthorized opening of program blocks in STEP 7, and thus protection against unauthorized copying of e.g. developed algorithms
  • Password protection against unauthorized evaluation of the program blocks with external programs
    • from the STEP 7 project
    • from the data of the memory card
    • from program libraries
• Increased Copy Protection. Protection against unauthorized reproduction of executable programs:
  • Binding of single blocks to the serial number of the memory card or PLC
  • Protection against unauthorized copying of program blocks with STEP 7
  • Protection against duplicating the project saved on the memory card
Industrial Security: SIMATIC S7-1500 and the TIA Portal
Security Highlights
The SIMATIC S7-1500 and the TIA Portal provide several security features:
• Increased Access Protection (Authentication). Extensive protection against unauthorized project changes:
  • New Protection Level 4 for the PLC, complete lockdown (HMI connections also need a password) *
  • Configurable levels of authorization (1-3, each with its own password)
  • Applies to access over PLC and Communication Module interfaces
  • General blocking of project parameter changes via the built-in display
• Expanded Access Protection. Extensive protection against unauthorized project changes:
  • Via the Security CP 1543-1 by means of integrated firewall and VPN communication
• Increased Protection against Manipulation. Protection of communication against unauthorized manipulation for high plant availability:
  • Improved protection against manipulated communication by means of digital checksums when accessing controllers
  • Protection against network attacks such as injection of faked or recorded network communication (replay attacks)
  • Protected password transfer for authentication
  • Detection of manipulated firmware updates by means of digital checksums
* Optimally supported by SIMATIC HMI products and SIMATIC NET OPC Server
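The two manipulation-protection items above, a keyed digital checksum on controller traffic and rejection of recorded (replayed) frames, combine into one receiver-side check. The following is an added example and does not describe the S7-1500's actual protocol: the frame layout (sequence number | payload | tag), the shared key and the choice of HMAC-SHA256 are assumptions made for the demonstration.

```python
"""Integrity and replay protection for a control message, illustrating the
'digital checksum' and replay-attack countermeasures listed on the slide.
Added example; not the S7-1500 protocol.  Frame layout, key and MAC
algorithm are assumptions."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

TAG_LEN = 32                                  # HMAC-SHA256 digest size
KEY = b"constructed-demo-key-do-not-reuse"    # constructed shared secret


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Frame = 4-byte big-endian sequence number | payload | keyed tag.
    The tag covers the sequence number, so a recorded frame cannot be
    re-numbered to look fresh without knowing the key."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if its tag verifies and its sequence number is
    strictly greater than the last accepted one."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> Tuple[Optional[bytes], str]:
        if len(frame) < 4 + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time comparison so the check itself leaks nothing about the tag
        if not hmac.compare_digest(tag, expected):
            return None, "tag mismatch"
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[4:], "ok"


def demo() -> List[str]:
    """Walk through the cases the slide names: a valid frame, the same frame
    recorded and resent, a frame whose payload was altered, and a fresh frame."""
    rx = Receiver()
    frame1 = protect(1, b"SETPOINT=42")
    outcomes = [rx.accept(frame1)[1]]                         # "ok"
    outcomes.append(rx.accept(frame1)[1])                     # "replay"
    altered = frame1[:4] + b"SETPOINT=99" + frame1[15:]       # payload changed, old tag kept
    outcomes.append(rx.accept(altered)[1])                    # "tag mismatch"
    outcomes.append(rx.accept(protect(2, b"SETPOINT=43"))[1])  # "ok"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The same keyed-checksum routine applied to a firmware image instead of a frame is the "detection of manipulated firmware updates" item: verify the tag before installing.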
Security Awareness is a basic Element
Industrial Security must be addressed at different levels: Processes, Organization, Technical Security and Standardization/Regulations, with Security Awareness as the base for all of them.
… the 10 top tips for information security
1 Classify information correctly, e.g. as “confidential”, and protect it accordingly
2 Make information accessible only to those who really need it
3 Do not pass on personal passwords, access codes or your PIN/PKI, not even for the purpose of standing in for someone
4 Store or send confidential information only in encrypted form. Encrypt your communication with external parties
5 Use secure disposal channels for confidential information, e.g. special containers, shredders
6 When travelling, carry only the information and devices you really need
7 Protect information from unwanted views and unwanted listeners, in the office and in public
8 Always be careful and alert when using the Internet and e-mail
9 Always keep your PC and antivirus software up to date
10 Notify your InfoSec Advisor immediately if you are unsure or suspect a threat
Security will be regulated
Assessment of cybersecurity requires a holistic approach
Cybersecurity protection of IACS: the Asset Owner operates the automation solution, which controls the plant.
• The Asset Owner has the appropriate operational and maintenance policies and procedures to operate an automation solution in a secure fashion
• The automation solution fulfills the security functionalities required by the target protection level of the plant
Security levels:
• SL 1: Protection against casual or coincidental violation
• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Dr. Pierre Kobes
Product and Solution Security Officer
PD TI ATS TM 2
E-Mail: [email protected]
Thank you for your attention!
siemens.com/industrialsecurity
Industrial Security: Support & Service for Industrial Security
Information about Industrial Security
WWW: http://www.siemens.de/industrialsecurity
Email: [email protected]
Contact in Marketing Promotion Industrial Security
Oliver Narr, Email: [email protected], Phone: +49 (911) 895-2442
Contact for Industrial Security Services
Stefan Woronka, Email: [email protected], Phone: +49 (721) 595-4500
Industrial Security: Support & Service for Industrial Security
SIMATIC System Presales Support Factory Automation
Email: [email protected]
Phone: +49 (911) 895-4646
Contact in Security Product Management Factory Automation
Dirk Gebert, Email: [email protected], Phone: +49 (911) 895-2253
Contact for Motion Control
Sven Härtel, Email: [email protected], Phone: +49 (9131) 98-3059
Industrial Security: Support & Service for Industrial Security
SIMATIC System Presales Support Process Automation
Email: [email protected]
Phone: +49 (721) 595-7117
Contact in Security Product Management Process Automation
Jean-Luc Gummersbach, Email: [email protected], Phone: +49 (721) 595-8637
Industrial Security: Support & Service for Industrial Security
SIMATIC NET support for Network Security
Email: [email protected]
Phone: +49 (911) 895-2905
Customer Support
WWW: http://support.automation.siemens.com
Phone: +49 (911) 895-7222
Industrial Security: Any questions about Network Security?
Contact in Security Product Management Network Security
Franz Köbinger, Email: [email protected], Phone: +49 (911) 895-4912
Contact in Business Development Network Security
Maximilian Korff, Email: [email protected], Phone: +49 (911) 895-2839
Contact in Marketing Promotion Network Security
Christine Gaida, E-Mail: [email protected], Phone: +49 (911) 895-2111
Industrial Security: Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.