CLASS 2016 - Palestra Márcio Santos


Transcript of CLASS 2016 - Palestra Márcio Santos

Page 1: CLASS 2016 - Palestra Márcio Santos

Unrestricted / © Siemens AG 2016. All Rights Reserved.

CLASS 2016 Protection of real time industrial communication protocols and its technical impacts

Márcio Santos

SIEMENS

19.05.2016

Page 2: CLASS 2016 - Palestra Márcio Santos

Who are we?

SIEMENS

Page 3: CLASS 2016 - Palestra Márcio Santos


Global presence

Close to customers all over the world

Revenue by customer location and employees as of September 30, 2015 (share of worldwide total in brackets):

Region | Revenue | Employees
Americas | €21.7 billion (29%) | 73,500 (21%)
Europe (excluding Germany), CIS, Africa, Middle East | €27.6 billion (36%) | 98,800 (28%)
Germany | €11.2 billion (15%) | 114,000 (33%)
Asia, Australia | €15.1 billion (20%) | 61,500 (18%)

All figures refer to continuing operations. CIS: Commonwealth of Independent States

Chart: market development (illustrative) from today to mid term – 2020 along Electrification, Automation and Digitalization.

Page 4: CLASS 2016 - Palestra Márcio Santos


168 years of innovation

Milestones

- 1847 Werner von Siemens founds the company
- 1847 Pointer telegraph
- 1866 Dynamo
- 1879 Electric train
- 1881 Electric streetcar
- 1881 Telephone switchboard
- 1924 Traffic light
- 1935 Coaxial cable
- 1939 Electron microscope
- 1953 High-purity silicon
- 1958 Heart pacemaker
- 1959 Simatic (electronic automation)
- 1962 Thyristors for energy transmission
- 1965 Integrated circuit
- 1974 Computed tomography scanner
- 1985 ICE – top speed 300 km/h
- 1988 Megabit chip
- 2000 Wind turbine rotor blades in one cast
- 2000 syngo user interface
- 2009 World record gas turbine, 370 MW
- 2010 Biograph mMR
- 2013 PLM Software
- 2015 Somatom Force

Page 5: CLASS 2016 - Palestra Márcio Santos


Brazil presence

Close to customers in a continental country

At present, Siemens employs more than 7,000 employees in Brazil, with 12 manufacturing facilities, 7 R&D centers and 13 regional offices.

Page 6: CLASS 2016 - Palestra Márcio Santos


110 years of innovations

Milestones

- 1867 Supply and installation of a telegraph line between Rio de Janeiro and Rio Grande do Sul.
- 1905 Founding of Cia. Brazileira de Eletricidade Siemens-Schuckertwerke, in Rio de Janeiro.
- 1922 Installation of Brazil's 1st automatic telephone office in Porto Alegre.
- 1939 Siemens inaugurates in São Paulo the 1st transformer plant in Brazil.
- 1955 Installation of Brazil's 1st automatic telephone office in Porto Alegre.
- 1983 Installation of the first of 18 generator rotors at the Itaipu Hydroelectric Power Plant.
- 2005 Siemens celebrates its 100th anniversary in Brazil.
- 2007 Siemens inaugurates the largest Latin American energy equipment plant in Jundiai (São Paulo).
- 2009 Siemens' first train modernization and assembly center of Latin America, in Cabreúva (São Paulo).
- 2012 Siemens inaugurates its diagnostic imaging equipment plant in Joinville.
- 2013 Production and installation of Siemens' first wind turbines in Brazil (Trairi, Ceará).
- 2015 Siemens celebrates its 110th anniversary in Brazil.
- 2016 Siemens Foundation celebrates its 30th anniversary.

Page 7: CLASS 2016 - Palestra Márcio Santos


Flat and market driven organization along the value chain will capture growth opportunities

Org chart:
- Managing Board
- Go-to-market: Market Americas; Europe, Africa, Middle East, CIS 1); Asia, Australia; Global Healthcare
- Divisions (Global P&L): Power and Gas (PG), Wind Power and Renewables (WP), Power Generation Services (PS), Energy Management (EM), Building Technologies (BT), Mobility (MO), Digital Factory (DF), Process Industries and Drives (PD), Financial Services (SFS); Healthcare (HC) separately managed
- Corporate Core, Corporate Services

1) Commonwealth of Independent States

Page 8: CLASS 2016 - Palestra Márcio Santos

Motivation: Real time protocols vs. Security frameworks?

Protection of real time industrial communication protocols

Page 9: CLASS 2016 - Palestra Márcio Santos

Industrial Communication

Vulnerability disclosures are headline news

"Industrial Communications do not have any kind of self protection", says hacker during international Hacker Conference

"Hacking the Grid in 5 steps"

"Hackers exploit SCADA holes to take full control of critical infrastructure"

Page 10: CLASS 2016 - Palestra Márcio Santos

Industrial Communication

5 Simple steps for a successful attack

Diagram: Control System (discrete and analog signals), SCADA Server, Switch and Invader. The invader first observes the exchange "Give me the temperature" / "The temperature is 35" and notes: "Now I know: the temperature value, the communication relation". After redirecting the traffic: "Now I'm the Man-In-The-Middle: I can change the temperature".

Man-in-the-middle attack in 5 simple steps:

1. Gain network access
2. Sniff the network packets
3. Discover the communication relations
4. Redirect the communication traffic
5. Be happy and be ethical

Page 11: CLASS 2016 - Palestra Márcio Santos

Industrial Communication

Important questions regarding industrial communication

Diagram: the same Control System, SCADA Server, Switch and Invader scenario, with the exchange "Give me the temperature" / "The temperature is 35" passing through the invader.

5 important questions in this case:

1. No network access protection?
2. No data confidentiality?
3. No data integrity?
4. No user authentication?
5. Is such configuration common?

Page 12: CLASS 2016 - Palestra Márcio Santos


What is it?

Real Time Control

Page 13: CLASS 2016 - Palestra Márcio Santos

Home Example

Reservoir level control

Diagram: level (L) over time (s) between a maximum level and a minimum level; the valve is opened and closed in response to the level, and each change takes effect only after a reaction time. "Ops!!! Houston, we have a problem!"

Page 14: CLASS 2016 - Palestra Márcio Santos

Industrial Example

From discrete signals to intelligent field devices

- A long time ago: 16 bit control; discrete and analog signals; backplane I/O
- Not so long time ago: 32 bit control; discrete and analog signals; industrial RS-485 bus; communication processors
- Now and in the future: 64 bit control; Ethernet bus; intelligent field devices

Page 15: CLASS 2016 - Palestra Márcio Santos

Industrial Communications Vs Real Time Control

How does it work using Ethernet networks?

Diagram: the PLC talks to a PC with an SNMP/OPC server and to a PC running Internet Explorer through the standard stack (Application Layer: HTTP, SNMP, Socket; TCP/UDP; IP; Ethernet), while a separate Real-time Communication path (Ethernet, handled in an ASIC/FPGA) connects the PLC with the field devices and the sensor system over the same Ethernet cable.

Page 16: CLASS 2016 - Palestra Márcio Santos

Industrial Communications Vs Real Time Control

What are the influences of the network latency in control system?

Diagram: several cycles frozen on the oscilloscope; Sync pulses every 1 ms with 1 µs jitter.

Page 17: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Different solutions for different challenges for different factories

- Real time
- Determinism

Chart: application and communication layers (down to Layer 2) against a cycle-time axis (1 ms, 10 ms, 100 ms) for the communication classes TCP/IP, Real-time and Isochronous real-time, with the printed ranges "up to 31.25 ms" and "up to 250 ms", and the performance reserves of typical applications: Production Line, Tool Machine, Print Machines, Packing Machines, Storage & Logistics, Press, Robot.

Page 18: CLASS 2016 - Palestra Márcio Santos


How to protect real time industrial networks?

Industrial Communications

Page 19: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

The Defense in Depth Concept in Detail

Diagram: a potential attack on the DCS/SCADA* system has to pass three protection layers:

Plant Security
- Physical Security: physical access to facilities and equipment
- Policies & procedures: security management processes; operational guidelines; Business Continuity Management & Disaster Recovery

Network Security
- Security cells & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell

System Integrity
- System hardening: adapting the system to be secure by default
- User Account Management: access control based on user rights and privileges
- Patch Management: regular implementation of patches and updates
- Malware detection and prevention: anti-virus and whitelisting

*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Page 20: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Protection of real time networks (based on layers 3/4)

Typical Layer 3/4 network

Diagram: a firewall between the untrusted network (192.168.0.1) and the trusted network with the PLC side (192.168.0.2, 192.168.0.3).

Expected cycle time: 10~20ms

Firewall rules:

Direction Source Destination Port
Ext->Int 192.168.0.1 192.168.0.2 502
Ext->Int 192.168.0.1 192.168.0.3 502

Firewall considerations:
- Typical latency: 0.5ms~5ms
- Usually stateful firewall
- Usually only supports layer 3/4 rules

Does the firewall have a significant influence on the cycle time and on the system functionality? Not at all in this case!!!

Page 21: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Protection of real time networks (based on layers 3/4)

Typical Layer 3/4 network

Diagram: firewall between the trusted network and the untrusted network.

Firewall overall performance depends on:
- Hardware or software implementation
- Other embedded functionalities (VPN, router)
- Costs (High-End vs Low-End solution)

Source: DataCenters Firewall Comparative Analysis – NSS Labs – 2013

Page 22: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Protection of real time networks (based on layers 3/4)

DPI (Data Package Inspection) Firewall

Diagram: firewall between the untrusted network and the trusted network (192.168.0.2, 192.168.0.3). Expected cycle time: 10~20ms

Firewall rules (Layer 3/4):

Direction Source Destination Port
Ext->Int 192.168.0.1 192.168.0.2 502
Ext->Int 192.168.0.1 192.168.0.3 502

Firewall rules (Layer 7):

Destination Register Read Write
192.168.0.2 50001 Allow Allow
192.168.0.3 50001 Allow Deny

Firewall considerations:
- The firewall must be able to recognize and interpret the frames, applying additional protection rules
- Theoretically more processing time, but not so critical considering the expected cycle time
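The two rule tables above can be exercised with a small stateless evaluator. This is an added example written for this transcript, not Siemens firewall code; it assumes that the port-502 traffic is Modbus/TCP (MBAP header plus PDU), that the slide's "Register" column is the 16-bit starting address carried in the PDU, and that function codes 0x03/0x04 are reads and 0x06/0x10 are writes. The sample frames and the helper names (`Packet`, `decide`, `adu`, `request`) are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Layer 3/4 rules from the slide: (direction, source, destination, destination port)
L34_RULES = {("Ext->Int", "192.168.0.1", "192.168.0.2", 502),
             ("Ext->Int", "192.168.0.1", "192.168.0.3", 502)}
# Layer 7 rules from the slide: destination -> register -> (read verdict, write verdict)
L7_RULES = {"192.168.0.2": {50001: ("Allow", "Allow")},
            "192.168.0.3": {50001: ("Allow", "Deny")}}
READ_CODES = {0x03, 0x04}    # Read Holding Registers, Read Input Registers
WRITE_CODES = {0x06, 0x10}   # Write Single Register, Write Multiple Registers


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    payload: bytes   # Modbus/TCP ADU: 7-byte MBAP header followed by the PDU


def parse_modbus(payload):
    """Return (function_code, starting_address), or None if the ADU is malformed.
    Assumption for this example: the slide's 'Register' column is the 16-bit
    starting address in the PDU (Modbus 4xxxx numbering offsets are ignored)."""
    if len(payload) < 10:
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    return struct.unpack(">BH", payload[7:10])


def decide(pkt):
    """Stateless evaluation: L3/4 tuple first, then the L7 rule for the register.
    Returns (verdict, reason); anything without an explicit Allow is denied."""
    if (pkt.direction, pkt.src, pkt.dst, pkt.dport) not in L34_RULES:
        return "Deny", "no layer 3/4 rule for this flow"
    parsed = parse_modbus(pkt.payload)
    if parsed is None:
        return "Deny", "malformed Modbus/TCP frame"
    fc, register = parsed
    rule = L7_RULES.get(pkt.dst, {}).get(register)
    if rule is None:
        return "Deny", "no layer 7 rule for register %d" % register
    if fc in READ_CODES:
        return rule[0], "read of register %d" % register
    if fc in WRITE_CODES:
        return rule[1], "write of register %d" % register
    return "Deny", "function code %#x not classified" % fc


def adu(fc, address, *data):
    """Build a minimal Modbus/TCP ADU (constructed sample traffic, not a capture)."""
    pdu = struct.pack(">BH", fc, address) + bytes(data)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


def request(src, dst, fc, address, *data):
    """External request towards the trusted side on the Modbus/TCP port."""
    return Packet("Ext->Int", src, dst, 502, adu(fc, address, *data))
```

A write to register 50001 on 192.168.0.3 is denied while the same write to 192.168.0.2 passes, exactly as the Layer 7 table says; a flow not matched by the Layer 3/4 table never reaches the DPI step.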

Page 23: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Protection of real time networks (based on layer 2)

Typical Layer 2 network

Diagram: a firewall between the untrusted network (192.168.0.1 / 08-01-E1-00-FF-01) and the trusted network with the PLC side (192.168.0.2 / 08-01-E1-00-FF-02 and 192.168.0.3 / 08-01-E1-00-FF-03).

Expected cycle time: 31.25µs~1ms

Firewall rules:

Direction Source Destination Service Type
Ext->Int 08-01-E1-00-FF-01 08-01-E1-00-FF-02 ????
Ext->Int 08-01-E1-00-FF-01 08-01-E1-00-FF-03 ????

Firewall considerations:
- Typical latency: 0.5ms~5ms
- Must support layer 2 rules

Does the firewall have a significant influence on the cycle time and on the system functionality? For sure!!!

This kind of solution is not feasible nowadays.
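To put the layer 3/4 cell and the layer 2 cell side by side, here is an added example (not part of the slides) that computes the worst-case reaction time of a cyclic control loop with and without a firewall in the path, using the deck's figures: 10~20 ms and 31.25 µs~1 ms cycle times and the upper firewall latency of 5 ms. It also applies the same reaction time to the reservoir of the "home example" to express the delay as litres of overshoot; the fill rate and the event time used there are constructed, and the `Loop` class and function names are this example's own.

```python
"""Reaction time of a cyclic control loop with a firewall in the path, using the
numbers from these slides: cycle 10~20 ms (layer 3/4 cell) or 31.25 us~1 ms
(layer 2 cell) and a firewall latency of 0.5~5 ms. Added example, not from the
slides. Times are integer nanoseconds so that all results are exact."""
from dataclasses import dataclass

US, MS = 1_000, 1_000_000          # nanoseconds per microsecond / millisecond


@dataclass(frozen=True)
class Loop:
    cycle_ns: int     # controller sampling and communication cycle
    latency_ns: int   # one-way delay added between controller and actuator


def ceil_div(a, b):
    return -(-a // b)


def reaction_time_ns(loop, event_ns):
    """Delay from a process event (the reservoir level of the 'home example'
    crossing its maximum at event_ns) until the valve command takes effect:
    the controller notices at its next sampling instant, then the command is
    held up by the network latency."""
    next_sample = ceil_div(event_ns, loop.cycle_ns) * loop.cycle_ns
    return (next_sample - event_ns) + loop.latency_ns


def worst_case_reaction_ns(loop):
    """Event just after a sampling instant: one full cycle plus the latency."""
    return loop.cycle_ns + loop.latency_ns


def overshoot_litres(loop, event_ns, inflow_lps):
    """Reservoir example: litres above the maximum level before the valve closes."""
    return inflow_lps * reaction_time_ns(loop, event_ns) / 1e9


def firewall_impact(cycle_ns, latency_ns):
    """Worst-case reaction time without and with the firewall, and the factor
    by which the firewall stretches it (1.0 would mean no influence)."""
    bare = worst_case_reaction_ns(Loop(cycle_ns, 0))
    with_fw = worst_case_reaction_ns(Loop(cycle_ns, latency_ns))
    return bare, with_fw, with_fw / bare


# The two cells of the slides against the slowest firewall latency quoted (5 ms).
SCENARIOS = {
    "layer 3/4 cell, 10 ms cycle": firewall_impact(10 * MS, 5 * MS),
    "layer 3/4 cell, 20 ms cycle": firewall_impact(20 * MS, 5 * MS),
    "layer 2 cell, 1 ms cycle": firewall_impact(1 * MS, 5 * MS),
    "layer 2 cell, 31.25 us cycle": firewall_impact(31_250, 5 * MS),
}

if __name__ == "__main__":
    for name, (bare, with_fw, factor) in SCENARIOS.items():
        print(f"{name:30s} {bare / MS:8.3f} ms -> {with_fw / MS:8.3f} ms  (x{factor:.1f})")
```

The same 5 ms firewall stretches the worst-case reaction of the 10 ms loop by a factor of 1.5, but that of the 31.25 µs loop by a factor of 161, which is the quantitative form of "For sure!!!" above.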

Page 24: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Protection of real time networks (based on layer 2)

Typical Layer 2 network

Diagram: the same firewall between the untrusted network and the trusted network (192.168.0.2 / 08-01-E1-00-FF-02, 192.168.0.3 / 08-01-E1-00-FF-03); expected cycle time: 31.25µs~1ms.

Firewall Challenges:
- Unacceptable latency
- Device replacement restrictions
- Dynamic firewall rules
- No DPI due to complex semantics

So, is it not possible to have a secure environment with industrial control systems, due to performance and functionality restrictions?

Yes, it is possible, but you have to design it properly!!!

Page 25: CLASS 2016 - Palestra Márcio Santos


Industrial Communications

ISA-99/IEC-62443 protection recommendations (for all kind of networks)

Page 26: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

ISA-99/IEC-62443 protection recommendations (for all kinds of networks)

Diagram: Secure Automation Cell – the PLC and its trusted network (expected cycle time 31.25µs~1ms) behind a firewall towards the unsecure environment / untrusted network.

Benefits
- No influence on the internal and high performing communications
- No restrictions in the control system functionalities
- External access can be controlled in the perimeter protection
- Can be used for the monitoring system and the engineering system
- Even engineering functions based on layer 2 can be used in this case

Page 27: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

ISA-99/IEC-62443 protection recommendations (cell to cell communication)

Diagram: two Secure Automation Cells, each a PLC in its own trusted network behind its own firewall, connected to each other across the untrusted network.

Internal Communications (inside each cell, expected cycle time: 31.25µs~1ms)
- Reliable
- High performance
- Without restrictions

Cell to cell communication across the untrusted network: expected cycle time 10~1000ms

Page 28: CLASS 2016 - Palestra Márcio Santos


OPC UA - Unified Architecture

Industrial Communications

Page 29: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

OPC UA – The first industrial protocol with enhanced security functions

OPC History – success story

Benefits of OPC UA
- Open connectivity
- Plug-and-Play
- Interfaces available from multiple vendors
- Easy to use
- Secure by birth
- Independent of HW/SW platform
- Can be implemented in small devices

Page 30: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

OPC UA – The first industrial protocol with enhanced security functions

Platform Independence: OPC UA is designed to be independent of the platform. Using SOAP/XML over HTTP, OPC UA can be deployed on Linux, Windows XP Embedded, VxWorks, Mac, Windows 7 and Classical Windows platforms.

Access via Firewalls and across the Internet: OPC UA uses message based security, which means messages can be relayed through HTTP, UA TCP port or any other single port available.

Page 31: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

OPC UA – The first industrial protocol with enhanced security functions

Diagram: sequence of encrypted communication between an OPC UA Client and an OPC UA Server. The client encrypts "Hello" with the public key of the server certificate (shown as "u@#r**ss0+"), and the server decrypts it with the private key of the server certificate. The server answers "Hi", encrypted with the public key of the client certificate (shown as "j4#€*s@0+"), and the client decrypts it with the private key of the client certificate.

Server and client encrypt their messages using the public keys of their partners, which then decrypt the messages again with their private keys.

Page 32: CLASS 2016 - Palestra Márcio Santos


OPC UA + PROFINET

The backbone of Industry 4.0

Industrial Communications

Page 33: CLASS 2016 - Palestra Márcio Santos


Digital Enterprise

The practical way to Industry 4.0


Page 34: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

OPC UA + PROFINET – The Best in class combination

Diagram: two Secure Automation Cells (trusted networks, expected cycle time 31.25µs~1ms), each behind its own firewall, connected over the untrusted network (expected cycle time 10~1000ms) to the Corporate Level and to other Secure Automation Cells. Each cell contains:

Intelligent Controllers
- PROFINET I/O Controllers
- OPC UA Servers
- OPC UA Clients

Intelligent Field Devices
- PROFINET I/O Devices
- OPC UA Servers
- OPC UA Clients

Page 35: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

OPC UA + PROFINET In Action – ICS Village – CLASS 2016

Diagram: demo network with a Process BUS, a DMZ BUS and a Corporate BUS separated by firewalls; components shown: PLC, two access points, SCADA SERVER, OPC UA SERVER and OPC UA CLIENT.

Page 36: CLASS 2016 - Palestra Márcio Santos


Summary

Industrial Communications

Page 37: CLASS 2016 - Palestra Márcio Santos

Industrial Communications

Summary

Overall cycle time and system functionality must be taken into account while designing cyber security systems.

PROFINET is the market-leading industrial automation protocol based on Ethernet networks, achieving cycle times of 31.25µs with 1µs jitter.

OPC UA is a trend-setting protocol in terms of automation connectivity (non real time) and it has embedded cyber security mechanisms.

PROFINET + OPC UA is the best in class combination, driving perfect solutions for real time applications and connectivity in the whole factory.

This combination makes it possible to create highly flexible automation networks without compromising the cyber security aspects.

Page 38: CLASS 2016 - Palestra Márcio Santos


Márcio Santos

Technical Consultant

SIEMENS Brazil

Phone: +55(11) 9 7244-0552

E-Mail: [email protected]

Visit us during CLASS 2016 and take the opportunity to see a real control system in action and its protection layers provided by different vendors.

Thank you for your attention!

5/27/2016