Speed Flexibility Quality Efficiency · IEC 62443 The all encompassing Industrial Security Standard...

Unrestricted © Siemens AG 2018

Drivers of Digitalization

Security

Speed Flexibility Quality Efficiency

11/29/2017 Page 2

IEC 62443 The all

encompassing Industrial

Security Standard

siemens.com Lars Peter Hansen


The Cyber Threat

Why worry?

Source: https://fe-ddis.dk/SiteCollectionDocuments/FE/EfterretningsmaessigeRisikovurderinger/Risikovurdering2015.pdf

Danmark står fortsat over for en meget høj cybertrussel,

særligt fra fremmede stater. Nogle stater forsøger

vedholdende at udføre cyberspionage mod danske

myndigheder og virksomheder, og de gør det stadigt

sværere at opdage deres aktiviteter.

Truslen er derfor særligt rettet mod forskningstunge

virksomheder, inden for bl.a. højteknologi, energi og

medicinalindustrien.

11/29/2017 Page 5

https://fe-ddis.dk/SiteCollectionDocuments/FE/EfterretningsmaessigeRisikovurderinger/Risikovurdering2015.pdf



https://fe-ddis.dk/

https://fe-ddis.dk/


Caught between regulation, requirements, and standards

11/29/2017 Page 10


The all encompassing Industrial Security Standard

Provides greater clarity by clearly defining the roles and responsibilities

11/29/2017 Page 12


What does IEC 62443 provide us with?

11/29/2017 Page 13


IEC 62443 addresses the Defense in Depth concept

• Cell protection, DMZ and

remote maintenance

• Firewall and VPN

• Physical access protection

• Processes and guidelines

• Security service protecting production plants

• System hardening

• Authentication and use administration

• Patch management

• Detection of attacks


IEC 62443 focus on the interfaces between all stakeholders

Asset Owners, Integrators, and

Manufactures

11/29/2017 Page 16


IEC 62443 provide generic network blueprints

How to connect IT with OT How to develop a

segmentation

concept for the

11/29/2017 Page 17


IEC 62443 defines a complete Cyber Security Management System

It is a Risk based approach that covers the setup of a:

security organization and

security processes

security countermeasures

and Implementation

11/29/2017 Page 18


Component System Policies and procedures General

1-1 Terminology, concepts and

models

1-2 Master glossary of terms

and abbreviations

3-3 System security requirements

and security assurance levels

3-2 Security assurance levels

for zones and conduits

3-1 Security technologies for

IACS

2-3 Patch management in the

IACS environment

2-2 Operating an IACS security

program

2-1 Establishing an IACS

security program

1-3 System security compliance

metrics

4-2 Technical security

requirements for IACS products

4-1 Product development

requirements

IEC 62443

Definitions

Metrics

Requirements to the security

organization and processes of the

plant owner and suppliers

Requirements to a secure system Requirements to secure system

components

2-4 Certification of IACS

supplier security policies

The IEC 62443 Structure

Functional requirements Processes / procedures 11/29/2017 Page 19


Phases in product and IACS life cycles

Product life cycle

Product Supplier

IACS life cycle

Asset Owner Asset Owner

(Service provider)

System

Integrator

Asset Owner

Operation / Maintenance Specification Integration / Commissioning Decommissioning

Automation solution

Project application

Configuration, User Management Security measures and settings

Automation solution

Security measures and settings

Operational policies and

procedures

Security targets

Control Systems

Host devices

Network components Applications

Embedded devices

Specification Design Commercialization / maintenance Phase Out

Automation solution

Decommissioning policies and procedures

4-1

2-3 3-3

4-2

2-1 2-3

2-4 3-2

2-1 2-3

3-2

2-4

2-1

2-4 3-3 3-3

11/29/2017 Page 21


Protection Levels

Cover security functionalities and processes

Protection Levels

Security functionalities Security processes

SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation

Capability to protect against casual or coincidental violation

Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation

SL 2

SL 1

ML 4 Optimized - Process measured, controlled and continuously improved

ML 3

Defined - Process characterized, proactive deployment

Initial - Process unpredictable, poorly controlled and reactive.

Managed - Process characterized , reactive ML 2

ML 1

4

3

2

1 Ma

turi

ty L

eve

l

2 3 4 1

Security Level

PL 2 Protection against intentional violation using simple means with low resources, generic skills and low motivation

Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation PL 3

PL 4

PL 1 Protection against casual or coincidental violation

11/29/2017 Page 23


IEC 62443 Security measures

It is concrete …

PL 1

PL 2

PL 3

PL 4

Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door

Revolving doors with card reader

Doors with card reader

Locked building/doors with keys

Awareness training (e.g. Operator Aware. training) Network segmentation

(e.g. VLAN)

Security logging on all systems

Backup / recovery system

Mandatory rules on USB sticks (e.g. Whitelisting) …

…

Automated backup / recovery

No Email, No WWW, etc. in Secure Cell

…

2 PCs (Secure Cell/outside)

…

Remote access with cRSP or equivalent

Monitoring of all human interactions

Dual approval for critical actions

Firewalls with Fail Close(e.g. Next Generation Firewall)

Monitoring of all device activities

Online security functionality verification

…

Persons responsible for security within own organization

Continuous monitoring (e.g. SIEM)

Backup verification

Mandatory security education

…

Physical network segmentation or equivalent (e.g. SCALANCE S) Remote access

restriction (e.g. need to connect principle)

+

Organize

Security

Secure Solution

Design

Secure

Operations

Secure Lifecycle

management

Secure Physical

Access

+

+

11/29/2017 Page 24


Protection Levels

Cover security functionalities and processes

11/29/2017 Page 25


Consequences

Some randomly selected points

Use of VLAN is mandatory Network Hardening is mandatory Managed Switches is mandatory Capability to backup …

Unique identification and authentication A distributed Firewalls concept has to be implemented Inventory and Network Management are mandatory Capability to automate the backup …

Even more….

11/29/2017 Page 26


IEC 62443 3-2

Generic Blueprint

11/29/2017 Page 27


IEC 62443 3-2

Zones and Conduits

Zone Enterprise Network

Zone Plant

Zone Control #1

Conduit

Zone Control #2

PL3 PL2

PL1

Trusted/Untrusted

11/29/2017 Page 28


IEC 62443-3-3

Defines security requirements for industrial control systems

FR 1 – Identification and authentication control

FR 2 – Use control

FR 3 – System integrity

FR 4 – Data confidentiality

FR 5 – Restricted data flow

FR 6 – Timely response to events

FR 7 – Resource availability

7 Foundational Requirements

11/29/2017 Page 29


SRs und REs SL 1 SL 2 SL 3 SL 4

SR 1.1 – Human user identification and authentication

SR 1.1 RE 1 – Unique identification and authentication

SR 1.1 RE 2 – Multifactor authentication for untrusted networks

SR 1.1 RE 3 – Multifactor authentication for all networks

SR 1.2 – Software process and device identification and authentication


SR 1.3 – Account management

SR 1.3 RE 1 – Unified account management

SR 1.4 – Identifier management

SR 1.5 – Authenticator management

SR 1.5 RE 1 – Hardware security for software process identity credentials

SR 1.6 – Wireless access management


FR 1 – Identification and authentication control

System Requirement Overview (Part 1)

11/29/2017 Page 30


What can we offer?

11/29/2017 Page 40


We are Certified !

Product Development, Proces Control System (PCS7) and Sub Station design

11/29/2017 Page 41


Solutions and Services aligned with your needs and budget

Comprehensive, Modular and Scalable Portfolio

Outsource? or

Insource?

11/29/2017 Page 42




Intel Security inside

• IEC 62443 Assessment

• ISO 27001 Assessment

• SIMATIC PCS 7 & WinCC

Assessment

• Risk & Vulnerability Assessment

• Security Awareness Training

• Security Policy Consulting

• Network Security Consulting

• Perimeter Firewall Installation

• Clean Slate Validation

• Anti Virus Installation

• Whitelisting Installation

• System BackUp

• Windows Patch Installation

• Industrial Security Monitoring

• Remote Incident Handling

• Perimeter Firewall Management

• Perimeter Firewall Review

• Anti Virus Management

• Whitelisting Management

• Patch & Vulnerability Management

11/29/2017 Page 43


• Firewalls

• Virtual Private Networks VPN

• Segmentering

• Demilitarized zone DMZ

• Hardening • Authentication

• Cell Protection

Industrial Security

Network Security

11/29/2017 Page 48


Industrial security appliances – SCALANCE S

Variants

SC632-2C SC636-2C S615 SC642-2C SC646-2C

11/29/2017 Page 49


• Central administration of users

and VPN connections

• Encrypted connections based on

OpenVPN

• Logging of access

• Local access management via DI

or SMS

• Simple integration

• Special IT knowledge is not required

SINEMA Remote Connect

The secure access solution

11/29/2017 Page 50


SINEMA RC example of a configuration: Remote service for series machine builders


Remote access to identical machines

• Generates devices with routing / NAT information in SINEMA RC

• Select a device via extremely simple telephone book function in SINEMA RC Client with

one mouse click

• Logging of access and 2-factor authentication and user to agree on

(AGB’s) terms and conditions

• Use of Windows, IOS and Android clients

• Well structured Whitepaper

11/29/2017 Page 51



Well structured Whitepaper

https://support.industry.siemens.com/cs/document/109746841

11/29/2017 Page 52

https://support.industry.siemens.com/cs/document/109746841


Network Security

How do you protect old, vulnerable systems?

• Access protection

• No change in the

existing system

• also with layer 2 protocols

• Adopts IP address and

changes the MAC

address automatically

• Same configuration in all firewalls (global firewall rules)

Old, vulnerable system

SCADA

Ghost Mode

11/29/2017 Page 53


Network Security

Use Hardening!

• Use Password

• Use VLAN

• Disable DCP write

• Enable Management Access

List

• Broadcast limitation

• Disable unused ports

• Enable SNMP V3

11/29/2017 Page 54


Network Security

Use Hardening!

• Use Password

• Use VLAN

• Disable DCP write

• Enable Management Access

List

• Broadcast limitation

• Disable unused ports

• Enable SNMP V3

11/29/2017 Page 55


Industrial Security

System integrity

• Password

protection • Know-how and copy protection

• Access protection

• Virus scanner whitelisting

• Secure communication VPN

and OPC-UA • Deactivation of services and

hardware interfaces

• Windows security patch management*

* https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-WW

11/29/2017 Page 56

https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-WW




Industrial Security

We have certified products…

11/29/2017 Page 57


Industrial Security

We have certified products… The Dairy situation

11/29/2017 Page 58


SCADA – Controller communication via OPC

And standard setup

SCADA

Controller

11/29/2017 Page 59

http://www.google.dk/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjiqcHTo5rMAhWENpoKHXNED9UQjRwIBw&url=http://www.ibhsoftec.com/IBH-OPC-Server-Eng&psig=AFQjCNGuS1uPy5W88cSeqPpvhDOsK5bTrQ&ust=1461140754371933



Implement a VPN and firewall concept

SCADA

Controller

Via Security CP-Cards or external

Firewall/VPN getaway for:

- S7 300 and 400

- S7 1200 and 1500

- ET 200SP CPU

- SCALANCE S (for all Controllers)

11/29/2017 Page 60



Via Security CP-Cards or Controller:

-S7-1500, 1500S, 1500T

- ET 200SP CPU

- PLCSIM Adv.

- S7 400 via CP 443-1 OPC-UA

Controller

3. Part SCADA


Implement a OPC-UA concept

11/29/2017 Page 61



11/29/2017 Author / department Page 62



Simple standadized and symbolic Read and Write Controller-data

Access possible Write access possible

SCADA, OPC UA server Controller, OPC UA client

11/29/2017 Page 63


Asset and Network Management +

Overview

It’s a System

Secure the plant Availability

Centralized Monitoring and Management

11/29/2017 Page 65


Asset and Network Management +

SINEMA Server V14

• Firmware

update

• Config. Backup / Restore

• Password

Management

• SNMP Management

• Connection to

MindSphere

• NAT V2 support

11/29/2017 Page 66


SINEMA Server

Communication to all devices

Works with:

• All IP-based devices

• Also 3. part devices

• And PROFIBUS

slaver via S7-300 or S7-

400 CPU’er

SINEMA Server

SNMP PROFINET

DCP LLDP

SIMATIC

11/29/2017 Page 67


SINEMA Server

Local or distributed architecture

SINEMA Server SCADA

Distributed architecture. Up to

50.000 nodes..

Local architecture. From 50 to 500

nodes..

SINEMA

Server

SCADA

11/29/2017 Page 68


SINEMA Server – SCADA integration

Overall diagnostic information via OPC-UA

SINEMA Server SCADA

OPC-UA

11/29/2017 Page 69


SINEMA Server – SCADA integration

Access to Views and Reports via URL’s

SINEMA Server SCADA

https://

11/29/2017 Page 70


Good2Know!

11/29/2017 Page 73


How do you stay up to date?

Subscribe to Siemens RSS Feed: www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/overview.aspx

Or to ICS-CERT: www.ics-cert.us-cert.gov/ICS-CERT-Feeds

11/29/2017 Page 74

http://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/overview.aspx





http://www.ics-cert.us-cert.gov/ICS-CERT-Feeds












Intel Security inside

• IEC 62443 Assessment

• ISO 27001 Assessment

• SIMATIC PCS 7 & WinCC

Assessment

• Risk & Vulnerability Assessment

• Security Awareness Training

• Security Policy Consulting

• Network Security Consulting

• Perimeter Firewall Installation

• Clean Slate Validation

• Anti Virus Installation

• Whitelisting Installation

• System BackUp

• Windows Patch Installation

• Industrial Security Monitoring

• Remote Incident Handling

• Perimeter Firewall Management

• Perimeter Firewall Review

• Anti Virus Management

• Whitelisting Management

• Patch & Vulnerability Management

11/29/2017 Page 75

Unrestricted © Siemens AG 2018 * SVM: Security Vulnerability Monitoring from SIEMENS CERT

Security Vulnerability Information based on MindSphere

1

2 3

App UI with

dashboards, charts

and security

bulletins

App SVM* Service DB

27.000+ components

33.000+ vulnerabilities

MindSphere

Backend /

Algorithm for data

comparison

API

csv file upload with

component list to be

monitored

Web surveillance

and more than

100 various

sources

11/29/2017 Page 76


App UI with dashboards, charts and security bulletins

11/29/2017 Page 77


Get certified!

Global training and certification program

11/29/2017 Page 78


Siemens Industrial Networks Education Program

Our current Training Offer

V1.1 Page 79

http://www.siemens.com/industrial-networks-education







We can offer you

Security Products and Solutions Security Services Security Assessments

Managed Security Industrial SIEM (Security information and event management)

And Cloud based Security Management Training and Physical Security

11/29/2017 Page 80


Products, Services and technology

What can we offer?

Market-leading portfolio for over 25 years1)

1) ARC: Global market research study »Industrial Ethernet Switches«, 2015

Software Security

Siemens

Portfolio

Remote

Wired Wireless

11/29/2017 Page 81


Industrial Ethernet

New Switches

More feauters

Lower prices

Also focus on IP65/67


The extreme flexible switch

SCALANCE XM-400

Up to 24 Gigabit ports enable high data rates for

ring structures and uplinks

+ Pay as you grow …

Expand the amount of ports or upgrade to Layer-3

+

Reduce cabling by - Supplying up

to 16 powered devices with

Power-over-Ethernet+

+

What problem do we solve?

Diagnostics per smart phone or

tablet in existing WLAN using

NFC (Near Field Communication)

+

Choose the FO connectors

flexibly according to customer’s

preference (SC, ST/BFOC or SFP)

+ preventive maintenance Build in reflectometer Scan the cobber cables and

monitor the optical connection and its performance over time

+


The brad new X200 switch family

SCALANCE XC-200, XP-200, XB-200 and XF200


XB XC

XF

XP


The brad new XR300 switch family

SCALANCE XR-300 WG


Optimally priced Ruggedized switch

+


Topologies

New Redundancy

concepts

A IEC62443 related

blueprint

Network Segmentation,

Hardning


L2 Redundancy

Media Redundancy Protocol (MRP)


L2 Redundancy

Media Redundancy with Planned Duplication of frames (MRPD)


Brand New Industrial WLAN products - SCALANCE W

Robust and compact


Space-saving mounting options

flat and book-shelf style, optional adapters

for DIN-rail / 90°mounting

+ Cost-efficent cabling

thanks to Power-over-Ethernet

+

IEEE 802.11n compliant

Up to 300 Mbit/s data rate

+

Robust housing for mounting

outside a cabinet

Protection class IP65 while compact

+


Industrial wireless LAN – SCALANCE W

Simple and fast exchange of defect devices



How do you check a connection?

• The integrated Signal

Recorder is really

cool…



How do you check for disturbance?

• The integrated

Sectrum

Analyzer is super

cool …



Frequency, HW and bumpless redundancy based on PRP

RNA Switch

VLAN – A

VLAN – B

Network – A

Network – B

RNA Switch

IO device

IO controller


Office graded Access Point

SCALANCE W1750D-2IA RJ45 based on IEEE 802.11ac

Page 95

Investment protection

through state-of-the-art technology

+

Reduced costs for cabling

thanks to Power-over-Ethernet

+

Very high data rates

up to 1733 Mbps for high-density applications +

No dedicated controller necessary thanks to integrated virtual controller

for up to 64 access points


+


We has a unique offer -

Expertise in industrial networks


Thank you for your attention

Contact info

Name Phone email

Morten Kromann

+45 2037 3508 [email protected]

Per Krog Christiansen


Lars Peter Hansen


11/29/2017 Page 97

mailto:[email protected]





Speed Flexibility Quality Efficiency · IEC 62443 The all encompassing Industrial Security Standard...

Documents

Transcript of Speed Flexibility Quality Efficiency · IEC 62443 The all encompassing Industrial Security Standard...