Page 1 DF/PD Siemens Belgium-Luxembourg
Page 2
The challenge: Increasing vulnerability
Page 3
The challenge: Increasing vulnerability
Stuxnet
Page 4
Security trends: OT security is essential to protect industrial automation
Information technologies are used in industrial automation:
• Horizontal and vertical integration
• Open standards
• PC-based systems
Increased security threats demand action:
• Loss of intellectual property, recipes …
• Plant standstill, e.g. due to viruses or malware
• Sabotage in the production plant
• Manipulation of data or application software
• Unauthorized use of system functions
• Compliance with standards and regulations is required
Page 5
The challenge: Increasing vulnerability
IT security vs. industrial security
What is it all about? An exponentially increasing number of incidents and attacks on companies, with both IT and OT as main targets.
Digitalisation
Safety & Security
Page 6
The challenge: Increasing vulnerability
IT security vs. industrial security (criterion: industrial security / IT security)
• Protection goals, in the order shown on the slide: Availability, Confidentiality, Integrity / Confidentiality, Integrity, Availability
• Installation: Plant commissioning personnel / Network specialists
• Topology: Plant-specific / Star-shaped
• Location of use: Harsh environment / Climate-controlled offices
• Device density: Low, switches with fewer ports / Large, switches with a large number of ports
• Network failure times: < 300 ms / Second to minute range accepted
• Investment life cycle: Min. 5 to 15 years / Every 2 to 3 years
Page 8
The Digital Factory needs powerful communication networks
• High data volume: broad bandwidth (GByte)
• High speed: real-time communication
• Secure connectivity: robust, reliable components and networks
• Smart assets: identification solutions for communication between smart objects
The requirements of a production network don't change: vertical integration and horizontal integration.
Page 9
The Digital Factory needs intelligent data
Page 11
The facts: Cyber threats become more specialized
Source: http://www.tuv-sud.com/news-media/news-archive/potential-attackers-can-be-anywhere
Honeynet experiment of a waterworks linked to the internet (TÜV SÜD, Germany)
[Diagram: controllers, firewalls]
EXPERIMENT: Real devices and network connected to the internet; state-of-the-art security (firewalls etc.); simulated IO and process.
RESULT: In 8 months over 60,000 attempts; attacks to manipulate, upload and change the configuration of router and PLCs; IT and industrial protocols (Modbus, S7) were used.
Page 13
Protecting productivity: The key to a secure infrastructure is defense in depth
Great wall:
• Impenetrable wall
• One-layer protection
• One point of attack
Defense in depth:
• Multi-layer protection
• Each layer protects the other layers
• An attacker must spend time and effort at each transition
A single protection measure is never enough to withstand a threat!
Page 14
Industrial Security: The Siemens Solution
Plant security:
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle (security services & monitoring)
Network security:
• Secure remote access to the plant via the Internet or mobile networks with VPN
• Protection of the plant / machine network through segmentation
• Secured communication
System integrity:
• Protection of system integrity through integrated functions
• Access protection and rights management
• System hardening
Page 15
Plant security: Typical examples from real life
Page 16
Plant security: Establishing a security management process and organization
Security management is essential for a well thought-out security concept.
Security management process:
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation & improvement
• Risk analysis with definition of mitigation measures
• Setting up of policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of the risk analysis
[Risk matrix: amount of loss (very low, low, medium, high, very high) against probability of occurrence (very low, low, medium, high, very high); the cells are divided into acceptable risks and unacceptable risks]
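A worked illustration of the risk analysis step, added here as an example and not taken from the Siemens deck: the slide's 5x5 matrix of amount of loss against probability of occurrence is scored, and each threat is sorted into the acceptable or the unacceptable region, which is the list that mitigation measures are then defined for. The slide only draws the boundary, so the threshold (`UNACCEPTABLE_FROM`) and the sample threats are assumptions.

```python
# Added example, not from the original slides: scoring the slide's 5x5 risk
# matrix (amount of loss x probability of occurrence) and splitting threats into
# acceptable and unacceptable risks, the input for the mitigation measures.

LEVELS = ("very low", "low", "medium", "high", "very high")

# Assumption: a product of the two 1..5 indices of 12 or more lies in the
# "unacceptable risks" region of the matrix. The slide draws the boundary
# graphically and gives no formula, so this threshold is a constructed choice.
UNACCEPTABLE_FROM = 12


def level_index(level: str) -> int:
    """Map a level name from the matrix axes to 1..5 (very low .. very high)."""
    key = " ".join(level.lower().split())
    if key not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(key) + 1


def risk_score(amount_of_loss: str, probability: str) -> int:
    """Cell value of the matrix: loss index times probability index (1..25)."""
    return level_index(amount_of_loss) * level_index(probability)


def classify(amount_of_loss: str, probability: str) -> str:
    """'unacceptable' if the cell lies on or above the assumed boundary."""
    score = risk_score(amount_of_loss, probability)
    return "unacceptable" if score >= UNACCEPTABLE_FROM else "acceptable"


def risk_analysis(threats):
    """threats: iterable of (name, amount_of_loss, probability).

    Returns a list of dicts sorted by descending score; the entries marked
    'unacceptable' are the ones for which mitigation measures must be defined.
    """
    rows = []
    for name, loss, prob in threats:
        rows.append({
            "threat": name,
            "score": risk_score(loss, prob),
            "class": classify(loss, prob),
        })
    rows.sort(key=lambda r: (-r["score"], r["threat"]))
    return rows


def needs_mitigation(threats):
    """Names of the threats that fall into the unacceptable region."""
    return [r["threat"] for r in risk_analysis(threats) if r["class"] == "unacceptable"]


# Constructed sample threats, drawn from the threat list on page 4; the
# loss/probability ratings are invented for the demonstration.
SAMPLE_THREATS = [
    ("plant standstill due to malware", "very high", "medium"),         # 5 x 3 = 15
    ("loss of recipes", "high", "low"),                                 # 4 x 2 = 8
    ("unauthorized use of system functions", "medium", "high"),         # 3 x 4 = 12
    ("manipulation of application software", "very high", "very low"), # 5 x 1 = 5
]

if __name__ == "__main__":
    for row in risk_analysis(SAMPLE_THREATS):
        print(f'{row["score"]:>2}  {row["class"]:<12} {row["threat"]}')
```

Rerunning `risk_analysis` with the ratings adjusted after a measure has been implemented is the "regular / event-based repetition" step of the process; a threat only leaves the mitigation list once its re-rated cell falls below the boundary.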
Page 17
Industrial Security: The Siemens Solution (overview repeated from page 14)
Page 18
Network security: We come from isolated production islands…
Page 19
Network security: Everything has to be connected
[Diagram: Internet/IT, unmanaged switch, wireless, Ethernet, Profinet/Profisafe, SCADA]
Page 20
Network security, solution 1: Cell protection with CP
[Diagram: Internet/IT, wireless, MRP ring, CP card]
Page 21
Network security, solution 1: Cell protection with CP
[Diagram: Internet/IT, wireless, two MRP rings; from the 1515 on: 2 network cards (CP card); addresses 172.16.0.1 and 172.16.0.2 on the upper network, 192.168.0.1, 192.168.0.2 and 192.168.0.3 inside each cell]
In the future: more & more IP addresses
Page 22
Network security: Cell protection with CP, portfolio
Cell segmentation: S7-1500: CM 1542-1; S7-300/S7-400: CP 343-1 / CP 443-1; ET200 SP CPU: CP 1542SP-1; PC: CP 1616 / 1612 / 1613 / 1623 / 1626
Cell protection: S7-1500: CM 1543-1; S7-1200: CP 1243-1; S7-300/S7-400: CP 343-1 / CP 443-1 Advanced; ET200 SP CPU: CP 1543SP-1; PC: CP 1628
Page 23
Network security: Profinet should be safe now… Next improvements
[Diagram: Internet/IT, wireless, two MRP rings, CP card]
Page 24
Network security, solution 2: Segmentation and use of VLANs
[Diagram: Internet/IT, managed switches, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, SCADA]
Page 25
POLL 1: What is the smallest switch we can use to configure VLANs?
• Scalance XB004-1
• XC108
• XB208
• XC208
• XM408
Page 26
Future network portfolio X200 – X300 (layer 2 managed)
Previous portfolio -> future portfolio:
• XR-300 -> XR-300 (additional versions)
• X-300 -> XC-200 (new product line)
• X-200 -> XB-200
• X-200PRO -> XP-200 (new product line of the IP65/67 switches)
• X-200IRT -> X-200IRT (additional versions)
• X-200RNA -> X-200RNA, XF-200BA DNA
Product line descriptions:
• XR-300: 19" rack switches
• X-300, X-200: compact managed (previous portfolio)
• XP-200: protected (IP65/67) managed
• XC-200: compact managed (future portfolio)
• XB-200: box managed
• XF-200: flat managed
• X-200IRT: IRT managed switches
• X-200RNA: switches for redundant network structures
Page 27
Network security: Each segment is more secure now… Other optimizations?
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, each on a Scalance XB/XC200 switch, SCADA]
Page 28
Network security: Configure the PC in another VLAN
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, each on a Scalance XB/XC200 switch, SCADA now in VLAN 20]
Page 29
Network security: Add a router (XM400)
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13 on Scalance XB/XC200 switches, a Scalance XM400 routing between the VLANs, SCADA in VLAN 20]
Firewall rules on the router:
Action | From | To | Source (range) | Destination (range) | Service
Accept | Vlan2 | Vlan1 | 192.168.1.10/32 | 192.168.2.20/32 | Destination port X
Accept | Vlan1 | Vlan2 | 192.168.2.20/32 | 192.168.1.10/32 | Destination port X
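To show what the two rules in the table actually permit, here is an added example (not code from the slides or from any Siemens product) that evaluates sample packets against them with a default-deny policy and audits the rule set for entries wider than one host or one service. The rules are stateless as written, which is why the slide needs the second rule for the reverse direction. The slide leaves the service as "destination port X", so `PORT_X` is a constructed placeholder, and the packet samples are constructed too.

```python
# Added example, not part of the Siemens slides: evaluating packets against
# the two inter-VLAN rules shown on the slide with a default-deny policy, and
# a small audit that flags rules broader than a single host or a single port.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The slide leaves the service as "destination port X"; 4840 is a constructed
# placeholder value for it, not taken from the slide.
PORT_X = 4840


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src_vlan: str          # "From" column
    dst_vlan: str          # "To" column
    src: str               # source range (CIDR)
    dst: str               # destination range (CIDR)
    dport: Optional[int]   # destination port, None = any service


@dataclass(frozen=True)
class Packet:
    src_vlan: str
    dst_vlan: str
    src_ip: str
    dst_ip: str
    dport: int


# The two rules from the slide's table, in the order shown.
SLIDE_RULES = [
    Rule("accept", "Vlan2", "Vlan1", "192.168.1.10/32", "192.168.2.20/32", PORT_X),
    Rule("accept", "Vlan1", "Vlan2", "192.168.2.20/32", "192.168.1.10/32", PORT_X),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when VLANs, both address ranges and the service agree."""
    return (
        rule.src_vlan == pkt.src_vlan
        and rule.dst_vlan == pkt.dst_vlan
        and ip_address(pkt.src_ip) in ip_network(rule.src)
        and ip_address(pkt.dst_ip) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(pkt: Packet, rules=SLIDE_RULES, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched falls to the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def broad_rules(rules, max_hosts: int = 1):
    """Indices of accept rules that permit more than max_hosts addresses on
    either side or any service: candidates for tightening during a review."""
    flagged = []
    for i, rule in enumerate(rules):
        if rule.action != "accept":
            continue
        too_wide = (
            ip_network(rule.src).num_addresses > max_hosts
            or ip_network(rule.dst).num_addresses > max_hosts
        )
        if too_wide or rule.dport is None:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("Vlan2", "Vlan1", "192.168.1.10", "192.168.2.20", PORT_X),  # allowed
        Packet("Vlan2", "Vlan1", "192.168.1.10", "192.168.2.20", 80),      # wrong service
        Packet("Vlan2", "Vlan1", "192.168.1.11", "192.168.2.20", PORT_X),  # other host
        Packet("Vlan1", "Vlan3", "192.168.2.20", "192.168.3.5", PORT_X),   # no rule at all
    ]
    for p in samples:
        print(evaluate(p), p)
```

Only the single host pair on the single service passes; every other VLAN crossing, including the SCADA VLAN, is dropped by the default, which is the behaviour segmentation is meant to give.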
Page 30
Network security: Other improvements?
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13 on Scalance XB/XC200 switches, Scalance XM400 router, SCADA in VLAN 20]
Page 31
Network security, optimization 2: Create a production backbone
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13 on Scalance XB/XC200 switches, Scalance XM400, SCADA in VLAN 20, redundant production backbone (MRP)]
Page 32
Network security: Firewalls
Innovative technologies to connect safely and securely with your business network:
• Network segmentation (security cells)
• Firewalls (front & back)
• VPN tunnels (IPsec)
• Demilitarized zone (DMZ)
Page 33
Network security, solution: Install a firewall
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, router Scalance XM400, SCADA in VLAN 20]
Page 34
Network security: Final solution
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, Scalance S firewall, SCADA in VLAN 20, redundant production backbone]
Page 35
Network security: Final solution
[Diagram: Internet/IT, MRP rings, CP card, Segment 1 = VLAN 11, Segment 2 = VLAN 12, Segment 3 = VLAN 13, Scalance S firewall, SCADA in VLAN 20, redundant production backbone]
Strong communication network and basis for digitalization:
• High speed: real-time communication
• High data volumes: bandwidth
• Availability: fast redundancy
• Protection against IT: security
• Flexibility: easy extension (plug'n'play)
• Reliable components: robust
Page 36
Network security: SCALANCE S portfolio
(Legend: product in development / product available)
Firewall, NAT, VPN:
• S615: maximum 64 rules, 20 VPNs
• S612, S623, S627-2M: maximum 256 rules, 128 VPNs
• SC642-2C, SC646-2C: maximum 1000 rules, 200 VPNs
Firewall, NAT:
• S602: maximum 256 rules
• SC632-2C, SC636-2C: maximum 1000 rules
Performance by column (S615 / S6xx / SC6xx):
• Interfaces: 10/100 Mbps (S6xx); 10/100/1000 Mbps (SC6xx)
• Firewall/routing: 100 Mbps / 200 Mbps / 600 Mbps
• VPN: 35 Mbps / 55 Mbps / 120 Mbps
Page 37
Network security: Alternative for cell protection, again with CP cards…
[Diagram: Internet/IT, wireless, two MRP rings, CP card]
Only S7 routing is possible here.
Page 38
Network security: Instead of CP cards, SCALANCE S can also be used for cell protection
Page 39
Network security: VPN tunnels
Innovative technologies to connect safely and securely with your business network:
• Network segmentation (security cells)
• Firewalls (front & back)
• VPN tunnels (IPsec)
• Demilitarized zone (DMZ)
Page 40
Network security: Remote maintenance with SINEMA RC server
[Diagram: SIMATIC S7-1200, S7-1500 and S7-300 stations behind SCALANCE S615 units and a SCALANCE M876-4, connected over a mobile wireless network and Internet routers to SINEMA Remote Connect; the SINEMA RC client sits in the company network]
*) As from firmware V4.2
Page 41
Network security: Remote access with SINEMA Remote Connect
Page 42
Network security: Condition monitoring
Configuration example SINEMA Remote Connect: Condition monitoring
Task:
• Central management of the connections needed to acquire status / maintenance data
Solution:
• Transparent communication structure via standard IP mechanisms
• Connection via various media to the routers in the SCALANCE M portfolio
• Central management of the communication network in SINEMA RC
• Establishment of the VPN tunnel from the field
Benefits:
• Transparency and overview of the remote maintenance network
• Easy, secure operation without specialized IT know-how
• Transparent IP communication
• Secured remote access (via VPN tunnel)
Page 43
Network security: SCALANCE M portfolio
Columns: WAN interface | IE number of ports | DI/DO | FW/VPN (IPsec)/NAT | OpenVPN* | VRRP/HSR/MRP/RSTP* | WBM | TIA Portal / CLI* | KBA** (e1/E1)/EN50155 | Data rate (downlink / uplink); the list price column is not filled in on the slide
• SCALANCE M874-2: 2G / EDGE | 2 | 1/1 | yes | yes | yes | yes | yes | no | up to 237 kbit/s / up to 237 kbit/s
• SCALANCE M874-3: 3G / HSPA+ | 2 | 1/1 | yes | yes | yes | yes | yes | no | up to 14,4 Mbit/s / up to 5,76 Mbit/s
• SCALANCE M876-3: 3G / HSPA+ EV-DO | 4 | 1/1 | yes | yes | yes | yes | yes | no | up to 14,4 Mbit/s / up to 5,76 Mbit/s
• SCALANCE M876-4: 4G / LTE | 4 | 1/1 | yes | yes | yes | yes | yes | no | up to 100 Mbps / up to 50 Mbps
*In preparation **KBA = Federal Motor Transport Authority
Page 44
Networks: SINEMA Remote Connect start package
Page 45
POLL 2: What's the price to begin with the starter package of the Scalance S615?
• 200-400 €
• 400-600 €
• 600-800 €
• 800-1000 €
• > 1000 €
Page 46
Network security: DMZ zone
Innovative technologies to connect safely and securely with your business network:
• Network segmentation (security cells)
• Firewalls (front & back)
• VPN tunnels (IPsec)
• Demilitarized zone (DMZ)
Page 47
Network security: DMZ zone
Task: Network users (e.g. MES servers) should be reachable from the secure and the non-secure network without creating a direct connection between the networks.
Solution: A DMZ can be established on the yellow port of the SCALANCE S623, in which the aforementioned server can be placed.
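The property the slide asks for (both networks reach the MES server, the networks never reach each other) can be checked on the zone policy before it is typed into a firewall. The following is an added example, not Siemens code and not a SCALANCE S configuration: zone names, the policy and the "forwarding" flag are constructed. It also shows the failure mode a reviewer looks for: a DMZ-to-production rule stays harmless only as long as the DMZ host does not relay traffic.

```python
# Added example, not part of the Siemens slides: a zone-policy check for the
# DMZ design described on the slide. Zone names and the policy are constructed.
from collections import deque

SECURE = "production"      # the secure (plant) network
NONSECURE = "office"       # the non-secure (enterprise) network
DMZ = "dmz"                # the MES server zone on the firewall's DMZ port

# Which zone may open connections to which zone. Both networks may reach the
# DMZ; the two networks never talk to each other directly.
DMZ_POLICY = {
    (NONSECURE, DMZ),
    (SECURE, DMZ),
}


def direct_bridges(policy):
    """Policy entries that connect the secure and non-secure zones directly,
    in either direction; the DMZ design requires this list to be empty."""
    return sorted(p for p in policy if set(p) == {SECURE, NONSECURE})


def reachable(src, dst, policy, forwarding_zones=frozenset()):
    """True if src can reach dst over the policy. Intermediate zones are only
    traversed if they forward traffic (e.g. a DMZ host with IP forwarding on);
    a server that merely answers requests does not relay between its peers."""
    seen = {src}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        for a, b in policy:
            if a != here or b in seen:
                continue
            if b == dst:
                return True
            if b in forwarding_zones:
                seen.add(b)
                queue.append(b)
    return False


def check_design(policy, forwarding_zones=frozenset()):
    """Summarise the properties the slide asks for."""
    return {
        "office_reaches_mes": reachable(NONSECURE, DMZ, policy, forwarding_zones),
        "production_reaches_mes": reachable(SECURE, DMZ, policy, forwarding_zones),
        "office_reaches_production": reachable(NONSECURE, SECURE, policy, forwarding_zones),
        "direct_bridges": direct_bridges(policy),
    }


# Constructed variant: a later change lets the MES server poll the plant.
RELAXED_POLICY = DMZ_POLICY | {(DMZ, SECURE)}

if __name__ == "__main__":
    print("as designed:        ", check_design(DMZ_POLICY))
    print("relaxed, no relay:  ", check_design(RELAXED_POLICY))
    # If the MES server were turned into a router, the DMZ would become a bridge:
    print("relaxed, dmz relays:", check_design(RELAXED_POLICY, frozenset({DMZ})))
```

With the policy as designed, `office_reaches_production` is false regardless of what the DMZ host does. With the relaxed policy it stays false only while the DMZ host is not forwarding, so hardening the server (no IP forwarding, no second interface into production) becomes part of the design, not an afterthought.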
Page 48
Why choose the Siemens network solution? Only Siemens has integrated solutions for automation and communication
[Diagram: core network, TIA Portal, SCADA; defined interface between office IT & production; efficient engineering of the complete production network with TIA Portal; high-performance, highly available communication]
Why is office IT not sufficient for production?
High availability, to avoid significant economic losses or other damages:
• 100% uptime for secured productivity
• Specific (different) network structures (star <-> complex)
• Ring structures (e.g. MRP)
• 2/3 sec. network recovery not acceptable
Determinism:
• Different protocols (Profinet, Profisafe, …)
• Real-time requirements of automation tasks
• Short recovery times
Support IT:
• IT not in the field; changes / diagnostics of the network have to be fast
• IT sometimes in other countries; sometimes a case has to be made
• Windows updates (not compatible with industry software)
Page 49
Why choose the Siemens network solution? Only Siemens has integrated solutions for automation and communication
[Diagram: core network, TIA Portal, SCADA; efficient engineering of the complete production network with TIA Portal]
What is the benefit of Siemens (TIA Portal)?
Efficient engineering, fast commissioning: consistent data management and minimized training effort (TIA Portal)
Fast fault localization:
• Integrated diagnostics down to the field level
Maintenance:
• Experience + everything in one hand (TIA)
• No other software
• C-PLUG (or exchange without PC)
Industrial:
• Temperature, dust, corrosive atmospheres
• Vibrations, fanless
• Number of ports (DIN rail)
Trust Siemens:
• All components tested together
• 5 years warranty
• Security
Page 50
Digitalization -> enterprise and production layer get more closely connected
Yesterday: Limited interoperability
• Enterprise / Production: limited communication between the enterprise and production layer
Today: Arising challenges through increasing interoperability
• Enterprise management, production operator, control, field: the challenge is to handle the complexity of increasing communication (interoperability)
Future: Defined interface to handle complexity
• Enterprise network / production backbone / production cell: two dedicated networks with a defined, managed interface
Page 51
Industrial Security: The Siemens Solution (overview repeated from page 14)
Page 52
System integrity: S7-1500 system hardening
Know-how protection: Protection of the intellectual property of program code; know-how protection for PLC program blocks.
Communication integrity: Detection of manipulated communication data; engineering and HMI communication with integrated security (TIA Portal, controller, HMI).
Access protection: Protection against unauthorized access and configuration changes; protection level concept with different access rights incl. HMI connections (engineering, maintenance, operation, remote control).
Copy protection: Protection against unauthorized duplication of runtime program code; bind program blocks to hardware serial numbers (CPU or SD card).
[Diagram: engineering system, controllers, storage A / storage B]
Page 53
System integrity: Essential mechanisms
System hardening (reduce the attack surface):
• Per default PCs have software installed which is not required for normal plant operation
• Usually malware is created for widely-used software applications like IE, Adobe, ActiveX, JavaScript, …
Anti-virus and whitelisting (continuous identification and prevention of malware):
• Protection against viruses, worms and trojans with anti-virus programs
• Protection against unwanted applications and malware with application whitelisting
Patch management (continuous deployment of security patches and updates):
• All patches should be tested for compatibility
• Central patch distribution
• Creation of patch groups and strategies for updates without interrupting plant operation
Authentication and user management (management of user and operator rights):
• "Minimality principle" applies
• Clear assignment of roles and rights
• Use of secure passwords
• Access protection for ICS project data
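The whitelisting mechanism on this slide comes down to comparing what is on a machine against an approved baseline. As an added example (not Siemens code and not how any specific whitelisting product is implemented), the block below builds an allowlist of SHA-256 hashes from an approved installation, then rescans and reports each file as allowed, tampered (approved name, different content) or unknown (never approved). The directory and file contents are constructed in a temporary folder so it runs offline.

```python
# Added example, not from the Siemens slides: a minimal application
# whitelisting check. An allowlist of SHA-256 hashes is built from the
# approved installation, then a directory is scanned and each file is reported
# as allowed, tampered (known name, different hash) or unknown (not approved).
# The files and their contents below are constructed for the demonstration.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Map relative file name -> hash for every file under the approved tree."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, allowlist: dict) -> dict:
    """Classify every file under root against the allowlist."""
    approved_hashes = set(allowlist.values())
    result = {"allowed": [], "tampered": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        name = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if digest in approved_hashes:
            result["allowed"].append(name)
        elif name in allowlist:
            result["tampered"].append(name)   # approved name, unexpected content
        else:
            result["unknown"].append(name)    # never approved: block and investigate
    return result


def demo() -> dict:
    """Build the allowlist from a constructed 'golden' state, then simulate a
    modified binary and a dropped-in extra tool before rescanning."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi_runtime.exe").write_bytes(b"approved HMI runtime build 1")
        (root / "plc_loader.exe").write_bytes(b"approved loader build 7")
        allowlist = build_allowlist(root)

        # Changes after the baseline was taken (constructed):
        (root / "plc_loader.exe").write_bytes(b"loader with modified content")
        (root / "unexpected_tool.exe").write_bytes(b"not part of the baseline")
        return scan(root, allowlist)


if __name__ == "__main__":
    print(demo())
```

Because the decision is made on content hashes rather than file names, a patched binary shows up as "tampered" even though its name is approved; this is also why the patch management step on the same slide has to regenerate the allowlist after every tested update, or the legitimate patch will be blocked.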
Page 54
Industrial Security: Siemens Security Services
Siemens Plant Security Services: Assess security, Implement security, Manage security
Siemens products and systems offer integrated security:
• Know-how and copy protection
• Firewall and VPN (Virtual Private Network)
• Authentication and user management
• System "hardening"
The Siemens security concept: "Defense in Depth"
Page 55
Industrial Security: Siemens Security Services
Assess security (evaluation of the current security status of an ICS environment):
• IEC 62443 Assessment
• ISO 27001 Assessment
• SIMATIC PCS 7 and WinCC Assessment
• Risk and Vulnerability Assessment
Implement security (risk mitigation through implementation of security measures for reactive protection):
• Security Awareness Training
• Security Policy Consulting
• Network Security Consulting
• Perimeter Firewall Installation
• Clean Slate Validation
• Anti Virus Installation
• Whitelisting Installation
• System Backup
• Windows Patch Installation
Manage security (comprehensive security through monitoring and proactive protection):
• Industrial Security Monitoring
• Remote Incident Handling
• Perimeter Firewall Management
• Perimeter Firewall Review
• Anti Virus Management
• Whitelisting Management
• Patch and Vulnerability Management
Partner labels on the slide: "McAfee inside", "SecureGUARD inside"
Page 56
Industrial Security: CERT@Siemens (Cyber Emergency Readiness Team)
www.siemens.com/industrialsecurity
Page 57
Industrial Security: Security of Siemens products, granted certificates
• TIA Ethernet based devices, e.g. S7-1500, 1505S, S7-300, CP343-1, SCALANCE S, …: protection against DoS attacks; defined behavior in case of attack; improved availability. Find more information: http://www.wurldtech.com/product_services/certifications/certified_products/
• S7-1500 controllers, XM408-8C: first security level certification (CSPN, Certification de Sécurité de Premier Niveau). Find more information: http://ssi.gouv.fr/certification_cspn/simatic-s7-1518-4-version-du-micrologiciel-1-83/
• Development process: certification of the "Secure Product Development Lifecycle" for Divisions DF and PD based on IEC 62443-4-1
Page 58
Best Application Contest: Now – September 21
Page 59
What: Collection of your success stories (with Siemens technology) in Industrial Security
Why?
• You win: a voucher for Siemens' automation portfolio of 5000 €, 3000 €, 2000 €
• Free publicity for almost 1 year
• Recognition at the Award Show (and far beyond)
How?
• Oct 1, 2017 - May 30, 2018: enter your project at www.siemens.be/best-application-contest
• June 1, 2018 - August 30, 2018: voting period
• Sept 20, 2018: Award Show
Page 60
Industrial Security
If you want to work securely
Work with
Page 61