4. Poglavje - kocmat20.com

Oct 16, 2021

Page 1: 4. Poglavje - kocmat20.com

Chapter 4

Industrial Security and management of industrial networks

Matjaž Demšar

GSM: +386 (31) 684 810

[email protected]

Page 2: 4. Poglavje - kocmat20.com

Reliable industrial communication networks are the backbone of a digital enterprise.

Page 3: 4. Poglavje - kocmat20.com

Industrial Security: Essential in the Age of Digitalization

Page 4: 4. Poglavje - kocmat20.com

Challenges for Companies: Productivity, Cost Pressure and Regulations

Protect Productivity, i.e. protect against:

• Externally caused incidents through increasing connectivity

• Internal misbehavior

• The evolving threat landscape

Reduce cost, i.e. costs:

• For qualified personnel

• For essential security technologies

Comply to regulations, i.e. comply to:

• Reporting requirements

• Minimum standards

• Security know-how

Page 5: 4. Poglavje - kocmat20.com

IT Security priorities: confidentiality, integrity, availability

Industrial Security priorities: availability, integrity, confidentiality

Challenge: bring everyone to the table

Page 6: 4. Poglavje - kocmat20.com

Challenges are similar but reality is very different in IT and Industrial (OT) Security

IT Security vs. Industrial Security:

• Asset lifecycle: 3-5 years vs. 20-40 years

• Software lifecycle: forced migration (e.g. PCs, smart phones) vs. usage as long as spare parts are available

• Options to add security SW: high (> 10 “agents” on office PCs) vs. low (old systems w/o “free” performance)

• Heterogeneity: low (~2 generations, Windows 7 and 10) vs. high (from Windows 95 up to 10)

• Main protection concept: standards based (agents & forced patching) vs. case and risk based

• Primary protection goal: confidentiality vs. availability

Page 7: 4. Poglavje - kocmat20.com

The ever-changing threat landscape

• Cybersecurity laws and regulations

• Internet of Things

• Professional hackers

• Vulnerabilities

Page 8: 4. Poglavje - kocmat20.com

Evolution of the cyber threat landscape

Eras: Digital Information Processing, Digital Connectivity, Digital Automation and Intelligence; the timeline runs from the 1950s to the 2020s.

Milestones:

• Military, governments and other organizations implement computer systems

• Home computer is introduced

• Computers make their way into schools, homes, business and industry

• Digital enhancement of electrification and automation

• The World Wide Web becomes publicly accessible

• The globe is connected by the internet

• Mobile flexibility

• Cloud computing enters the mainstream

• Internet of Things, smart and autonomous systems, Artificial Intelligence, Big Data

• Industry 4.0

Attacks and incidents along the timeline: Blue Boxing, AT&T hack, Morris Worm, AOHell, cryptovirology, Level Seven Crew hack, denial of service attacks, phishing, Stuxnet, targeting critical infrastructure, SCADA hacks, sl1nk, Cloudbleed, WannaCry, NotPetya, Industroyer/Crashoverride, Meltdown/Spectre, cyberwar.

The threat landscape keeps growing and changing, and attackers are targeting industrial and critical infrastructures.

Page 9: 4. Poglavje - kocmat20.com

Challenges and drivers: Most critical threats to Industrial Control Systems

Industrial Control System Security: Top 10 Threats and Countermeasures¹

1. Infiltration of Malware via Removable Media and External Hardware

2. Malware Infection via Internet and Intranet

3. Human Error and Sabotage

4. Compromising of Extranet and Cloud Components

5. Social Engineering and Phishing

6. (D)DoS Attacks

7. Control Components Connected to the Internet

8. Intrusion via Remote Access

9. Technical Malfunctions and Force Majeure

10. Compromising of Smartphones in the Production Environment

Outdated operating systems² (end of support):

• Windows NT 4.0: 30 June 2004

• Windows XP: 8 April 2014

• Windows 7: 14 January 2020

• Windows 10: 14 October 2025

¹ Source © BSI Publications on Cyber Security | Industrial Control System Security 2019. ² Source © Microsoft

Page 10: 4. Poglavje - kocmat20.com

Industrial Security: Lifecycle of security management

• Assess Security: evaluation of the current security status of an ICS environment

• Implement Security: risk mitigation through implementation of security measures

• Manage Security: comprehensive security through monitoring and vulnerability management

Page 11: 4. Poglavje - kocmat20.com

Industrial Security: Phases in detail

Assess Security:

• IEC 62443

• ISO 27001

• Penetration testing

Implement Security:

• User Training

• OT network infrastructure

• Automation Firewalls

• Application Whitelisting

• Antivirus

• Industrial Anomaly Detection

Manage Security:

• Industrial Security Monitoring

• Industrial Vulnerability Management

• Patch Management

• Remote Incident Handling

Page 12: 4. Poglavje - kocmat20.com

Assess Security: Following a risk-based approach

Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risks and recommendations of security measures to close the identified gaps.

Page 13: 4. Poglavje - kocmat20.com

IEC 62443 Assessment: Assessment of compliance to the IEC 62443 international standard

• Focus on parts 2-1 “Establishing an industrial automation and control system security program” and 3-3 “Security for industrial process measurement and control – Network and system security”

• 2 days on-site with the customer, coordinated by a security consultant and a security engineer

• Questionnaire-based checklist to identify and classify risks

• Up to 30 pages report containing recommendations for risk mitigation measures

Figures: questionnaire, result spider diagram, result bar chart

Page 14: 4. Poglavje - kocmat20.com

ISO 27001 Assessment: Assessment of security according to the ISO 27001 international standard

• 1 day on-site workshop with the customer to identify and classify risks

• Coordinated by a security consultant and a security engineer

• Typical attendants: management and the customer’s responsible persons for production, IT security and physical security, maintenance staff, engineering staff, …

• Offline evaluation of the results

• Up to 30 pages report containing analysis, recommendations for risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)

Page 15: 4. Poglavje - kocmat20.com

Network Scanning: Detection of relevant vulnerabilities in the production environment

Rapid transparency over vulnerabilities, end-of-life information and mitigations in automation environments

Industrial scan profiles optimized for the production environment

… reduce the risk of downtimes

… provide relevant results only

Service delivery by automation specialists ensures the project‘s success by

… deep system know-how

… combined expertise within the IT and OT area

Figures: visualization of scan results (vulnerabilities, configuration problems); selected open-source and commercial tools

Page 16: 4. Poglavje - kocmat20.com

June 2018

Implement Security: To mitigate risks

Implement Security means the implementation of security measures to increase the protection level of shop-floor environments.

Page 17: 4. Poglavje - kocmat20.com

Security Awareness Training

Challenge

• 91% of the security incidents in 2015 consisted of stolen credentials by use of phishing e-mails¹

• Only 3% of targeted individuals reported the phishing e-mail¹

• 70% of all security incidents are caused by human error²

Common approach

• No cyber security training at all

• Cyber security training for the office environment focusing on classic IT security topics

Weak points of the common approach

• Increased vulnerability due to human error threats

• Lack of automation perspective when training staff on cyber security topics

Goal

Increase security awareness among shop-floor staff to avoid security incidents caused by human error

¹ Source © Verizon 2016

² Source © Ponemon Institute Research 2013

Page 18: 4. Poglavje - kocmat20.com

OT network infrastructure and policies

Policy Consulting

• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop-floor

• Integration with existing enterprise cybersecurity practices

• Examples: patch and backup strategy, handling of removable media

Industrial Network Security Consulting

• Cell segmentation of networks based on the IEC 62443 standard or the SIMATIC PCS 7 and WinCC security concept

• Design and planning of a perimeter protection (DMZ, demilitarized zone)

• Perimeter firewall rule establishment, review and implementation

Figure: Protected Zone, DMZ, Unsecure Zone

Page 19: 4. Poglavje - kocmat20.com

Automation Firewall Next Generation

Digital Factory Division

Challenge

• Shop-floor landscape changed from isolated islands to highly complex networks

• Automation networks historically grown and often evolved to huge flat networks without any segmentation

Today’s solutions

• Perimeter protection for the office environment or the whole site

• Perimeter protection for the automation network but controlled by office IT without automation know-how

Weak points of today’s solutions

• Spread of failures due to flat networks

• Inconsistent configuration of protection measures due to lack of automation expertise (e.g. perimeter firewall configured to protect the office against the automation network and not the other way around)

• No perimeter protection at all

Goal

Increase network security with a perimeter protection solution in line with security requirements for industrial automation, tested and approved for usage with the Siemens process control system
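As an added example (my code, not from the slides or from Siemens), here is a small Python check for the misconfiguration named above: it classifies each allow rule by the zones of its endpoints and flags rules that connect the Unsecure Zone and the Protected Zone directly (bypassing the DMZ) or that let a less trusted zone initiate connections into the automation cell. The zone address ranges, the rule format and the sample rule set are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Trust ranking of the three zones on the slide: higher = more trusted.
TRUST = {"unsecure": 0, "dmz": 1, "protected": 2}

# Constructed address plan (placeholder ranges, not from the deck).
ZONES = {
    "protected": ip_network("10.10.0.0/16"),    # automation cell(s)
    "dmz":       ip_network("10.20.0.0/24"),    # jump hosts, WSUS/AV relays
    "unsecure":  ip_network("192.168.0.0/16"),  # office / enterprise network
}

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of the side that initiates the connection
    dst: str      # CIDR of the responding side
    dport: int
    action: str   # "allow" or "deny"

def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it, or 'unknown'."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"

def review_rules(rules):
    """Return (rule, finding) pairs for allow rules that violate the zone policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open a conduit
        s, d = zone_of(r.src), zone_of(r.dst)
        if "unknown" in (s, d):
            findings.append((r, "endpoint outside every defined zone"))
        elif {s, d} == {"unsecure", "protected"}:
            findings.append((r, "direct conduit between Unsecure and Protected Zone bypasses the DMZ"))
        elif d == "protected" and TRUST[s] < TRUST[d]:
            findings.append((r, f"connection initiated from {s} into the Protected Zone"))
    return findings

# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    Rule("10.10.1.0/24", "10.20.0.10/32", 8530, "allow"),   # cell pulls updates from DMZ WSUS: fine
    Rule("192.168.5.0/24", "10.20.0.20/32", 443, "allow"),  # office reaches a DMZ web service: fine
    Rule("192.168.0.0/16", "10.10.0.0/16", 3389, "allow"),  # office RDP straight into the cell
    Rule("10.20.0.10/32", "10.10.1.0/24", 445, "allow"),    # DMZ host opening SMB into the cell
    Rule("10.10.0.0/16", "0.0.0.0/0", 80, "allow"),         # cell to anywhere: undefined zone
    Rule("0.0.0.0/0", "10.10.0.0/16", 0, "deny"),           # default deny, ignored by the review
]

if __name__ == "__main__":
    for rule, why in review_rules(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.dport}: {why}")
```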

Page 20: 4. Poglavje - kocmat20.com

Application Whitelisting

Challenges

In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged; some of them were more than a decade old¹.

Total zero-day vulnerabilities increased exponentially in the last years²:

• 2013: 23

• 2014: 24 (+4%)

• 2015: 54 (+125%), more than one per week

Our Solution

With an Application Whitelisting application, only trusted applications are allowed to run on the computer systems. These applications are maintained in a positive list (whitelist). It prevents the execution of unknown applications and executables such as malware or unwanted applications.

The Application Whitelisting application must be approved for use with different automation and process control software products like SIMATIC PCS 7, WinCC and SINUMERIK³.

¹ Source © CNN Money | ² Source © Symantec | ³ Selected SINUMERIK 840D PCU50.X versions

Page 21: 4. Poglavje - kocmat20.com

Antivirus

Challenges

The total number of 2015 vulnerabilities reflects a 77% increase compared to 2011¹.

Almost one million never-before-seen malware samples are released on a daily basis².

Until now, more than 550 million malware samples have been released in 2016³.

Information technologies are used in industrial automation. The number of open standards and PC-based systems has increased enormously in the last years.

Solution

Antivirus software protects systems and single files from virus infections, trojans and other malware by using continuously updated signature files.

The antivirus application must be approved for use with different Siemens software products like SIMATIC PCS 7, WinCC or TIA Portal.

¹ Source © Risk Based Security 2016 | ² Source © Symantec | ³ Source © AV-Test

Page 22: 4. Poglavje - kocmat20.com

Industrial Anomaly Detection: Transparency of communication with your production assets

Transparency over data exchange within the plant networks provides you continuous and proactive identification of changes (anomalies) in the system

Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection

Automated asset identification to assist in risk analysis and mitigation

Page 23: 4. Poglavje - kocmat20.com

Industrial Anomaly Detection (continued)

100% passive monitoring oversees the plant network without impact on the monitored systems

Use of an advanced machine learning system, so the detection rate is enhanced over time

Aligned with requirements of standards, regulations and acts to protect critical infrastructure
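As an added illustration (my code, not the vendor's product): a minimal baseline-and-compare detector in Python that learns which assets and conversations are normal from a learning window, then flags new assets, new conversations and volume spikes, and reports a source that starts talking to many systems at once. The flow records are constructed, and the spike threshold is my own assumption.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records (src, dst, dst_port, bytes) from a learning window; not real plant traffic.
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.1.20", 102, 1200),   # HMI -> PLC, S7comm polling
    ("10.10.1.10", "10.10.1.20", 102, 1300),
    ("10.10.1.10", "10.10.1.20", 102, 1100),
    ("10.10.1.11", "10.10.1.20", 102, 900),    # second HMI -> same PLC
    ("10.10.1.11", "10.10.1.20", 102, 1000),
    ("10.10.1.10", "10.20.0.10", 8530, 50000), # HMI pulls updates from a DMZ WSUS
]

# Constructed monitoring window to compare against the baseline.
MONITOR_FLOWS = [
    ("10.10.1.10", "10.10.1.20", 102, 1250),   # normal
    ("10.10.1.10", "10.10.1.20", 102, 9000),   # same conversation, about 7x the usual bytes
    ("10.10.1.10", "10.10.1.20", 502, 300),    # known pair, never-seen protocol port
    ("10.10.1.11", "10.10.1.10", 3389, 4000),  # HMI opening RDP to the other HMI
    ("10.10.1.11", "10.10.1.21", 102, 800),    # ... and reaching PLCs it never talked to
    ("10.10.1.11", "10.10.1.22", 102, 800),
    ("10.10.1.99", "10.10.1.20", 102, 1200),   # unknown device polling the PLC
]

class Baseline:
    def __init__(self, flows):
        self.assets = set()
        self.volumes = defaultdict(list)  # (src, dst, port) -> observed byte counts
        for src, dst, port, nbytes in flows:
            self.assets.update((src, dst))
            self.volumes[(src, dst, port)].append(nbytes)

    def check(self, flows, spike_factor=5.0):
        """Return (kind, flow) for every flow that deviates from the baseline."""
        findings = []
        for flow in flows:
            src, dst, port, nbytes = flow
            key = (src, dst, port)
            if src not in self.assets or dst not in self.assets:
                findings.append(("new asset", flow))
            elif key not in self.volumes:
                findings.append(("new conversation", flow))
            elif nbytes > spike_factor * mean(self.volumes[key]):
                findings.append(("volume spike", flow))
        return findings

    @staticmethod
    def spread(findings, min_targets=3):
        """Sources whose new conversations touch many distinct systems."""
        targets = defaultdict(set)
        for kind, (src, dst, _, _) in findings:
            if kind != "volume spike":
                targets[src].add(dst)
        return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    hits = Baseline(BASELINE_FLOWS).check(MONITOR_FLOWS)
    print(*hits, Baseline.spread(hits), sep="\n")
```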

Page 24: 4. Poglavje - kocmat20.com

Anomaly Detection Software

• Many professional vendors as well as Open Source solutions

• Considerations: maturity, scalability, stability, support, development approach (IEC 62443-4-1 and IEC 62443-4-2)

• Intrusion detection for OT networks: specific issues

Page 25: 4. Poglavje - kocmat20.com

OT Network graph

Page 26: 4. Poglavje - kocmat20.com

Asset Insights

Page 27: 4. Poglavje - kocmat20.com

Attack Detection

Page 28: 4. Poglavje - kocmat20.com

Root cause analysis

Page 29: 4. Poglavje - kocmat20.com

Reporting capabilities

Page 30: 4. Poglavje - kocmat20.com

Manage Security: For a comprehensive, always up-to-date industrial security solution

Manage Security means the continuous monitoring and renewal of implemented measures through our centralized services.

Page 31: 4. Poglavje - kocmat20.com

Industrial Security Monitoring: Scenario: Joint IT / OT / IoT Security Monitoring & Operation

Diagram:

• Customer IT / OT / IoT: customer data sources, data gathering and data provisioning

• SIEM Event Receiver: correlation & aggregation

• SIEM Manager: analysis of security events

• SOC (1st & 2nd level) for IT / OT & IoT, split into an IT / IoT SOC and an OT / IoT SOC

• vSOC (3rd level): root cause analysis & forensics

• Customer Service Operation: root cause elimination

Page 32: 4. Poglavje - kocmat20.com

Industrial Vulnerability Management Process

Challenge

• Every day new software vulnerabilities get reported

• Currently manufacturers and operators struggle to identify if their manufactured or used automation products are affected

Solutions

• Manual checking of different web pages from providers of automation technology (e.g. on the Siemens web page https://www.siemens.com/cert/en/cert-security-advisories.htm)

• Customers need to compare the findings on these web pages against their lists of software components in their products or in the automation environment

Considerations

• High manual effort and consequently neglecting already officially reported vulnerabilities

• Customers stay unaware of the real threat and consequently do not trigger proactive measures (e.g. patching)

Goal

Provide relevant security information to enable manufacturers and operators of automation technology to proactively manage their cyber risks.

Page 33: 4. Poglavje - kocmat20.com

Industrial Vulnerability Management: application example

• Definition of what software components to monitor

• Notifications in case of detected vulnerabilities and possible patches

• Risk-based management of vulnerabilities
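As an added example (mine, not the deck's service): matching an inventory of monitored software components against advisory records and ranking the resulting notifications by a simple risk score, which covers the three steps listed above. Product names, advisory ids, versions, the version-string convention and the risk weighting are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'V8.2 SP1' -> (8, 2, 1). Assumes the 'Vmajor.minor[ SPn]' convention used here."""
    v = v.strip().upper().lstrip("V")
    sp = 0
    if " SP" in v:
        v, sp_txt = v.split(" SP", 1)
        sp = int(sp_txt)
    major, _, minor = v.partition(".")
    return (int(major), int(minor or 0), sp)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: Optional[str]   # None = no fixed version published yet
    cvss: float

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_exposed: bool    # BSI threat no. 7 on the earlier slide; raises the risk score

# Constructed placeholder advisories and inventory; no real product or vulnerability.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleHMI", "V8.2 SP1", 7.5),
    Advisory("ADV-EXAMPLE-002", "ExamplePLC", None, 9.8),
    Advisory("ADV-EXAMPLE-003", "ExampleHMI", "V7.0", 5.3),
]
ASSETS = [
    Asset("HMI-01", "ExampleHMI", "V8.1", False),
    Asset("HMI-02", "ExampleHMI", "V8.2 SP1", False),
    Asset("PLC-01", "ExamplePLC", "V4.0", True),
    Asset("ENG-01", "ExampleHMI", "V6.5", True),
]
def affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if the product matches and it runs below the fixed version."""
    if asset.product != adv.product:
        return False
    return adv.fixed_in is None or parse_version(asset.version) < parse_version(adv.fixed_in)

def notifications(assets, advisories):
    """(risk, asset, advisory, action) per match, highest risk first."""
    out = []
    for a in assets:
        for adv in advisories:
            if affected(a, adv):
                risk = round(adv.cvss * (2.0 if a.internet_exposed else 1.0), 1)
                action = f"update to {adv.fixed_in}" if adv.fixed_in else "no patch yet: apply mitigations"
                out.append((risk, a.name, adv.advisory_id, action))
    return sorted(out, reverse=True)

if __name__ == "__main__":
    for risk, name, adv_id, action in notifications(ASSETS, ADVISORIES):
        print(f"{risk:5.1f}  {name:7} {adv_id}  {action}")
```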

Page 34: 4. Poglavje - kocmat20.com

Patch Management: Managing critical updates in Microsoft products

Challenge

• Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. Regular and prompt installation of patches represents a vital element of a comprehensive security concept

• Patching with an incompatible patch can cause unplanned downtimes

Common approach

• Customer has to release the Microsoft patches manually on a WSUS, based on the Siemens SIMATIC PCS 7 compatibility Excel sheet

• No patching is performed at all, or no WSUS server is used but patches are downloaded directly by the endpoints

Weak points of the common approach

• Possibility of system disruption due to missing consideration of compatibility, or failures due to manual work

• Need to manually check for an updated Excel sheet on the Siemens website

• Labor-intensive process (monthly occurring)

Goal

Support operations by testing automation software with Microsoft security and critical patches when new patches are released, in order to check the compatibility of the PCS 7 software with these patch classifications¹, and by providing metadata about approved patches at the customer site

¹ Only “Security Patches” and “Critical Patches” are necessary to ensure that SIMATIC PCS 7 operation is secure and stable

Page 35: 4. Poglavje - kocmat20.com

Patch Management: Managing vulnerabilities and critical updates in Microsoft products

Solution designed by combining security know-how with process control expertise:

• Reduce the consequences that might have an impact on plant availability

• Timely release of patches after finishing the tests (approx. 2 weeks after Microsoft patch day)

• Reduce the probability of wrong implementation of patches

• Reduction of manual work on-site

• Fully automatic release of patch information (only metadata, no automatic installation, to avoid plant downtime)

Page 36: 4. Poglavje - kocmat20.com

Incident Handling: Fast reaction upon security relevant threats

• What shall I do with the system?

• What protects me for the future?

Team of experts

• Root-cause analysis performed by experts for industrial security

• Analysis of root cause and criticality

• Report incl. suggestions how to clean the affected systems

Figure: Incident Handling Report

Page 37: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack: A forensic analysis based on ISA/IEC 62443

Information from publicly available resources

Page 38: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack, Phase 1: Malware & spear phishing

Source: isa.org

Page 39: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack, Phase 2: Preparing the attack, network scans & “APT”

Source: isa.org

Page 40: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack, Phase 3: The attack

Source: isa.org

Page 41: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack: Analysis

• Seems easy to detect

• Significant network activities

• Activities on multiple systems

• Normal network activity?

• Volume of traffic

Page 42: 4. Poglavje - kocmat20.com

Ukrainian power grids cyberattack: IEC 62443 assessment

• IEC 62443-3-3: 51 system requirements (SR) in 7 foundational requirements (FR)

• SL-A estimation: approx. half of the SRs could be estimated; overall SL-A = 0

Takeaways

• Do not aim for a high SL in some areas

• Keep controls in place to ensure the SL-A

• Plan for contingency actions

• SR 6.2 at SL = 2 could have prevented the attack!
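As an added worked example (not from the talk), here is how the slide's SL-A figures combine in Python: each foundational requirement's achieved level is the minimum over its estimable system requirements, the overall SL-A is the minimum across that vector, and a target vector shows which FRs (including FR 6, where SR 6.2 lives) fall short. The SR estimates and the target levels are constructed; only the seven FR names and the SR numbering are from IEC 62443-3-3.

```python
from typing import Dict, Optional

# The seven foundational requirements (FR) of IEC 62443-3-3.
FR_NAMES = {
    1: "Identification and authentication control",
    2: "Use control",
    3: "System integrity",
    4: "Data confidentiality",
    5: "Restricted data flow",
    6: "Timely response to events",
    7: "Resource availability",
}

# Constructed estimates for a subset of the 51 SRs: achieved level 0-4,
# or None where the public information did not allow an estimate.
ESTIMATES = {
    "SR 1.1": 1, "SR 1.2": None, "SR 1.5": 0,
    "SR 2.1": 2, "SR 2.8": 2,
    "SR 3.2": 0, "SR 3.4": None,
    "SR 5.1": 1, "SR 5.2": 0,
    "SR 6.1": 1, "SR 6.2": 0,          # SR 6.2 = continuous monitoring
    "SR 7.1": 2, "SR 7.3": 2,
}

# Constructed target vector for the assessed system (assumption, not from the talk).
TARGET = {1: 2, 2: 2, 3: 2, 4: 1, 5: 2, 6: 2, 7: 2}

def fr_of(sr: str) -> int:
    """'SR 6.2' -> 6."""
    return int(sr.split(".")[0].split()[-1])

def sl_vector(estimates: Dict[str, Optional[int]]) -> Dict[int, Optional[int]]:
    """Achieved level per FR = minimum over its estimable SRs (None if none could be estimated)."""
    per_fr = {fr: [] for fr in FR_NAMES}
    for sr, level in estimates.items():
        if level is not None:
            per_fr[fr_of(sr)].append(level)
    return {fr: (min(lv) if lv else None) for fr, lv in per_fr.items()}

def overall_sl(vector: Dict[int, Optional[int]]) -> Optional[int]:
    """Overall SL-A: the weakest estimated FR."""
    known = [lv for lv in vector.values() if lv is not None]
    return min(known) if known else None

def gaps(vector, target):
    """FRs below target as {fr: (achieved, target)}; an unestimated FR counts as a gap."""
    return {fr: (vector[fr], t) for fr, t in target.items()
            if vector[fr] is None or vector[fr] < t}

if __name__ == "__main__":
    vec = sl_vector(ESTIMATES)
    print("SL-A vector:", vec, "overall:", overall_sl(vec))
    for fr, (have, want) in gaps(vec, TARGET).items():
        print(f"FR {fr} {FR_NAMES[fr]}: achieved {have}, target {want}")
```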

Page 43: 4. Poglavje - kocmat20.com

Thank you for your attention!

Matjaž Demšar, Digital Industries, Customer Services

+386 31 684 810

[email protected]

siemens.com/industrial-security-services

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

All product designations, product names, etc. may contain trademarks or other rights of Siemens AG, its affiliated companies or third parties. Their unauthorized use may infringe the rights of the respective owner.

Page 44: 4. Poglavje - kocmat20.com

Questions and Answers

Page 45: 4. Poglavje - kocmat20.com

Chapter 5

Survey and discussion

Rok Koren

GSM: +386 (51) 681 455

[email protected]