Innovation Days Industrial Communication - Siemensw3.siemens.dk/home/dk/dk/industry/campaign/ic/Documents/2K... · Innovation Days Industrial Communication ... vik hd Fl tt tttd h

Innovation DaysyIndustrial CommunicationIndustrial Security

siemens.com/industrial-security

London 1903Royal Institution’s lecture theatre

Verdenspremiere på den p p

trådløse telegraf

Source: https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/#.VRPRl-E2Wn8

Unrestricted © Siemens A/S 2016

Page 2 Digital Factory and Process Industries & Drives

Verdens første hackerandgrebScientific hooliganism

John Nevil MaskelyneThe gentleman hacker Guglielmo Marconi



Cyber SecurityHvorfor bekymre sig?

”Der er en meget høj trussel fra cyberspionage mod danske

i k h d Fl t t t tt d h k gåetvirksomheder. Flere statsstøttede hackergrupper er gået målrettet efter danske virksomheder i de seneste år.”

h d i d”Oftere forekommer det, at svagheder i udstyr og software skyldes manglende kvalitet i producentens eller

leverandørens processer.”



Source: https://fe-ddis.dk/SiteCollectionDocuments/FE/EfterretningsmaessigeRisikovurderinger/Risikovurdering2015.pdf

Industrial Security Den nye tendens – Ransomware



Industrial Security En hurtig stigning



Industrial Cyber Security incidents in USHvad siger ICS-CERT 2014

Percentage of incidentsNumber of incidents



Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

Industrial Cyber Security incidents in USHvad siger ICS-CERT 2015



Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

Industrial SecurityEr jeg ikke bare en nål i en høstak?

Der er stadig SIMATIC devices der er

eksponeret!l t

!#”@&”?*¤!&+

Og … Det er meget let at

finde!!#”@&”?*¤!&+!”#¤%

!#”@&”?* !& !”# %



!#”@&”?*¤!&+!”#¤%

Industrial SecurityProtecting Productivity



Industrial Security… protecting Productivity

https://youtu.be/4jZSfeUmhKw



Industrial SecurityThe Defense in Depth Concept



Industrial Security Løsninger på alle niveauer



Industrial SecurityHvordan holder man sig opdateret?

Abonner på Siemens RSS Feed: www.siemens.com/industrial-securityEller på ICS-CERT: www.ics-cert.us-cert.gov/ICS-CERT-Feeds



Industrial SecurityPareto-princippet

20%

80%

Invest

80%

20%

80%

Security



20%

Industrial SecurityPlant Security

Physical access control

Guidelines Guidelines Norms and standards Security Services



Industrial Security Vi kan tilbyde services – Security Assessment Workshops



Industrial SecurityVi kender standarderne



Industrial SecurityIEC 62443

• Based on IEC 62443-3-3S it L l 1 4

Security functions Security process• Based on IEC 62443-2-4

and ISO27001Protection Level (PL)

• Security Level 1-4 and ISO27001• Maturity Level 1 - 4

Leve

l 4

3PL 2

PL 1

Mat

urity

2

1

2 3 41

PL 3

PL 4



2 3 41

Security Level

Protection Levels cover security functionalities and processes

Assessment of security functionalities Assessment of security processes

Capability to protect against casual or coincidental violationSL 1 Initial - Process unpredictable, poorly controlled and reactive.ML 1

SL 3Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation

Capability to protect against intentional violation using simple means with low resources, generic skills and low motivationSL 2

ML 3 Defined - Process characterized, proactive deployment

Managed - Process characterized , reactiveML 2

Protection Levels

SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Optimized - Process measured, controlled and continuously

improved

4

3

2

1atur

ity L

evel

PL 2 Protection against intentional violation using simple means with low resources, generic skills and low motivation

Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivationPL 3

PL 1 Protection against casual or coincidental violation



1Ma

2 3 41Security Level

Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

specific skills and moderate motivation

PL 4

Industrial SecurityIEC 62443, security measures

PL 4Revolving doors with card

reader and PIN; Video Dual approval for critical actions Firewalls with Fail Close

(e.g. Next Generation Firewall)Online security functionality

verification….

OrganizeSecurity

Secure SolutionDesign

SecureOperations

Secure Lifecycle management

Secure PhysicalAccess

PL 3

PL 4 Surveillance and/or IRIS Scanner at door

Revolving doors with card reader

… …

…

Automated backup / recovery

No Email, No WWW, etc.in Secure Cell

…

2 PCs (Secure Cell/outside) …

Monitoring of all device activities ……

+

PL 2

PL 3 in Secure Cell

…

( )

… Remote access with cRSPor equivalent

Monitoring of all human interactions

Persons responsible for security within own organization

Continuous monitoring

Backup verification…Physical network segmentation or equivalent (e.g. SCALANCE )

Remote access restriction

+

PL 1

PL 2 Doors with card reader

Locked building/doorsAwareness training

(e.g. Operator Awareness Training) Network segmentation Firewall protection (e.g. SCALANCE S) Backup / recovery system…

Continuous monitoring(e.g. SIEM)…

Mandatory security education

Remote access restriction(e.g. need to connect principle)…

+



PL 1 with keysSecurity logging on all systemsMandatory rules on USB sticks

(e.g. Whitelisting) …

Industrial SecurityNetwork Security

Firewalls Virtual Private Networks VPN Segmentering Demilitarized zone DMZ HardeningHardening Authentication

Cell Protection



Network SecurityJump Station og DMZ

Opdeling i separate celler Al kommunikation via Remote Desktop og

Unsecure zoneDMZ zone

Jump Station

Secure zone

Al kommunikation via Remote Desktop og Jump Station

Backup og Restore via Jump Station

dl Kun trådløs adgang fra Secure Zone til Jump Station

Samme konfiguration i alle Firewalls (global firewall rules)



Network Security –Cell protection

Opdeling separate celler Al kommunikation ind og ud af cellern er Al kommunikation ind og ud af cellern er

kontroleret En decentrale Firewall struktur En decentrale Firewall struktur



Industrial SecuritySecurity Integrated – Overview



Network SecurityHvordan beskytter man gamle sårbare systemer?

Access protection

Ingen ændring i det eksisterende

SCADA

Ghost ModeIngen ændring i det eksisterende system også med Layer-2 protokoller

Adopterer IP d d MAC Adopterer IP-adresse og ændre MAC-

adressen automatisk Samme konfiguration i alle Samme konfiguration i alle

Firewalls (global firewall rules)

S G l å b



Secure zones Gamelt sårbart system

Network SecurityAnvend Hardning!

Brug Password Anvend VLAN Disable DCP write

Enable Management Access List

Broadcarst limitation

Di bl Disable ubrugte porte

Enable SNMP V3



Industrial SecuritySystem integrity

Password protection

Know-how og Copy protectionKnow how og Copy protection

Access protection

Virus scanner og Whitelisting

Sikker kommunikation VPN og OPC-UA Deactivation of services og hardware interfaces

Windows security patch management* Windows security patch management



* https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-WW

Industrial Security Vi har sikre produkter



Siemens is the leading vendor of Achilles level 2 certified products

Certified CPUs

LOGO!

Certified DP

ET 200 PN/DP CPUsS7- 300 PN/DPS7- 400 PN/DPS7- 1500 and 1505SS7- 1200S7 400 HF CPU V6 0

ET 200SP PN CPUs

Certified Firewalls

SCALANCE S602 S612

+ Protection against DoSattacks

S7- 400 HF CPU V6.0 S7- 410-5H

Certified CPs

SCALANCE S602, S612, S623, S627-2M

+ Defined behavior in case of attack

• Improved Availability• International Standard

CP343-1 AdvancedCP443-1 & AdvancedCP1243-1CP1543-1



International StandardCP1543-1CP1628

SCADA – Controller kommunikation via OPCEt standard setup

SCADA



Controller

SCADA – Controller kommunikation via OPCImplementer et VPN og Firewall koncept

SCADA

Via Security CP-Cards or external Fi ll/VPN t fFirewall/VPN getaway for:

- S7 300 and 400- S7 1200 and 1500- ET 200SP CPU- SCALANCE S (for all Controllers)



ControllerSCALANCE S (for all Controllers)

SCADA – Controller kommunikation via OPCImplementer et OPC-UA koncept

3. Part SCADA

Via Security CP-Cards or Controller:Via Security CP-Cards or Controller:

-S7-1500, 1500S, 1500T- ET 200SP CPU- PLCSIM Adv.- S7 400 via CP 443-1 OPC-UA



Controller

OPC-UAInteroperability with openness and standardization

Management -level

standardsMESERP

Operator-level

standardsInteroper-ability

Interoper-SCADA

MESERP

3rd party

Field-level

Controller-level ability

Interoper-ability

PLC HMI

ydevices

openness

Sensors Actuators



Perfect interoperatbility on all levels of communication by openness and standards

OPC-UAOPC UA og PROFINET den perfekte kombination

OPC UA’s styrke PROFINET’s styrke

L d fh i d t i i ti kCloudLeverandør uafhængig

Direkte forbindelse til alle niveauer

deterministisk

Real-Time egenskaberManagement-

level

Cloud

Tace

niveauer

Autentificering og kryptering

g

Enkelt C2C-kommunikationController-

Operator-level

PRO

FIN

ET

C U

A in

terf

a

Passer perfekt til data & t i t

Passer perfekt til controller-& Fi ld i t

Field-level

Controller-levelO

PC



management niveauet & Field niveauetlevel

OPC-UA og TIA-Portal Read and write PLC-data easy, standardized and symbolic

Activate the OPC UA server in the PLC1

Easy setup

Individual accessLevel of access via OPC UA

Value

Write access possibleserver in the PLC properties

Confirm that you have purchased the correct

1

2

Level of access via OPC UA can be controlled individually for each variable

Inheritance of access rightsBased upon the well known

Access possible

purchased the correct license

2

Make PLC-variables accessible through 3

Based upon the well known Step7 mechanisms

Different ways to accessAccess individual variables as

Symbolic access via OPC UA4

gcheckboxes in the editor

3 well as access whole structures and arrays as one object

PerformanceAccess whole structures and arrays to achieve optimal



arrays to achieve optimal performance

OPC UA client

CP 443-1 OPC UAAdditional Openness for SIMATIC S7-400

Feature/ Function Benefit

OPC UA Server/Client directly in the SIMATIC S7-400 station

Price sensitive, standardized connection to HMI, SCADA, MES/ERP SIMATIC S7 400 station , ,or 3rd Party PLC

As OPC UA Client – Configuration via function blocks compliant to PLCOpen standard

Flexible but standardized Interface for communication to any OPC UA Server

Use of the standardized OPC UA elementary security functions like authentication, authorization, encryption and signing of data

Protection of the system from unauthorized access

Configuration in STEP7 Classic V5 5 Expansion of existing ST7 plantsConfiguration in STEP7 Classic V5.5 as well as and STEP7 Professional V14(TIA Portal)

Expansion of existing ST7 plants without Migration to TIA-Portal

For use with CPU V5.3 / H-CPU V6.0 and H-CPU V8

Investment protectionUse of redundant H-system supported



Delivery release: 04/2016

Industrial SecurityPasswords – et konkret eksempel

Et Password skal være

komplekst:

https://www.youtube.com/watch?v=KnK5qLgErwo

Hvor stærkt er mit Password: http://calc.opensecurityresearch.com/?pwLen=3&kpsSelect=9250000&charSelect=lalpha

‐numeric‐all‐space&charsetLen=77&kps=9250000



Industrial SecurityPasswords

Udgangspunketet er stadig ofte

Admin/AdminAdmin/Admin Single Sign on Brute Force Prevention Brute Force Prevention

RADIUS Randomize



Slide 39

SBA1 Sarah Bay-Andersen; 20-03-2015

SBA2 Sarah Bay-Andersen; 20-03-2015

Industrial SecurityKan man anvende RADIUS og AD?

SCALANCE S615

Århus

SCALANCE S623Server

SINEMA Remote Connect

Windows Active Directory

RADIUS

SIMATIC CPU



Industrial SecurityDen store løsning – Siemens Ruggedcom CrossBow

Wow…! Det er en

elegant løsning…

NERC-CIP og IEC 6244362443 kompatibel



Industrial Security…endnu flere koncepter og informationer

Defense-in-Depth Super gode links…pSolution User Authentication Network Segmentation

All-round protection with Industrial Security

Demilitarized Zones Firewalls VPN Tunnels

Vi S i

https://support.industry.siemens.com/cs/document/92605897/all-round-protection-with-industrial-security-system-integrity?dti=0&lc=en-WW

Virus Scanning Patch Management Application Whitelisting



Industrial Security Opsummering

Fokus er kritisk – tag det alvorligt Stil krav til autentificering og brug af passwords

Anvend Jump Stations og brug

ifi dcertificerede produkter

Segmentér netværk og isolér sårbare systemery

Implementer centrale Security Access Management løsninger



Mange tak for jeres opmærksomhed

Kontakt infoKontakt info

Navn Telefon emailMorten Kromann +45 2037 3508 [email protected]

Per Krog Christiansen +45 4042 6239 [email protected]

Lars Peter Hansen +45 2129 9650 [email protected]

