White Paper Cyber Security for Critical Infrastructures · tinuous rise in the number of cyber attacks in recent years has spurred lawmakers to pass corre sponding rules and regulations

© Siemens 2020

White Paper

Cyber Security for Critical Infrastructures

siemens.com/industrial-security

DFFA-B10518-01_WhitePaper-IT.3-68388.3-80212.indd 1DFFA-B10518-01_WhitePaper-IT.3-68388.3-80212.indd 1 10.06.20 06:0610.06.20 06:06

White Paper | Industrial Security

© Siemens 2020 2

Content

2 Content

3 Introduction

3 The IT Security Act in Germany

4 State of the art – IEC 62443

5 Cyber security – An ongoing process

6 Threats

6 Objective and type of attackers

6 Hazards

8 Cyber security – Procedure

8 Object selection

8 Application case selection

8 Hazard identification

9 Risk assessment

10 Identification of measures

10 Implementation of measures

10 Auditing

11 Cyber security measures

11 Protection concept

11 Plant protection

12 Measures for network security

19 Measures for system integrity

22 Personnel measures

23 Emergency plan and restoration

23 Siemens ProductCERT

23 Siemens Security Advisories

24 We support you

27 Terms and abbreviations



© Siemens 2020 3

Introduction

The increasing digitization of companies and the accompanying networking of practically all areas are creating tremendous economic potential. At the same time, though, the increased networking is giving rise to new hazards that require a fast and rigorous response. The continuous rise in the number of cyber attacks in recent years has spurred lawmakers to pass corresponding rules and regulations for cyber security. The purpose of these requirements is to protect critical infrastructures in order to ensure uninterrupted service (e.g. of water) for citizens and the stability of the country.

In Germany, for example, the IT Security Act for “increasing the security of information technology systems” went into effect in July 2015 and requires owners of critical infrastructures (KRITIS) in Germany to take certain measures.

Other countries also have agencies that oversee cyber security of domestic industries. These include the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, the National Center for Security in Critical Infrastructure (NCSC) in Great Britain and the Department of Homeland Security (DHS) in the United States.

The examples show that cyber security is increasingly being mandated by law. Thus, plant owners that erred by not prioritizing cyber security before are now being induced to adopt an effective protection concept.

The IT Security Act in GermanyThe IT Security Act in Germany prescribed mandatory reporting of securityrelated incidents by certain critical infrastructures of water supply and sewage disposal systems starting in November 2016 and compliance with minimum cyber security standards by May 2, 2018. If a critical infrastructure owner experiences a reportable IT disruption, the BSI (German Federal Office for Information Security) may also require the manufacturers of the respective IT products and systems to get involved. This includes, for example, the prompt elimination of identified vulnerabilities.

“State of the art” cyber security measures are required. Both the manufacturers of automation and network components and the plant owners must keep up with the state of the art. Plant owners must also review their cyber security measures at least every two years through tests, audits or certifications (see §8a (3) IT Security Act).

The legal term “state of the art” is used, because – based on experience – technical development is usually faster than the legislative process. For this reason, it has been an effective practice for many years in some legal areas to reference the “state of the art” in laws instead of trying to establish specific technical requirements in the law. What is considered “state of the art” at a certain point in time can be determined for a particular area, for example, based on existing national or international standards, such as DIN or IEC standards, or based on socalled “best practices.” Since the necessary technical measures can differ depending on the specific situation, a universal and conclusive description of the “state of the art” is hardly possible.

The German industry associations “German Gas and Water Engineers’ Association (DVGW) and “German Association for Water, Wastewater and Waste” (DWA) have created a standard for the protection of facilities in the water and wastewater industry in the form of information leaflet (Merkblatt) DWAM 1060. This industry standard was judged to be suitable by the BSI in 2017. It contains specifications for implementing cyber security and can be used by all owners, irrespective of whether their facilities are regarded as critical infrastructures. Owners of critical infra structures (KRITIS) in this industry must implement all requirements of the industry standard (K and Ameasures). Other owners only have to implement the Ameasures. Owners can join the UP KRITIS (public/private organization of owners of critical infrastructures). The KRITIS category includes organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.

• Water supply facilities with an annual output volume of >= 2.2 million m³ water.• Sewage disposal facilities with a capacity of >= 500,000 population equivalents.



© Siemens 2020 4

The industry standard comprises the following documents • Information leaflet (Merkblatt) DVGW W 1060 (M) / DWA M 1060 “ITSicherheit – Branchen

standard Wasser/Abwasser” [IT Security – Water/Wastewater Industry Standard]• IT Security Guideline (online tool)• Manual for IT Security Guideline

State of the art – IEC 62443How then can cyber security in line with the state of the art as required by law be implemented? IEC 62443 is available in the industrial environment for this purpose. As the leading standard it is sometimes also adapted or referenced in other areas, such as railway applications. It is an internationally recognized standard and the most comprehensive of all security standards. It addresses owners, system integrators and manufacturers of automation systems alike. In doing so, reference is made in various parts of the standard to processes, technologies and the role of people. It is made clear that for protection to be adequate, suitable measures must be defined and implemented based on a risk assessment. Equally important is the sustainability of the achieved degree of protection over the long term, e.g. by regularly reviewing the effectiveness of the measures used.

The documents of IEC 62443 are structured as follows:

Figure 1: Documents of IEC 62443

• IEC 624431 includes terminology, concepts, applications and models• IEC 624432 is addressed to plant owners; it describes the implementation of a security

management system, patch management, etc.• IEC 624433 describes safety technologies for controllers and network components• IEC 624434 is addressed to manufacturers and describes, for example, how to secure the

development process

This structure also indicates that cyber security is a comprehensive process measure and that compliance with security standards is required as early as the component development phase.



© Siemens 2020 5

Cyber security – An ongoing processEffective protection against cyber attacks is not achieved by onetime implementation of measures, but rather by an ongoing process.

Figure 2: The three phases of IT security

Starting from an evaluation of risks for the automated process (Assessment), measures must be implemented to minimize these risks (Implementation). These measures must be monitored (Management) and continuously reviewed and evaluated to determine if they need to be revised to address new or changing hazards. In the following you will find a guideline on how to technically comply with the industry standard and how a plant must be secured according to IEC 62443.

The plant owner is always responsible for IT security. Even if the operation is outsourced in whole or in part, the plant owner remains responsible. Hazards due to outsourcing must then also be assessed.



© Siemens 2020 6

Threats

Objective and type of attackersWhat motivates potential attackers who attempt to overcome security measures? This is dependent on the type of attacker, four of which will be differentiated here:

Unsophisticated attackers: script kiddiesReadytouse scripts can be used with little expertise – attacks occur simply because that attacker is connected to the Internet and targets known vulnerabilities. The motivation is banal: amusement, mischief, playing around.

Sophisticated attackers: hackersTheir attacks are also not targeted but rather aim at a wide range of targets. However, the attacks are more complex and the goal is not just to make attacks but also to benefit from them: earn money. For example, data is encrypted and information is left behind on how the encrypted data can be recovered through payment of a ransom.

Corporate espionage: insiderThese attacks are targeted at your company – a (former) employee attempts to benefit through insider information: for example, by stealing and reselling data or by harming the company out of frustration. Because of the attacker’s insider knowledge, he poses a high threat.

Advanced Persistent Threats: APTThe technically largest hazard is from socalled APTs, because these attacks are backed by expert knowledge and a large amount of resources. These attacks generally exploit previously unknown vulnerabilities and can have many different objectives: access to sensitive data, data manipulation, production process disruption or even destruction of whole plant units. The attacks may be carried out for financial reasons but also with the aim of destabilizing a country – e.g. through interruption of the water/electricity supply.

HazardsThe following types of attacks have been identified by the BSI as the ten most common attacks on industrial facilities:

1. Introduction of malicious code via removable media and external hardware The use of removable media and mobile IT components by external personnel always entails a major risk of malware infections. However, personnel are often unaware of the effects of malware.

2. Malware infection via internet or intranet Standard components used in company networks (e.g. operating systems, databases, browsers and email clients) usually contain vulnerabilities that an attacker can exploit to infiltrate the company network. From the infiltrated intranet or office network, the attacker can often proceed into the production network, either directly or with a followup attack.

3. Human error and sabotage Deliberate actions – regardless of whether by internal or external offenders – are a massive threat to all security goals. Security can never be guaranteed through technical measures alone; organizational rules must always be established and followed.

4. Compromising of extranet and cloud components Outsourcing of IT components to cloud solutions leads in some cases to system owners having only very limited control over the security of these components and the possibility of their being compromised. The components themselves may be connected directly to the local production, however.

5. Social engineering and phishing Social engineering is a method of gaining unauthorized access to information or IT systems through mostly nontechnical actions and through exploitation of human traits, such as curiosity, helpfulness, trust, fear or respect for authority. Fraudulent emails – socalled phishing emails – that induce recipients into opening manipulated links or attachments with malware represent a classic example of this.



© Siemens 2020 7

6. (D)DoS attacks (Distributed) denial of service attacks can be used to disrupt both wired and wireless network connections as well as required system resources and cause systems to crash, e.g. to disrupt the functionality of an ICS.

7. Control components connected to the internet Despite manufacturer recommendations, ICS components are often connected directly to the internet without having an adequate level of security and security mechanisms.

8. Intrusion via remote maintenance access External access to ICS installations for maintenance purposes is a common practice. Access with default or hardcoded passwords is widespread. Access by manufacturers and external service providers for maintenance purposes is sometimes not limited to specific systems. As a consequence, further systems are accessible.

9. Technical malfunctions and force majeure Failures due to extreme environmental influences or technical defects are always possible – the risk and the potential for damage can only be minimized here.

10. Compromising by smartphones in the production environment The ability to display and change operating and production parameters on a smartphone or tablet is increasingly being used in the production environment. Remote maintenance access via a smartphone or tablet represents a special case and adds an additional attack surface.



© Siemens 2020 8

Cyber security – Procedure

The hazards show that attacks can occur very differently and that processes must be protected against a variety of threats. For implementing cyber security, the German industry standard as well as IEC 62443 define a process of multiple steps.

Figure 3: Procedure for implementing cyber security

Object selectionAll systems of the plant are identified and documented in this step. The objective is to clearly differentiate the various systems from one another. By identifying all systems at the start of the process, it is ensured that no subsystem will be overlooked and that protection can be fully examined in the subsequent evaluations. Part of this documentation is also a network diagram of the plant.

Application case selectionThe application cases are determined for the various systems of the plant according to the guideline. The hazards emerge from the application cases. An application case is, for example, that a system is accessed via a remote maintenance access.

Hazard identificationHazards are identified for the application cases in this step, for example, use of a remote maintenance access by an unauthorized person. The identification of hazards is important for determining the risk – or the potential of a hazard. Annex 2 of the BSIKritisV [Directive on the Determination of Critical Infrastructures according to the Act on the Federal Office for Information Security] can be used for the hazard identification.



© Siemens 2020 9

Risk assessmentAfter identification of possible hazards, you assess the risk. The following risk matrix is used for this:

Amount of damage

Very High

High

Medium

Low

Very Low

Unacceptable risk

Acceptable risk

Very Low Low Medium High Very HighProbability of occurrence

Figure 4: Risk matrix according to BSI Standard 2003

A hazard with a high probability of occurrence and potentially high amount damage lands at the top right of the matrix (red part – high risk). A low amount of damage and probability of occurrence means a low risk – shown in green at the bottom left of the matrix. You will find a detailed breakdown of the amount of damage (degree of limitation of plant operation), probability of occurrence and risk in the following.

Amount of damage• Very low: Minor limitation (at a minimum, plant can be operated in standard mode, minor

limitation of service quality).• Low: Noticeable limitation (plant can be operated with minor limitations, noticeable limitation of

service quality within the permissible limits).• Medium: Considerable limitation (plant is no longer fully operable, service quality is noticeably

limited, the quality is outside of the specified limits).• High: Substantial limitation (plant can only be operated in part, service can only be provided in

part, quality is far outside the specified limits).• Very high: Total failure (plant can no longer be operated, service can no longer be provided).

Probability of occurrence• “Very low” (less than 1 time in 5 years)• “Low” (less than 1 time every 2 years)• “Medium” (up to 1 time per year)• “High” (up to 3 times per year)• “Very high” (more than 3 times per year)

Risk• Red: Risk to be significantly reduced• Yellow: Risk to be limited• Green: Acceptable risk

PrioritizationWhen implementing cyber security measures, all hazards must be addressed according to their priority. Hazards with “red” risk must be prevented and the measures for doing so must be implemented immediately. Yellow hazards are then worked on, followed by green hazards.



© Siemens 2020 10

Identification of measuresThe specific possibilities are described in detail in section “Cyber security measures.” The measures must be determined from the list of hazards, and the list of measures must, in turn, be checked and supplemented if necessary. The IT systems that are relevant for the measures must then be determined.

Implementation of measuresThe implementation of measures includes the scheduling and organizational planning of the implementation. This step also includes defining the responsibility for implementing measures and ensuring that the associated budget is clearly allocated. After measures are implemented, their effectiveness must be checked and the measures themselves must be documented.

AuditingFor the auditing step, the measures must be verified, the plant documentation must be complete and checklists must be filled out. The effectiveness of measures must be continuously checked at regular intervals and if deficiencies are identified, whether due to changing risks, new types of malware, etc., the process must be restarted beginning with the hazard identification.



© Siemens 2020 11

Cyber security measures

In the following, the protection concept that is best suited for countering the wide variety of hazards is explained first. This is followed by a detailing of the individual measures conforming to the industry standard and IEC 62443.

Protection conceptBecause the hazards for processes differ widely in their nature, can occur from the outside or inside and can result from attackers with different levels of sophistication, a multilayered protection concept must be created if the process is to be protected as effectively as possible. For example, even if the firewall is overcome because the attacker has physically entered the plant, other protective mechanisms on the terminal devices must kick in.

Figure 5: Protection concept “Defense in depth”

The figure shows the multilayered protection concept “Defense in depth,” which designates the three elements of plant security, network security, and system integrity as the three essential layers of effective security.

Plant protectionOrganizational measures refer to all measures for physical protection of the plant. Besides protection against breakin, measures to counter environmental influences must also be examined.

Hazards• Breakin/vandalism• Unauthorized entry• High water/floods• Fire• Smoke/dust/harmful gases• Lightning/overvoltage/EMC



© Siemens 2020 12

Organizational measuresMeasures must be taken to protect the plant based on the hazards involved. To be examined, in particular, is the situation in which remote stations (e.g. a pumping station) are generally unmanned and are only monitored from the control room via a remote access. The design of remote stations must prevent breakins, and windows and doors must be suitably locked. The controller can detect by means of door/window contacts if these are opened and signal this to the control room. An IP camera helps to spot attackers and to monitor the building from the control room.

Different production areas must also be separated physically with different entry authorizations. Critical components must be secured by placing them in a locked control cabinet.

The guidelines for physical access protection measures also influence the required cyber security measures and their extent. If, for example, only select personnel have access to an area from the outset, then the network access interfaces or automation systems do not have to be secured to the same extent as would be the case for publicly accessible areas.

Measures for network securityThe network must be structured in such a way that it resists potential attacks as effectively as possible. In so doing, accessibility, availability and protection must all be accommodated.

AccessibilityNetworks are no longer closed systems without an Internet connection. More and more, plant owners require the ability to access networks from the outside for maintenance, diagnostics, optimization, patches, updates, etc. For remote stations (pumping stations in the water industry), in particular, a communication connection from the control room is needed.

AvailabilityThe automated process, which for example is controlled via the network using PROFINET communication, is to run regardless of individual cable interruptions. The monitoring systems in the control room are to be able to continue monitoring the process even if the occasional router fails. Redundancies are needed to meet such requirements. This means that single or multiple network structures are set up more than once so that, for example, several transmission paths are provided via a ring structure.

ProtectionThe process is to be protected from all possible risks that exist via the network, such as unauthorized access, malware, (D)DoS attacks, etc. Besides the permissible and desired accesses, all other communication types are to be blocked by suitable measures.

IEC 62443 stipulates the following elements for the protection of networks:

• Segmented network architecture• Isolation or segmentation for highrisk components• Use of firewalls to block unnecessary communication and accesses

Network segmentationNetwork segmentation using firewalls is used to protect against networkside attacks. Segmentation means that the network is divided into functional groups, such as production networks, a plant network and an office network. The only way to selectively block unknown communication and allow only explicitly permitted protocols and application is through the use of firewalls between these network segments.



© Siemens 2020 13

Figure 6: Network segmentation corresponding to IEC 6244321

The preceding figure shows a network structure as recommended in IEC 624432. The automation cells at the very bottom are grouped as functional units and separated from the overall plant network with a firewall. The automation cells comprise all devices that are addressed by the controllers via PROFINET. The plant network represented above the automation cells contains all the devices that are important for operation of the plant, such as a control system, server and the like. The plant network is separated from the office network by yet another firewall. One or more demilitarized zones (DMZ for short) can be effectively set up here. With a DMZ the devices from the higher and lowerlevel networks do not communicate directly with one another. Instead, they communicate via a server, which for example queries the plant status from the automation cells and provides this information to the higherlevel network. By eliminating direct access in this way, the security of the overall network is increased. Finally, the office network is also secured against the Internet with one or more firewalls.

This structure yields three defensive walls for each of the automation cells in this example. The office network, which is more commonly affected by introduced malware (→ USB sticks) is always separated from the automation cells by two firewalls. The closer in proximity to the automation cell that an employee works, the more important is that employee’s constant sensitization to cyber security.

The industry standard also recommends checking the following hazards for networks according to their components.



© Siemens 2020 14

Component Hazard MeasureRouters and switches Incorrect configuration of

routers and switchesConfiguration checklist for routers and switches

Incorrect administration of routers and switches

Data backup and recovery in the case of routers and switches

Unauthorized connection of IT systems to a network

Securing of switch ports

Firewalls Loss of confidentiality of confidential data of the network being protected

Selection and setup of suitable filter rulesSecure use of protocols and servicesIntrusion detection and intrusion response systems

Unauthorized IT use Logging of security gateway activities

Table: Hazards according to industry standard for networks

Remote access and distributed remote stationsA special challenge is the connection of remote stations such as isolated pumping stations or water towers. These must be able to operate independently, but it should still be possible to monitor them from the control room. The network of this remote location must therefore be protected and access to the remote location must be secured.

Note: Even if the remote location is connected using a dedicated network or a companyinternal network, the network must be protected and the communication must be encrypted nevertheless. Because the network cable could be manipulated, the plant must also be protected against this scenario.

Figure 7: Connection of remote stations using the SCALANCE M Industrial Router

The remote station can be connected via cable (e.g. ADSL, SHDSL) or radio link (e.g. LTE, UMTS). The modem must be VPNcapable and protected by a firewall.



© Siemens 2020 15

To increase security, according to IEC 62443 the VPN connection can be set up for remote access in such a way that the tunnel is only established when a technician on site actively activates the VPN establishment on the module. A digital input on the SCALANCE M modules can be connected for this purpose. This protection mechanism is used so that external access to the plant is only enabled when a technician on site can check that this access cannot cause damage or a failure.

Industrial plants and water systems are often widely distributed. For efficient and secure remote access to machines and systems in the process industry via the public infrastructure, a management platform is worthwhile starting from a certain size and complexity of the connections to be managed. These help in the management of individual connections by also encrypting, authenticating and authorizing them.

The SINEMA Remote Connect management platform is a server application that ensures secure management of VPN connections between control centers, field technicians and installed equipment. The identity of the participants is determined in advance by an exchange of certificates before access to the machine is granted. The assignment of access rights to machines can be controlled centrally in the user administration of the management platform.

Service technician (mobile)

Mobile wireless networkService Center

Internet connection

VPN tunnel

DSL Router

MachineFactoryOfficeCustomer DCustomer CCustomer A Customer B

SIMATIC S7-1200 with

CP 1243-7LTE

Customer E G_I

K10

_XX

_507

40

Wired Internet

Open VPN Client

SCALANCE M816-1 + KEY-PLUG

SINEMA Remote Connect

Industrial Ethernet

SCALANCE M876-4 + KEY-PLUG

SCALANCE S615 + KEY-PLUG

SCALANCESC636-2C

Figure 8: Secure remote access to distributed plants with SINEMA Remote Connect

Wireless connections to a WLANSpecial examination of wireless transmission using WLAN or other technologies is also required. In the case of wired communication, an attacker must have physical access to the cables or the network components in order to eavesdrop on or falsify the data communication. With wireless communication, on the other hand, radio waves spread over a larger area, which makes an attack easier.



© Siemens 2020 16

Figure 9: Example of WLAN application in the process and office

If a WLAN is needed in the automation cell, a WLAN suitable for automation must be set up. The office WLAN must be operated using different WLAN access points in order to maintain the network segmentation.

Organizational measures for WLANThe access point must be installed in an inaccessible location or a locked control cabinet, in which case the WLAN antennas are mounted separately. This prevents an attacker from physically accessing the access point. In addition, the WLAN frequency must be chosen carefully because other applications that use the same frequency, such as jammers, can limit or even completely interrupt the transmission.

Technical protection mechanisms for WLANThe current state of the art is WPA2 encryption; older encryptions (WEP and WPA) must not be used anymore because these methods are not secure and can be easily overcome. In addition, the default password and the SSID must be changed and the SSID can be hidden. This increases security.

General requirements for network elementsThe preceding examples have shown how a plant network, distributed remote stations and WLAN wireless cells must be set up. In so doing, it is also always important to configure and protect the devices in conformance with regulations. The international standard for secure configuration and management of network components in IEC 62443 recommends the following properties and protection mechanisms for network components.



© Siemens 2020 17

Access protection and account administrationThe network components are to be protected against unauthorized access. The accounts released for access are to be manageable; in particular, there must be an option to block an account. The following properties are to be supported:

• Setting up an access possibility• Identifying users/making users identifiable through accounts• Setting/changing/closing accounts by a central manager• Accounts as well as which persons may use the account must be documented in a list• Unused accounts are deleted or blocked• Periodic checking of access right• Default passwords must be changed

The requirements for access protection can be realized through the User Management Component (UMC). With UMC, various user accounts are created on a central server, the UMC Ring Server. TIA Portal projects can use these users in order to grant them access rights for the network components and devices. When the network components are accessed, they send a request, for example, to the UMC Ring Server, as to whether these accounts are still valid. Through advanced rules in UMC, it can also be specified how often passwords must be changed and the criteria the passwords must meet (upper/lower case letters, length, etc.). In this way, UMC fulfills the corresponding require ments of IEC 62443.

Figure 10: Network components and TIA Portal connected to UMC

Access control: AuthenticationWhen a component is accessed, it must be possible to identify the accessing user. This is referred to as authentication. The authentication method is to provide mechanisms like the following:

• Access possible only if the user has been authenticated• Strong protection mechanisms for administrative access• Recording of all accesses to critical systems• Identifying all remote access users• Policies for remote access, automatic logout in case of inactivity• Access blocked after multiple failed login attempts• Reauthentication required after inactivity in the case of remote access• An authentication mechanism must also be set up for tasktotask communication

These requirements pertain to different systems and must therefore be examined for the entire plant. For remote access, the requirements can be covered, for example, by SINEMA Remote Connect because, among other things, automatic logout after inactivity and blocking of an IP after multiple failed login attempts are already implemented. In addition, every remote access is logged. Local access control is achieved through devicespecific settings or the UMC mechanism, which grants users different rights and rolls for accessing the components. In the TIA Portal, it is also possible to assign different users the right of access to the project and to assign access for the security configura



© Siemens 2020 18

tion in a separate step. Because the security configuration is managed as a separate right, this ensures compliance with the requirement for additional protection of administrative access.

The last point – the tasktotask communication is discussed later in section “System integrity” > “Secure communication.”

Access control: AuthorizationAuthorization means that a user authenticated beforehand is granted certain rights, such as access to the component. IEC 62443 names the following items for the authorization:

• Logical or physical method for access permission• Rolebased rights to access the system or information• Access right for safety functions must be a separate right• For critical systems, multiple access levels must be set up

As previously mentioned, various roles for access to network components are already possible. In section “System integrity” > “CPU access protection,” you will find more information on how the access right to safety functions as well as multiple access levels must be handled.

Network managementTo be able to continue managing increasingly complex networks and growing amounts of data efficiently and securely, it is recommended that a network management system be used. SINEC NMS serves to centrally monitor, manage, and configure industrial networks with tens of thousands of devices around the clock. Central, rulebased firewall management and documentation functions via audit trails make it possible, for example, to easily monitor securityrelated aspects of the network.

Network diagramA physical network diagram, i.e. a topology view, is required for documentation of the plant. The topology shows how the devices are interconnected. Addresses (IP and MAC), port connection and installation location must be apparent from this network diagram. A network diagram could, for example, be printed from the TIA Portal, or the SINETPLAN network planning tool or SINEC NMS Network Management System could be used for this purpose.

Figure 11: Topological network in SINETPLAN

In addition, a logical network diagram can be created that shows which components communicate with one another and in which way. For example, it shows which systems communicate with one another, the direction in which data is communicated, whether an access is read access or write access and which type of data is being exchanged. A few examples are shown in the following:



© Siemens 2020 19

Figure 12: Bidirectional data exchange between controller (PLC) and SCADA

Figure 13: Read access of SCADA system to PLC

Figure 14: Write access of SCADA system to PLC

Measures for system integritySystem integrity refers to the ensuring of authenticity and genuineness of data and programs within a system. Suitable protection mechanisms must be used to guarantee that no one changes the program or falsifies data without authorization – either on the communication path or in the system. In addition, it must be ensured that the program or data cannot be copied. Finally, the knowhow for the control of the process is also worthy of protection.

Program accessProgramming of controllers (PLCs) already falls under cyber security. Access to the project must therefore also be protected by a suitable account management. Organizational measures can obviously be used to protect offices against unauthorized access. The use of Windows Login, in turn, generally affords protection for the project. To shorten development times, however, developer teams are increasingly working on the same project, which requires additional protection for the project. Starting in TIA Portal V15, the entire project can be encrypted. As a result of this, an additional user name and password is required to open the project.

Figure 15: Project protection in TIA Portal V15

If project protection in enabled, various users can be created and assigned rights (read or write) for the project. The users from UMC can again be used for this.



© Siemens 2020 20

CPU access protection

Figure 16: Access protection by a password in the S71500

The various access levels of the CPU can be used to set up different passwords, so that full access is available only to qualified personnel and only limited access is possible otherwise.

Web serverMore and more controller solutions are using accesses via web servers, which are also often being used for remote access. The web server must also be effectively protected for this.

Figure 17: Web server of the S71500 with HTTPS and various users

HTTPS is the secure version of HTTP and must be used preferentially. By setting up various users and access levels, the authentication and authorization required by the industry standard can be achieved.

Secure communicationIf the controller communicates from its secure cell to the outside (see Figure 5: Network segmentation), this communication must be secured. For example, if an OPC UA server is accessed via remote access or if the controller must communicate with other plant units (other automation cells), the communication must be encrypted. Currently, the state of the art is TLS encryption. This can be used in the S71500 via OPC UA or a TCP connection.



© Siemens 2020 21

Figure 18: OPC UA access of the S71500 limited to an encrypted connection

Another option for encryption is to use the integrated firewalls for establishing a VPN connection. The firewalls establish the VPN tunnel to one another, and the communication between the automation cells is transmitted via the higherlevel network as encrypted communication and is further transmitted to the destination network as unencrypted communication again.

Security measures on industrial PCsPCs used in the industrial environment (IPCs) require special measures because some threats – such as infected data storage media – can act directly here (unlike in the case of a controller where a USB data storage media cannot be directly connected). The following measures are used for hardening an IPC against cyber attacks:

User accountsIt is useful to create administrator and user accounts. Only the administrator is authorized to make changes to security settings or to (un)install software. The standard user cannot do these things, which prevents installation of malware during normal operation.

Configuring policiesThe Microsoft Management Console can be used to set policies for use of data storage media, the system controller, etc. Documentation and information on which policies can be used and how to set them can be found online:

https://support.industry.siemens.com/cs/ww/en/view/109475014

Enhanced Write Filter (EWF)This function is available on SIMATIC IPCs and secures a portion of the file system against alteration of data by redirecting write accesses to the RAM. After a restart of the IPC, the file system is unchanged. Malicious programs that have gained access during operation are no longer present after the restart.

FirewallStandard firewalls (Windows Firewall) already provide useful basic protection and should definitely remain activated. With suitable rules, the firewall must be configured in such a way that only user data communication is possible and other communication is blocked.

AntivirusViruses and malware can be detected using suitable antivirus software. At Siemens we rely on a McAfee installation for automation. A management server manages the antivirus clients on the PC systems and provides the current virus signatures. The management server can also email alerts in order to notify service personnel.

IEC 62443-certified productsWhen selecting the controllers, PCs, and other systems to be used, make sure that they contain security mechanisms and have been tested for vulnerabilities. These tests are standardized. For example, an Achilles Certificate indicates that the system has undergone load and vulnerability tests. Manufacturers can also perform secure product development in order to ensure a high level of quality for their products. Siemens’ development process has been tested and has passed the test according to IEC624434. With further productspecific certifications, Siemens additionally verifies that substantial technical product requirements have been implemented in compliance with IEC 6244342:

https://press.siemens.com/global/en/pressrelease/certified-security-development-process- siemens-automation-products



© Siemens 2020 22

Personnel measures

Because the best technical and organizational protection mechanisms are ineffective if employees are reckless, cyber security training and a clear definition of areas of responsibility are integral components of cyber security. As previously mentioned in the introduction, the responsibility for cyber security always lies with the plant owner.

IEC 62443 recommends screening new employees for dependability in fulfilling responsibilities. Existing personnel must also be subject to dependability checks. External personnel can also be required to undergo training but should always be accompanied and supervised by trained internal personnel.

ResponsibilityCyber security is important. There must be a person or group that assumes the responsibility for cyber security. This person or group is responsible for planning, implementing and monitoring the cyber security measures and for personnel training. The industry standard also requires operators of critical infrastructures (KRITIS) to name their contact person for cyber security to the UP KRITIS organization.

TrainingTraining on cyber security is essential and must be repeated at regular intervals to keep awareness of cyber security in the forefront of people’s minds and to address new hazards. The content of training sessions must cover correct handling of installed systems, removable data storage media and software, reaction to incidents and all other possible hazards.

For administrators, the industry standard explicitly requires them to be trained on correct handling of network components so that configurations are performed correctly.



© Siemens 2020 23

Emergency plan and restoration

Another aspect of meeting the requirements of the industry standard is to have an emergency plan, i.e. what to do if a hazard has occurred and the process has been interrupted. This concept is also referred to as business continuity management. Thought must be given in advance to how to respond to such emergencies: The following things must be clarified:

• How much downtime is tolerable?• How can the process continue to operate independent of the controller/office?• How well can other parts of the plant compensate for the supply?• How will the affected system be “cleaned”?

– Through redundancies– Through restoration of a backup

• How will another occurrence of this incident be prevented?– Announcement– Optimization

Siemens ProductCERTSiemens has a team of security experts that serves as a place for customers and security experts to go if they have identified a security gap. This team is called the Product Computer Emergency Response Team (ProductCERT). Reported security gaps are immediately evaluated and analyzed by our security experts.

Siemens Security AdvisoriesThe Siemens ProductCERT analyzes all reports on security problems and publishes security advisories on validated security vulnerabilities that affect Siemens products directly and require a software update or upgrade or some other action by the plant owner. Make use of this information source for evaluating the effects of a security vulnerability. Siemens chooses to handle its own vulnerabilities openly so that you can react before these vulnerabilities are exploited at your facility. Stay informed with our RSS feeds:

https://www.siemens.com/global/en/home/products/services/cert.html#Advisories



© Siemens 2020 24

We support you

Siemens AG is available to support you in implementing IT security. We provide you help in analyzing risk, designing and structuring a secure production process and continuously monitoring the security situation of your plant.

Security Consulting

Evaluation of the current security status of an industrial environment

• Security Assessments

• Scanning Services

• Industrial Security Consulting

Security Optimization

Comprehensive security through managed services

• Industrial Anomaly Detection

• Industrial Security Monitoring

• Remote Incident Handling

• Industrial Vulnerability Manager

• Patch Management

• SIMATIC Security Service Packages

Security Implementation

Risk mitigation through implementation of security measures

• Security Awareness Training

• Automation Firewall

• Endpoint Protection

Figure 19: Siemens Industrial Security Services

Security Consulting comprises the evaluation of the current security status in industrial plants, based on international standards such as IEC 62443. Trough assessments our experts identify threats and weaknesses and develop clear guidelines to increase the security level. Our scanning tools provide you transparency about your assets and vulnerabilities. We also advise you on guidelines, processes and procedures as well as effective network protection through cell segmentation.

In order to close the identified security gaps and to minimize risks, security measures are implemented according to the state of the art. This also includes a webbased awareness training, which increases awareness of cybersecurity in industry. Furthermore, our experts take over the smooth integration of firewalls and endpoint protection for the continuous protection of your individual system – from conception to installation and configuration to commissioning and handover. With regards to endpoint protection, Siemens offers two opposing approaches to protecting against malware: While the antivirus approach blocks the execution of malicious applications, a whitelisting approach only allows the execution of trusted applications. Depending on the application, a different approach might be useful.



© Siemens 2020 25

Figure 20: Application Whitelisting vs. Antivirus

As part of security optimization, we offer services for the ongoing operation of your system in order to obtain comprehensive longterm protection. This includes early detection of cyber threats with Industrial Anomaly Detection. This is an advanced technology based on machine learning that correlates current data traffic against a baseline of normal operation. This passive monitoring has no influence on the production.

Figure 21: Industrial Anomaly Detection



© Siemens 2020 26

In the event of a security incident, our experts will support you remotely to quickly restore the productivity of your system. We also offer solutions to manage vulnerabilities and patches, e.g. the Industrial Vulnerability Manager. This application provides security information on known vulnerabilities and enables manufacturers and operators of automation technology to proactively manage cyber risks – tailored to the respective system and via a onestop shop.

Figure 22: Industrial Vulnerability Manager as MindSphere application – also available as application for

Amazon Web Services or “on premise”

Figure 23: Industrial Vulnerability Manager – graphical dashboard

As you can see, cyber security is a comprehensive process that affects all parts of the plant and re quires continuous auditing and monitoring. Nevertheless, it is possible to secure processes against different threats using as many protection measures as possible and to more effectively reduce your plant‘s own vulnerabilities through open dialog with other experienced companies.



© Siemens 2020 27

Terms and abbreviations

AuthenticationThe detection and identification of a user or (in networked plants) another system.

AuthorizationThe permission for accessing a system or only one (software) part of a system or a program.

Cyber securityAll technical measures for security of a plant such as network protection, system hardening of components and monitoring of incidents.

ProcessThe actual production process, e.g. water supply/treatment, parts production, etc., regardless of whether it is a discrete or continuous process.

Virtual Private Network (VPN)VPN is used to establish an encrypted connection between the VPN nodes, which are also called a VPN group. VPN is like a tunnel into which data communication can be sent from each direction. The data communication is transmitted as encrypted data in the tunnel and is forwarded as unencrypted data again at the end of the tunnel – thus to the other VPN device. The terminal devices do not have to support encryption since the VPN devices take over the encryption task.

Figure 1: Documents of IEC 62443 ....................................................................................................4

Figure 2: The three phases of IT security ............................................................................................5

Figure 3: Procedure for implementing cyber security ..........................................................................8

Figure 4: Risk matrix according to BSI Standard 2003 ........................................................................9

Figure 5: Protection concept “Defense in depth” ............................................................................... 11

Figure 6: Network segmentation corresponding to IEC 6244321 ....................................................13

Figure 7: Connection of remote stations using the SCALANCE M Industrial Router .............................14

Figure 8: Secure remote access to distributed plants with SINEMA Remote Connect. .........................15

Figure 9: Example of WLAN application in the process and office ......................................................16

Figure 10: Network components and TIA Portal connected to UMC ...................................................17

Figure 11: Topological network in SINETPLAN .................................................................................. 18

Figure 12: Bidirectional data exchange between controller (PLC) and SCADA ...................................19

Figure 13: Read access of SCADA system to PLC ............................................................................... 19

Figure 14: Write access of SCADA system to PLC ............................................................................... 19

Figure 15: Project protection in TIA Portal V15 ................................................................................. 19

Figure 16: Access protection by a password in the S71500 .............................................................. 20

Figure 17: Web server of the S71500 with HTTPS and various users ................................................20

Figure 18: OPC UA access of the S71500 limited to an encrypted connection ...................................21

Figure 19: Siemens Industrial Security Services ................................................................................ 24

Figure 20: Application Whitelisting vs. Antivirus .............................................................................. 25

Figure 21: Industrial Anomaly Detection .......................................................................................... 25

Figure 22: Industrial Vulnerability Manager as MindSphere application – also available as application for Amazon Web Services or “on premise” ......................................................26

Figure 23: Industrial Vulnerability Manager – graphical dashboard ..................................................26



© Siemens 2020 28

Security information:

Siemens provides products and solutions with Industrial Security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic Industrial Security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state of the art Industrial Security concept. Thirdparty products that may be in use should also be considered. For more information on Industrial Security, visit: www.siemens.com/industrial-security.

To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit http://support.automation.siemens.com

Published by Siemens AG

Digital Industries P.O. Box 48 48 90026 Nuremberg Germany For the U.S. published by Siemens Industry Inc. 100 Technology Drive Alpharetta, GA 30005 United States

Article No. DFFAB10518017600 WP0718 PDF

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.
