Industrial Security: Real Dangers from the Virtual Space (original title: Industrial Security, Reale Gefahren aus dem virtuellen Raum)
Transcription of the slide deck
Page 1: Helping to increase your resistance to attack
Industrial Security: Real Dangers from the Virtual Space
siemens.com/industrialsecurity
Unrestricted / © Siemens AG 2015. All Rights Reserved.

Page 2: Industrial Security (agenda)
• The age of cyberattacks
• The concept of Defense-in-Depth
• The Siemens approach
• Awareness is Key
• Outlook: in future cybersecurity will be regulated
Unrestricted / © Siemens AG 2015. All Rights Reserved. Page 2, January 2015, Industrial Security: Real Dangers from the Virtual Space

Page 3: Security Trends: Globally we are seeing more network connections than ever before
Trends impacting security:
• Cloud computing approaches
• Increased use of mobile devices
• Wireless technology
• Reduced personnel requirements
• Smart Grid
• Worldwide remote access to remote plants, remote machines and mobile applications
• The "Internet of Things"
Source: World Economic Forum, 50 Global Risks

Page 4: Industrial Security: The corporate security chain is only as strong as its weakest link
Security can fail at any of these points:
• Employee
• Smartphone
• Laptops
• PC workstations
• Network infrastructure
• Mobile storage devices
• Tablet PC
• Computer center
• Policies and guidelines
• Printer
• Production systems

Page 5: Industrial Security: Why has industrial security become so important?
Main trends impacting the vulnerability of automation plants:
• Horizontal and vertical integration at all network levels
• Connection of automation networks with IT networks and the Internet for remote maintenance
• Increased use of open standards and PC-based systems
Possible threats increased by these trends:
• Access violation by unauthorized persons
• Espionage and manipulation of data
• Damage and data loss caused by malware
Several security incidents reveal the vulnerability of automation plants.

Page 6: Industrial Security: Cyber vulnerabilities can affect your plant at many levels
The need to act because of cyber security vulnerabilities:
• Loss of intellectual property, recipes, …
• Sabotage of the production plant
• Plant downtime, e.g. caused by viruses and malware
• Manipulation of data or of application software
• Unauthorized use of system functions
• Regulations and standards for industrial security require conformance
  • Regulations: FDA, NERC CIP, CFATS, CPNI, KRITIS
  • Standards: ISA 99, IEC 62443

Page 7: Threat analysis: Every three years new developments
[Timeline chart, 2001 to 2014, with curves for the number of published vulnerabilities, the number of published exploits and the number of new malware signatures, and a marker for responsible disclosure. Eras shown on the chart, left to right:]
• The Age of Computer Worms (CodeRed, Slammer, Blaster): "Hacking for Fun", hobbyists
• Cybercrime and Financial Interests (Zeus, SpyEye, Rustock): "Hacking for Money", organized criminals
• Politics and Critical Infrastructure (Aurora, Stuxnet, RSA breach, DigiNotar, Anonymous): "Hacking for political and economic gains", hacktivists, state-sponsored actors
• Cyberwarfare preparation (Sony hack, "???" for what comes next): "Development and spreading of cyberwarfare capabilities", multiple state and non-state actors, underground exploit market, systematic remote exploration and reconnaissance of critical infrastructures and vendors, increasing sophistication, focus and brutality/impact of cyber methods, introduction of malicious, sleeping functionality in critical products
Further labels along the timeline: hackers, viruses, worms, backdoors, anti-virus, SPAM, adware, credit card fraud, botnets, banker Trojans, phishing, BlackHat, Nitro, SCADA, APT, targeted attacks, website hacking.

Page 8: Top 10 threats
[Figure only; no text survives extraction.]

Page 9: Industrial Security (agenda, repeated from Page 2)

Page 10: IACS, automation solution, control system
Industrial Automation and Control System (IACS):
• Asset Owner operates the IACS: operational and maintenance policies and procedures (IACS environment / project specific)
• + System Integrator designs and deploys the automation solution: Basic Process Control System (BPCS) and Safety Instrumented System (SIS) (IACS environment / project specific)
• Product Supplier develops the control system as a combination of embedded devices, network components, host devices and applications (independent of the IACS environment); the control system is the base for the automation solution
Unrestricted / © Siemens AG 2015. All Rights Reserved.
Page 11: Actual structure of IEC / ISA-62443: Main documents to be published
The parts are arranged in four columns:
• General (definitions, metrics): 1-1 Terminology, concepts and models (IS 2009); 1-2 Master glossary of terms and abbreviations (DC 10/12); 1-3 System security compliance metrics (DTS 1Q14, rejected)
• Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers): 2-1 Requirements for an IACS security management system, Ed. 2.0, profile of ISO 27001 / 27002 (draft); 2-3 Patch management in the IACS environment (TR 4Q14); 2-4 Requirements for IACS solution suppliers (IS 4Q14)
• System (requirements to achieve a secure system): 3-1 Security technologies for IACS (TR 2009); 3-2 Security risk assessment and system design (draft); 3-3 System security requirements and security levels (IS 08/2013)
• Component (requirements to secure system components): 4-1 Product development requirements (draft); 4-2 Technical security requirements for IACS products (draft)
The rows distinguish functional requirements from processes / procedures. Status markers shown for the drafts on the slide: ID 4Q13, DC 2Q13.
Legend: DC = Draft for Comment; IS = International Standard; CDV = Committee Draft for Vote; TR = Technical Report; ID = Initial Draft; DTS = Draft Technical Specification

Page 12: Various parts of IEC / ISA-62443 are addressing Defense in Depth
Main parts of IEC 62443 by stakeholder:
• Asset Owner: 2-1, 2-4 (operational and maintenance policies and procedures)
• System Integrator: 2-4 (policies and procedures); 3-2, 3-3 (security capabilities of the automation solution)
• Product Supplier: 3-3, 4-2 (security capabilities of the products); 4-1 (development process)
'Defense in Depth' involves all stakeholders: Asset Owner, System Integrator, Product Supplier.
Page 13: IACS, automation solution, control system (with the applicable parts of IEC 62443)
• Asset Owner operates the IACS: operational and maintenance policies and procedures (2-1, 2-4)
• + System Integrator designs and deploys the automation solution: Basic Process Control System (BPCS) and Safety Instrumented System (SIS) (2-4, 3-2, 3-3); IACS environment / project specific
• Product Supplier develops the control system as a combination of embedded devices, network components, host devices and applications (4-1, 3-3, 4-2); independent of the IACS environment; the control system is the base for the automation solution

Page 14: Each stakeholder can create vulnerabilities (example: user identification and authentication)
• Asset Owner (operational and maintenance policies and procedures) can create weaknesses: invalid accounts not deleted; non-confidential passwords; passwords not renewed
• System Integrator (automation solution: BPCS, SIS) can create weaknesses: temporary accounts not deleted; default passwords not changed
• Product Supplier (control system: embedded devices, network components, host devices, applications) can create weaknesses: elevation of privileges; hard-coded passwords

Page 15: Industrial Security (agenda, repeated from Page 2)
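The account weaknesses listed for the asset owner and the system integrator on Page 14 are all things an operator can check for in the account inventory of an automation solution. The following is an added example, not code from the Siemens deck: a small audit over a constructed account inventory that flags invalid accounts not deleted, passwords not renewed, temporary accounts past their expiry, default passwords not changed and passwords shared between accounts (which are therefore not confidential). The 90-day password age, the default-password list and the account records are assumptions for the demonstration; the unsalted fingerprint is used only so the demo can detect shared passwords without storing them in clear.

```python
# Added example (not from the Siemens deck): audit of an account inventory for the
# user-identification weaknesses the slide attributes to asset owner and integrator.
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy value for the demo

# Constructed stand-ins for vendor default credentials; not real product defaults.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "123456"}


def password_fingerprint(password: str) -> str:
    """Unsalted SHA-256, only so the demo can compare passwords without storing
    them in clear. A real credential store must use a salted, slow KDF."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


DEFAULT_FINGERPRINTS = {password_fingerprint(p) for p in KNOWN_DEFAULT_PASSWORDS}


@dataclass(frozen=True)
class Account:
    name: str
    holder_active: bool          # False once the person has left the site
    temporary: bool              # commissioning / service account
    expires: Optional[date]      # only meaningful for temporary accounts
    last_password_change: date
    fingerprint: str


Finding = Tuple[str, str, str]  # (account, stakeholder, weakness)


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per weakness, attributed to the stakeholder as on the slide."""
    findings: List[Finding] = []
    for acc in accounts:
        if not acc.holder_active:
            findings.append((acc.name, "asset owner", "invalid account not deleted"))
        if today - acc.last_password_change > MAX_PASSWORD_AGE:
            findings.append((acc.name, "asset owner", "password not renewed"))
        if acc.temporary and acc.expires is not None and acc.expires < today:
            findings.append((acc.name, "system integrator", "temporary account not deleted"))
        if acc.fingerprint in DEFAULT_FINGERPRINTS:
            findings.append((acc.name, "system integrator", "default password not changed"))
    # Two accounts with the same password: that password is not confidential.
    by_fingerprint: Dict[str, List[str]] = {}
    for acc in accounts:
        by_fingerprint.setdefault(acc.fingerprint, []).append(acc.name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                findings.append((name, "asset owner", "non-confidential (shared) password"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per stakeholder."""
    counts: Dict[str, int] = {}
    for _, stakeholder, _ in findings:
        counts[stakeholder] = counts.get(stakeholder, 0) + 1
    return counts


# Constructed sample inventory (names, dates and passwords are invented).
TODAY = date(2015, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("op_mueller", True, False, None, date(2014, 12, 20), password_fingerprint("Winter-2014!")),
    Account("op_schmidt", False, False, None, date(2014, 12, 1), password_fingerprint("Otter-77")),
    Account("commissioning", True, True, date(2014, 11, 30), date(2014, 11, 1), password_fingerprint("admin")),
    Account("svc_hmi", True, False, None, date(2014, 6, 1), password_fingerprint("Winter-2014!")),
]

if __name__ == "__main__":
    for account, stakeholder, weakness in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{account:14s} {stakeholder:18s} {weakness}")
```

Run against the sample inventory, the audit reports six findings: the departed operator's account still exists, the service account's password is 229 days old and is shared with an operator account, and the commissioning account is both expired and still on a default password. The same structure carries over to real inventories exported from a domain controller or an HMI user management tool, where the fingerprint comparison would be replaced by whatever the store offers for detecting reused or default credentials.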
Page 16: IACS, automation solution, control system: Siemens is product and solution supplier
• Asset Owner operates the IACS: operational and maintenance policies and procedures
• + System Integrator designs and deploys the automation solution: Basic Process Control System (BPCS), Safety Instrumented System (SIS), complementary hardware and software (IACS environment / project specific)
• Product Supplier develops the control system as a combination of embedded devices, network components, host devices and applications (independent of the IACS environment); the control system is the base for the automation solution

Page 17: Industrial Security: The Defense in Depth Concept
Plant security:
• Physical prevention of access to critical areas
• Establishing a security management process
Network security:
• Controlled interfaces between office and plant network, e.g. via firewalls
• Further segmentation of the plant network
System integrity:
• Antivirus and whitelisting software
• System hardening
• Maintenance and update processes
• User authentication for plant or machine operators
• Integrated access protection mechanisms in automation components
Security solutions in an industrial context must take account of all protection layers.

Page 18: Industrial Security: The Siemens Approach
The Siemens approach is based on five key points:
• Implementation of security management
• The interfaces are subject to regulations and are monitored accordingly
• PC-based systems must be protected
• The control level must be protected
• Communication must be monitored and can be segmented
Page 19: Industrial Security: The Siemens Solution
• Industrial Security Services: managed service and consulting
• Security Management: processes and policies
• Products & Systems: secure PCs, controllers and networks (integral security in PCs and controllers; security products for networking and communication)
The Siemens solution reduces your risk with a well thought-out security concept.

Page 20: Step-by-step approach for long-term protection of your industrial control system (ICS)
Step 1: Assess. Information about the security status and development of a security roadmap:
• Vulnerability analysis
• Gap analysis
• Threat analysis
• Risk analysis
Step 2: Implement. Planning, development and implementation of a holistic cyber security program:
• Cyber security training
• Development of security strategies and procedures
• Implementation of security technology
Step 3: Continuous security services. Continuous security through detection and proactive protection:
• Global threat intelligence
• Detection and resolution of incidents
• Fast adaptation to changing threats

Page 21: Industrial Security: The Siemens solution for plant security (the five key points from Page 18, with plant security highlighted)
• Implementation of security management
• The interfaces are subject to regulations and are monitored accordingly
• PC-based systems must be protected
• The control level must be protected
• Communication must be monitored and can be segmented
Page 22: Industrial Security: Security Management
Security management process (a cycle):
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation & improvement
• Risk analysis with definition of mitigation measures
• Setting up of policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of the risk analysis
Security management is essential for a well thought-out security concept.

Page 23: Industrial Security: The Siemens Solution for Network Security (the five key points from Page 18, with network security and system integrity highlighted)
• Implementation of security management
• The interfaces are subject to regulations and are monitored accordingly
• PC-based systems must be protected
• The control level must be protected
• Communication must be monitored and can be segmented

Page 24: Industrial Security: Security Integrated is an essential component of a Defense in Depth concept
Plant security:
• Access blocked for unauthorized persons
• Physical prevention of access to critical components
Network security:
• Controlled interfaces with SCALANCE firewalls
• Further segmentation with Advanced CPs
System integrity:
• Know-how protection
• Copy protection
• Protection against manipulation
• Access protection
• Expanded access protection with CP 1543-1
Siemens products with Security Integrated provide security features such as an integrated firewall, VPN communication, access protection and protection against manipulation.
Page 25: Industrial Security: SIMATIC S7-1500 and the TIA Portal: Security Highlights
The SIMATIC S7-1500 and the TIA Portal provide several security features:
• Increased know-how protection in STEP 7: protection of intellectual property and effective investment
  • Password protection against unauthorized opening of program blocks in STEP 7, and thus protection against unauthorized copying of, e.g., developed algorithms
  • Password protection against unauthorized evaluation of the program blocks with external programs, whether from the STEP 7 project, from the data on the memory card or from program libraries
• Increased copy protection: protection against unauthorized reproduction of executable programs
  • Binding of single blocks to the serial number of the memory card or PLC
  • Protection against unauthorized copying of program blocks with STEP 7
  • Protection against duplicating the project saved on the memory card
Page 26: Industrial Security: SIMATIC S7-1500 and the TIA Portal: Security Highlights (continued)
The SIMATIC S7-1500 and the TIA Portal provide several security features:
• Increased access protection (authentication): extensive protection against unauthorized project changes
  • New protection level 4 for the PLC: complete lockdown (HMI connections also need a password) *
  • Configurable levels of authorization (1-3, each with its own password)
  • For access over PLC and communication module interfaces
  • General blocking of project parameter changes via the built-in display
• Expanded access protection: extensive protection against unauthorized project changes
  • Via the Security CP 1543-1 by means of integrated firewall and VPN communication
• Increased protection against manipulation: protection of communication against unauthorized manipulation for high plant availability
  • Improved protection against manipulated communication by means of digital checksums when accessing controllers
  • Protection against network attacks such as the injection of faked or recorded network communication (replay attacks)
  • Protected password transfer for authentication
  • Detection of manipulated firmware updates by means of digital checksums
* Optimally supported by SIMATIC HMI products and the SIMATIC NET OPC Server

Page 27: Industrial Security (agenda, repeated from Page 2)
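Three of the manipulation-protection items on Page 26 (digital checksums on controller communication, rejection of recorded frames, and password transfer that does not expose the password) can be shown together in one small model. The following is an added example and is not Siemens code, nor a description of the S7-1500's actual protocol: it uses a challenge-response login so the password never crosses the wire, an HMAC-SHA256 checksum over every frame so altered frames are rejected, and a strictly increasing sequence number covered by that checksum so a recorded frame replayed later is rejected. The frame layout, the PBKDF2 key derivation, the salt, the `Controller` and `Client` classes and the `demo()` sequence are all assumptions made for the demonstration.

```python
# Added example (not Siemens code, not the S7-1500 protocol): a generic model of
# protected password transfer, checksum-protected frames and replay rejection,
# built only from Python's standard library.
import hashlib
import hmac
import os
import struct

MAC_LEN = 32  # bytes of HMAC-SHA256 appended to each frame
SEQ_LEN = 8   # bytes of big-endian sequence number at the start of each frame


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides derive the shared key from the configured password (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Controller:
    """Receiving side: issues challenges, checks checksums and sequence numbers."""

    def __init__(self, password: str, salt: bytes):
        self._key = derive_key(password, salt)
        self._challenge = None
        self._last_seq = 0
        self.authenticated = False

    def new_challenge(self) -> bytes:
        self._challenge = os.urandom(16)  # fresh random value, used exactly once
        return self._challenge

    def authenticate(self, response: bytes) -> bool:
        """The client proves knowledge of the password without sending it."""
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, b"auth" + self._challenge, hashlib.sha256).digest()
        self._challenge = None  # a captured response cannot be presented again
        self.authenticated = hmac.compare_digest(expected, response)
        return self.authenticated

    def receive(self, frame: bytes) -> str:
        if not self.authenticated:
            return "rejected: not authenticated"
        if len(frame) < SEQ_LEN + MAC_LEN:
            return "rejected: malformed"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad checksum"  # payload or sequence number was altered
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self._last_seq:
            return "rejected: replay"        # a recorded frame is being resent
        self._last_seq = seq
        return "accepted"


class Client:
    """Sending side: answers challenges and builds checksum-protected frames."""

    def __init__(self, password: str, salt: bytes):
        self._key = derive_key(password, salt)
        self._seq = 0

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, b"auth" + challenge, hashlib.sha256).digest()

    def build_frame(self, payload: bytes) -> bytes:
        self._seq += 1
        body = struct.pack(">Q", self._seq) + payload
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Walk through the exchanges; the payload strings are constructed for the demo."""
    salt = b"constructed-salt"  # constructed; a real device would hold a per-device salt
    plc = Controller("Zone3-Commissioning!", salt)
    engineer = Client("Zone3-Commissioning!", salt)
    intruder = Client("guess", salt)

    results = {}
    results["wrong_password"] = plc.authenticate(intruder.respond(plc.new_challenge()))
    results["before_auth"] = plc.receive(engineer.build_frame(b"WRITE DB1.DBW0 = 120"))
    results["correct_password"] = plc.authenticate(engineer.respond(plc.new_challenge()))

    frame = engineer.build_frame(b"WRITE DB1.DBW0 = 120")
    results["first"] = plc.receive(frame)
    # Flip one bit of the last payload byte: the checksum no longer matches.
    tampered = frame[:-MAC_LEN - 1] + bytes([frame[-MAC_LEN - 1] ^ 0x01]) + frame[-MAC_LEN:]
    results["tampered"] = plc.receive(tampered)
    # Resend the recorded, genuine frame: valid checksum, stale sequence number.
    results["replayed"] = plc.receive(frame)
    results["next"] = plc.receive(engineer.build_frame(b"WRITE DB1.DBW0 = 121"))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:18s} -> {outcome}")
```

The sequence number does double duty: because it sits inside the checksummed body, an attacker cannot bump it on a recorded frame without invalidating the checksum, which is why replay detection and integrity protection have to be designed together rather than bolted on separately.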
Page 28: Security awareness is a basic element
Industrial security must be addressed at different levels:
• Technical security
• Organization
• Security awareness
• Processes
• Standardization / regulations

Page 29: … the 10 top tips for information security
1. Classify information correctly, e.g. as "confidential", and protect it accordingly
2. Make information accessible only to those who really need it
3. Do not pass on personal passwords, access codes or your PIN/PKI, not even so that someone can stand in for you
4. Store or send confidential information only in encrypted form. Encrypt your communication with external parties
5. Use secure disposal channels for confidential information, e.g. special containers or shredders
6. When travelling, carry only the information and devices you really need
7. Protect information from unwanted eyes and unwanted listeners, in the office and in public
8. Always be careful and vigilant when using the Internet and e-mail
9. Always keep your PC and antivirus software up to date
10. Notify your InfoSec Advisor immediately if you are unsure or suspect a threat

Page 30: Industrial Security (agenda, repeated from Page 2)

Page 31: Security will be regulated
[Figure only; no further text survives extraction.]
Page 32: Assessment of cybersecurity requires a holistic approach
Cybersecurity protection of the IACS:
• Asset Owner: has the appropriate operational and maintenance policies and procedures to operate an automation solution in a secure fashion
• + Automation solution: fulfills the security functionalities required by the target protection level of the plant it controls
Security levels (SL):
• SL 1: Protection against casual or coincidental violation
• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation

Page 33: Thank you for your attention!
Dr. Pierre Kobes, Product and Solution Security Officer, PD TI ATS TM 2
E-Mail: [email protected]
siemens.com/industrialsecurity

Page 34: Industrial Security: Support & Service for Industrial Security
Information about Industrial Security:
• WWW: http://www.siemens.de/industrialsecurity
• Email: [email protected]
Contact in Marketing Promotion Industrial Security: Oliver Narr, Email: [email protected], Phone: +49 (911) 895-2442
Contact for Industrial Security Services: Stefan Woronka, Email: [email protected], Phone: +49 (721) 595-4500
Page 35: Industrial Security: Support & Service for Industrial Security
SIMATIC System Presales Support, Factory Automation: Email: [email protected], Phone: +49 (911) 895-4646
Contact in Security Product Management, Factory Automation: Dirk Gebert, Email: [email protected], Phone: +49 (911) 895-2253
Contact for Motion Control: Sven Härtel, Email: [email protected], Phone: +49 (9131) 98-3059

Page 36: Industrial Security: Support & Service for Industrial Security
SIMATIC System Presales Support, Process Automation: Email: [email protected], Phone: +49 (721) 595-7117
Contact in Security Product Management, Process Automation: Jean-Luc Gummersbach, Email: [email protected], Phone: +49 (721) 595-8637

Page 37: Industrial Security: Support & Service for Industrial Security
SIMATIC NET support for Network Security: Email: [email protected], Phone: +49 (911) 895-2905
Customer Support: WWW: http://support.automation.siemens.com, Phone: +49 (911) 895-7222

Page 38: Industrial Security: Any questions about Network Security?
Contact in Security Product Management, Network Security: Franz Köbinger, Email: [email protected], Phone: +49 (911) 895-4912
Contact in Business Development, Network Security: Maximilian Korff, Email: [email protected], Phone: +49 (911) 895-2839
Contact in Marketing Promotion, Network Security: Christine Gaida, E-Mail: [email protected], Phone: +49 (911) 895-2111
Page 39: Industrial Security: Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. a cell protection concept) and to integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Page 40: Thank you for your attention!
Dr. Pierre Kobes, Product and Solution Security Officer, PD TI ATS TM 2
E-Mail: [email protected]
siemens.com/industrialsecurity