Industrial Security
How to secure your production plants against attacks from the Internet
"Industrial Security to guarantee top performance in production"
09.02.2012, Mannheim, VDI
Tino Hildebrand, Head Marketing & Promotion SIMATIC HMI, Industrial Automation Systems, Siemens AG
© Siemens AG 2012. All Rights Reserved.
CERT (Computer Emergency Response Team): global network for cyber security issues and requests
The organizational background for CERT organizations:
- The first CERT was founded in 1988 as a consequence of the first Internet worm
- Approx. 250 CERT organizations worldwide representing both governmental and private organizations
- Trusted information exchange via the FIRST (Forum of Incident Response and Security Teams) organization; new parties must be introduced by at least two existing members
- Expected rules of cooperation between FIRST members are defined in the FIRST operational framework
CERT cooperation (diagram): Department of Homeland Security (DHS), National Cyber Security Division (NCSD), Control Systems Security Program (CSSP); Industrial Control Systems CERT (ICS-CERT), focus: control systems only, cooperates with US-CERT, focus: all IT-related issues related to the US
Page 2
2012-02-13
I IA AS S MP / Tino Hildebrand
© Siemens AG 2012. All Rights Reserved. Industry Sector
Current CERT landscape showing Siemens CERT and other exemplary CERT organizations
Worldwide CERT network (over 250 governmental/private CERT organizations), e.g. US-CERT, CERT-Bund (part of BSI), GovCERT.NL, ICS-CERT, UKCERT, CERT/CC, AusCERT, CNCERT
Siemens CERT (Product CERT Service, Corporate CERT Service) is the first contact point for cyber security issues and requests concerning Siemens internal IT as well as product issues and requests
Communication between Siemens & ICS-CERT:
- Information is exchanged via trusted, encrypted channels (data) or telephone
- ICS-CERT has so far notified Siemens CERT of several vulnerabilities which were disclosed by researchers to them
Source: CERT/CC
Industrial Security, agenda:
- Introduction
- Technological challenges
- How to implement Industrial Security
- Siemens to support your Industrial Security strategy
- The Defense in Depth Strategy in detail
- Summary
Industrial Security: What are the current publications all about?
Remember "Stuxnet" in 2010?
- Stuxnet was a highly sophisticated piece of malware
- Combined known and unknown vulnerabilities
- Designed to sabotage industrial processes
What are these new SIMATIC "vulnerabilities"?
- Test of automation vendor components by ICS-CERT (CERT = Computer Emergency Response Team(s), ICS = Industrial Control Systems)
- Negative test results are sent as "alerts" to vendors
- Vendors patch weaknesses and/or warn customers
Industrial Security: Vulnerability disclosures, trends and growth
Reasons for a strong growth of vulnerability disclosures. Trends:
- Applications shifting to cloud computing approaches
- Increased use of mobile devices
Weak members in the corporate security chain (top down): employee, smartphone, laptops, PC workstations, network infrastructure, mobile storage devices, tablet PC, computer centre, policies and guidelines, printer, production systems
Industrial Security: Why is Industrial Security so important?
Industrial Security for protection of production plants and automation systems. Possible threat scenarios:
- Spying on data, recipes, ...
- Sabotage of production plant
- Plant downtime, e.g. caused by viruses and malware
- Manipulation of data or of application software
- Unauthorized use of system functions
Possible effects of a security incident:
- Risk of death and serious injury
- Environmental impact
- Loss of intellectual property
- Loss of production or impaired product quality
- Damage to company image and financial loss
Industrial Security has to cover a broad range of objectives
Market security requirements: security requirements are driven by process automation (e.g. pharmaceuticals, FDA) and the energy industry:
- Automated asset management of used components
- Automated identification of the status of production
- (Legal) proof of authorized exchange of devices
- OEM request: copy protection of their software components (even if reverse engineering is used)
Requirements in integrated security for automation products:
- Know-how protection
- Access protection and user management
- Communication security
- System integrity
- Process security for the whole supply chain
- Additional malware/spyware protection
Industrial Security addresses the requirements of end customers, machine builders and system integrators
Industrial Security: Office and industrial world with different requirements
Requirements that a security solution must meet in an industrial context:
- 24/7/365 availability has top priority
- Open standards for seamless communication and functionality
- Common standards, e.g. Microsoft system software, as basis of automation solutions
- Constant operability and assured system access
- System performance
- Protection against mal-operations and sabotage
- Know-how protection
- System and data integrity
- Continuous communication between office and production IT systems for real-time monitoring and control
- Data transfer in real time for efficient production processes
- Support throughout the lifecycle of a plant
- Security trail and change management
Protection goals in order of priority: Office Security ranks Confidentiality, Integrity, Availability; Industrial Security ranks Availability, Integrity, Confidentiality.
Industrial Security: Why implement a security strategy instead of having just security measures?
Great Wall: an "unconquerable" wall, a single layer of protection, no more checkpoints behind the wall
No single security measure is good enough to prevent intrusions!
Defense in Depth: multiple layers of protection; each layer supports the other layers; for every transition between two layers an attacker must spend time and effort
Industrial Security: "Defense in Depth" strategy, creating multiple layers of protection
"Defense in Depth" because you should not rely on just one measure. Layers between a potential threat and the DCS:
- Physical security: physical access to facilities and equipment
- Policies & procedures: security management processes, operational guidelines, business continuity management & disaster recovery
- Security cells & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell
- System hardening: adapting the system from default to secure
- User account management: administration of operator and user rights (role-based access control)
- Patch management
- Malware detection and prevention: anti-virus and whitelisting
Industrial Security: "Defense in Depth" strategy, example
- Prevention: firewall, VPN
- Reaction: IDS, IPS, virus scanner
- Tolerant: embedded hardening
A safe and trustworthy operation needs more than one security layer; embedded security is needed
Industrial Security: Fundamental Industrial Security levels
Plant security:
- Access blocked for unauthorized persons
- Physical prevention of access to critical components
Plant IT security:
- Controlled interfaces between office and plant network, e.g. via firewalls
- Further segmentation of the plant network
- Antivirus and whitelisting software
- Maintenance and update processes
Access protection:
- User authentication for plant or machine operators
- Integrated access protection mechanisms in automation components
Industrial Security levels according to current standards and regulations
Security solutions in an industrial context must take account of all protection levels
Industrial Security: Automation cells guarantee high productivity and ensure security requirements
Complete plant security (diagram): Internet, secure automation cells, secure communication between automation cells
Structured actions as part of a comprehensive security concept are required on several different levels. One important protection level is to create secure automation cells by segmenting the network and restricting communication between the cells. Open communication between different automation components within a secure automation cell is state-of-the-art and standardized (it is, for example, quite common to run production via OPC).
Industrial Security needs contribution by everyone
Roles: management, operators, OEM / system integrators, component suppliers
- Requirements that operators of industrial automation systems must meet: security guidelines and processes, risk management in terms of security, information and document management, etc.
- System-side requirements in terms of access protection, user control, data integrity and confidentiality, controlled data flow, etc.
- Measures and processes that prevent unauthorized access of persons to the surrounding area of the plant; physical access protection for critical automation components (e.g. locked control cabinets)
- Requirements that components of an automation system must meet in terms of product development processes and product functionalities
Industrial Security: Siemens Industrial Security approach
The Siemens Industrial Security approach is based on five key points that cover the main aspects of protection in all Industrial Security levels:
- Implementation of practicable and comprehensive security management in terms of the technology used as well as the engineering and production processes.
- The interfaces to office IT and the Internet/intranet are subject to clearly defined regulations and are monitored accordingly.
- PC-based systems (HMI, engineering and PC-based controls) must be protected with the aid of anti-virus software, whitelisting (positive lists) and integrated security mechanisms.
- The control level is protected by various integrated security functions.
- Communication must be monitored and can be intelligently segmented by means of firewalls.
Industrial Security: Siemens offering
Industrial Security Services:
- Professional consulting from the initial planning steps, through implementation and operation of a tailor-made solution, right up to its modernization
- Analysis of weak points
- Design of customized security solutions
Security Management:
- Within operations there is a clear need for processes and policies that cover all aspects of security
- Operational guidelines form an essential part of every Industrial Security concept
Products & Systems:
- Well thought-out concepts for the security of PCs, controllers and networks, fully in keeping with the spirit of Totally Integrated Automation
- Integral security in PCs and controllers
- Security products for networking and communication
Siemens supports in selectively implementing these measures, within the scope of an integrated range for industrial security
Industrial Security: Security Management
Security management and operational guidelines form an essential part of every Industrial Security concept. Security measures have to be defined depending on the identified threats and risks to the plant.
Security management process (cycle):
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation & improvement
Achievement and continuous preservation of the necessary security level needs a rigorous security management process containing risk analysis with definition of mitigation measures, coordination of organizational / technical measures, and regular / event-based repetition of the risk analysis.
Industrial Security must be established at suppliers, integrators and operators alike. Products, plants and processes have to be compliant with existing due diligence based on laws, standards, internal guidelines and the state of the art.
Operational guidelines cover organizational and technical measures
Industrial Security, "Defense in Depth" strategy: Physical Security
Ignoring the risk of physical security could undo all other security measures. Restrict physical and unauthorized access to:
- Facilities and buildings
- Control and equipment rooms
- Cabinets
- Devices, PCs (USB, CD/DVD)
- Switches, cables and wiring
- LAN ports, WiFi, ...
- Controller, IO system, PS, etc.
Industrial Security, "Defense in Depth" strategy: Policies, Procedures, Training, the most critical path of an effective security strategy
- Management buy-in
- Defined responsibilities
- Control-system specific: remote access & service laptops, portable media, patch management strategy, malware protection
- Mitigation and disaster recovery plan
- Change management & documentation
- Maintenance of security measures (e.g. FW rules)
- Regular auditing of implemented measures
- Raise security awareness of personnel
- Provide training on policies and procedures
Industrial Security, "Defense in Depth" strategy: Security Cells and DMZ, key to a secure system architecture
- Limits the effect of a security threat to the local cell
- Internal network structure will not be visible from outside
- Access to the security cell only via clearly defined access points
Industrial Security, "Defense in Depth" strategy: Firewalls and VPN, secure access to the security cell
- Virtual Private Networks (VPN) with data encryption secure connections between cells through an unprotected network
- SCALANCE S for encrypted, authenticated data exchange between devices through the IPsec tunnel in the VPN
- The data exchange/communication is protected against eavesdropping, espionage and manipulation
Industrial Security, "Defense in Depth" strategy: System Hardening
- Commercially available PCs contain a lot of software that is not used by the process control system
- Many viruses are written against common software like Internet Explorer, Media Player, ActiveX, JavaScript, ...
Adapt an out-of-the-box system from default to secure:
- Disable or lock down USB, CD/DVD and unused communication ports
- Remove and disable unnecessary applications, protocols and services, e.g. e-mail, games, Autorun, screensaver, Messenger, ...
- Apply latest MS patches
- SSC Siemens Security Console (DCOM, FW, limiting file, registry, sharing and database access)
- BIOS password and limited desktop and system access
"IP hardened" equipment ensures that critical automation components do not fail when subjected to communication stress
Industrial Security, "Defense in Depth" strategy: Preventing a wide range of attacks, Patch Management
- 90% of all successful cyber security attacks are based on vulnerabilities for which patches have already been released
- Only 2% of all equipment is completely patched (source: Secunia)
PCS 7/WinCC support for MS security patches:
- New MS security patches are tested for compatibility with the latest/supported versions of PCS 7
- Test results published via newsletter and FAQ: http://support.automation.siemens.com/WW/view/en/18490004
- Patch deployment via a centralized patch server located in a perimeter network (DMZ) and Windows Server Update Services (WSUS)
- Setup of patch groups and procedures for updating online (redundant system)
Industrial Security, "Defense in Depth" strategy: Malware detection and prevention, Virus Scanner & Whitelisting
The following virus scanners are approved:
- Trend Micro OfficeScan
- Symantec Endpoint Protection
- McAfee VirusScan Enterprise
To avoid a negative impact on performance or response time of the system, follow the recommended setup guidelines for PCS 7/WinCC based control systems.
Whitelisting to stop unauthorized applications and malware:
- Whitelisting software creates or holds a list of programs and applications that are allowed to be executed on a PC
- Software that is not part of the "whitelist" will not be executed
Benefits:
- No pattern updates required, hence less maintenance
- Effective protection against zero-day exploits
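The whitelisting decision described above, as an added example that is not part of the presentation or of any Siemens product: the allowlist is a set of SHA-256 digests of known-good programs, so a modified file is blocked even under its original name and without any pattern update. File names and contents are constructed stand-ins for real PCS 7/WinCC binaries.

```python
"""Hash-based application whitelisting check (added example, constructed data)."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample "executables"; the bytes stand in for real binary images.
KNOWN_GOOD: Dict[str, bytes] = {
    "WinCCExplorer.exe": b"MZ\x90\x00 constructed wincc explorer image",
    "OSClient.exe": b"MZ\x90\x00 constructed os client image",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: Dict[str, bytes]) -> Set[str]:
    """Snapshot of a clean system: one digest per approved program."""
    return {sha256_hex(content) for content in files.values()}


def execution_allowed(name: str, content: bytes, allowlist: Set[str]) -> bool:
    """The decision is by content hash only; the file name carries no trust."""
    return sha256_hex(content) in allowlist


def evaluate_requests(requests: List[Tuple[str, bytes]],
                      allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (name, decision) pairs, e.g. for the whitelisting console's audit trail."""
    return [
        (name, "ALLOW" if execution_allowed(name, content, allowlist) else "BLOCK")
        for name, content in requests
    ]


ALLOWLIST = build_allowlist(KNOWN_GOOD)

# Constructed execution requests as the whitelisting agent would see them.
REQUESTS: List[Tuple[str, bytes]] = [
    ("WinCCExplorer.exe", KNOWN_GOOD["WinCCExplorer.exe"]),        # approved program
    ("WinCCExplorer.exe", b"MZ\x90\x00 constructed tampered image"),  # same name, altered content
    ("update.exe", b"MZ\x90\x00 constructed unknown dropper"),        # unknown; no AV pattern exists
    ("renamed.exe", KNOWN_GOOD["OSClient.exe"]),                     # approved content, new name
]

if __name__ == "__main__":
    for name, decision in evaluate_requests(REQUESTS, ALLOWLIST):
        print(f"{decision:5} {name}")
```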
Industrial Security, "Defense in Depth" strategy: Summary, segmentation in security cells and DMZ
Enterprise Control Network: office PCs, WSUS or WWW, WAN, behind the IT firewall
Front firewall: cell access via front & back firewall only
Perimeter network (DMZ): WSUS, AV server, whitelisting console, quarantine PC
Back firewall
Process Control Network (DCS): OS clients, OS servers, engineering station
Measures:
- All ports and media drives disabled
- PC hardening
- Latest MS patches
- Role-based access control and user account management with least privilege principle
- Anti-virus & whitelisting
- File and data transfer to and from PCS 7 via "quarantine PC" and FTP/SFTP in the DMZ
- Remote access via secure communication, dedicated access points and defined support user accounts
- and... policies and procedures!
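The zone model above, expressed as a checkable access policy; this is an added example, not Siemens code or a real firewall ruleset. Zone names (ECN, DMZ, PCN), the permitted services and the sample flow log are constructed; the one invariant taken from the slide is that nothing reaches the Process Control Network except through the DMZ, i.e. via the front and back firewall in sequence.

```python
"""Zone policy for the security-cell / DMZ architecture (added example, constructed rules)."""
from typing import List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_zone: str  # "ECN" (Enterprise Control Network), "DMZ", "PCN" (Process Control Network)
    dst_zone: str
    service: str   # constructed service labels: wsus, av, whitelist, sftp, rdp, smb


Rule = Tuple[str, str, str]

# Constructed rules for the front firewall (ECN <-> DMZ).
FRONT_FW: Set[Rule] = {
    ("DMZ", "ECN", "wsus"),   # DMZ WSUS synchronises from the IT WSUS / WWW
    ("DMZ", "ECN", "av"),     # AV server fetches pattern updates
    ("ECN", "DMZ", "sftp"),   # files are dropped on the quarantine PC, nowhere else
    ("ECN", "DMZ", "rdp"),    # remote support lands on a dedicated access point
}
# Constructed rules for the back firewall (DMZ <-> PCN).
BACK_FW: Set[Rule] = {
    ("DMZ", "PCN", "wsus"),      # patch distribution
    ("DMZ", "PCN", "av"),        # AV updates
    ("DMZ", "PCN", "whitelist"), # whitelisting console
    ("DMZ", "PCN", "sftp"),      # quarantine PC -> engineering station
    ("PCN", "DMZ", "sftp"),      # and back
}


def allowed(flow: Flow) -> bool:
    """Allow a flow only if the firewall on its path lists it explicitly.

    Intra-zone traffic crosses no firewall. ECN <-> PCN can never be allowed:
    it would have to pass both firewalls in one hop, which the architecture forbids.
    """
    if flow.src_zone == flow.dst_zone:
        return True
    if {flow.src_zone, flow.dst_zone} == {"ECN", "PCN"}:
        return False
    rule = (flow.src_zone, flow.dst_zone, flow.service)
    if "ECN" in (flow.src_zone, flow.dst_zone):
        return rule in FRONT_FW
    return rule in BACK_FW


def audit(log_lines: List[str]) -> List[str]:
    """Check constructed flow-log lines of the form 'src dst service'; report violations."""
    violations = []
    for line in log_lines:
        src, dst, svc = line.split()
        if not allowed(Flow(src, dst, svc)):
            violations.append(f"DENY {src}->{dst} {svc}")
    return violations


# Constructed flow log, as an operator might collect it from both firewalls.
SAMPLE_LOG = [
    "DMZ ECN wsus",   # ok: WSUS synchronisation
    "ECN DMZ sftp",   # ok: file drop on the quarantine PC
    "ECN PCN rdp",    # violation: office PC straight to an OS server
    "ECN PCN smb",    # violation: file share into the PCN, bypassing quarantine
    "DMZ PCN sftp",   # ok: quarantine PC to engineering station
    "DMZ PCN smb",    # violation: only SFTP crosses the back firewall
    "PCN PCN smb",    # ok: traffic inside the cell is not firewalled here
    "ECN DMZ smb",    # violation: only SFTP/RDP cross the front firewall
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(v)
```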
Industrial Security: More security where it matters in industrial automation
- Security at the control level
- Security at the communication level
- Security Management
- IT link to the office world
- PC-based security functions
See the website
Summary
- Industrial Security is not only a topic of technical implementation, but starts from security awareness across all layers of management and employees
- Security is an ongoing task and must be ensured through all lifecycle phases
- There is no 100% security: security is a process involving management, operators, integrators and suppliers, and not only a product for sale
- Siemens Industry Automation provides products, systems and solutions as well as professional services to ensure overall Industrial Security for customers
Thank you for your attention!
Tino Hildebrand, Head Marketing & Promotion SIMATIC HMI, I IA AS S MP
Phone: +49 (911) 895 7964
Fax: +49 (911) 895 15 3949
Cellular: +49 (173) 707 3246
E-Mail: [email protected]
© Siemens AG 2012. All Rights Reserved. 20120209_IndustrialSecurity_VDI_Mannheim_Hildebrand_EN.ppt