Page 1 DF/PD Siemens Belgium-Luxembourg

The challenge: Increasing Vulnerability

Stuxnet

Security Trends: OT security is essential to protect industrial automation

Information technologies are used in industrial automation
• Horizontal and vertical integration
• Open standards
• PC-based systems

Increased security threats demand action
• Loss of intellectual property, recipes …
• Plant standstill, e.g. due to viruses or malware
• Sabotage in the production plant
• Manipulation of data or application software
• Unauthorized use of system functions

Compliance with standards and regulations is required

The challenge: Increasing Vulnerability

What is it all about? Exponentially increasing number of incidents and attacks on companies – with both IT and OT as main targets.

[Figure labels: IT-Security, Industrial Security, Digitalisation, Safety & Security]

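The challenge: Increasing Vulnerability

IT-Security compared with Industrial Security
• Confidentiality, Integrity, Availability (IT-Security); Availability, Confidentiality, Integrity (Industrial Security)
• Availability: second to minute range accepted (IT-Security); network failure times < 300 ms (Industrial Security)
• Installation: network specialists (IT-Security); plant commissioning personnel (Industrial Security)
• Topology: star-shaped (IT-Security); plant-specific (Industrial Security)
• Location of use: climate-controlled offices (IT-Security); harsh environment (Industrial Security)
• Device density: large, switches with large number of ports (IT-Security); low, switches with fewer ports (Industrial Security)
• Investment life cycle: every 2 to 3 years (IT-Security); min. 5 to 15 years (Industrial Security)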

The Digital Factory needs powerful communication networks

• High data volume: broad bandwidth - GByte
• High speed: real-time communication
• Secure connectivity: robust, reliable components and networks
• Smart assets: identification solutions for communication between smart objects

Requirements of a production network don’t change

[Figure labels: Vertical integration, Horizontal integration]

The Digital Factory needs intelligent data

The Facts: Cyber threats become more specialized

Honeynet experiment of waterworks linked to the internet (TÜV SÜD – Germany)

EXPERIMENT
• Real devices and network connected to the internet
• State of the art security (firewalls etc.)
• Simulated IO and process

RESULT
• In 8 months over 60,000 attempts
• Attacks to manipulate, upload and change configuration of the router and PLCs
• IT and industrial protocols (Modbus, S7) were used

[Figure labels: Controllers, Firewalls]

Source: http://www.tuv-sud.com/news-media/news-archive/potential-attackers-can-be-anywhere

Protecting Productivity: The key to a secure infrastructure is defense in depth

Great wall
• Impenetrable wall
• One-layer protection
• One point of attack

Defense in depth
• Multi-layer protection
• Each layer protects the other layers
• An attacker must spend time and effort at each transition

A single protection measure is never enough to withstand a threat!

Industrial Security: The Siemens Solution

• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle
• Secure remote access to the plant via the Internet or mobile networks with VPN
• Protection of the plant / machine network through segmentation
• Secured communication
• Protection of system integrity through integrated functions
• Access protection and rights management
• System hardening
• Security services & monitoring

Plant security: Typical examples from real life.

Plant Security: Establishing a Security Management Process and organization

Security Management is essential for a well thought-out security concept

Security Management Process
• Risk analysis with definition of mitigation measures
• Setting up of policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of the risk analysis

[Diagram: four-step cycle with Risk analysis; Policies, organizational measures; Technical measures; Validation & improvement]

[Risk matrix: amount of loss against probability of occurrence, each rated very low, low, medium, high, very high; regions marked as acceptable risks and unacceptable risks]

Network security: We come from isolated production islands…

Network security: Everything has to be connected

[Network diagram: Internet/IT, Unmanaged Switch, Wireless, Ethernet, Profinet, Profisafe, SCADA]

Network security: Solution 1: Cell protection with CP

[Network diagram: Internet/IT, Wireless, MRP, CP-card; addresses shown: 172/16.0.1, 172/16.0.2, 192.168.0.1, 192.168.0.2, 192.168.0.3]

From 1515 -> 2 network cards

In the future: more & more IP addresses

Network security: Cell protection with CP - Portfolio

Cell segmentation
• S7-1500: CM 1542-1
• S7-300/S7-400: CP 343-1 / CP 443-1
• ET200 SP CPU: CP 1542SP-1
• PC: CP 1616 / 1612 / 1613 / 1623 / 1626

Cell Protection
• S7-1500: CM 1543-1
• S7-1200: CP 1243-1
• S7-300/S7-400: CP 343-1 / CP 443-1 Advanced
• ET200 SP CPU: CP 1543SP-1
• PC: CP 1628

Network security: Profinet should be safe now… Next improvements

[Network diagram: Internet/IT, Wireless, MRP, CP-card]

Network security: Solution 2: Segmentation and use VLANS

[Network diagram: Internet/IT, Managed Switches, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), SCADA]

POLL 1: What is the smallest switch we can use to configure VLANs?

• Scalance XB004-1
• XC108
• XB208
• XC208
• XM408

Future Network portfolio X200 – X300 (Layer 2 Managed)

Previous portfolio -> Future portfolio
• XR-300 -> XR-300 (additional versions)
• X-300 -> XC-200 (new product line)
• X-200 -> XB-200
• X-200PRO -> XP-200 (new product line of the IP65/67 switches)
• X-200IRT -> X-200IRT (additional versions)
• X-200RNA -> X-200RNA, XF-200BA DNA

Product line: Description
• XR-300: 19" rack switches
• X-300, X-200: Compact managed, previous portfolio
• XP-200: Protected (IP65/67) managed
• XC-200: Compact managed, future portfolio
• XB-200: Box managed
• XF-200: Flat managed
• X-200IRT: IRT managed switches
• X-200RNA: Switches for redundant network structures

Network security: Each segment is more secure now… Other optimizations?

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), three Scalance XB/XC200 switches, SCADA]

Network security: Configure PC in another VLAN

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), three Scalance XB/XC200 switches, SCADA (VLAN20)]

Network security: Add a router XM400

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Scalance XB/XC200, Scalance XM400, SCADA (VLAN20)]

Action From To Source (range) Destination (range) Service

Accept Vlan2 Vlan1 192.168.1.10/32 192.168.2.20/32 Destination port X

Accept Vlan1 Vlan2 192.168.2.20/32 192.168.1.10/32 Destination port X
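
The rule table above as an added worked example (not part of the slides and not Siemens code): a first-match evaluator plus an audit helper that flags Accept rules wider than one host or one port. Assumptions: traffic matching no rule is dropped, `PORT_X` is a constructed stand-in for the slide's unspecified "port X", and the `Rule` / `Packet` names and sample packets are hypothetical.

```python
"""First-match evaluation of the slide's inter-VLAN rule table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in: the slide only says "Destination port X".
PORT_X = 4840


@dataclass(frozen=True)
class Rule:
    action: str            # "Accept" or "Drop"
    from_vlan: str         # ingress interface ("From" column)
    to_vlan: str           # egress interface ("To" column)
    source: str            # CIDR range ("Source (range)" column)
    destination: str       # CIDR range ("Destination (range)" column)
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    in_vlan: str
    out_vlan: str
    src: str
    dst: str
    dport: int


# The two rows shown on the slide, with PORT_X substituted for "port X".
SLIDE_RULES = [
    Rule("Accept", "Vlan2", "Vlan1", "192.168.1.10/32", "192.168.2.20/32", PORT_X),
    Rule("Accept", "Vlan1", "Vlan2", "192.168.2.20/32", "192.168.1.10/32", PORT_X),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every column must match: both interfaces, both addresses, the port."""
    return (
        rule.from_vlan == pkt.in_vlan
        and rule.to_vlan == pkt.out_vlan
        and ip_address(pkt.src) in ip_network(rule.source)
        and ip_address(pkt.dst) in ip_network(rule.destination)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(rules: List[Rule], pkt: Packet, default: str = "Drop") -> str:
    """Return the action of the first matching rule.

    Assumption of this example: traffic that matches no rule is dropped.
    Only the packet that opens a connection is modelled.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Flag Accept rules that are wider than one host or one port."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "Accept":
            continue
        if ip_network(rule.source).num_addresses > 1:
            findings.append((idx, "source is a range, not a single host"))
        if ip_network(rule.destination).num_addresses > 1:
            findings.append((idx, "destination is a range, not a single host"))
        if rule.dport is None:
            findings.append((idx, "service is any port"))
    return findings


if __name__ == "__main__":
    # Constructed sample packets: the permitted flow, a neighbouring host,
    # and the permitted source address arriving on the wrong interface.
    samples = [
        Packet("Vlan2", "Vlan1", "192.168.1.10", "192.168.2.20", PORT_X),
        Packet("Vlan2", "Vlan1", "192.168.1.11", "192.168.2.20", PORT_X),
        Packet("Vlan1", "Vlan2", "192.168.1.10", "192.168.2.20", PORT_X),
    ]
    for pkt in samples:
        print(decide(SLIDE_RULES, pkt), pkt)
    print(audit(SLIDE_RULES))
```

Because both slide rules use /32 ranges and a single port, the audit returns no findings; widening either column to a subnet or to any port is what it is meant to catch during rule review.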

Network security: Other Improvements?

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Scalance XB/XC200, Scalance XM400, SCADA (VLAN20)]

Network security: Optimization 2: Create a production Backbone

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), three Scalance XB/XC200 switches, Scalance XM400, SCADA (VLAN20), Redundant production backbone (MRP)]

Network security: Firewalls

Innovative technologies to connect safely and securely with your business network

• Network Segmentation (security cells)
• Firewalls (Front & Back)
• VPN Tunnels (IPsec)
• Demilitarized Zone (DMZ)

Network security: Solution: Install Firewall

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Router: Scalance XM400, SCADA (VLAN20)]

Network security: Final solution

[Network diagram: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Scalance S, SCADA (VLAN20), Redundant Production backbone]

Strong communication network and basis for digitalization:
• High speed: Realtime communication
• High data volumes: Bandwidth
• Availability: Fast redundancy
• Protection against IT: Security
• Flexibility: Easy extension (plug’n’play)
• Reliable components: Robust

Network Security: SCALANCE S - Portfolio

Legend: Product in development / Product available

Interfaces: 10/100 Mbps, 10/100/1000 Mbps
Firewall/routing: 100 Mbps, 200 Mbps, 600 Mbps
VPN: 35 Mbps, 55 Mbps, 120 Mbps

Firewall, NAT, VPN
• S615: maximum 64 rules, 20 VPNs
• S612, S623, S627-2M: maximum 256 rules, 128 VPNs
• SC642-2C, SC646-2C: maximum 1000 rules, 200 VPNs

Firewall, NAT
• S602: maximum 256 rules
• SC632-2C, SC636-2C: maximum 1000 rules

Network security: Alternative for cell protection again with CP-cards…

[Network diagram: Internet/IT, Wireless, MRP, CP-card]

Only S7-routing is possible here

Network Security: Instead of CP-cards, SCALANCE S can also be used for cell protection

Network Security: VPN-tunnels

Network Security: Remote maintenance with SINEMA RC server

[Diagram labels: SINEMA RC Client, SINEMA Remote Connect, Company network, Internet router, Internet connection, Mobile wireless network, SCALANCE S615, SCALANCE M876-4, SIMATIC S7-1200, SIMATIC S7-1500, SIMATIC S7-300]

*) As from firmware V4.2

Network Security: Remote access with Sinema Remote Connect

Network Security: Condition Monitoring

Configuration example SINEMA Remote Connect: Condition Monitoring

Task
• Central management of the connections needed to acquire status/maintenance data

Solution
• Transparent communication structure via standard IP mechanisms
• Connection via various media to the routers in the SCALANCE M portfolio
• Central management of the communication network in SINEMA RC
• Establishment of the VPN tunnel from the field

Benefits
• Transparency and overview of the remote maintenance network
• Easy, secure operation without specialized IT know-how
• Transparent IP communication
• Secured remote access (via VPN tunnel)

Network Security: Scalance M - Portfolio

• SCALANCE M874-2: WAN interface 2G / EDGE; IE number of ports 2; DI/DO 1/1; data rate downlink up to 237 kbit/s, uplink up to 237 kbit/s
• SCALANCE M874-3: WAN interface 3G / HSPA+; IE number of ports 2; DI/DO 1/1; data rate downlink up to 14,4 Mbit/s, uplink up to 5,76 Mbit/s
• SCALANCE M876-3: WAN interface 3G / HSPA+ EV-DO; IE number of ports 4; DI/DO 1/1; data rate downlink up to 14,4 Mbit/s, uplink up to 5,76 Mbit/s
• SCALANCE M876-4: WAN interface 4G / LTE; IE number of ports 4; DI/DO 1/1; data rate downlink up to 100 Mbps, uplink up to 50 Mbps

For all four devices: FW/VPN (IPsec)/NAT yes; OpenVPN * yes; VRRP/HSR/MRP/RSTP * yes; WBM yes; TIA Portal / CLI * yes; KBA** (e1/E1) / EN50155 no

*In preparation **KBA = Federal Motor Transport Authority

Networks – Sinema Remote Connect: Start Package

POLL 2: What’s the price to begin with the starter package of the Scalance S615?

• 200-400€
• 400-600€
• 600-800€
• 800-1000€
• >1000€

Network Security: DMZ-zone

Network Security: DMZ-zone

Task: Network users (e.g. MES servers) should be reachable from the secure and non-secure network without creating a direct connection between the networks.

Solution: A DMZ can be established on the yellow port with the SCALANCE S623, in which the aforementioned server can be placed.

Why choose Siemens network solution? Only Siemens has integrated solutions for automation and communication

Why is office IT not sufficient for production?

High Availability: To avoid significant economic losses or other damages
- 100% Uptime for secured productivity
- Specific (different) Network structures (star <-> complex)
- Ring structures (e.g. MRP)
- 2/3 sec. network recovery not acceptable

Determinism
- Different protocols (Profinet, Profisafe, ….)
- Real-time requirements of automation tasks
- Short recovery times

Support IT
- IT not in the field. Changes/diagnostic of network has to be fast
- IT sometimes in other countries, sometimes case has to be made
- Windows updates (not compatible with industry software)

[Diagram labels: Core, TIA Portal, SCADA; Defined interface between Office IT & Production; Efficient engineering of the complete production network with TIA Portal; High-performance, highly available communication]

Why choose Siemens network solution? Only Siemens has integrated solutions for automation and communication

What is the benefit of the Siemens (TIA portal)?

Efficient engineering, fast commissioning
- Consistent data management and minimized training effort (TIA portal)

Fast fault localization
- Integrated diagnostic down to the field level

Maintenance:
- Experience + everything in 1 hand (TIA)
- No other software
- C-plug (or exchange without PC)

Industrial
- Temperature, dusty, corrosive
- Vibrations, fanless
- Number of ports (din-rail)

Trust Siemens:
- All components tested together
- 5 years warranty
- Security

[Diagram labels: Core, TIA Portal, SCADA; Efficient engineering of the complete production network with TIA Portal]

Digitalization -> enterprise and production layer get closer connected

Yesterday: Limited interoperability
Limited communication between enterprise and production layer
[Diagram labels: Enterprise, Production]

Today: Arising challenges through increasing interoperability
Challenge to handle complexity of increasing communication
[Diagram labels: Enterprise, Management, Production Operator, Control, Field, Interoperability]

Future: Defined interface to handle complexity
Two dedicated networks with defined managed interface
[Diagram labels: Enterprise Network, Production Backbone, Production Cell]

System Integrity: S7-1500 system hardening

Know-how protection: Protection of intellectual property of program code
• Know-how protection for PLC program blocks

Copy protection: Protection against unauthorized duplication of runtime program code
• Bind program blocks to hardware serial numbers (CPU or SD card)

Access protection: Protection against unauthorized access and configuration changes
• Protection level concept with different access rights incl. HMI connections

Communication integrity: Detection of manipulated communication data
• Engineering and HMI communication with integrated security

[Figure labels: TIA Portal, Engineering System, Controller, HMI, Engineering, Maintenance, Operation, Remote control, Storage A, Storage B]

System Integrity: Essential Mechanisms

System hardening: Reduce surface of attack
• Per default PCs have software installed, which is not required for normal plant operation
• Usually malware is created for widely-used software applications like IE, Adobe, Active X, Javascript, …

Anti-virus and whitelisting: Continuous identification and prevention of malware
• Protection against viruses, worms and Trojans with anti-virus programs
• Protection against unwanted applications and malware with whitelisting applications

Patch management: Continuous deployment of security patches and updates
• All patches should be tested for compatibility
• Central patch distribution
• Creation of patch groups and strategies for updates without interrupting plant operation

Authentication and user management: Management of user and operator rights
• „Minimality principle“ applies
• Clear assignment of roles and rights
• Use of secure passwords
• Access protection for ICS project data

Industrial Security: Siemens Security Services

The Siemens security concept – “Defense in Depth”

Siemens Plant Security Services
• Assess Security
• Implement Security
• Manage Security

Siemens products and systems offer integrated security
• Know-how and copy protection
• Firewall and VPN (Virtual Private Network)
• Authentication and user management
• System “hardening”

Industrial Security: Siemens Security Services

Evaluation of the current security status of an ICS environment
• IEC 62443 Assessment
• ISO 27001 Assessment
• SIMATIC PCS 7 and WinCC Assessment
• Risk and Vulnerability Assessment

Risk mitigation through implementation of security measures for reactive protection
• Security Awareness Training
• Security Policy Consulting
• Network Security Consulting
• Perimeter Firewall Installation
• Clean Slate Validation
• Anti Virus Installation
• Whitelisting Installation
• System BackUp
• Windows Patch Installation

Comprehensive security through monitoring and proactive protection
• Industrial Security Monitoring
• Remote Incident Handling
• Perimeter Firewall Management
• Perimeter Firewall Review
• Anti Virus Management
• Whitelisting Management
• Patch and Vulnerability Management

[Logos: McAfee inside, SecureGUARD inside]

Industrial Security: CERT@Siemens

www.siemens.com/industrialsecurity

Cyber Emergency Readiness Team

Industrial Security: Security of Siemens Products – Granted Certificates

• S7-1500 Controllers
• XM408-8C
• First security level certification (CSPN – Certification de Sécurité de Premier Niveau)

• Development process
• Certification of “Secure Product Development Lifecycle” for Division DF and PD based on IEC 62443-4-1

• TIA Ethernet based devices
• E.g. S7-1500, 1505S, S7-300, CP343-1 SCALANCE S, …
• Protection against DoS attacks
• Defined behavior in case of attack
• Improved Availability

Find more information: http://www.wurldtech.com/product_services/certifications/certified_products/

Find more information: http://ssi.gouv.fr/certification_cspn/simatic-s7-1518-4-version-du-micrologiciel-1-83/

Best Application Contest: Now – September 21

What: Collection of your success stories (with Siemens technology) in Industrial Security

Why?
- You win: a voucher for Siemens’ automation portfolio of 5000€, 3000€, 2000€
- Free publicity for almost 1 year
- Recognition at the Award Show (and far beyond)

How?
- Oct 1, 2017 - May 30, 2018: enter your project (www.siemens.be/best-application-contest)
- June 1, 2018 - August 30, 2018: voting period
- Sept 20, 2018: Award Show

Industrial Security

If you want to work secure

Work with
