Comprehensive Cyber Security Features in SIPROTEC & SICAM SIPROTEC Dag – 11. Mei 2017

siemens.tld/keyword Restricted © Siemens AG 20XX

Restricted © Siemens AG 20XX XX.XX.20XX Page 2 Author / Department

Bay Parallel wiring

Fault recorder Protection

RTU

Mimic board Ancient past

Parallel wiring

1st generation: Standard cabling

Recent past

Other bays

Serial connection

Parallel wiring

Bay

Substation controller

HMI

2nd generation: Point-to-point connections since 1985 ...

Changes to Substation Automation and Protection over Time Evolving Threat Landscape (tomorrow today...)

Security through Simplicity: the analog times

Minimal connectivity in substation control and protection

Clear point-to-point connections

Secured buildings

Owned communication networks

Restricted © Siemens AG 20XX XX.XX.20XX Page 3 Author / Department

3rd Generation: Digital Substations

Bay Parallel wiring

Fault recorder Protection

RTU

Mimic board Ancient past

Parallel wiring

1st generation: Standard cabling

Recent past

Other bays

Serial connection

Parallel wiring

Bay

Substation controller

HMI

2nd generation: Point-to-point connections since 1985 ...

Changes to Substation Automation and Protection over Time Evolving Threat Landscape (tomorrow today...)

Restricted © Siemens AG 20XX XX.XX.20XX Page 4 Author / Department

Connectivity with Responsibility Cyber Security must be considered holistically

Usage of public infrastructure

Remote control

Seamless interfacing between the IT world and the Process world

Increasing adoption of IT infrastructure

Security Availability, Integrity, Confidentiality & Data Protection

Developments Renewable energy resources, Pro-/ Consumer markets, Network optimization

Technological impact

RAIL & MICROGRIDS

PRIMARY EQUIPMENT

CONSUMPTION TRANSMISSION DISTRIBUTION GENERATION

COMMUNI-CATION & AUTOMATION

FIELD DEVICES SENSORS AND PROTECTION

GRID AND ENTERPRISE IT

SERVIC

E & SMAR

T GR

ID SEC

UR

ITY

COMMUNICATION

SMART TRANSMISSION RAIL & MICROGRIDS SMART DISTRIBUTION

Virtual Power Plants Demand Response

Meter Data Mgmt. eCar Operation Center

GRID APPLICATION

SMART METERS PROTECTION

SENSORS

POWER QUALITY

EMS DMS

ADMS Microgrids

GRID CONTROL

AUTOMATION HMI

BIG DATA ANALYTICS, IT INTEGRATION

Restricted © Siemens AG 20XX XX.XX.20XX Page 5 Author / Department

Attackers:

• Nation states (spy agencies)

• Criminal organizations

• Script kiddies

• Insiders / service providers …

Vulnerabilities in Digital Substations Potential Threats and Attackers

Station Level

Control Center Level

Field Level

Substation automation

Remote access

Malware

Unauthorized access

Unauthorized access

Attacks over Internet

Unauthorized access

Protection

Malware

Malware

Unauthorized access

Attacks over Internet

Restricted © Siemens AG 20XX XX.XX.20XX Page 6 Author / Department

Cyber attacks against critical infrastructure State of IT-Security in the Energy Infrastructure

May 2016 Bisale / Automation Products

Threats: • Increase in software

vulnerabilities • Cloud Computing • Hardware vulnerabilities • Cyber attacks on industrial

control systems

• More than 439 million Windows-malware variants

Source: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2015.pdf

Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT%20Monitor_Nov-Dec2015_S508C.pdf

Security Incidents in US, 2015: • Yearly report on all critical

infrastructure sectors • Energy sector reported

the second highest number of incidents

• Similar report from Australia

Restricted © Siemens AG 20XX XX.XX.20XX Page 7 Author / Department

Energy Concerns under Attack Example: Ukraine 2015

May 2016 Bisale / Automation Products

https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

Restricted © Siemens AG 20XX XX.XX.20XX Page 8 Author / Department

Digital Substations are vulnerable to Cyber Attacks

Threat Scenarios

Substation automation threatened by DoS*

Substation automation threatened by unauthorized access, malware

Distribution automation threatened by insecure communication

Protection threatened by malware, unsecured engineering changes

Restricted © Siemens AG 20XX XX.XX.20XX Page 9 Author / Department

Field level – Protection Technology Cyber Security Risks

Unauthorized access: Risks with protection relays without adequate security features: • Unauthorized access easily possible without

password protection, in order to alter settings anonymously

Unsecured communication between device and configuration software cannot hinder sniffing / alteration of settings

Endangered Operational Security

• Without device-side validation compromised firmware can be downloaded into device, that could harm primary topology

• Neglecting operational security for deployed devices / SW endangers system vulnerability

• Increased chances for attackers to utilize vulnerabilities over remote access for attacks (no network segregation in device)

... 00001111 00000000 ... 00000000

Settings SW

Einstell. SW

PATCHES

Fehler!

Restricted © Siemens AG 20XX XX.XX.20XX Page 10 Author / Department

Field Level – Protection Technology Deny unauthorized Access with SIPROTEC 5

Risks with protection relays without secured access control: Without password control it is easily possible to

access the relays anonymously

Unencrypted / weakly encrypted password handling enables “sniffing”

Simple passwords and eternally valid passwords acquire “feet” over time

Access Control in SIPROTEC 5

Connection password as per NERC-CIP and BDEW White Paper complexity requirements

Transfer of connection password from DIGSI5 to device over secured SSL/TLS connection

Secured storage of password hash in device

Centralized management of password complexity, lifetime and access control for thousands of SIPROTEC 5 devices with Ruggedcom CrossBow

Confirmation codes for safety-critical operations with the device

All access attempts are logged securely in device and protected from being manipulated +

Restricted © Siemens AG 20XX XX.XX.20XX Page 11 Author / Department

Field Level – Protection Technology Avoid unsecured communication with SIPROTEC 5

Risks with protection relays without secured communication during engineering/operation: Unsecured communication between device and

configuration software enables the sniffing and overwriting of protection settings

Unencrypted / weakly encrypted password handling enables “sniffing”

Danger of having relays configured using disallowed tools

Secured Communication in SIPROTEC 5

Protection against sniffing and manipulation of settings / passwords: SSL/TLS encryption of the communication between DIGSI 5 and the SIPROTEC 5 device

Cryptographic, two-way authentication between DIGSI 5 und SIPROTEC 5 means:

Protection against usage of disallowed tools Protection against usage of SIPROTEC 5 like

relays that have not been manufactured by Siemens

Restricted © Siemens AG 20XX XX.XX.20XX Page 12 Author / Department

Field Level – Protection Technology Avoid Endangered Operational Security with SIPROTEC 5

Negligence of operational security for already deployed devices / SW increases cyber risks: Manipulated firmware can be loaded into device

due to missing device-side validation

Malware on PC can influence device behavior

3rd Party patches not compatible with products

Unsecured internet connectivity increases the risks

Unclear vulnerability / incident handling process

High Operational Security with SIPROTEC 5

Protection against usage of manipulated logic in device thanks to cryptographically signed firmware:

Validation of firmware signature prior to acceptance Validation of firmware signature at reboot

DIGSI 5 is compatible with Application Whitelisting

Monthly validation of DIGSI 5 compatibility with the latest 3rd party patches (e.g. Microsoft, Adobe, etc.) and antivirus patterns

Separation of process communication from management communication in device thanks to modular communication units

DIGSI 5 compatible for remote/VPN connectivity

Transparent vulnerability handling over Siemens ProductCERT

Restricted © Siemens AG 20XX XX.XX.20XX Page 13 Author / Department

Protection Technology High Future Readiness with SIPROTEC 5

Continuous Verification during Development Threat and risk analysis Product hardening Secure development process

„Ready for PKI“: integrated Crypto-Chip Secure storage of cryptographic key material Cryptographic computations Physically protected against data theft Ready for future PKI* based applications

*PKI: Public Key Infrastructure

Modularity for Tomorow Out-of-Band networks for today‘s and future

applications Distribution of communication load on the device

Restricted © Siemens AG 20XX XX.XX.20XX Page 14 Author / Department

Protection Technology Comprehensive Cyber Security with SIPROTEC 5

OPERATIONAL SECURITY

SECURED COMMUNICATION

ACCESS CONTROL

PRODUCTCERT

FUTURE READINESS

SECURED WITH SSL/TLS CLIENT/SERVER AUTHENTICATION

SIGNED FIRMWARE UPDATE APP. WHITELISTING COMPATIBILITY

COMPLEX CONNECTION PASSWORD CENTRAL PASSWORD MANAGEMENT

3RD PARTY PATCH MANAGEMENT VULNERABILITY HANDLING

READY FOR PKI MODULARITY FOR TOMORROW

Restricted © Siemens AG 20XX XX.XX.20XX Page 15 Author / Department

Thank you for your attention!

Chaitanya Bisale Product Lifecycle Manager Cyber Security & Substation Automation EM DG PRO LM SC Humboldtstr. 59 90459 Nuremberg Phone: +49 (911) 433 5546 Mobile: +49 (172) 7345783 E-mail: chaitanya.b@siemens.com

siemens.com/gridsecurity