Innovation Days – Industrial Communication: Industrial Security
siemens.com/industrial-security

London 1903, the Royal Institution's lecture theatre: world premiere of the wireless telegraph
Source: https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/#.VRPRl-E2Wn8
Unrestricted © Siemens A/S 2016
Page 2 Digital Factory and Process Industries & Drives
The world's first hacker attack – "Scientific hooliganism"
John Nevil Maskelyne, the gentleman hacker, versus Guglielmo Marconi
Cyber Security – Why worry?
"There is a very high threat of cyber espionage against Danish companies. Several state-sponsored hacker groups have deliberately targeted Danish companies in recent years."
"More and more often it turns out that weaknesses in equipment and software are due to a lack of quality in the manufacturer's or supplier's processes."
Source: https://fe-ddis.dk/SiteCollectionDocuments/FE/EfterretningsmaessigeRisikovurderinger/Risikovurdering2015.pdf
Industrial Security – The new trend: Ransomware
Industrial Security – A rapid increase
Industrial cyber security incidents in the US – What does ICS-CERT say? (2014)
(Figure: percentage of incidents and number of incidents.)
Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

Industrial cyber security incidents in the US – What does ICS-CERT say? (2015)
Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
Industrial Security – Am I not just a needle in a haystack?
There are still SIMATIC devices that are exposed!
And … they are very easy to find!
Industrial Security – Protecting Productivity
https://youtu.be/4jZSfeUmhKw
Industrial Security – The Defense in Depth Concept
Industrial Security – Solutions at all levels
Industrial Security – How do you stay up to date?
Subscribe to the Siemens RSS feed: www.siemens.com/industrial-security
Or to ICS-CERT: www.ics-cert.us-cert.gov/ICS-CERT-Feeds
Industrial Security – The Pareto principle
(Figure: Invest 20% / 80% against Security 80% / 20%.)
Industrial Security – Plant Security
• Physical access control
• Guidelines
• Norms and standards
• Security Services
Industrial Security – We can offer services: Security Assessment Workshops
Industrial Security – We know the standards
Industrial Security – IEC 62443
• Security functions: based on IEC 62443-3-3, Security Level (SL) 1-4
• Security process: based on IEC 62443-2-4 and ISO 27001, Maturity Level (ML) 1-4
• Protection Level (PL)
(Figure: matrix with Security Level 1-4 on one axis and Maturity Level 1-4 on the other, with PL 1 to PL 4 marked in the cells.)

Protection Levels cover security functionalities and processes

Assessment of security functionalities (Security Level):
SL 1 – Capability to protect against casual or coincidental violation
SL 2 – Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
SL 3 – Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
SL 4 – Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Assessment of security processes (Maturity Level):
ML 1 – Initial: Process unpredictable, poorly controlled and reactive
ML 2 – Managed: Process characterized, reactive
ML 3 – Defined: Process characterized, proactive deployment
ML 4 – Optimized: Process measured, controlled and continuously improved

Protection Levels:
PL 1 – Protection against casual or coincidental violation
PL 2 – Protection against intentional violation using simple means with low resources, generic skills and low motivation
PL 3 – Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
PL 4 – Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Industrial Security – IEC 62443, security measures
Measures are grouped into Secure Physical Access, Organize Security, Secure Solution Design, Secure Operations and Secure Lifecycle Management. Each Protection Level adds ("+") to the measures of the level below.

PL 1: Locked building/doors with keys; Awareness training (e.g. Operator Awareness Training); Network segmentation; Firewall protection (e.g. SCALANCE S); Security logging on all systems; Mandatory rules on USB sticks (e.g. whitelisting); Backup / recovery system; …
PL 2 (+): Doors with card reader; Mandatory security education; Remote access restriction (e.g. need-to-connect principle); Continuous monitoring (e.g. SIEM); …
PL 3 (+): Revolving doors with card reader; Persons responsible for security within own organization; Physical network segmentation or equivalent (e.g. SCALANCE); Remote access with cRSP or equivalent; Monitoring of all human interactions; Continuous monitoring; 2 PCs (Secure Cell / outside); No Email, No WWW, etc. in Secure Cell; Backup verification; Automated backup / recovery; …
PL 4 (+): Revolving doors with card reader and PIN; Video surveillance and/or IRIS scanner at door; Dual approval for critical actions; Firewalls with Fail Close (e.g. Next Generation Firewall); Online security functionality verification; Monitoring of all device activities; …
Industrial Security – Network Security
• Firewalls
• Virtual Private Networks (VPN)
• Segmentation
• Demilitarized zone (DMZ)
• Hardening
• Authentication
• Cell Protection
Network Security – Jump Station and DMZ
(Figure: Unsecure zone – DMZ zone with Jump Station – Secure zone.)
• Division into separate cells
• All communication via Remote Desktop and the Jump Station
• Backup and restore via the Jump Station
• Wireless access only from the Secure Zone to the Jump Station
• Same configuration in all firewalls (global firewall rules)
Network Security – Cell protection
• Division into separate cells
• All communication into and out of the cell is controlled
• A decentralized firewall structure
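The jump-station/DMZ layout and the cell-protection concept on the two slides above can be written down as one rule set that every cell firewall applies identically (the "global firewall rules"). The following is an added example, not Siemens code: the zone names, cell names and service labels are assumptions chosen for illustration. It models connection initiations only, and the audit() function enumerates every zone/service combination to confirm that nothing reaches a cell without passing the jump station.

```python
"""Zone model for the jump-station/DMZ and cell-protection layout on the
slides above.  Added example, not Siemens code: zone names, cell names and
service names are assumptions chosen for illustration."""
from dataclasses import dataclass

# Zones from the slides.  Each production cell is its own zone so that all
# traffic into and out of the cell passes the cell firewall.
UNSECURE = "unsecure"          # office / plant network
DMZ = "dmz"                    # holds the jump station
WLAN = "secure-wlan"           # wireless clients inside the secure zone
CELLS = ("cell-a", "cell-b")   # constructed cell names (the secure zone)

SERVICES = ("rdp", "s7", "backup", "http", "smtp")   # constructed service labels
ZONES = (UNSECURE, DMZ, WLAN) + CELLS


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def _is_cell(zone: str) -> bool:
    return zone in CELLS


def global_rule(flow: Flow) -> bool:
    """One rule set, applied identically by every cell firewall ("global
    firewall rules").  Returns True if the connection may be initiated."""
    # Traffic that stays inside a single zone is not the cell firewall's business.
    if flow.src_zone == flow.dst_zone:
        return True
    # Operators reach the plant only via Remote Desktop to the jump station.
    if flow.src_zone == UNSECURE:
        return flow.dst_zone == DMZ and flow.service == "rdp"
    # Wireless access only from the secure zone to the jump station.
    if flow.src_zone == WLAN:
        return flow.dst_zone == DMZ and flow.service == "rdp"
    # Jump station into a cell: engineering/RDP and backup/restore only.
    if flow.src_zone == DMZ and _is_cell(flow.dst_zone):
        return flow.service in ("rdp", "s7", "backup")
    # Out of a cell: backup/restore to the jump station only; no e-mail, no WWW.
    if _is_cell(flow.src_zone):
        return flow.dst_zone == DMZ and flow.service == "backup"
    # Anything not enumerated above (including DMZ -> unsecure) is dropped.
    return False


def audit(rule) -> list:
    """Enumerate every zone/service combination and return the flows that
    reach a cell without passing the jump station: unsecure -> cell,
    wireless -> cell, or cell -> other cell.  An empty list means the rule
    set honours the cell-protection concept."""
    violations = []
    for src in ZONES:
        for dst in ZONES:
            bypass = _is_cell(dst) and src != dst and src != DMZ
            if not bypass:
                continue
            for svc in SERVICES:
                flow = Flow(src, dst, svc)
                if rule(flow):
                    violations.append(flow)
    return violations


if __name__ == "__main__":
    for flow in (Flow(UNSECURE, DMZ, "rdp"), Flow(UNSECURE, "cell-a", "s7"),
                 Flow(DMZ, "cell-a", "backup"), Flow("cell-a", "cell-b", "s7")):
        print(flow, "ALLOW" if global_rule(flow) else "DENY")
    print("violations:", audit(global_rule))
    # A permissive "allow all" rule set fails the audit:
    print("allow-all violations:", len(audit(lambda f: True)))
```

The audit is the useful part: when a rule set is copied to every cell firewall, one permissive entry is replicated everywhere, so checking the shared rule set once against the zone model catches a bypass before it is rolled out.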
Industrial Security – Security Integrated: Overview
Network Security – How do you protect old, vulnerable systems?
• Access protection: no change to the existing system
• Ghost Mode: no change to the existing system, also with Layer-2 protocols; adopts the IP address and changes the MAC address automatically
• Same configuration in all firewalls (global firewall rules)
(Figure: SCADA – secure zones – old, vulnerable system.)
Network Security – Apply hardening!
• Use passwords
• Use VLANs
• Disable DCP write
• Enable the Management Access List
• Broadcast limitation
• Disable unused ports
• Enable SNMP v3
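The hardening checklist above is easy to turn into an automated check that can be run against a configuration export before a switch goes into a cell. The following is an added example, not Siemens tooling: the configuration dictionaries are constructed for illustration and do not reproduce the export format of any real device; the two sample configurations show a switch as delivered and the same switch after the checklist has been applied.

```python
"""Hardening check following the checklist on the slide above (passwords,
VLANs, DCP write, management access list, broadcast limitation, unused ports,
SNMPv3).  Added example, not Siemens tooling: the configuration is a constructed
dictionary for illustration, not the export format of any real switch."""

DEFAULT_CREDENTIALS = {("admin", "admin")}   # the Admin/Admin starting point the deck warns about

# Constructed sample: a switch straight out of the box.
FACTORY_CONFIG = {
    "users": [{"name": "admin", "password": "admin"}],
    "vlans": [1],                       # only the default VLAN
    "dcp_write": True,                  # PROFINET DCP may set name/IP from the network
    "mgmt_acl": [],                     # management reachable from any address
    "broadcast_limit_pps": None,        # no broadcast limitation
    "ports": {
        "P1": {"link": True, "enabled": True},
        "P2": {"link": False, "enabled": True},   # unused but still enabled
        "P3": {"link": False, "enabled": True},
    },
    "snmp": {"enabled": True, "version": "v2c"},
}

# Constructed sample: the same switch after applying the checklist.
HARDENED_CONFIG = {
    "users": [{"name": "admin", "password": "correct-horse-battery-staple-42!"}],
    "vlans": [1, 10, 20],
    "dcp_write": False,
    "mgmt_acl": ["192.0.2.10/32"],      # engineering station only (documentation prefix)
    "broadcast_limit_pps": 1000,
    "ports": {
        "P1": {"link": True, "enabled": True},
        "P2": {"link": False, "enabled": False},
        "P3": {"link": False, "enabled": False},
    },
    "snmp": {"enabled": True, "version": "v3"},
}


def check_hardening(cfg: dict) -> list:
    """Return one finding string per checklist item that is not met."""
    findings = []
    for user in cfg.get("users", []):
        if (user["name"], user["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials for user '{user['name']}'")
    if len(cfg.get("vlans", [])) < 2:
        findings.append("no VLAN segmentation (only the default VLAN)")
    if cfg.get("dcp_write", True):
        findings.append("DCP write enabled: device name and IP can be set from the network")
    if not cfg.get("mgmt_acl"):
        findings.append("management access list empty: management reachable from any address")
    if cfg.get("broadcast_limit_pps") is None:
        findings.append("no broadcast limitation configured")
    for name, port in sorted(cfg.get("ports", {}).items()):
        if port["enabled"] and not port["link"]:
            findings.append(f"unused port {name} is enabled")
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled") and snmp.get("version") != "v3":
        findings.append(f"SNMP {snmp.get('version')} enabled: use SNMPv3 with authentication")
    return findings


if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_hardening(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Each finding maps one-to-one to a bullet on the slide, so the list a run produces doubles as the remaining work order for that switch.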
Industrial Security – System integrity
• Password protection
• Know-how and copy protection
• Access protection
• Virus scanner and whitelisting
• Secure communication: VPN and OPC UA
• Deactivation of services and hardware interfaces
• Windows security patch management*
* https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-WW
Industrial Security – We have secure products
Siemens is the leading vendor of Achilles Level 2 certified products
Certified CPUs: LOGO!, ET 200 PN/DP CPUs, ET 200SP PN CPUs, S7-300 PN/DP, S7-400 PN/DP, S7-1200, S7-1500 and 1505S, S7-400 HF CPU V6.0, S7-410-5H
Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628
Certified Firewalls: SCALANCE S602, S612, S623, S627-2M
+ Protection against DoS attacks
+ Defined behavior in case of attack
• Improved availability
• International standard
SCADA – Controller communication via OPC: A standard setup
(Figure: SCADA – Controller.)

SCADA – Controller communication via OPC: Implement a VPN and firewall concept
Via Security CP cards or an external firewall/VPN gateway for:
- S7-300 and 400
- S7-1200 and 1500
- ET 200SP CPU
- SCALANCE S (for all controllers)

SCADA – Controller communication via OPC: Implement an OPC UA concept
(Figure: 3rd-party SCADA – Controller.)
Via Security CP cards or the controller:
- S7-1500, 1500S, 1500T
- ET 200SP CPU
- PLCSIM Adv.
- S7-400 via CP 443-1 OPC UA
OPC UA – Interoperability with openness and standardization
(Figure: Management level: MES, ERP; Operator level: SCADA, 3rd party; Controller level: PLC, HMI; Field level: devices, sensors, actuators. Interoperability and openness across all levels.)
Perfect interoperability on all levels of communication by openness and standards
OPC UA – OPC UA and PROFINET, the perfect combination
OPC UA's strengths:
• Vendor independent
• Direct connection to all levels
• Authentication and encryption
• Simple C2C communication
• Fits perfectly for the data and management level
PROFINET's strengths:
• Deterministic
• Real-time properties
• Fits perfectly for the controller and field level
(Figure: Cloud, management level, operator level, controller level, field level, with the OPC UA interface spanning the levels.)
OPC UA and TIA Portal – Read and write PLC data easy, standardized and symbolic
1. Activate the OPC UA server in the PLC properties (easy setup). Confirm that you have purchased the correct license.
2. Individual access: the level of access via OPC UA can be controlled individually for each variable (Value, "Access possible", "Write access possible"). Inheritance of access rights is based upon the well-known Step 7 mechanisms.
3. Make PLC variables accessible through checkboxes in the editor.
4. Different ways to access: symbolic access via OPC UA; access individual variables as well as whole structures and arrays as one object. Performance: access whole structures and arrays to achieve optimal performance.
(Figure: OPC UA client connected to the PLC.)
CP 443-1 OPC UA – Additional openness for SIMATIC S7-400
Feature / Function → Benefit
• OPC UA server/client directly in the SIMATIC S7-400 station → Price-sensitive, standardized connection to HMI, SCADA, MES/ERP or 3rd-party PLC
• As OPC UA client: configuration via function blocks compliant with the PLCopen standard → Flexible but standardized interface for communication to any OPC UA server
• Use of the standardized OPC UA elementary security functions such as authentication, authorization, encryption and signing of data → Protection of the system from unauthorized access
• Configuration in STEP 7 Classic V5.5 as well as STEP 7 Professional V14 (TIA Portal) → Expansion of existing ST7 plants without migration to TIA Portal
• For use with CPU V5.3 / H-CPU V6.0 and H-CPU V8; use of redundant H-system supported → Investment protection
Delivery release: 04/2016
Industrial Security – Passwords: a concrete example
A password must be complex: https://www.youtube.com/watch?v=KnK5qLgErwo
How strong is my password? http://calc.opensecurityresearch.com/?pwLen=3&kpsSelect=9250000&charSelect=lalpha‐numeric‐all‐space&charsetLen=77&kps=9250000
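The calculator linked above works from two numbers, the size of the character set (charsetLen=77 for "lalpha-numeric-all-space") and the guessing rate (kps=9250000), and the arithmetic behind it is worth seeing once. The following is an added example, not the calculator's own code: it takes those two parameters from the link, computes the keyspace, entropy and worst-case exhaustion time for a given length, and works out the length needed to survive a given attack budget. The 100-year target used in the main block is an assumption for illustration; the model counts candidates of exactly the given length, as the calculator's pwLen parameter does.

```python
"""Brute-force resistance of a password, worked through with the parameters in
the calculator link on the slide above: a character set of 77 symbols
(charsetLen=77) and 9,250,000 guesses per second (kps=9250000).  Added
example, not the calculator's own code; the 100-year target is an assumption
used for illustration."""
import math

CHARSET_LEN = 77                # from the slide's calculator link
GUESSES_PER_SECOND = 9_250_000  # from the slide's calculator link
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, charset_len: int = CHARSET_LEN) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_len ** length


def entropy_bits(length: int, charset_len: int = CHARSET_LEN) -> float:
    """Bits of entropy if every character is chosen uniformly at random."""
    return length * math.log2(charset_len)


def brute_force_seconds(length, charset_len=CHARSET_LEN, kps=GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace (every candidate tried)."""
    return keyspace(length, charset_len) / kps


def min_length_for(target_seconds, charset_len=CHARSET_LEN, kps=GUESSES_PER_SECOND) -> int:
    """Smallest length whose keyspace takes at least `target_seconds` to exhaust."""
    length = 1
    while brute_force_seconds(length, charset_len, kps) < target_seconds:
        length += 1
    return length


def strength_table(lengths, charset_len=CHARSET_LEN, kps=GUESSES_PER_SECOND):
    """Rows of (length, entropy bits rounded to 0.1, worst-case years)."""
    return [(n, round(entropy_bits(n, charset_len), 1),
             brute_force_seconds(n, charset_len, kps) / SECONDS_PER_YEAR)
            for n in lengths]


if __name__ == "__main__":
    # The slide's own parameters: pwLen=3 is exhausted in a fraction of a second.
    print(f"3 chars: {keyspace(3):,} candidates, {brute_force_seconds(3):.3f} s")
    for n, bits, years in strength_table((3, 6, 8, 10, 12, 16)):
        print(f"{n:2d} chars  {bits:5.1f} bits  {years:.3g} years")
    print("length needed for >= 100 years:", min_length_for(100 * SECONDS_PER_YEAR))
```

Two things the numbers make obvious: the 3-character example from the link falls in under a tenth of a second, and every additional character multiplies the work by 77, which is why length beats "complexity" rules once the character set is reasonable. The guessing rate is the attacker's, not yours; a weak hash or an online login without brute-force prevention (next slide) changes it by orders of magnitude.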
Industrial Security – Passwords
The starting point is still often Admin/Admin.
• Single Sign-On
• Brute Force Prevention
• RADIUS
• Randomize
(Slide 39 comments SBA1 and SBA2: Sarah Bay-Andersen, 20-03-2015)
Industrial Security – Can RADIUS and AD be used?
(Figure: SCALANCE S615, SCALANCE S623, SINEMA Remote Connect server, Windows Active Directory, RADIUS, SIMATIC CPU; site labelled Århus.)
Industrial Security – The big solution: Siemens Ruggedcom CrossBow
"Wow…! That is an elegant solution…"
NERC-CIP and IEC 62443 compatible
Industrial Security – … even more concepts and information
Really good links… All-round protection with Industrial Security:
https://support.industry.siemens.com/cs/document/92605897/all-round-protection-with-industrial-security-system-integrity?dti=0&lc=en-WW
Defense-in-Depth Solution • User Authentication • Network Segmentation • Demilitarized Zones • Firewalls • VPN Tunnels • Virus Scanning • Patch Management • Application Whitelisting
Industrial Security – Summary
• Focus is critical – take it seriously
• Demand authentication and the use of passwords
• Use Jump Stations and certified products
• Segment networks and isolate vulnerable systems
• Implement central Security Access Management solutions
Thank you for your attention
Contact info
Name / Telephone / email
Morten Kromann / +45 2037 3508 / [email protected]
Per Krog Christiansen / +45 4042 6239 / [email protected]
Lars Peter Hansen / +45 2129 9650 / [email protected]