Siemens - Corporate Technology - IT Security Challenges in ... · Challenges in industrial...


Handout 1

© Siemens AG 2015. All rights reserved

Challenges in industrial IT-Security
Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens

Siemens - Corporate Technology - IT Security

Page 2 May 2015 Corporate Technology © Siemens AG 2015. All rights reserved

From standalone embedded systems to secure and intelligent Cyber-Physical Systems

Figure labels:
• Axes: Real World, Virtual World; Yesterday, Today, Tomorrow
• System stages: Standalone embedded systems; Closed network of distributed embedded systems; Open network of systems of systems of embedded systems
• Technologies: SW; Multi-Core Embedded System; SW Open Source; Cloud Computing; Ambient Intelligence; Intermodal Interaction; Social Networks and Platforms; In-memory computing / real-time DA 1)
• Other labels: Cyber Security; IT Security; Data; Knowledge

1) Data Analytics

Handout 2

Not a single day without an IT security disaster


The threat level is rising – attackers are targeting critical infrastructures

Figure labels (timeline 2002 to 2015):
• Phases: The Age of Computerworms; Cybercrime and Financial Interests; Politics and Critical Infrastructure; Hacking against physical assets
• Examples: Code Red, Slammer, Blaster, Zeus, SpyEye, Rustock, Aurora, Nitro, Stuxnet
• Motivations: "Hacking for fun", "Hacking for money", "Hacking for political and economic gains"
• Actors: Hobbyists, Organized Criminals, Hacktivists, State sponsored Actors, Terrorists, Activists, States, Criminals
• Keywords: Backdoors, Worms, Anti-Virus, Hackers, BlackHat, Viruses, Responsible Disclosure, Credit Card Fraud, Botnets, Banker Trojans, Phishing, SPAM, Adware, WebSite Hacking, Anonymous, SCADA, RSA Breach, DigiNotar, APT, Targeted Attacks, Sony Hack, Cyberwar, Hacking against critical infrastructure, Identity theft, Loss of privacy
• Plotted series: # of published exploits; # of new malware samples; # of published vulnerabilities

Data sources: IBM X-Force Trend and Risk Report, HP Cyber Risk Report, Symantec Intelligence Report

Handout 3

Incidents on critical infrastructure are taken seriously by governments

The US government runs the ICS CERT 1) to monitor the increasing number of incidents in critical infrastructure

From ICS-CERT Monitor January–April 2014

• Internet Accessible Control Systems At Risk
"Tools, such as SHODAN, Google and other search engines, enable researchers and adversaries to easily discover and identify a variety of ICS devices that were not intended to be Internet facing. Adding to the threat landscape is the continued scanning and cataloguing of devices known to be susceptible to emerging vulnerabilities such as the OpenSSL Heartbleed."

• Public Utility Compromised
"A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques."

ICS CERT reports 257 incidents in critical infrastructure in 2013

Chart sectors: Commercial Facilities, Financial, Healthcare, Communications, Critical Manufacturing, Energy, Government Facilities, Emergency Services, Water, Information Technology, Transportation, Dams, Nuclear

Data sources: ICS-CERT Report "ICS-CERT Year-in-Review – 2013", ICS-CERT Monthly Monitor January–April 2014

1) ICS CERT = Industrial Control Systems Cyber Emergency Response Team


Security is required by Siemens customers

Trends and examples for security requirements

Security is becoming a MUST

• Heightened awareness for security issues in public

• Increasing need to protect products' intellectual property and business case

• Specific standards and guidelines regarding security and privacy are getting established

• Security lifecycle is becoming standard at software companies

• Internal assessments and compliance tests are perceived as first step towards fulfilling customer security requirements

Examples of organizations issuing security standards or guidelines

Figure labels: Global, Europe, Germany; EG2 SGIS/M490

Handout 4

Different factors are driving the research demand for IT Security

New Functionality
Example
• Integrated solutions
• Device connectivity

Quality of Security
Examples
• Robust and easy to use
• Long term security

Security Use Case
Examples
• Know-how protection
• Industry 4.0 scenarios


Industrial IT and Office IT have different management & operational characteristics

| Characteristic           | Office IT               | Industrial IT             |
|--------------------------|-------------------------|---------------------------|
| Application of patches   | Regular / scheduled     | Slow                      |
| Availability requirement | Medium, delays accepted | Very high                 |
| Security testing / audit | Scheduled and mandated  | Occasional                |
| Physical Security        | High (for critical IT)  | Very much varying         |
| Security Awareness       | High                    | Increasing                |
| Anti-virus               | Common / widely used    | Uncommon / hard to deploy |
| Component Lifetime       | 3-5 years               | Up to 20 years            |
| Real time requirement    | Delays accepted         | Critical                  |
| Security Standards       | Existing                | Under development         |

"Office" security concepts and solutions are not directly applicable for industrial control systems

Handout 5

Industrial Security: Defense-in-Depth Concept

Plant Security
• Access Control
• Security Management

Network Security
• Controlled Access between IT and OT networks, industrial firewalls
• Segmentation of OT networks

System Integrity
• Antivirus- and Whitelisting-Software
• System hardening
• Maintenance and Patching
• Identification and Access Management

Security solutions in the context of industrial IT-security have to consider all protection layers

Figure labels: Plant Security, Network Security, System Integrity, Production Plant


Critical Infrastructures
Siemens – Infrastructure provider in an increasingly digitalized and networked world

Handout 6

Critical Infrastructures
Example: Smart Grid – Incorporation of Decentralized Energy Resources (DER) and flexible loads requires security

Figure labels: Large and Flexible Generation; Distributed Generation; Transmission & Distribution; Storage; Industrial & Residential; Electro Mobility; ICT


Different elements of energy management require specific and aligned security features

Layer labels: Services and security; Digitalization; Automation; Electrification

• Software/IT: Grid control – big data analytics – grid application

• Communication, automation, protection, and field devices

• Electrification solutions: High-voltage direct current (HVDC) transmission – grid access – FACTS – air-insulated/gas-insulated substations – power systems solutions – microgrids / nanogrids

• Products and systems: High-voltage switchgear and systems – power transformers – medium-voltage switchgears – distribution transformers – low-voltage switchboards and circuit breakers

Large power generation; TSOs 1); Oil and gas; Industries; Infrastructures / construction; DSOs 2) and municipalities; Distributed generation

1) Transmission system operators
2) Distribution system operators

Handout 7

Security requirements for smart grid applications stem from a variety of potential attacks (examples)

Generation / DER
• Misuse of local administrative rights

Distribution and Transmission
• Falsified status information, e.g., from synchrophasors (PMU) in widely dispersed locations may limit the power flow.

Customer
• Prosumer behavior tracking, e.g., through smart meters
• Fraud through smart meter manipulation

Market
• Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, …)

Operation
• Unauthorized remote service access


Security Guidelines / Standards / Regulation to ensure Reliable Operation of the Smart Grid (examples)

Smart Grid Coordination Group (M/490) → SGAM

Smart Grid Interoperability Panel, Cyber Security WG → NIST IR 7628

Cyber Security Framework

Critical Infrastructure Protection CIP 001-011

• Protection Profile for SM GW
• Guideline TR-03109 required through EnWG
• IEC TC 57 – Power systems management and associated information exchange
• IEC 62351-1 … -13

• IEC TC 65 – Industrial Process Measurement, Control and Automation
• IEC 62443-1 … -4

• ISO/TC 022/SC 03 & IEC/TC 69 JWG 01 – Vehicle-to-Grid Interface
• ISO 15118

• ISO 27001 – Information security management systems – Requirements

• ISO 27002 – Code of Practice for information security management

• ISO 27019 – Information security management guidelines for process control systems used in the energy utility industry on the basis of ISO/IEC 27002

• Critical Infrastructure Protection

Handout 8

Focus Shifting from Product Security to e2e Security

Cyber Security Requirements – The Moving Target

Awareness
• Cyber Security is on top of the agenda of C-level
• Media exposure on vulnerability or incidents is high
• Cyber Security incidents have a cross-division impact

Regulation
• Increased Attention on critical Infrastructure
• Actual and upcoming regulation:
  • EU: Data Protection Regulation
  • DE: Protection Profile (Smart Metering)
  • DE: Sicherheitskatalog (certified risk management)
  • FR: Industrial Control System
  • US: NERC CIPv5

Figure labels: Product Security, Solution Security, Operational Security

Shift in Customer requirements towards
• Life-cycle management (e.g. Incident & Vulnerability handling, Security Patch management)
• Solution-Security (e.g. e2e security)
• Compliance of solutions (Certification)


Our Products – Integrated Security

Siemens Domain Knowledge &

Figure labels: Life Cycle management; Security Architecture; Security by Design; Integrity; Confidentiality; Availability; Substation Automation; Protection; Power Quality; Control Center & Applications

Standards: NERC CIP, bdew, WIB 2.0, IEC 62443

Handout 9

Our Systems and Solutions: End-to-End Security
Secure System Design

Secure solutions considering
• Secure network configuration
• Hardening
• Account Management incl. Authentication
• Vulnerability Management & Malware protection
• Backup & Restore
• Remote Access

Including all relevant Processes and Phases
• Product Development Phases: Requirements, Implementation, Test
• Project Management Phases: Offering, Contract, Engineering, Commissioning (FAT/SAT), After Sales

Siemens Provision
• Deep IT Security knowledge and experience for products, systems and solutions
• Documentation and processes available on product and system level
• Different levels of support for customer projects

Secure Systems & Solutions


Substation Security Patch Management
Vendor-centric Processes

• ProductCERT: Security Vulnerability Monitoring (SVM) Service
• Development / PLM: Manage vulnerabilities and patches as part of the development process
• Project Delivery / SCM: Keep security patch level in the solution up to date (SCM)

Handout 10

Example: Secure Substation – Advanced Cyber Security Integrated in the Products

Competence and Processes
• Secure Development Process
• Patch Management Process
• Contribution to definition of security standards, like IEC 62351


Integrated Security in our products
• Centralized user management and role-based access
• Encrypted communication
• Secure Remote Firmware and Security Update

Secure Substation Design
• Proofed reference architecture
• Recommendation for network components, malware protection and other security controls



Cyber Security in Energy Management – Our Offerings

Siemens Offerings

Products & Solutions
• Secure Substation, e.g. migration to a secure substation
• BDEW white paper compliance modules

Penetration Tests
• Network penetration tests at customer infrastructure (simulating external and internal cyber attacks)

Consulting
• Security Assessments for existing infrastructure, e.g. Hardening
• Consultancy for secure integration of Siemens products and systems
• BDEW white paper compliance audit
• Holistic Security Consultancy via Smart Grid Compass (incl. data security and data privacy)
• Security Standardization to ensure aligned and interoperable system security

Services
• Cyber Security Trainings
• Security Patch Management for SCADA

Handout 11

Thank you for your attention!

Siemens Corporate Technology 2015