Chapter 4
Industrial Security and the Management of Industrial Networks
Matjaž Demšar
GSM: +386 (31) 684 810
Reliable industrial communication networks are the backbone of a digital enterprise.

Industrial Security: Essential in the Age of Digitalization
Challenges for Companies: Productivity, Cost Pressure and Regulations

Protect productivity against:
• Externally caused incidents through increasing connectivity
• Internal misbehavior
• The evolving threat landscape

Reduce costs:
• For qualified personnel
• For essential security technologies

Comply with regulations:
• Reporting requirements
• Minimum standards
• Security know-how
IT Security priorities: confidentiality, integrity, availability
Industrial Security priorities: availability, integrity, confidentiality
Challenge: bring everyone to the table
Challenges are similar but reality is very different in IT and Industrial (OT) Security
(IT Security vs. Industrial Security)
• Asset lifecycle: 3-5 years vs. 20-40 years
• Software lifecycle: forced migration (e.g. PCs, smart phones) vs. usage as long as spare parts are available
• Options to add security software: high (> 10 "agents" on office PCs) vs. low (old systems without "free" performance)
• Heterogeneity: low (~2 generations, Windows 7 and 10) vs. high (from Windows 95 up to 10)
• Main protection concept: standards based (agents & forced patching) vs. case and risk based
• Protection goal in focus: confidentiality vs. availability
The ever-changing threat landscape: cybersecurity laws and regulations, Internet of Things, professional hackers, vulnerabilities
Evolution of the cyber threat landscape

Digital Information Processing (1950s – 1980s)
• Military, governments and other organizations implement computer systems
• Home computer is introduced
• Computers make their way into schools, homes, business and industry
• Attacks of the era: AT&T hack / Blue Boxing, Morris Worm

Digital Connectivity (1990s – 2000s)
• Digital enhancement of electrification and automation
• The World Wide Web becomes publicly accessible (1991)
• The globe is connected by the internet
• Attacks of the era: AOHell, cryptovirology, Level Seven Crew hack (1999), denial of service attacks, phishing

Digital Automation and Intelligence (2010s – 2020s)
• Mobile flexibility
• Cloud computing enters the mainstream
• Internet of Things, smart and autonomous systems, Artificial Intelligence, Big Data, Industry 4.0
• Attacks of the era: targeting critical infrastructure, Stuxnet, sl1nk SCADA hacks, Cloudbleed, Meltdown/Spectre, Industroyer/Crashoverride, WannaCry, NotPetya, cyberwar

The threat landscape keeps growing and changing, and attackers are targeting industrial and critical infrastructures.
Challenges and drivers: most critical threats to Industrial Control Systems

Industrial Control System Security: Top 10 Threats and Countermeasures¹
1. Infiltration of Malware via Removable Media and External Hardware
2. Malware Infection via Internet and Intranet
3. Human Error and Sabotage
4. Compromising of Extranet and Cloud Components
5. Social Engineering and Phishing
6. (D)DoS Attacks
7. Control Components Connected to the Internet
8. Intrusion via Remote Access
9. Technical Malfunctions and Force Majeure
10. Compromising of Smartphones in the Production Environment

Outdated operating systems² (end of support):
• Windows NT 4.0: 30 June 2004
• Windows XP: 8 April 2014
• Windows 7: 14 January 2020
• Windows 10: 14 October 2025

¹ Source: © BSI Publications on Cyber Security | Industrial Control System Security 2019
² Source: © Microsoft
Industrial Security: Lifecycle of security management
• Assess Security: evaluation of the current security status of an ICS environment
• Implement Security: risk mitigation through implementation of security measures
• Manage Security: comprehensive security through monitoring and vulnerability management
Industrial Security: Phases in detail

Assess Security
• IEC 62443
• ISO 27001
• Penetration testing

Implement Security
• User Training
• OT network infrastructure
• Automation Firewalls
• Application Whitelisting
• Antivirus
• Industrial Anomaly Detection

Manage Security
• Industrial Security Monitoring
• Industrial Vulnerability Management
• Patch Management
• Remote Incident Handling
Assess Security: Following a risk-based approach
… covers a holistic analysis of threats and vulnerabilities, the identification of risks and recommendations of security measures to close the identified gaps.
IEC 62443 Assessment: Assessment of compliance to the IEC 62443 international standard
• Focus on parts 2-1 "Establishing an industrial automation and control system security program" and 3-3 "Security for industrial process measurement and control – Network and system security"
• 2 days on-site with the customer, coordinated by a security consultant and a security engineer
• Questionnaire-based checklist to identify and classify risks
• Up to 30 pages report containing recommendations for risk mitigation measures
[Figures: questionnaire, result spider diagram, result bar chart]
ISO 27001 Assessment: Assessment of security according to the ISO 27001 international standard
• 1 day on-site workshop with the customer to identify and classify risks
• Coordinated by a security consultant and a security engineer
• Typical attendants: management and the customer's persons responsible for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline evaluation of the results
• Up to 30 pages report containing analysis, recommendations for risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)
Network Scanning: Detection of relevant vulnerabilities in the production environment
• Rapid transparency over vulnerabilities, end-of-life information and mitigations in automation environments
• Industrial scan profiles optimized for the production environment
  … reduce the risk of downtimes
  … provide relevant results only
• Service delivery by automation specialists ensures the project's success through
  … deep system know-how
  … combined expertise within the IT and OT area
[Figures: visualization of scan results; vulnerabilities and configuration problems; selected open-source and commercial tools]
June 2018, Page 16
Implement Security: To mitigate risks
… means the implementation of security measures to increase the protection level of shop-floor environments.
Security Awareness Training

Challenge
• 91% of the security incidents in 2015 involved credentials stolen through phishing e-mails¹
• Only 3% of targeted individuals reported the phishing e-mail¹
• 70% of all security incidents are caused by human error²

Common approach
• No cyber security training at all
• Cyber security training for the office environment, focusing on classic IT security topics

Weak points of the common approach
• Increased vulnerability to threats based on human error
• Lack of automation perspective when training staff on cyber security topics

Goal
Increase security awareness among shop-floor staff to avoid security incidents caused by human error

¹ Source: © Verizon 2016
² Source: © Ponemon Institute Research 2013
OT network infrastructure and policies

Policy Consulting
• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with existing enterprise cybersecurity practices
• Examples: patch and backup strategy, handling of removable media

Industrial Network Security Consulting
• Cell segmentation of networks based on the IEC 62443 standard or the SIMATIC PCS 7 and WinCC security concept
• Design and planning of a perimeter protection (DMZ, demilitarized zone)
• Perimeter firewall rule establishment, review and implementation
[Figure: protected zone, DMZ, unsecure zone]
Automation Firewall Next Generation

Challenge
• Shop-floor landscape changed from isolated islands to highly complex networks
• Automation networks have grown historically and often evolved into huge flat networks without any segmentation

Today's solutions
• Perimeter protection for the office environment or the whole site
• Perimeter protection for the automation network, but controlled by office IT without automation know-how

Weak points of today's solutions
• Spread of failures due to flat networks
• Inconsistent configuration of protection measures due to lack of automation expertise (e.g. perimeter firewall configured to protect the office against the automation network and not the other way around)
• No perimeter protection at all

Goal
Increase network security with a perimeter protection solution in line with security requirements for industrial automation, tested and approved for usage with the Siemens process control system
Application Whitelisting

Challenges
• In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged, some of which were more than a decade old¹.
• Total zero-day vulnerabilities increased exponentially in the last years²:
  • 2013: 23
  • 2014: 24 (+4%)
  • 2015: 54 (+125%), more than one per week

Our Solution
With an Application Whitelisting application, only trusted applications are allowed to run on the computer systems. These applications are maintained in a positive list (whitelist). It prevents execution of unknown applications and executables such as malware or unwanted applications.
The Application Whitelisting application must be approved for use with the different automation and process control software products like SIMATIC PCS 7, WinCC and SINUMERIK³.

¹ Source: © CNN Money | ² Source: © Symantec | ³ Selected SINUMERIK 840D PCU50.X versions
Antivirus

Challenges
• The total number of vulnerabilities in 2015 reflects a 77% increase compared to 2011¹.
• Almost one million never-before-seen malware samples are released on a daily basis².
• Until now, more than 550 million malware samples have been released in 2016³.
• Information technologies are used in industrial automation. The number of open standards and PC-based systems has increased enormously in the last years.

Solution
Antivirus software protects systems and single files from virus infections, trojans and other malware by using continuously updated signature files.
The antivirus application must be approved for use with the different Siemens software products like SIMATIC PCS 7, WinCC or TIA Portal.

¹ Source: © Risk Based Security 2016 | ² Source: © Symantec | ³ Source: © AV-Test
Industrial Anomaly Detection: Transparency of communication with your production assets
• Transparency over the data exchange within the plant networks provides continuous and proactive identification of changes (anomalies) in the system
• Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection
• 100% passive monitoring oversees the plant network without impact on the monitored systems
• Automated asset identification to assist in risk analysis and mitigation
• Use of an advanced machine learning system, so the detection rate is enhanced over time
• Aligned with requirements of standards, regulations and acts to protect critical infrastructure
Anomaly Detection Software
• Many professional vendors as well as open-source solutions
• Considerations: maturity, scalability, stability, support, development approach (IEC 62443-4-1 and IEC 62443-4-2)
• Intrusion detection for OT networks has its own specific issues
• Typical capabilities: OT network graph, asset insights, attack detection, root cause analysis, reporting capabilities
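The baseline correlation described above, as an added example that is not the page's or Siemens' code: flow records from a passive sensor are learned into a baseline of known assets and conversations, current flows are then checked for unknown assets, new conversations and volume spikes, and operator-confirmed flows are folded back into the baseline. All addresses, protocols and byte counts are constructed sample data.

```python
from collections import defaultdict
# Constructed flow records as a passive sensor exports them from a mirror port:
# (source, destination, destination port, protocol identified by DPI, bytes).
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 102, "S7comm", 4200),       # HMI -> PLC 1
    ("10.1.0.10", "10.1.0.51", 102, "S7comm", 4100),       # HMI -> PLC 2
    ("10.1.0.20", "10.1.0.50", 502, "Modbus/TCP", 900),    # SCADA -> PLC 1
    ("10.1.0.20", "10.1.0.51", 502, "Modbus/TCP", 950),    # SCADA -> PLC 2
    ("10.1.0.10", "10.1.0.5", 53, "DNS", 120),             # HMI -> DNS
] * 10  # ten identical sampling intervals of normal operation

CURRENT_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 102, "S7comm", 4300),       # normal
    ("10.1.0.20", "10.1.0.50", 502, "Modbus/TCP", 920),    # normal
    ("10.1.0.77", "10.1.0.50", 102, "S7comm", 5000),       # unknown asset
    ("10.1.0.10", "10.1.0.20", 445, "SMB", 80000),         # known pair, new protocol
    ("10.1.0.20", "10.1.0.51", 502, "Modbus/TCP", 90000),  # ~100x usual volume
]

def learn_baseline(flows):
    """Known assets plus mean bytes per (src, dst, port, protocol)."""
    assets = set()
    conversations = defaultdict(lambda: {"count": 0, "bytes": 0})
    for src, dst, port, proto, nbytes in flows:
        assets.update((src, dst))
        stats = conversations[(src, dst, port, proto)]
        stats["count"] += 1
        stats["bytes"] += nbytes
    for stats in conversations.values():
        stats["mean"] = stats["bytes"] / stats["count"]
    return {"assets": assets, "conversations": dict(conversations)}

def detect_anomalies(baseline, flows, volume_factor=5.0):
    """Return (kind, detail, conversation) for every deviation from baseline."""
    alerts = []
    for src, dst, port, proto, nbytes in flows:
        key = (src, dst, port, proto)
        unknown = [ip for ip in (src, dst) if ip not in baseline["assets"]]
        if unknown:                        # asset never seen while baselining
            alerts.append(("new_asset", unknown[0], key))
            continue
        if key not in baseline["conversations"]:
            alerts.append(("new_conversation", f"{proto}/{port}", key))
            continue
        mean = baseline["conversations"][key]["mean"]
        if nbytes > volume_factor * mean:  # same talkers, abnormal volume
            alerts.append(("volume_spike", f"{nbytes} B vs mean {mean:.0f} B", key))
    return alerts

def confirm_as_normal(baseline, flows):
    """Operator marks alerts benign: fold those flows into the baseline so
    the model improves over time instead of re-alerting on them."""
    learned = learn_baseline(flows)
    baseline["assets"] |= learned["assets"]
    baseline["conversations"].update(learned["conversations"])
    return baseline
```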
Manage Security: For a comprehensive, always up-to-date industrial security solution
… means the continuous monitoring and renewal of implemented measures through our centralized services.
Industrial Security Monitoring: Scenario: Joint IT / OT / IoT Security Monitoring & Operation
• Customer IT / OT / IoT data sources: data provisioning
• SIEM Event Receiver: data gathering
• SIEM Manager: correlation & aggregation
• SOC (1st & 2nd level for IT / OT & IoT): analysis of security events
• vSOC IT / IoT and OT / IoT (3rd level): root cause analysis & forensics
• Customer Service Operation: root cause elimination
Industrial Vulnerability Management Process

Challenge
• Every day new software vulnerabilities get reported
• Currently manufacturers and operators struggle to identify whether their manufactured or used automation products are affected

Solutions
• Manual checking of different web pages from providers of automation technology (e.g. on the Siemens web page https://www.siemens.com/cert/en/cert-security-advisories.htm)
• Customers need to compare the findings on these web pages against their lists of software components in their products or in the automation environment

Considerations
• High manual effort and, consequently, neglect of already officially reported vulnerabilities
• Customers stay unaware of the real threat and consequently do not trigger proactive measures (e.g. patching)

Goal
Provide relevant security information to enable manufacturers and operators of automation technology to proactively manage their cyber risks.

Industrial Vulnerability Management: application example
• Definition of what software components to monitor
• Notifications in case of detected vulnerabilities and possible patches
• Risk-based management of vulnerabilities
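The matching step of the process above, as an added example that is not the page's or Siemens' code: a registered list of monitored components is compared against incoming advisories, every hit becomes a notification ranked by CVSS and zone criticality, and a component with no vendor fix gets a distinct action. The inventory, the advisories, the ADV-000x identifiers and the product names are constructed placeholders.

```python
# Constructed inventory of the components the operator registered for
# monitoring; product names, versions and criticalities are invented.
MONITORED = [
    {"asset": "OS-01",  "product": "ExampleHMI",    "version": "7.1",   "criticality": 3},
    {"asset": "ES-01",  "product": "ExampleHMI",    "version": "8.0",   "criticality": 2},
    {"asset": "PLC-12", "product": "ExamplePLC-FW", "version": "4.2.1", "criticality": 3},
    {"asset": "EWS-02", "product": "ExampleEng",    "version": "2.5",   "criticality": 1},
]

# Constructed advisory feed; the IDs are placeholders, not real advisories.
# "affected_below" is an exclusive upper bound on the affected versions.
ADVISORIES = [
    {"id": "ADV-0001", "product": "ExampleHMI",    "affected_below": "7.2", "cvss": 9.8, "fixed_in": "7.2"},
    {"id": "ADV-0002", "product": "ExamplePLC-FW", "affected_below": "4.3", "cvss": 6.5, "fixed_in": None},
    {"id": "ADV-0003", "product": "ExampleSCADA",  "affected_below": "3.0", "cvss": 8.1, "fixed_in": "3.0"},
]

def parse_version(text):
    """'7.1' -> (7, 1, 0): numeric comparison, padded to three fields."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def match_advisories(inventory, advisories):
    """One notification for every monitored component an advisory affects."""
    findings = []
    for adv in advisories:
        bound = parse_version(adv["affected_below"])
        for item in inventory:
            if item["product"] != adv["product"]:
                continue
            if parse_version(item["version"]) >= bound:
                continue  # installed version is already past the affected range
            if adv["fixed_in"]:
                action = f"patch {adv['product']} to {adv['fixed_in']}"
            else:  # no vendor fix yet: the risk must be handled by other measures
                action = "no patch available: apply compensating controls and monitor"
            findings.append({
                "advisory": adv["id"], "asset": item["asset"],
                "risk": round(adv["cvss"] * item["criticality"], 1),
                "patch_available": adv["fixed_in"] is not None,
                "action": action,
            })
    return findings

def prioritised_notifications(inventory=MONITORED, advisories=ADVISORIES):
    """Risk-based ordering: highest CVSS x zone criticality first."""
    return sorted(match_advisories(inventory, advisories),
                  key=lambda f: (-f["risk"], f["asset"]))
```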
Patch Management: Managing critical updates in Microsoft products

Challenge
• Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. Regular and prompt installation of patches is a vital element of a comprehensive security concept
• Patching with an incompatible patch can cause unplanned downtimes

Common approach
• The customer has to release the Microsoft patches manually on a WSUS, based on the Siemens SIMATIC PCS 7 compatibility Excel sheet
• No patching is performed at all, or no WSUS server is used but patches are downloaded directly by the endpoints

Weak points of the common approach
• Possibility of system disruption due to missing consideration of compatibility, or failures due to manual work
• Need to manually check for an updated Excel sheet on the Siemens website
• Labor-intensive process (occurring monthly)

Goal
Support operations by testing automation software with Microsoft security and critical patches when new patches are released, in order to check the compatibility of the PCS 7 software with these patch classifications¹, and by providing metadata about approved patches at the customer site

¹ Only "Security Patches" and "Critical Patches" are necessary to ensure that SIMATIC PCS 7 operation is secure and stable

Patch Management: Managing vulnerabilities and critical updates in Microsoft products
• Reduce the consequences that might have an impact on plant availability
• Timely release of patches after finishing the tests (approx. 2 weeks after Microsoft patch day)
• Reduce the probability of wrong implementation of patches
• Reduction of manual work on-site
• Solution designed by combining security know-how with process control expertise
• Fully automatic release of patch information (only metadata, no automatic installation, to avoid plant downtime)
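The release decision described above, as an added example that is not the page's or Siemens' code: released compatibility metadata (approved, incompatible, or not yet tested) is combined with the WSUS classification of each pending update to decide approve, decline or hold, and nothing is installed from here. The KB numbers and compatibility results are constructed; the classification names are the labels WSUS itself uses.

```python
# WSUS classification names; the page states that only these two
# classifications are needed for secure and stable PCS 7 operation.
RELEASE_CLASSIFICATIONS = {"Security Updates", "Critical Updates"}

# Constructed compatibility metadata as a released list would provide it:
# KB number -> result of the test against the process control software.
COMPATIBILITY = {
    "KB5000001": "approved",
    "KB5000002": "incompatible",   # failed the compatibility test
    # KB5000004 is not listed yet: its test is still running (approx. 2 weeks)
}

# Constructed set of updates currently pending on the WSUS server.
PENDING_UPDATES = [
    {"kb": "KB5000001", "classification": "Security Updates"},
    {"kb": "KB5000002", "classification": "Critical Updates"},
    {"kb": "KB5000003", "classification": "Feature Packs"},
    {"kb": "KB5000004", "classification": "Security Updates"},
]

def decide(update, compatibility):
    """Return (kb, decision, reason) for a single pending update."""
    kb = update["kb"]
    if update["classification"] not in RELEASE_CLASSIFICATIONS:
        return kb, "decline", "classification not required for PCS 7"
    status = compatibility.get(kb)
    if status == "approved":
        return kb, "approve", "passed compatibility test"
    if status == "incompatible":
        return kb, "decline", "incompatible: would risk unplanned downtime"
    # Untested updates stay pending: an untested patch must not reach the plant,
    # but declining it would hide it from the next compatibility release.
    return kb, "hold", "not yet tested, keep pending"

def plan_release(updates=PENDING_UPDATES, compatibility=COMPATIBILITY):
    """Approval plan for the WSUS administrator: KB -> (decision, reason)."""
    return {kb: (decision, reason)
            for kb, decision, reason in (decide(u, compatibility) for u in updates)}
```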
Incident Handling: Fast reaction upon security-relevant threats
• What shall I do with the system?
• What protects me for the future?

Team of experts
• Root-cause analysis performed by experts for industrial security
• Analysis of root cause and criticality
• Report including suggestions how to clean the affected systems
[Figure: Incident Handling Report]
Ukrainian power grids cyberattack: A forensic analysis based on ISA/IEC 62443
Information from publicly available resources

Phase 1: Malware & spear phishing
Source: isa.org

Phase 2: Preparing the attack, network scans & "APT"
Source: isa.org

Phase 3: The attack
Source: isa.org

Analysis
• Seems easy to detect
  • Significant network activities
  • Activities on multiple systems
• Normal network activity?
  • Volume of traffic

IEC 62443 assessment
• IEC 62443-3-3: 51 system requirements (SR) in 7 foundational requirements (FR)
• SL-A estimation
  • Approx. half of the SRs could be estimated
  • Overall SL-A = 0
• Takeaways
  • Do not aim for high SL in some areas
  • Keep controls in place to ensure SL-A
  • Plan for contingency actions
  • SR 6.2 (continuous monitoring) at SL = 2 could have prevented the attack!
Thank you for your attention!

Matjaž Demšar
Digital Industries, Customer Services
+386 31 684 810
siemens.com/industrial-security-services
Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may
not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested
performance features are binding only when they are expressly agreed upon in the concluded contract.
All product designations, product names, etc. may contain trademarks or other rights of Siemens AG, its affiliated companies or third parties.
Their unauthorized use may infringe the rights of the respective owner.
Questions and Answers