DATA MANAGEMENT FOR AUTOMATED PRODUCTION
IEC 62443 Security in Industrial Automation
Dirk Thielker
PRIORITIES OF DIFFERENT TYPES OF IT SYSTEM
Industrial IT – AVAILABILITY
▪ Antivirus not possible (slows down the system)
▪ Systems designed to be isolated
▪ Rebooting results in downtime
▪ Low availability of security systems
▪ Physical danger for people or the environment
Office IT – CONFIDENTIALITY
▪ High availability of security systems
▪ Slowing down the system not a major problem
▪ Systems regularly shut down and restarted
▪ Problems rarely result in physical danger for people or the environment
*Source: AdobeStock_48975872, Fotolia_159173304_sorapolujjin and Siemens AG
IT & OT RISK MANAGEMENT - COMMON GROUND
IT – BASIC PROTECTION
BSI 200-3 / ISO 2700x
OT – MACHINE SAFETY
MRL 2006/42/EG / ISO 12100
ISO 13849
• Overview of dangers
• Risk assessment
• Evaluation of risks
• Handling risks
• Integration into the safety concept
Danger
Safety
Necessary risk reduction measures
Implemented risk reduction measures
Acceptable risk limit
Remaining risk
Risk
IT & OT RISK MANAGEMENT - DIFFERENCES
IT – SECURITY
47 Sources of risk
OT – SAFETY
11 Sources of risk (each with many facets)
CONVERGENCE OF IT AND OT
IT – SECURITY
47 Sources of risk
OT – SAFETY
11 Sources of risk (each with many facets)
OT
IT
+ IT – SECURITY
47 Sources of risk
ICS VULNERABILITIES
ICS VULNERABILITIES – NEW IN JUNE 2020
ICS VULNERABILITIES – STANDARDS WILL HELP
IEC 62443 DEFENSE IN DEPTH
Organisational measures taken by the operator
Security functions built-in to components by the manufacturers
Protect the facility
• Restricted physical access
• Rules and processes
• Security checks
Protect the network
• Segmented network
• Firewall
• VPN and end-to-end encryption
Protect the system
• Detect and defend against attacks
• Protect against manipulation
• Robust systems / password protection
• Patch management
Measures built-in to system by the integrator
IEC 62443 DOCUMENTS
Organisational measures taken by the operator
Measures built-in to system by the integrator
Security functions built-in to components by the manufacturers
EVALUATION OF THE PROTECTION LEVEL
[Figure: Protection Level matrix. Axes: Maturity Level (1 to 4) and Security Level (1 to 4); cells PL 1 to PL 4. Labels: 2-1, 2-4 Policies & Procedures; 3-3 System & Components.]
Requirement
IEC 62443-2-1
A12 Operational policies and procedures
A 12.1 Operational procedures and responsibilities
- Documented operating procedures
- Change management
Goal: Ensure proper and secure operation
A 12.2 Protection against malware
- Anti-malware measures
Goal: Facility is protected against malware
A 12.3 Backup of data
- Valuable intellectual property stored in more than one place
Goal: Data is protected against loss
A 12.4 Logging and monitoring
- Event logging
- Logged information protected
- Administrator and user logs
Goal: Events are logged and traceability is ensured
EXAMPLE 1
REQUIREMENT
[…] Technical and organizational protective measures MUST be defined. […]
IMPLEMENTATION
✓ Data backed up in the form of versions of programming projects
✓ Data backup in the form of device uploads
✓ Changes DETECTED by comparing consecutive uploads
✓ All the necessary tools and data for fast disaster recovery
EXAMPLE 2
▪ AUVESY and IRMA® – network scanner
▪ Introduce versiondog: "zero touch"
▪ Passive network scan (no risk)
▪ Active network scan
▪ Detect anomalies
▪ Desired vs. actual project version / program running on device
▪ Desired vs. actual device operation
▪ Desired vs. actual anomaly detection
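An added example, not AUVESY's or versiondog's code: a sketch of the two comparisons named in Example 1 and Example 2 (consecutive uploads, and desired vs. actual program on the device). It assumes an upload can be represented as a mapping of block name to bytes; all block names and contents are constructed.

```python
import hashlib

def fingerprint(upload):
    """Map each block name to the SHA-256 digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in upload.items()}

def diff_uploads(before, after):
    """List blocks added, removed or modified between two program images."""
    a, b = fingerprint(before), fingerprint(after)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def assess(released, uploads):
    """Check every upload against its predecessor and against the released version."""
    findings, previous = [], released
    for label, upload in uploads:
        step = diff_uploads(previous, upload)
        drift = diff_uploads(released, upload)
        findings.append({
            "upload": label,
            "changed_since_last": any(step.values()),
            "matches_release": not any(drift.values()),
            "drift": drift,
        })
        previous = upload
    return findings

# Constructed sample data: block names and contents are invented for illustration.
RELEASED = {"OB1": b"main cycle v7", "FC10": b"valve control v7", "DB5": b"setpoints v7"}
TAMPERED = {**RELEASED, "FC10": b"valve control (altered)", "FC99": b"unknown block"}
UPLOADS = [("day-1", dict(RELEASED)), ("day-2", TAMPERED), ("day-3", dict(TAMPERED))]

if __name__ == "__main__":
    for f in assess(RELEASED, UPLOADS):
        print(f["upload"], "changed:", f["changed_since_last"],
              "matches release:", f["matches_release"], f["drift"])
```

On day-3 the consecutive comparison goes quiet because the altered program persists, while the desired vs. actual comparison still reports the drift, which is why both checks are kept.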
STUXNET
▪ Malicious manipulation that would have been detected by versiondog
SECURITY AND SAFETY
Security Safety
I AM HAPPY TO ANSWER ANY QUESTIONS!
YOUR CONTACT:
Dirk Thielker
DIRK.THIELKER@AUVESY.DE
Thank you for your attention!