Unrestricted © Siemens AG 2019
siemens.com/industrial-security-services
Aluminium Conference 2020
Industrial Security
Britain's 4th Industrial Revolution: Revolution or Evolution?

First Industrial Revolution: based on the introduction of mechanical production equipment driven by water and steam power (1784: first mechanical loom).

Second Industrial Revolution: based on mass production achieved by the division-of-labour concept and the use of electrical energy (electrification) (1870: first conveyor belt, Cincinnati slaughterhouse; 1908: Ford Model T).

Third Industrial Revolution: based on the use of electronics and IT to further automate production (automation) (1969: first programmable logic controller (PLC), Modicon 084).

Fourth Industrial (R)Evolution: driven by digitalisation, integration and enhanced flexibility.

(Timeline axis on the slide: 1800 to 2025.)

Digitalisation Technologies
• Virtual/Augmented Reality
• Digital Twin
• Cyber-Physical Systems
• Big Data/Smart Algorithms
• Internet of Things
• Advanced Robotics & Cobotics
• Cloud Technology
• 3D Printing/Additive Manufacturing
• Cyber-Security
MindSphere is your entry point to drive performance with digitalization

The Internet of Things (projected number of connected assets): 1M (1992), 0.5B (2003), IoT inception (2009), 8.7B (2012), 11.2B (2013), 14.2B (2014), 18.2B (2015), 22.9B (2016), 28.4B (2017), 34.8B (2018), 42.1B (2019), 50.1B (2020).

MindSphere: the cloud-based, open IoT operating system

Increase Performance … powered by digital transformation
Build Digital Business … through development of applications & digital services
Differentiate in the Market … through new service and business models
Industry Evolution: The future of big data and cloud applications will be in the industrial space

The total volume of data generated on earth summed up to 3.1 Zettabyte in 2012; by 2015 it will be 7.4 Zettabyte and by 2020 it will be 45 Zettabyte (1 Zettabyte = 1 sextillion bytes = 1000 Exabytes = 1 billion Terabytes).

People2People: network of virtual communities. From person to person – that was the beginning.
People2Machine: medical technology, digital TV, cameras, computers, mobile phones.
Machine2Machine: sensors, meters, devices, industrial machines; Internet of Things/"Industry 4.0"; enabling additional productivity levers and new business models. From machine to machine – the focus today and in the future.

Source: Oracle, 2012; Roland Berger, 2015
IT/OT convergence supporting New Business and Collaboration Models

Connected Enterprise: connected customers, connected consumers, connected products, connected R&D, connected suppliers, connected machines; users, customers, suppliers, consumers and partners around it.

Automation levels: Field Level, Control Level, Operator Level, Management Level, Enterprise Level (IT – OT).

Services across the stack: security assessment, implementation, operation; consulting, integration, cloudification, hosting, maintenance.
Restricted © Siemens AG 2018, DF PL CAS S EMEA, November 2018

Digital Transformation is a journey to unlock the value of your data
IIoT Digital maturity model: a phased, planned approach with targeted outcomes (value creation grows with solution maturity)

Phase 1 – Data-driven actions
• Improve an existing process (reduce downtime, improve customer experience)
• Collect data and use it in a "stand-alone" process

Phase 2 – Data-driven process integration
• New integrated data-driven process to automate and react proactively
• IoT solution (OT) merges with existing processes and IT
• New processes to capture the value of data

Phase 3 – Learn and innovate
• New products, new services, new insights
• Data is analyzed for patterns
• Business transformation

Apps and solutions, by increasing maturity:
• Asset Management / Condition Monitoring → Asset Performance Management → Predictive Maintenance → Optimized Predictive Maintenance → Optimized Prescriptive Maintenance
• Asset Energy Usage → Energy Cost / Savings
• Digital Twin Production → Digital Twin Performance
• Augmented / virtual reality
• AI / self-optimizing systems
• …
Challenges for our Customers: Productivity, Cost Pressure and Regulations

Protect productivity against:
• Externally caused incidents through increasing connectivity
• Internal misbehavior
• The evolving threat landscape

Reduce costs:
• For qualified personnel
• For essential security technologies

Comply with regulations:
• Reporting requirements
• Minimum standards
• Security know-how
Page 7 DF CS SD SCP PSS
The ever-changing threat landscape: cybersecurity laws and regulations, Internet of Things, professional hackers, vulnerabilities.
ICS attack surface is growing
Challenges: increasing vulnerability, high connectivity.

• Social engineering and phishing
• Introduction of malware via removable media and external hardware
• Malware infection via the Internet and Intranet
• Intrusion via remote access
• Human error and sabotage
• Control components connected to the Internet
• Technical malfunctions
• Compromising of extranet and cloud components
• (Distributed) denial-of-service ((D)DoS) attacks
• Compromising of smartphones in the production environment

Source © BSI analysis on cyber security 2016, German Federal Office for Information Security
Evolution of the cyber threat landscape

Digital Information Processing (1950s – 1980s)
• Military, governments and other organizations implement computer systems
• Home computer is introduced; computers make their way into schools, homes, business and industry
• Digital enhancement of electrification and automation
• Threats: Blue Boxing, AT&T Hack, Morris Worm

Digital Connectivity (1990s – 2000s; 1991: the World Wide Web becomes publicly accessible)
• The globe is connected by the internet
• Mobile flexibility
• Threats: AOHell, Cryptovirology, Level Seven Crew hack, Denial of service attacks, Phishing

Digital Automation and Intelligence (2010s – 2020s)
• Cloud computing enters the mainstream
• Internet of Things, smart and autonomous systems, Artificial Intelligence, Big Data
• Industry 4.0
• Threats: Stuxnet, Cyberwar, targeting critical infrastructure, sl1nk SCADA hacks, Industroyer/Crashoverride, WannaCry, NotPetya, Cloudbleed, Infineon TPM, Meltdown/Spectre

The threat landscape keeps growing and changing, and attackers are targeting industrial and critical infrastructures.
Challenges and drivers: Most critical threats to Industrial Control Systems

Industrial Control System Security – Top 10 Threats and Countermeasures¹
1. Social engineering and phishing
2. Infiltration of malware via removable media and external hardware
3. Malware infection via Internet and Intranet
4. Intrusion via remote access
5. Human error and sabotage
6. Control components connected to the Internet
7. Technical malfunctions and force majeure
8. Compromising of extranet and cloud components
9. (D)DoS attacks
10. Compromising of smartphones in the production environment

Outdated operating systems² (end of support):
Windows NT 4.0: 30 June 2004
Windows XP: 8 April 2014
Windows 7: 14 January 2020
Windows 10: 14 October 2025

¹ Source © BSI Publication on Cyber Security | Industrial Control System Security 2016
² Source © Microsoft
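The end-of-support table above only becomes actionable once it is run against a real asset inventory. The Python script below is an added example, not code from the slide deck or from Siemens: it takes the four end-of-support dates exactly as listed on the slide, a constructed sample inventory of plant hosts (hypothetical host names and zones), and a reference date, and sorts the hosts by patching urgency. Hosts whose OS is past end of support come first, most overdue first; hosts still in support are ranked by days remaining; hosts whose OS is not in the table (typical for controller firmware) stay on the list as "unknown" rather than being silently dropped, since an asset the script cannot classify is a gap in the inventory, not evidence that it is safe.

```python
from datetime import date

# End-of-support dates as listed on the slide (source given there: Microsoft).
END_OF_SUPPORT = {
    "Windows NT 4.0": date(2004, 6, 30),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


def classify(os_name, today):
    """Return (status, days) for one OS name.

    days is negative when support has already ended, zero or positive while
    support is still ahead, and None when the OS is not in the table."""
    eol = END_OF_SUPPORT.get(os_name)
    if eol is None:
        return "unknown", None
    days = (eol - today).days
    return ("unsupported" if days < 0 else "supported"), days


def triage(assets, today):
    """Sort an asset inventory by patching urgency.

    Unsupported systems first (most overdue first), then supported systems
    by days of support remaining, then assets whose OS is not in the table;
    the last group needs a manual check, not a free pass."""
    rows = []
    for asset in assets:
        status, days = classify(asset["os"], today)
        rows.append({**asset, "status": status, "days": days})
    order = {"unsupported": 0, "supported": 1, "unknown": 2}
    rows.sort(key=lambda r: (order[r["status"]],
                             r["days"] if r["days"] is not None else 0))
    return rows


# Constructed sample inventory of a hypothetical plant (not from the slide).
SAMPLE_ASSETS = [
    {"host": "HMI-01", "zone": "control", "os": "Windows XP"},
    {"host": "ENG-WS-02", "zone": "operator", "os": "Windows 7"},
    {"host": "HIST-01", "zone": "management", "os": "Windows 10"},
    {"host": "PLC-07", "zone": "field", "os": "vendor firmware"},
]


def triage_sample(today=date(2020, 2, 10)):
    """Run the triage over the constructed inventory as of the slide date."""
    return triage(SAMPLE_ASSETS, today)


if __name__ == "__main__":
    for row in triage_sample():
        days = "n/a" if row["days"] is None else f"{row['days']:+d} days"
        print(f"{row['status']:<12} {row['host']:<10} {row['zone']:<11} "
              f"{row['os']:<16} {days}")
```

Run as-is it prints the triage for the slide date (10.02.2020): the Windows XP HMI is more than five years out of support, the Windows 7 engineering workstation has just fallen out of support, the Windows 10 historian still has a few years, and the PLC is flagged for a manual check. The natural extension is to read the inventory from a CSV export and to add vendor-supplied end-of-support dates for the controllers and HMIs so that fewer assets end up in the "unknown" bucket.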
Industrial Security Services: Definition of IT Security vs. OT (Industrial) Security

What is it about? Increasing attacks on devices.

Comparison (IT Security | Industrial Security):
Priorities: Confidentiality, Integrity, Availability | Availability, Confidentiality, Integrity (availability first)
Availability: downtime in the range of minutes is acceptable | downtime < 300 ms
Installation: network specialists | plant ICS staff
Topology: ring structure | plant specific
Location: air-conditioned environment | industrial environment
Device: high, switches with many ports | low, switches with fewer ports
Investment cycles: every 2–3 years | min. 5–15 years
Page 12 February 20
The challenge: Increasing Vulnerability
There is a significant need to identify gaps, protect the shop floor, detect security risks early, respond to incidents and recover rapidly.

• Cyber threats targeting office and industrial control systems increase and become more specialized and complex
• Information technologies are used in industrial automation: horizontal and vertical integration, open standards, PC-based systems…
• Industry 4.0 calls for the next level of connectivity (IT and OT); production processes need a higher level of protection
• Cost pressure and production availability necessitate prioritized and balanced security investment
• Lack of expertise and resources generates the need for trusted partners

73% of companies with 200 employees or more have suffered a security incident in the last two years*
~50 billion loss in revenue yearly due to cyber incidents*
62% of companies face a significant lack of qualified resources**
In the next 5 years 1.5 million posts for security experts worldwide will remain vacant, since there will be no suitable applicants**

* Source © Bitkom Research 2015
** Source © (ISC)² Center for Cyber Safety and Education's Global Information Security Workforce Study 2015
NIS Directive: Network and Information Systems

NIS¹
¹ Wording from NCSC/DCMS

What is it? An EU Directive on Security of Networks & Information Systems that will come into UK legislation on 9th May 2018.
Who is leading implementation? The Department for Digital, Culture, Media and Sport (DCMS).
What is the aim? Raise the level of overall security and resilience of network and information systems. Potential fine of 4% of total business turnover.

What is expected of member states?
• Have a national framework for security to include: a National Cyber Security Strategy, a CSIRT², a SPOC³ and a NIS competent authority (CA).
• Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information among Member States. Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.
• Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport and digital infrastructure sectors, are identified by each Member State as "operators of essential services" (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.

² Computer Security Incident Response Team
³ Single Point of Contact
NIS1 - continued
What is the NCSC’s role in preparing for the implementation of the NIS Directive?
The NCSC is providing technical support and guidance to other government departments and CAs through:
• a set of cyber security principles for securing essential services
• a collection of supporting guidance
• a Cyber Assessment Framework (CAF), incorporating indicators of Good Practice
• implementation guidance and support to CAs to enable them to:
• adapt the NCSC NIS principles for use in their sectors
• plan and undertake assessments using the CAF, and interpret the results.
Once the NIS Directive is live in May 2018, we expect our role to be:
• Single Point of Contact (SPOC) - we'll act as the contact point for engagement with EU partners, coordinating requests for action or
information and submitting annual incident statistics.
• CSIRT (Computer Security Incident Response Team) - we will receive all incident reports and will provide advice and support on the
cyber aspects to operators and Digital Service providers in the event of an incident. We will be responsible for the dissemination of
appropriate risk and incident information to Competent Authorities and other relevant stakeholders.
• Technical Authority on Cyber Security - the NCSC will support CAs with security advice and guidance and act as a source of technical
expertise. We'll tailor some generic guidance to individual sectors to support CAs.
1)Wording from NCSC/DCMS
Aiming to be CA
Also see OG86
Product Safety vs. Product & Solution Security

Product Safety
• Prevent and mitigate risks to people and the environment resulting from failure of the product.
• Scope: People / Environment
• Cause: fault or "foreseeable misuse"
• Some keywords: Fault Tolerant System, Fail Safe, Hardware Failure, Redundancy, Patient Safety, Safety First, Railway Systems, SIL, Dead-Man's Button, IEC 61508, ...

Product & Solution Security
• Prevent and mitigate risks for the system and its data resulting from intentional actions by people or malicious software.
• Scope: Product / System
• Cause: fault by "intentional misuse" (people / software)
• Some keywords: Cyber attack, Hacker, Virus, Passwords, Cryptography, Denial of Service, Software Protection, Software-related Incidents, Exploit, Malware, Integrity, Confidentiality, CERT, ...

Security might affect safety: malicious product manipulation.

Standards?
National regulations force the plant owners to operate and maintain critical infrastructure with high security
10.02.2020
Industrial Security Services
GB&I market trends and drivers

Standards and regulations (legend on the slide: direct effect / influencer / no effect):
• NIST 800-82, 800-30, 800-53
• ISA 99
• ISA/IEC 62443
• NERC-CIP 4
• ISO 27032
• NIS Directive (9th May 2018, UK law; priority is CNI companies)
• CAF (Cyber Assessment Framework)
• WIB M2784 (process users' association)
• ISO 27002
• ISO 27001
• BS10754-1
We as SIEMENS need the capability to design, hand over and maintain secure products and solutions for our customers

Product (system) supplier – develops and supports: capabilities, documentation, secure development, support*
• IEC 62443-4-1
• IEC 62443-4-2
• (IEC 62443-3-3)
• BDEW WP

System integrator – designs and deploys: design + hand over / maintain a secure solution*
• IEC 62443-2-4
• IEC 62443-3-3
• BDEW WP

Asset owner – operates and maintains: secure operation, policies, requirements*
• ISO 27001/19
• NERC-CIP
• IEC 62443-2-1

* Examples of security requirements standards

Standards define the requirements on security for product suppliers, system integrators and asset owners
Security is about technology, processes and people
A holistic security protection concept has to include technology, processes and people
Future customer target requirement: IEC 62443 based Protection Levels

Protection Levels combine the assessment of security functionalities (Security Level, SL) with the assessment of security processes (Maturity Level, ML); the slide plots Maturity Level 1–4 against Security Level 1–4 and marks the resulting Protection Level 1–4.

Security Level (assessment of security functionalities)
• SL 1: Capability to protect against casual or coincidental violation
• SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
• SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation

Maturity Level (assessment of security processes)
• ML 1: Initial – process unpredictable, poorly controlled and reactive
• ML 2: Managed – process characterized, reactive
• ML 3: Defined – process characterized, proactive deployment
• ML 4: Optimized – process measured, controlled and continuously improved

Protection Level
• PL 1: Protection against casual or coincidental violation
• PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
• PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation

Best Practice
Best Practice guidance from Siemens
Lots of advice and guidance provided in the form of manuals, whitepapers.
Guidance
National Cyber Security Centre
CPNI – SICS Framework
Operational Guidance OG86
Charter of Trust - Partners
Charter of Trust - Principles

Siemens Portfolio
Industrial Security Services: Solution portfolio

Assess Security: evaluation of the current security status of an ICS environment
• Industrial Security Assessment
• IEC 62443 Assessment
• ISO 27001 Assessment
• Risk and Vulnerability Assessment
• Scanning Services

Implement Security: risk mitigation through implementation of security measures for reactive protection
• Automation Firewall
• Application Whitelisting
• Antivirus
• Industrial Anomaly Detection
• Industrial Security Monitoring Solution

Manage Security: comprehensive security through monitoring, vulnerability management and proactive protection
• Industrial Security Monitoring
• Industrial Vulnerability Manager
• Patch Management
• Remote Incident Handling

Also listed: Security Awareness Training, Industrial Security Consulting

Thank you