siemens.com/industrial-security-services Unrestricted © Siemens AG 2020 Aluminium Conference 2020 Industrial Security | 20

Aluminium Conference 2020 machine to machine –the focus today and in the future From person to person –that was the beginning Machine2Machine Sensors, meters, devices, industrial


Page 1

Unrestricted © Siemens AG 2019

Page 2

Britain’s 4th Industrial Revolution: Revolution or Evolution?

• First Industrial Revolution: based on the introduction of mechanical production equipment driven by water and steam power
• Second Industrial Revolution: based on mass production achieved by division of labor concept and the use of electrical energy (electrification)
• Third Industrial Revolution: based on the use of electronics and IT to further automate production (automation)
• Fourth Industrial (R)Evolution: … driven by Digitalisation, Integration and enhanced Flexibility

Timeline (1800 to 2025):
• 1784: First mechanical loom
• 1870: First conveyor belt, Cincinnati slaughterhouse
• 1908: Ford T-Model
• 1969: First programmable logic controller (PLC), Modicon 084

Digitalisation Technologies
• Virtual/Augmented Reality
• Digital Twin
• Cyber-Physical Systems
• Big Data/Smart Algorithms
• Internet of Things
• Advanced Robotics & Cobotics
• Cloud Technology
• 3D Printing/Additive Manufacturing
• Cyber-Security

Page 3

MindSphere is your entry point to drive performance with digitalization

MindSphere: the cloud-based, open IoT operating system
• Differentiate in the Market … through new service and business models
• Build Digital Business … through development of applications & digital services
• Increase Performance … powered by digital transformation

The Internet of Things (projected number of connected assets)
• 1992: 1M
• 2003: 0.5B
• 2009: IoT Inception
• 2012: 8.7B
• 2013: 11.2B
• 2014: 14.2B
• 2015: 18.2B
• 2016: 22.9B
• 2017: 28.4B
• 2018: 34.8B
• 2019: 42.1B
• 2020: 50.1B

Page 4

Industry Evolution: The future of big data and cloud applications will be in the industrial space

From person to person – that was the beginning
From machine to machine – the focus today and in the future

• People2People: Network of virtual communities
• People2Machine: Medical technology, digital TV, cameras, computers, mobile phones
• Machine2Machine: Sensors, meters, devices, industrial machines
• Internet of Things/"Industry 4.0": Enabling additional productivity levers and new business models
• Big data / cloud applications

The total volume of data generated on earth summed up to
• 2012: 3.1 Zettabyte
• 2015: it will be 7.4 Zettabyte
• 2020: it will be 45 Zettabyte

1 Zettabyte = 1 sextillion bytes = 1000 Exabytes = 1 Billion Terabytes

Source: Oracle, 2012, Roland Berger 2015

Page 5

IT/OT convergence supporting New Business and Collaboration Models

Diagram labels: User, Customer, Supplier, PARTNER, Customer, Consumer, Connected machines, R&D, PARTNER

Connected Enterprise: Connected customers, Connected products, Connected consumers, Connected R&D, Connected Suppliers

Levels: Field Level, Control Level, Enterprise Level, Management Level, Operator Level

IT – OT Security Assessment, Implementation, Operation

Consulting, Integration, Cloudification, Hosting, Maintenance

Page 6

Restricted © Siemens AG 2018, Page 6, DF PL CAS S EMEA, November 2018

Digital Transformation is a journey to unlock the value of your data
IIoT Digital maturity model, a phased planned approach with targeted outcomes

Axes: Value Creation, Solution Maturity

Phase 1: Data-driven actions
• Improve existing process (to reduce downtime, improve customer experience)
• Collect data and use it in a “stand alone” process

Phase 2: Data driven process integration
• New integrated data drive process to automate and react proactively
• IoT solution (OT) merges with existing processes and IT
• New processes to capture value of data

Phase 3: Learn and Innovate
• New products, new services, new insights
• Data is analyzed for patterns
• Business transformation
• New products, new services

Apps and Solutions
• Asset Mgmt.
• Condition Monitoring
• Asset Performance Mgmt.
• Predictive Maintenance
• Optimized Predictive Maintenance
• Optimized Prescriptive Maintenance
• Asset Energy Usage
• Energy Cost / Savings
• Digital Twin Production
• Digital Twin Production
• Digital Twin Performance
• Augmented virtual reality
• AI/self optimizing systems
• …

Page 7

Challenges for our Customers: Productivity, Cost Pressure and Regulations

Protect Productivity: protect against
• Externally caused incidents through increasing connectivity
• Internal misbehavior
• The evolving Threat Landscape

Reduce cost: costs
• For qualified personnel
• For essential Security Technologies

Comply to regulations: comply to
• Reporting Requirements
• Minimum Standards
• Security Know-how

Page 7 DF CS SD SCP PSS

Page 8

The ever-changing threat landscape

• Cybersecurity laws and Regulations
• Internet of Things
• Professional Hackers
• Vulnerabilities

Page 9

ICS Attack surface is growing

Challenges: Increasing vulnerability, high connectivity.

• Introduction of malware via removable media and external hardware
• Human error and sabotage
• Intrusion via remote access
• Control components connected to the Internet
• Compromising of smartphones in the production environment
• Compromising of extranet and cloud components
• Malware infection via the Internet and Intranet
• (Distributed) denial-of-service ((D)DOS) attacks
• Technical malfunctions
• Social engineering and phishing

Source © BSI analysis on cyber security 2016, German Federal Office for Information Security

Page 10

Evolution of the cyber threat landscape

Eras: Digital Information Processing, Digital Connectivity, Digital Automation and Intelligence

Timeline axis: 1950s – 1960s, 1970s, 1980s, 1990s (1991, 1999), 2000s, 2010s (2015), 2020s

Technology milestones
• Military, governments and other organizations implement computer systems
• Home computer is introduced
• Computers make their way into schools, homes, business and industry
• Digital enhancement of electrification and automation
• The World Wide Web becomes publicly accessible
• The globe is connected by the internet
• Mobile flexibility
• Cloud computing enters the mainstream
• Internet of Things, Smart and autonomous systems, Artificial Intelligence, Big Data
• Industry 4.0

Threats and incidents
• Blue Boxing
• AT&T Hack
• Morris Worm
• Cryptovirology
• AOHell
• Level Seven Crew hack
• Denial of service attacks
• Phishing
• Targeting Critical Infrastructure
• sl1nk SCADA hacks
• Stuxnet
• Cyberwar
• Cloudbleed
• Infineon/TPM
• Meltdown/Spectre
• WannaCry
• NotPetya
• Industroyer/Crashoverride

The threat landscape keeps growing and changing and attackers are targeting industrial and critical infrastructures

Page 11

Challenges and drivers: Most critical threats to Industrial Control systems

Industrial Control System Security: Top 10 Threats and Countermeasures 1)
1. Social Engineering and Phishing
2. Infiltration of Malware via Removable Media and External Hardware
3. Malware Infection via Internet and Intranet
4. Intrusion via Remote Access
5. Human Error and Sabotage
6. Control Components Connected to the Internet
7. Technical Malfunctions and Force Majeure
8. Compromising of Extranet and Cloud Components
9. (D)DoS Attacks
10. Compromising of Smartphones in the Production Environment

Outdated operating systems 2)
• Windows NT 4.0: 30 June 2004
• Windows XP: 08 April 2014
• Windows 7: 14 January 2020
• Windows 10: 14 October 2025

1) Source © BSI Publication on Cyber Security | Industrial Control System Security 2016
2) Source © Microsoft

Page 12

Industrial Security Services
Definition IT-Security vs. OT- (Industrial) Security

What is it about? Increasing attacks on devices

Protection goals
• IT-Security: Confidentiality, Integrity, Availability
• Industrial Security: Availability, Confidentiality, Integrity

Availability
• IT-Security: Range in minutes is acceptable
• Industrial Security: Downtime < 300 ms

Installation
• IT-Security: Network Specialists
• Industrial Security: Plant-ICS-Staff

Topology
• IT-Security: Ring structure
• Industrial Security: Plant specific

Location
• IT-Security: Air conditioned environment
• Industrial Security: Industrial environment

Device
• IT-Security: High, Switches with many ports
• Industrial Security: Low, Switches with fewer ports

Investment Cycles
• IT-Security: All 2-3 Years
• Industrial Security: Min 5-15 Years

Page 12 February 20

Page 13

The challenge: Increasing Vulnerability

There is a significant need to identify gaps, protect the shop floor, detect security risks early, respond to incidents and recover rapidly

• Cyber threats targeting office and industrial control systems increase and become more specialized and complex
• Information technologies are used in industrial automation: horizontal and vertical integration, open standards, PC-based systems…
• Industry 4.0 calls for the next level of connectivity (IT and OT). Production processes need a higher level of protection
• Cost pressure and production availability necessitate prioritized and balanced security investment
• Lack of expertise & resources generates the need for trusted partners

73% of companies with 200 employees or more have suffered a security incident in the last two years

~50 billion loss in revenue yearly due to cyber incidents*

62% of the companies face a significant lack of qualified resources**

In the next 5 years 1.5 million posts for security experts worldwide will remain vacant, since there will be no suitable applicants**

* Source © Bitkom Research 2015
** Source © (ISC)² Center for Cyber Safety and Education's Global Information Security Workforce Study 2015

Page 14

NIS Directive: Network and Information Systems

Page 15

NIS 1)

What is it? An EU Directive on Security of Networks & Information Systems that will come into UK legislation 9th May 2018

Who is leading implementation? The Department for Digital, Culture, Media and Sport (DCMS)

What is the aim? Raise the level of overall security and resilience of network and information systems. Potential 4% Fine of Total business T/O

What is expected of member states?

• Have a national framework for security to include: a National Cyber security strategy, a CSIRT 2), a SPOC 3) and a NIS competent authority (CA)

• Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information among Member States. Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents as well as sharing information about risks.

• Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.

1) Wording from NCSC/DCMS
2) Computer Security Incident Response Team
3) Single Point of Contact

Page 16

NIS 1) - continued

What is the NCSC’s role in preparing for the implementation of the NIS Directive?

The NCSC is providing technical support and guidance to other government departments and CAs through:
• a set of cyber security principles for securing essential services
• a collection of supporting guidance
• a Cyber Assessment Framework (CAF), incorporating indicators of Good Practice
• implementation guidance and support to CAs to enable them to:
  • adapt the NCSC NIS principles for use in their sectors
  • plan and undertake assessments using the CAF, and interpret the results.

Once the NIS Directive is live in May 2018, we expect our role to be:

• Single Point of Contact (SPOC) - we'll act as the contact point for engagement with EU partners, coordinating requests for action or information and submitting annual incident statistics.

• CSIRT (Computer Security Incident Response Team) - we will receive all incident reports and will provide advice and support on the cyber aspects to operators and Digital Service providers in the event of an incident. We will be responsible for the dissemination of appropriate risk and incident information to Competent Authorities and other relevant stakeholders.

• Technical Authority on Cyber Security - the NCSC will support CAs with security advice and guidance and act as a source of technical expertise. We'll tailor some generic guidance to individual sectors to support CAs.

1) Wording from NCSC/DCMS

Aiming to be CA

Also see OG86

Page 17

Product Safety vs. Product & Solution Security

Product Safety
Prevent and mitigate risks to people and the environment resulting from failure of product.
• Product / System
• Fault or “foreseeable misuse”
• People / Environment
• Some Keywords: Fault Tolerant System, Fail Safe, Hardware Failure, Redundancy, Patient Safety, Safety First, Railway Systems, SIL, Dead-Man’s Button, IEC 61508, ...

Product & Solution Security
Prevent and mitigate risks for the system and its data resulting from intentional actions by people or malicious software.
• People / Software
• Fault by “intentional misuse”
• Product / System
• Some Keywords: Cyber attack, Hacker, Virus, Passwords, Cryptography, Denial of Service, Software Protection, Software-related Incidents, Exploit, Malware, Integrity, Confidentiality, CERT, ...

Security might affect Safety! Malicious product manipulation

Page 18

Standards?

Page 19

National regulations force the plant owners to operate and maintain critical infrastructure with high security

Page 19 10.02.2020

Page 20

Industrial Security Services
GB&I Market trends and drivers.

• NIST 800-82, 800-30, 800-53
• ISA 99
• ISA/IEC 62443
• NERC-CIP 4
• ISO 27032
• NIS Directive, 2018 May 9th: UK Law, priority is CNI companies. CAF’s Cyber Assessment Frameworks
• WIB M2784 Process Users Ass
• ISO 27002
• ISO 27001
• BS10754-1

Legend: Direct Effect, Influencer, No Effect

Page 21

We as SIEMENS need the capability to design, hand over and maintain secure products and solutions for our customer

Product (System) Supplier: develops and supports
• Capabilities, documentation, secure development, support
• Standards*: IEC 62443-4-1, IEC 62443-4-2, (IEC 62443-3-3), BDEW WP

System Integrator: designs and deploys
• Design + hand over / maintain a secure solution
• Standards*: IEC 62443-2-4, IEC 62443-3-3, BDEW WP

Asset Owner: operates and maintains
• Secure operation, policies, requirements
• Standards*: ISO 27001/19, NERC-CIP, IEC 62443-2-1

* Examples of Security Requirements Standards

Standards define the requirements on security for product suppliers, system integrators and asset owners

Page 22

Security is about technology, processes and people

A holistic security protection concept has to include technology, processes and people

Page 23

Future customer target requirement: IEC 62443 based Protection Levels

Security Level (assessment of security functionalities)
• SL 1: Capability to protect against casual or coincidental violation
• SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Maturity Level (assessment of security processes)
• ML 1: Initial – Process unpredictable, poorly controlled and reactive.
• ML 2: Managed – Process characterized, reactive
• ML 3: Defined – Process characterized, proactive deployment
• ML 4: Optimized – Process measured, controlled and continuously improved

Protection Levels (matrix of Maturity Level 1 to 4 against Security Level 1 to 4)
• PL 1: Protection against casual or coincidental violation
• PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Page 24

Best Practice

Page 25

Best Practice guidance from Siemens

Lots of advice and guidance is provided in the form of manuals and whitepapers.

Page 26

Guidance

National Cyber Security Centre

CPNI – SICS Framework

Operational Guidance OG86

Page 27

Charter of Trust - Partners

Page 28

Charter of Trust - Principles

Page 29

Siemens Portfolio

Page 30

Industrial Security Services: Solution portfolio

• Assess Security: Evaluation of the current security status of an ICS environment
• Implement Security: Risk mitigation through implementation of security measures for reactive protection
• Manage Security: Comprehensive security through monitoring, vulnerability management and proactive protection

Page 31

Industrial Security Services: Solution portfolio

• Industrial Security Monitoring
• Industrial Vulnerability Manager
• Patch Management
• Remote Incident Handling

• Security Awareness Training
• Industrial Security Consulting
• Automation Firewall
• Application Whitelisting
• Antivirus
• Industrial Anomaly Detection
• Industrial Security Monitoring Solution

• Industrial Security Assessment
• IEC 62443 Assessment
• ISO 27001 Assessment
• Risk and Vulnerability Assessment
• Scanning Services

Page 32

Thank you