Unrestricted © Siemens AG 2018
siemens.com/industrial-security
Industrial Security: The essential basics for industrial automation
TALBANI Rachid, System Designer Team Leader
Cyber crime is widespread and costs the global economy US$400 billion annually.¹
Cyber attacks are impacting companies of all sizes, in all markets.
¹ Estimate by Center for Strategic and International Studies, Washington, D.C.
Stay secure in the age of digitalization
Industrial Security: Top threats for Industrial Control Systems (ICS)
Overview of the top 9 threats
1. Online attacks via office / corporate networks
2. Attacks on standard components used in the ICS network
3. Unauthorized use of remote maintenance access
4. Sabotage
5. Introduction of malicious code via removable and external media
6. (D)DoS attacks
7. Reading and writing of messages on the ICS network
8. Unauthorized access to resources
9. Attacks on network components
Industrial Security – protection goals & value added aspects
1. Availability: Increased plant availability through prevention or reduction of faults caused by attacks or malware
2. Integrity: Protection of system and data integrity to avoid malfunctions, production errors and downtimes
3. Confidentiality: Protection of confidential data and information as well as intellectual property
Protecting productivity through risk minimization
Table of contents
The Industrial Security Concept
• Plant Security
• Network Security
• System Integrity
Security Use Cases
Security Certifications
Protecting productivity – but how? The solution: with a holistic Defense-in-Depth concept

Wall
• A single defense layer
• Easy to overcome – just one successful attack can be enough

Defense-in-Depth
• Multiple, independent security layers
• Hard to overcome – an attacker needs to invest tremendous time, effort and know-how to have a chance of success

A single defense layer does not provide adequate protection!
The Industrial Security Concept from Siemens: Defense in Depth – based on IEC 62443
Security solutions in an industrial context must take account of all protection levels.
Industrial Security: The Siemens solution for plant security
[Figure: the three layers System Integrity, Network Security and Plant Security, with Plant Security highlighted]
Industrial Security: Plant Security
Security Management is essential for a well thought-out security concept.
Plant Security measures:
• Physical security measures: control of physical access to sites, buildings, rooms, cabinets, devices, equipment, ports, cables and wires.
• Organizational security measures: security guidelines, security concepts, sets of security rules, security checks, risk analyses, assessments and audits, awareness measures and training.
Industrial Security: The Siemens solution for network security
[Figure: the three layers System Integrity, Network Security and Plant Security, with Network Security highlighted]
Industrial Security: Overview: Network security
Products with firewall or VPN functionality – adapted measures for production:

Cell protection
• Risk mitigation by means of network segmentation
• Extension of the cell protection concept by means of security communication processors and flexible VLAN configuration

Redundancy
• Protection of redundant network topologies

Network access control
• Secure interface to IT networks
• Secure architecture with DMZ
• Secure remote access via Internet
• Secure local network access (port security) via device and user authentication
Industrial Security: Network security use cases
[Figure: secured zone (automation cells), demilitarized zone (DMZ) and unsecured zone, separated by firewalls]

Demilitarized zone (DMZ)
Increased protection by means of data exchange via the DMZ, avoiding direct access to the automation network.
→ A firewall controls all data traffic between the different networks and the DMZ.

Remote access
Secured remote access via the Internet or mobile networks to avoid espionage and sabotage.
→ Encryption of data communication and access control to dedicated end devices.

Cell protection
Devices without their own network security functionality can be protected within an automation cell.
→ Access to the automation cell is secured by firewall mechanisms.

Redundancy
Increased reliability and availability of segmented networks by means of redundant connections.
→ Industrial Security Appliances SCALANCE S for redundant connections of ring topologies.
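The DMZ use case above (a firewall controls every flow between zones, and traffic from the unsecured office network terminates in the DMZ rather than reaching the automation cells directly), as an added Python example that is not part of the original presentation and not a SCALANCE configuration format: a minimal zone-based rule model with first-match evaluation and default deny, plus an audit that flags any rule letting the office and automation zones talk to each other directly. The zone names, rule fields and the sample rules are assumptions constructed for illustration.

```python
"""Zone-based firewall policy model with a DMZ audit.

Constructed example: zone names, rule syntax and sample rules are
assumptions for illustration, not a SCALANCE configuration format.
"""
from dataclasses import dataclass
from typing import List, Optional

SECURED = "automation"   # automation cells (secured zone)
DMZ = "dmz"              # demilitarized zone
UNSECURED = "office"     # office / corporate network (unsecured zone)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None matches any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, the way a
    cell-protection firewall treats traffic that crosses zone borders."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def audit_dmz(rules: List[Rule]) -> List[str]:
    """Flag rules that defeat the DMZ principle: exchanges between the
    unsecured zone and the automation network must terminate in the DMZ,
    so no allow rule may join those two zones directly, and office access
    to the DMZ should be limited to the services actually needed."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if {rule.src, rule.dst} == {UNSECURED, SECURED}:
            findings.append(f"direct {rule.src}->{rule.dst} allow bypasses the DMZ: {rule}")
        elif (rule.src == UNSECURED and rule.dst == DMZ
              and rule.proto == "any" and rule.port is None):
            findings.append(f"unrestricted office access to the DMZ: {rule}")
    return findings


# Constructed rule set: office clients reach a web front end in the DMZ,
# the automation cell pushes data to a DMZ database, everything else is
# dropped by the default deny.
GOOD_RULES = [
    Rule(UNSECURED, DMZ, "tcp", 443, "allow"),
    Rule(SECURED, DMZ, "tcp", 1433, "allow"),
]

# Same policy plus a "temporary" shortcut that lets office hosts talk to
# the automation cell directly; the audit reports it.
BAD_RULES = GOOD_RULES + [Rule(UNSECURED, SECURED, "any", None, "allow")]

if __name__ == "__main__":
    print(evaluate(GOOD_RULES, UNSECURED, DMZ, "tcp", 443))      # allow
    print(evaluate(GOOD_RULES, UNSECURED, SECURED, "tcp", 443))  # deny
    for finding in audit_dmz(BAD_RULES):
        print("FINDING:", finding)
```

The audit treats both directions between office and automation as a violation, because the point of the DMZ is that neither side has a direct path to the other; the default deny in `evaluate` is what makes the rule set a whitelist rather than a blacklist.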
Industrial Security: Industrial Security Appliances – SCALANCE S
[Figure: SCALANCE SC632-2C, SC636-2C, S615, SC642-2C, SC646-2C]
Industrial Security: Protection of industrial networks with SCALANCE SC-600
SCALANCE SC646-2C

Feature / function → Benefit

Configuration of flexible security zones:
• 2 or 6 electrical ports (RJ45), 2 of them combo ports each
• Free assignment of ports to desired VLANs
• Combo ports with SFPs for fiber optic topologies
→ Establishment of a network segmentation including DMZ; protection of network cells

Integrated security functionalities:
• Stateful Inspection Firewall
• User Specific Firewall 2)
• Bridge Firewall 2)
• Virtual Private Network (VPN) 1)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation; inspection and filtering of layer 2 data

Data throughput:
• 600 Mbps for firewall and routing
• 120 Mbps for IPsec VPN 1)
→ High data throughput for high system availability and data security in the network

Integrated engineering by means of TIA Portal and SINEC NMS 2)
→ Central configuration and monitoring of industrial security appliances

Integration into SINEMA Remote Connect
→ Secured remote access to machinery and plants

1) Only with SCALANCE SC64x-2C
2) Delivery 01/2019
Industrial Security: Protection of industrial networks with SCALANCE S615
SCALANCE S615

Feature / function → Benefit

Configuration of flexible security zones:
• Free assignment of ports to desired VLANs
→ Establishment of a network segmentation including DMZ; protection of network cells

Integrated security functionalities:
• Stateful Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Data throughput:
• 100 Mbps for firewall and routing
• 35 Mbps for IPsec VPN
→ Demand-driven data throughput for production machines and data security in the network

Integrated engineering by means of TIA Portal and SINEC NMS 1)
→ Central configuration and monitoring of industrial security appliances

Integration into SINEMA Remote Connect
→ Secured remote access to machinery and plants

1) Delivery 12/2018
Industrial Security: Industrial routers: SCALANCE M
[Figure: SCALANCE M874-3, M874-2, M876-3, M876-4, M804PB, M812-1, M816-1]
Industrial Security: Industrial routers: Mobile access with SCALANCE M874
SCALANCE M874-3, M874-2

Feature / function → Benefit

Secured connection via mobile networks:
• 2G / EDGE
• 3G / HSPA+
→ Secured connection of Ethernet-based networks to mobile networks of the 2nd and 3rd generation; transfer rates of up to 14.4 Mbps

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access
Industrial Security: Industrial routers: Mobile access with SCALANCE M876
SCALANCE M876-3, M876-4

Feature / function → Benefit

Secured connection via mobile networks:
• 3G / HSPA+
• 4G / LTE
→ Secured connection of Ethernet-based networks to mobile networks of the 3rd and 4th generation; transfer rates of up to 100 Mbps

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Implementation of a flexible security zone concept
→ Integrated 4-port switch for easy connection of multiple network cells
Industrial Security: Industrial routers: Access to PROFIBUS / MPI with SCALANCE M804PB
SCALANCE M804PB

Feature / function → Benefit

Secured Ethernet connection to existing plants with PROFIBUS / MPI
→ Direct connection to existing plants with PROFIBUS / MPI and SINEMA RC (without additional devices), for secured remote access to remote machinery and plants

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Integrated TIA Portal Cloud Connector
→ Easy and central administration of engineering software (TIA Portal) on one server
Industrial Security: Industrial routers: Broadband access with SCALANCE M812 and M816
SCALANCE M812-1, M816-1

Feature / function → Benefit

Secured wired connection to the telephone or DSL network:
• ADSL2+
→ Secured broadband access for industrial and industry-related applications; transfer rates of up to 25 Mbps

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote accesses (M816-1)

Implementation of a flexible security zone concept
→ Integrated 4-port switch (M816-1) for easy connection of multiple network cells
Industrial Security: Industrial routers: Broadband access with SCALANCE M826
SCALANCE M826-2

Feature / function → Benefit

Secured wired connection of remote automation devices via SHDSL
→ Secured 2-wire or 4-wire Ethernet communication for distances of up to 10 km (~6.2 miles); transfer rates of up to 15.3 Mbps

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Implementation of a flexible security zone concept
→ Integrated 4-port switch for easy connection of multiple network cells
Industrial Security: Communication processors: S7-1200 / S7-1500 / S7-300 / S7-400
Industrial Security: Communication processors: Secured to Ethernet with CP 1243-1
CP 1243-1

Feature / function → Benefit

Secured Ethernet connection to SIMATIC S7-1200
→ Network protection and segmentation without additional security components, and secured connection to a Telecontrol control center with TeleControl Server Basic

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Transmission of network analysis information with SNMP V3
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: Mobile access with CP 1243-7 LTE
CP 1243-7 LTE

Feature / function → Benefit

Secured mobile radio access to SIMATIC S7-1200 via 4G / LTE, in the European or American frequency range
→ Secured connection of a SIMATIC S7-1200 to the 4th generation mobile network; transfer rates of up to 42 Mbit/s; network protection and segmentation without additional security components, and secured connection to a Telecontrol control center with TeleControl Server Basic

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (IPsec VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Transmission of network analysis information with SNMP V3
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Integrated engineering by means of:
• STEP 7 in TIA Portal
• TeleControl Basic
→ Central configuration of the communication processor and management of the control center connection
Industrial Security: Communication processors: Telecontrol with CP 1243-8 IRC
CP 1243-8 IRC

Feature / function → Benefit

Secured remote access to SIMATIC S7-1200:
• SINAUT ST7
• DNP3
• IEC 60870-5-104
→ Network protection and segmentation without additional security components, and secured connection to a Telecontrol control center

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote access

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: Secured to Ethernet with CP 1543-1
CP 1543-1

Feature / function → Benefit

Secured Industrial Ethernet connection to SIMATIC S7-1500
→ Network protection and segmentation without any additional security appliances

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Secure file transfers (FTPS)
• Transmission of network analysis information with SNMP V3
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: CP 1542SP-1 IRC for Distributed Controller
CP 1542SP-1

Feature / function → Benefit

Secured connection of the Distributed Controller SIMATIC ET 200SP as remote terminal unit (RTU) in telecontrol applications:
• SINAUT ST7
• DNP3
• IEC 60870-5-104
• TeleControl Basic
→ Network protection and segmentation without any additional security appliances, as well as secured connection to different Telecontrol control centers

Integrated security functionalities:
• Virtual Private Network (VPN)
→ Protection of critical networks against espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote accesses

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: CP 1543SP-1 for SIMATIC ET 200SP
CP 1543SP-1

Feature / function → Benefit

Secured connection of SIMATIC ET 200SP to Industrial Ethernet
→ Network protection and segmentation without any additional security appliances

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Transmission of network analysis information with SNMP V3
• Secure authentication of communication partners by means of certificates
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Full integration in SINEMA Remote Connect
→ Convenient central administration and auto configuration of remote accesses

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: CP 343-1 Advanced / CP 443-1 Advanced
CP 343-1 Advanced, CP 443-1 Advanced

Feature / function → Benefit

Secured connection of SIMATIC S7-400 and S7-300 to Industrial Ethernet networks
→ Network protection and segmentation without any additional security appliances

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Secured file transfers (FTPS)
• Transmission of network analysis information with SNMP V3
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Communication processors: Secured PC connection with CP 1628
CP 1628

Feature / function → Benefit

Secure connection of PGs or PCs to Industrial Ethernet networks
→ Secured communication between PGs / PCs and connected automation components

Integrated security functionalities:
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Transmission of network analysis information with SNMP V3
→ Protection of critical networks against unauthorized network access, espionage or data manipulation

Integrated engineering by means of STEP 7 in TIA Portal
→ Central configuration of the communication processor
Industrial Security: Card reader: Access control with SIMATIC RF1060R
SIMATIC RF1060R

Feature / function → Benefit

Access control to machines or plant components
→ Flexible authorization levels, e.g. for machine access for each employee by using employee ID cards

Security functionalities:
• Identification of operating personnel
• Tracking of critical activities
• Avoidance of operating errors
→ Protection of critical components against unauthorized network and device access, espionage or data manipulation

Integration options into WinCC, SIMATIC Logon, PCS 7 via USB interface
→ Easy integration in existing hardware (HMI devices and panels)

Supported standards:
• ISO 14443 A/B (MIFARE)
• ISO 15693
→ The use of existing employee ID cards permits individual control of access rights

Suitable for industrial applications:
• IP65 (front)
• -25 to +55 °C (-13 to 131 °F)
• ATEX II approval
→ For direct use on machines and systems in harsh industrial environments and for zones 2/22
Industrial Security: Mechanical closing of unused ports with IE RJ45 Port Lock
IE RJ45 Port Lock

Feature / function → Benefit

Mechanical closing of unused RJ45 interfaces of network components and end devices
→ Secures physically open, unused RJ45 interfaces to prevent unauthorized network access; temporary network disconnections (plant shutdown for maintenance) can be implemented directly on site

Security functionalities:
• RJ45 port lock can also lock non-configurable network components
• Robust, industrial-suited construction
• Easy installation without additional tools due to RJ45 compatible design
• Removal of the port lock only after unlocking with a mechanical key
→ Protection of critical networks against unauthorized network access, espionage or data manipulation
Industrial Security: The Siemens solution for system integrity
[Figure: the three layers Network Security, Plant Security and System Integrity, with System Integrity highlighted]
Industrial Security: Security functions overview for SIMATIC Controller

Security Function                                        | S7-300 (>=V3.2) | S7-400 (>=V6.0) | S7-1200 (>V4, V12 SP1) | S7-1500 | S7-1500 Software Controller
Increased Know-how Protection                            |                 |                 |                        |         |
  Know-How Protection for Program blocks                 | ●               | ●               | ●                      | ●       | ●
  Copy Protection for Program blocks (as system function)| A)              | A)              | ●                      | ●       | ●
Improved Access Protection                               |                 |                 |                        |         |
  Project access protection via Password                 | ●               | ●               | ●                      | ●       | ●
  HMI Access Protection for Controllers                  |                 |                 | ●                      | ●       | ●
  Different Access Levels by multiple Passwords          |                 |                 | ●                      | ●       | ●
Integrity Protection                                     |                 |                 |                        |         |
  Integrity Protection for Firmware Updates              | B)              | ●               | ●                      | ●       | ●
  Communication Integrity                                |                 |                 | ●                      | ●       | ●

A) Realizable via PLC program
B) CRC based
Security Use Cases
Use cases for more network security: Network segmentation and "demilitarized zone" (DMZ)

Task
The security concept of an industrial network shall be divided into several security zones.

Solution
With Industrial Security Appliances SCALANCE S a flexible security zone concept can be realized, containing:
• Different security zones such as DMZ and automation cells
• Remote access only to specific and selected network cells
• Support of 'series machines' by means of NAT/NAPT
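The support of 'series machines' by means of NAT/NAPT mentioned in the solution above, as an added Python example that is not part of the original presentation and not a SCALANCE or SINEMA Remote Connect configuration format: every machine of a series ships with the same internal subnet, and the gateway in front of each cell gives it a unique plant-side identity, either by 1:1 NAT (a plant-side alias address per internal host) or by NAPT (a port on the gateway's own address per internal service). The `CellGateway` model, machine names, address plan and ports are assumptions constructed for illustration.

```python
"""NAT/NAPT in front of 'series machines' that share one internal subnet.

Constructed example: the CellGateway model, machine names, address plan
and port choices are assumptions for illustration, not a product
configuration format.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Every machine of the series is delivered with the same internal address
# plan; the cell is never re-addressed when it is installed.
CELL_NET = IPv4Network("192.168.0.0/24")
PLC = IPv4Address("192.168.0.10")   # controller inside each cell
HMI = IPv4Address("192.168.0.20")   # panel with a web server inside each cell


@dataclass
class CellGateway:
    """Security appliance at the border of one machine cell."""
    name: str
    wan_ip: IPv4Address                  # unique on the plant network
    # 1:1 NAT: plant-side alias address -> internal host
    nat_1to1: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)
    # NAPT: port on wan_ip -> (internal host, internal port)
    napt: Dict[int, Tuple[IPv4Address, int]] = field(default_factory=dict)

    def translate_inbound(self, dst_ip: IPv4Address,
                          dst_port: int) -> Optional[Tuple[IPv4Address, int]]:
        """Rewrite a plant-side destination into the cell's internal address.

        1:1 NAT swaps only the address and keeps the port; NAPT multiplexes
        several internal services behind the gateway's own WAN address.
        """
        if dst_ip in self.nat_1to1:
            return self.nat_1to1[dst_ip], dst_port
        if dst_ip == self.wan_ip and dst_port in self.napt:
            return self.napt[dst_port]
        return None   # not exposed: the cell firewall's default deny applies


def build_plant(machine_count: int, plant_cidr: str) -> List[CellGateway]:
    """Give each identical cell its own plant-side identity: a WAN address,
    a 1:1 alias for the PLC and a NAPT entry for the HMI web server."""
    free = iter(IPv4Network(plant_cidr).hosts())
    gateways = []
    for i in range(1, machine_count + 1):
        gw = CellGateway(name=f"machine-{i}", wan_ip=next(free))
        gw.nat_1to1[next(free)] = PLC
        gw.napt[8443] = (HMI, 443)
        gateways.append(gw)
    return gateways


def resolve(gateways: List[CellGateway], dst_ip: str,
            dst_port: int) -> Optional[Tuple[str, str, int]]:
    """Which cell owns a plant-side destination, and what it maps to inside."""
    ip = IPv4Address(dst_ip)
    for gw in gateways:
        hit = gw.translate_inbound(ip, dst_port)
        if hit is not None:
            return gw.name, str(hit[0]), hit[1]
    return None


def duplicate_plant_addresses(gateways: List[CellGateway]) -> List[str]:
    """Plant-side addresses claimed by more than one gateway. Internal
    addresses may repeat across cells; plant-side ones must not."""
    seen: Dict[IPv4Address, int] = {}
    for gw in gateways:
        for ip in [gw.wan_ip, *gw.nat_1to1]:
            seen[ip] = seen.get(ip, 0) + 1
    return sorted(str(ip) for ip, n in seen.items() if n > 1)


if __name__ == "__main__":
    plant = build_plant(3, "10.0.1.0/24")
    for gw in plant:
        print(gw.name, "WAN", gw.wan_ip, "PLC alias", list(gw.nat_1to1)[0])
    print(resolve(plant, "10.0.1.4", 4840))   # ('machine-2', '192.168.0.10', 4840)
    print(resolve(plant, "10.0.1.5", 8443))   # ('machine-3', '192.168.0.20', 443)
    print(resolve(plant, "10.0.1.5", 22))     # None
    print(duplicate_plant_addresses(plant))   # []
```

Three cells with the identical internal PLC address 192.168.0.10 become three distinct plant-side addresses, so a service center or SINEMA-style management platform can address each machine without the cells ever seeing each other's subnet; only the services that were deliberately translated are reachable at all.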
Use cases for more network security: Network segmentation and cell protection

Task
For the purpose of risk mitigation, a large and flat automation network shall be divided into several security-based sections. For each individual segment different requirements may apply.

Solution
The individual network segments will be secured with the Industrial Security Appliances SCALANCE S or with specific security communication processors. These appliances control the access and data traffic to the subordinate segment via their integrated firewalls. By means of VLAN, the Industrial Security Appliances SCALANCE S can be used to protect several network cells simultaneously.
Use cases for more network security: Network segmentation and cell protection for S7-1200 stations

Task
The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-1200 controller.

Solution
By means of integrated security functions (firewall and VPN) the CP 1243-1 protects the S7-1200 controller and the subordinate components against unauthorized access, espionage and data manipulation.
Use cases for more network security: Network segmentation and cell protection for S7-1500 stations

Task
The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-1500 controller.

Solution
By means of integrated security functions (firewall and VPN) the CP 1543-1 protects the S7-1500 controller and the subordinate components against unauthorized access, espionage and data manipulation.
Use cases for more network security: Network segmentation and cell protection for S7-300 and S7-400

Task
The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-300 or S7-400 controller.

Solution
By means of integrated security functions (firewall and VPN) the CP 343-1 Advanced protects the S7-300 controller while the CP 443-1 Advanced protects the S7-400 controller. Both communication processors also protect their subordinate components against unauthorized access, espionage and data manipulation.
Use cases for more network security: Network segmentation and cell protection for SIMATIC ET 200SP

Task
The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by a Distributed Controller SIMATIC ET 200SP.

Solution
By means of integrated security functions (firewall and VPN) the CP 1543SP-1 protects the Distributed Controller SIMATIC ET 200SP and the subordinate components against unauthorized access, espionage and data manipulation.
Use cases for more network security: Secured communication between PGs / PCs and controllers

Task
The communication from and to PC systems such as operator stations and engineering stations shall be controlled and protected.

Solution
With the communication processor CP 1628, an Ethernet PCI card, and its integrated security functions (firewall and VPN), the PG or PC can be protected against unauthorized access, espionage and data manipulation.
Use cases for more network security: Direct and secured remote access to machines and plants

Task
A direct and secured remote access to the machines and plants of a production site shall be realized.

Solution
With the SOFTNET Security Client a direct VPN tunnel can be established to the automation cells, which are protected by the Industrial Security Appliance SCALANCE S:
• Direct and secured connection establishment via client-server VPN connections
• Firewall with 600 Mbps and VPN with 120 Mbps throughput
• Support of series machines by means of NAT/NAPT
Use cases for more network security: Direct and secured remote access via mobile networks

Task
A service center shall be connected via the Internet and shall be able to access globally distributed machines and plants via mobile communication to perform typical applications such as remote programming, parameter assignment, diagnostics and monitoring.

Solution
All IP-based devices secured by the Industrial Routers SCALANCE M87x can be accessed via mobile communication. For distributed SIMATIC S7-1200 controllers the CP 1243-7 LTE can be used. Thanks to integrated security functionalities it is also possible to terminate the VPN tunnel at the device directly.
Use cases for more network security: Secured remote access via SINEMA Remote Connect

Task
A secured remote access to production sites distributed around the world shall be possible.

Solution
The Industrial Security Appliances SCALANCE S are integrated into the SINEMA Remote Connect management platform. High data throughput together with data security allows service technicians to quickly and securely access plants and machines:
• Central and transparent management of user access rights and VPN connections
• All VPN clients connect to the SINEMA Remote Connect Server (only one public static IP address required)
Use cases for more network security: Secured remote maintenance for special and series machines

Task
A secured remote maintenance shall be established for special-purpose and series machines as well as for larger plants with identical subnets. For all required connections the status and maintenance data shall be centrally gathered and maintained.

Solution
Central management of connected machines and authorized service technicians in SINEMA Remote Connect. Assignment and management of user rights for dedicated access authorization:
• Support of 'series machines' by means of NAT/NAPT
Use cases for more network security: Secured remote access to PROFIBUS/MPI plants
SINEMA Remote Connect with TIA Cloud Connector – Solution with SCALANCE M804PB

Task
A service engineer shall access a PROFIBUS plant from outside of a corporate network. The engineering tool shall be centrally hosted in a service center.

Solution
Connection to the production cell by means of SCALANCE M804PB. A VPN tunnel enables secured remote access (e.g. Remote Desktop) to TIA Portal within the service center. The communication from TIA Portal to the production cell is enabled by the TIA Portal Cloud Connector functionality within SCALANCE M804PB.
Use cases for more network security: Secured remote access to PROFIBUS/MPI plants
SINEMA Remote Connect with SCALANCE M804PB, STEP 7 and TIA Portal Cloud Connector

Task
Remote access for PROFIBUS via MPI: A service engineer shall access a PROFIBUS plant from outside of a corporate network via mobile access (LTE).

Solution
Connection to PROFIBUS/MPI plants with SCALANCE M804PB, which is connected to the production cell via MPI. Use of the industrial router SCALANCE M876-4 to connect plant components without local Internet access. The easy project planning and management of VPN tunnels via the management platform SINEMA Remote Connect enables a secured remote access to the plant.
Industrial Security: SIMATIC PCS 7 application example
[Figure: SIMATIC PCS 7 plant architecture with security zones]
Security Certifications
Industrial Security: Granted Certificates

First security level certification (CSPN – Certification de Sécurité de Premier Niveau):
• S7-1500 Controllers
• SCALANCE XM408-8C
Find more information: http://ssi.gouv.fr/certification_cspn/simatic-s7-1518-4-version-du-micrologiciel-1-83/, http://www.ssi.gouv.fr/entreprise/certification_cspn/scalance-xm408-8c/

Development process:
• Certification of "Secure Product Development Lifecycle" for Divisions DF and PD based on IEC 62443-4-1

TIA Ethernet based devices (e.g. S7-1500, 1505S, S7-300, CP343-1, SCALANCE S, …):
• Protection against DoS attacks
• Defined behavior in case of attack
• Improved availability

Find more information: https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security/certification-standards.html
Industrial Security: Siemens is the leading vendor of Achilles level 2 certified products
+ Protection against DoS attacks
+ Defined behavior in case of attack
• Improved availability
• International standard

Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 and 1505S, S7-1200, S7-400 HF CPU V6.0, S7-410-5H
Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628
Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs
Industrial Security: Certification for the process control system SIMATIC PCS 7
First product certification according to IEC 62443
• TÜV SÜD certifies that the SIMATIC PCS 7 process control system conforms with the security standards IEC 62443-4-1 and IEC 62443-3-3
• With this certificate, the company documents its security approach to automation products, and gives integrators and operators a transparent insight into its industrial security measures.
• The process control system offers comprehensive security measures and functions to protect plant operation

Highlights:
• IEC 62443-3-3: Functional security capabilities of SIMATIC PCS 7
• IEC 62443-4-1: Product Development Lifecycle of SIMATIC PCS 7
Industrial Security Trainings
• Security Basics for Factory Automation – ST-SECFA1
• Security Basics for Process Automation – ST-SECPA1
• Security in Industrial Networks with SCALANCE – IK-SECIN-S
• Industry Learning Program (ILP): WBT Industrial Security
• Know How Initiative Security (KHI)
https://www.sitrain-learning.siemens.com/ILP/en/index.do
siemens.com
Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.
All product designations, product names, etc. may contain trademarks or other rights of Siemens AG, its affiliated companies or third parties. Their unauthorized use may infringe the rights of the respective owner.
Industrial Security: IT hygiene guide (Guide d'hygiène informatique)
☐ Have an accurate map of the ICS installation and keep it up to date.
☐ Have an exhaustive inventory of privileged accounts and keep it up to date.
☐ Write and apply procedures for the arrival and departure of users (personnel).
☐ Limit the number of Internet access points to the ICS to what is strictly necessary.
☐ Prohibit the connection of personal devices to the system.
☐ Know the update procedures for all software components in use, and stay informed about the vulnerabilities of these components and the updates they require.
Industrial Security: IT hygiene guide (Guide d'hygiène informatique)
☐ Define an update policy and apply it strictly.
☐ Technically prohibit the connection of removable media unless strictly necessary; disable autorun execution from such media.
☐ Prohibit any Internet access from administration accounts.
☐ Do not give users administrative privileges. Make no exceptions.
☐ Allow remote access to the ICS network, including for network administration, only from workstations that implement strong authentication mechanisms and protect the integrity and confidentiality of the exchanges with robust means.
☐ Secure the interconnection gateways to the Internet.
Industrial Security: IT hygiene guide (Guide d'hygiène informatique)
☐ Always use robust access control mechanisms for the premises.
☐ Rigorously protect the keys giving access to the premises and the alarm codes.
☐ Have a disaster recovery and business continuity plan, even a basic one, kept regularly up to date, describing how to back up the company's essential data.
☐ Never settle for cleaning an infected machine without trying to find out how the malicious code was able to install itself on the machine, whether it could have spread elsewhere in the network, and which information was manipulated.
☐ Raise users' awareness of basic IT hygiene rules.