Industrial Security
The essential basics for industrial automation

TALBANI Rachid, System designer Team Leader
siemens.com/industrial-security
Unrestricted © Siemens AG 2018



Stay secure in the age of digitalization

Cyber crime is widespread and costs the global economy US$400 billion annually.¹

Cyber attacks are impacting companies of all sizes, in all markets.

¹ Estimate by Center for Strategic and International Studies, Washington, D.C.


Industrial Security – Top threats for Industrial Control Systems (ICS)

Overview of the top 9 threats

1. Online attacks via office / enterprise networks
2. Attacks on standard components used in the ICS network
3. Unauthorized use of remote maintenance access
4. Sabotage
5. Introduction of malicious code via removable and external media
6. (D)DoS attacks
7. Reading and writing of messages on the ICS network
8. Unauthorized access to resources
9. Attacks on network components


Industrial Security – protection goals & value added aspects

1. Availability: increased plant availability through prevention or reduction of faults caused by attacks or malware

2. Integrity: protection of system and data integrity to avoid malfunctions, production errors and downtimes

3. Confidentiality: protection of confidential data and information as well as intellectual property

Protecting productivity through risk minimization


Table of contents

The Industrial Security Concept

• Plant Security

• Network Security

• System Integrity

Security Use cases

Security Certifications


Protecting productivity – but how?
The solution: with a holistic Defense-in-Depth concept

Wall
• A single defense layer
• Easy to overcome – just one successful attack can be enough

Defense-in-Depth
• Multiple, independent security layers
• Hard to overcome – an attacker needs to invest tremendous time, effort and know-how to have a chance of success

A single defense layer does not provide adequate protection!


The Industrial Security Concept from Siemens: Defense in Depth – based on IEC 62443

Security solutions in an industrial context must take account of all protection levels.


Industrial Security – The Siemens solution for plant security

Layers of the concept: Plant Security (this section), Network Security, System Integrity


Industrial Security – Plant Security

Security Management is essential for a well thought-out security concept.

Plant Security measures
• Physical security measures: control of physical access to sites, buildings, rooms, cabinets, devices, equipment, ports, cables and wires.
• Organizational security measures: security guidelines, security concepts, sets of security rules, security checks, risk analyses, assessments and audits, awareness measures and training.


Industrial Security – The Siemens solution for network security

Layers of the concept: Plant Security, Network Security (this section), System Integrity


Industrial Security – Overview: Network security

Adapted measures for production: products with firewall or VPN functionality

Cell protection
• Risk mitigation by means of network segmentation
• Extension of the cell protection concept by means of:
  • Security communication processors
  • Flexible VLAN configuration

Redundancy
• Protection of redundant network topologies

Network access control
• Secure interface to IT networks
• Secure architecture with DMZ
• Secure remote access via Internet
• Secure local network access (port security) via device and user authentication


Industrial Security – Network security use cases

Zones in the reference architecture: unsecured zone, demilitarized zone (DMZ), secured zone.

Demilitarized zone (DMZ)
Increased protection by means of data exchange via the DMZ, avoiding direct access to the automation network.
→ A firewall controls all data traffic between the different networks and the DMZ.

Remote access
Secured remote access via the Internet or mobile networks to avoid espionage and sabotage.
→ Encryption of data communication and access control to dedicated end devices.

Cell protection
Devices without their own network security functionality can be protected within an automation cell.
→ Access to the automation cell is secured by firewall mechanisms.

Redundancy
Increased reliability and availability of segmented networks by means of redundant connections.
→ Industrial Security Appliances SCALANCE S for redundant connections of ring topologies.


Industrial Security – Industrial Security Appliances SCALANCE S

Product family: SC632-2C, SC636-2C, S615, SC642-2C, SC646-2C


Industrial Security – Protection of industrial networks with SCALANCE SC-600

SCALANCE SC646-2C

Feature / function: Configuration of flexible security zones
• 2 or 6 electrical ports (RJ45), 2 of them combo ports each
• Free assignment of ports to desired VLANs
• Combo ports with SFPs for fiber optic topologies
Benefit: Establishment of a network segmentation including DMZ
• Protection of network cells

Feature / function: Integrated security functionalities
• Stateful Inspection Firewall
• User Specific Firewall²
• Bridge Firewall²
• Virtual Private Network (VPN)¹
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation
• Inspection and filtering of layer 2 data

Feature / function: Data throughput
• 600 Mbps for firewall and routing
• 120 Mbps for IPsec-VPN¹
Benefit: High data throughput for high system availability and data security in the network

Feature / function: Integrated engineering by means of
• TIA Portal and SINEC NMS²
Benefit: Central configuration and monitoring of industrial security appliances

Feature / function: Integration into SINEMA Remote Connect
Benefit: Secured remote access to machinery and plants

¹ Only with SCALANCE SC64x-2C
² Delivery 01/2019


Industrial Security – Protection of industrial networks with SCALANCE S615

SCALANCE S615

Feature / function: Configuration of flexible security zones
• Free assignment of ports to desired VLANs
Benefit: Establishment of a network segmentation including DMZ
• Protection of network cells

Feature / function: Integrated security functionalities
• Stateful Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Data throughput
• 100 Mbps for firewall and routing
• 35 Mbps for IPsec-VPN
Benefit: Demand-driven data throughput for production machines and data security in the network

Feature / function: Integrated engineering by means of
• TIA Portal and SINEC NMS¹
Benefit: Central configuration and monitoring of industrial security appliances

Feature / function: Integration into SINEMA Remote Connect
Benefit: Secured remote access to machinery and plants

¹ Delivery 12/2018


Industrial Security – Industrial routers: SCALANCE M

Product family: M874-3, M874-2, M876-3, M876-4, SCALANCE M804PB, M812-1, M816-1


Industrial Security – Industrial routers: Mobile access with SCALANCE M874

M874-3, M874-2

Feature / function: Secured connection via mobile networks
• 2G / EDGE
• 3G / HSPA+
Benefit: Secured connection of Ethernet-based networks to mobile networks of the 2nd and 3rd generation
• Transfer rates of up to 14.4 Mbps

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access


Industrial Security – Industrial routers: Mobile access with SCALANCE M876

M876-3, M876-4

Feature / function: Secured connection via mobile networks
• 3G / HSPA+
• 4G / LTE
Benefit: Secured connection of Ethernet-based networks to mobile networks of the 3rd and 4th generation
• Transfer rates of up to 100 Mbps

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Implementation of a flexible security zone concept
Benefit: Integrated 4-port switch for easy connection of multiple network cells


Industrial Security – Industrial routers: Access to PROFIBUS / MPI with SCALANCE M804PB

SCALANCE M804PB

Feature / function: Secured Ethernet connection to existing plants with
• PROFIBUS / MPI
Benefit: Direct connection to existing plants with PROFIBUS / MPI and SINEMA RC (without additional devices), for secured remote access to remote machinery and plants

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Integrated TIA Portal Cloud Connector
Benefit: Easy and central administration of engineering software (TIA Portal) on one server


Industrial Security – Industrial routers: Broadband access with SCALANCE M812 and M816

M812-1, M816-1

Feature / function: Secured wired connection to the telephone or DSL network
• ADSL2+
Benefit: Secured broadband access for industrial and industry-related applications
• Transfer rates of up to 25 Mbps

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote accesses (M816-1)

Feature / function: Implementation of a flexible security zone concept
Benefit: Integrated 4-port switch (M816-1) for easy connection of multiple network cells


Industrial Security – Industrial routers: Broadband access with SCALANCE M826

M826-2

Feature / function: Secured wired connection of remote automation devices via
• SHDSL
Benefit: Secured 2-wire or 4-wire Ethernet communication for distances of up to 10 km (~ 6.2 miles)
• Transfer rates of up to 15.3 Mbps

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• User Specific Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Implementation of a flexible security zone concept
Benefit: Integrated 4-port switch for easy connection of multiple network cells


Industrial Security – Communication processors: S7-1200 / S7-1500 / S7-300 / S7-400


Industrial Security – Communication processors: Secured to Ethernet with CP 1243-1

CP 1243-1

Feature / function: Secured Ethernet connection to SIMATIC S7-1200
Benefit: Network protection and segmentation without additional security components, and secured connection to a Telecontrol control center with TeleControl Server Basic

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Transmission of network analysis information with SNMP V3
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: Mobile access with CP 1243-7 LTE

CP 1243-7 LTE

Feature / function: Secured mobile radio access to SIMATIC S7-1200 via the LTE network (4G / LTE) in the European or American frequency range
Benefit: Secured connection of a SIMATIC S7-1200 to the 4th generation mobile network; network protection and segmentation without additional security components, and secured connection to a Telecontrol control center with TeleControl Server Basic
• Transfer rates of up to 42 Mbit/s

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN, IPsec)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Transmission of network analysis information with SNMP V3
Benefit: Protection of critical networks and plant sections against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
• TeleControl Basic
Benefit: Central configuration of the communication processor and administration of the control center connection


Industrial Security – Communication processors: Telecontrol with CP 1243-8 IRC

CP 1243-8 IRC

Feature / function: Secured remote access to SIMATIC S7-1200
• SINAUT ST7
• DNP3
• IEC 60870-5-104
Benefit: Network protection and segmentation without additional security components, and secured connection to a Telecontrol control center

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote access

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: Secured to Ethernet with CP 1543-1

CP 1543-1

Feature / function: Secured Industrial Ethernet connection to SIMATIC S7-1500
Benefit: Network protection and segmentation without any additional security appliances

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Secure file transfers (FTPS)
• Transmission of network analysis information with SNMP V3
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: CP 1542SP-1 IRC for Distributed Controller

CP 1542SP-1

Feature / function: Secured connection of Distributed Controller SIMATIC ET 200SP as remote terminal unit (RTU) in telecontrol applications
• SINAUT ST7
• DNP3
• IEC 60870-5-104
• TeleControl Basic
Benefit: Network protection and segmentation without any additional security appliances, as well as secured connection to different Telecontrol control centers

Feature / function: Integrated security functionalities
• Virtual Private Network (VPN)
Benefit: Protection of critical networks against
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote accesses

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: CP 1543SP-1 for SIMATIC ET 200SP

CP 1543SP-1

Feature / function: Secured connection of SIMATIC ET 200SP to Industrial Ethernet
Benefit: Network protection and segmentation without any additional security appliances

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Transmission of network analysis information with SNMP V3
• Secure authentication of communication partners by means of certificates
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Full integration in SINEMA Remote Connect
Benefit: Convenient central administration and auto configuration of remote accesses

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: CP 343-1 Advanced / CP 443-1 Advanced

CP 343-1 Advanced, CP 443-1 Advanced

Feature / function: Secured connection of SIMATIC S7-400 and S7-300 to Industrial Ethernet networks
Benefit: Network protection and segmentation without any additional security appliances

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Clock synchronization (NTP secure)
• Secured web server access (HTTPS)
• Secured file transfers (FTPS)
• Transmission of network analysis information with SNMP V3
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Communication processors: Secured PC connection with CP 1628

CP 1628

Feature / function: Secure connection of PGs or PCs to Industrial Ethernet networks
Benefit: Secured communication between PGs / PCs and connected automation components

Feature / function: Integrated security functionalities
• Stateful Packet Inspection Firewall
• Virtual Private Network (VPN)
• Transmission of network analysis information with SNMP V3
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation

Feature / function: Integrated engineering by means of
• STEP 7 in TIA Portal
Benefit: Central configuration of the communication processor


Industrial Security – Card reader: Access control with SIMATIC RF1060R

SIMATIC RF1060R

Feature / function: Access control to machines or plant components
Benefit: Flexible authorization levels, e.g. for machine access for each employee by using employee ID cards

Feature / function: Security functionalities
• Identification of operating personnel
• Tracking of critical activities
• Avoidance of operating errors
Benefit: Protection of critical components against
• unauthorized network and device access
• espionage or data manipulation

Feature / function: Integration options into WinCC, SIMATIC Logon, PCS 7 via USB interface
Benefit: Easy integration in existing hardware (HMI devices and panels)

Feature / function: Supported standards
• ISO 14443 A/B (MIFARE)
• ISO 15693
Benefit: The use of existing employee ID cards permits individual control of access rights

Feature / function: Suitable for industrial applications
• IP65 (front)
• -25 to +55 °C (-13 to 131 °F)
• ATEX II admission
Benefit: For direct use on machines and systems in harsh industrial environments and for zones 2/22


Industrial Security – Mechanical closing of unused ports with IE RJ45 Port Lock

IE RJ45 Port Lock

Feature / function: Mechanical closing of unused RJ45 interfaces of network components and end devices
Benefit: Secures physically open, unused RJ45 interfaces to prevent unauthorized network access. Temporary network disconnections (plant shutdown for maintenance) can be implemented directly on site.

Feature / function: Security functionalities
• RJ45 port lock can also lock non-configurable network components
• Robust, industrial-suited construction
• Easy installation without additional tools due to RJ45 compatible design
• Removal of the port lock only after unlocking with a mechanical key
Benefit: Protection of critical networks against
• unauthorized network access
• espionage or data manipulation


Industrial Security – The Siemens solution for system integrity

Layers of the concept: Plant Security, Network Security, System Integrity (this section)


Industrial Security – Security functions overview for SIMATIC Controller

Columns: S7-300 (>= V3.2) | S7-400 (>= V6.0) | S7-1200 (> V4, V12 SP1) | S7-1500 | S7-1500 Software Controller

Increased Know-how Protection
• Know-How Protection for Program blocks: ● | ● | ● | ● | ●
• Copy Protection for Program blocks (as system function): A) | A) | ● | ● | ●

Improved Access Protection
• Project access protection via Password: ● | ● | ● | ● | ●
• HMI Access Protection for Controllers: ● ● ●
• Different Access Levels by multiple Passwords: ● ● ●

Integrity Protection
• Integrity Protection for Firmware Updates: B) | ● | ● | ● | ●
• Communication Integrity: ● ● ●

Rows with only three marks are supported on three of the five controller families; the slide layout does not preserve which columns they belong to.

A) Realizable via PLC program
B) CRC based


Table of contents

Introduction

The Industrial Security Concept

• Plant Security

• Network Security

• System Integrity

Security Use cases

Security Certifications


Use cases for more network security – Network segmentation and "demilitarized zone" (DMZ)

Task
The security concept of an industrial network shall be divided into several security zones.

Solution
With Industrial Security Appliances SCALANCE S a flexible security zone concept can be realized, containing:

• Different security zones such as DMZ and automation cells

• Remote access only to specific and selected network cells

• Support of 'series machines' by means of NAT/NAPT


Use cases for more network security – Network segmentation and cell protection

Task
For the purpose of risk mitigation, a large and flat automation network shall be divided into several security-based sections. For each individual segment different requirements may apply.

Solution
The individual network segments will be secured with the Industrial Security Appliances SCALANCE S or with specific security communication processors. These appliances will control the access and data traffic to the subordinate segment via their integrated firewalls. By means of VLAN, the Industrial Security Appliances SCALANCE S can be used to protect several network cells simultaneously.
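The two use cases above (zones with a DMZ and NAT/NAPT for series machines, and cell protection with a firewall in front of each segment) can be checked against a written-down policy before any appliance is configured. The following is an added example, not Siemens code and not the configuration format of SCALANCE S or any security CP: it models an office network, a DMZ and two automation cells, a default-deny rule set that only lets office clients reach the DMZ and only lets the DMZ collector reach the cells, and a 1:1 NAT that maps each series machine's identical internal addresses to a distinct plant-side range. All zone names, address ranges, ports and rules are constructed for the example.

```python
"""Zone-based access policy and series-machine NAT for a segmented automation network.

Added example (not Siemens code). Every zone, address, port and rule below is a
constructed assumption used only to illustrate the segmentation concept.
"""
from dataclasses import dataclass
import ipaddress

# Constructed zones: each security zone is one address range.
ZONES = {
    "office": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
    "cell_a": ipaddress.ip_network("192.168.10.0/24"),
    "cell_b": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int
    action: str  # "allow" or "deny"


# Constructed rule set: first match wins, anything unmatched is denied.
# Office clients only reach the DMZ; only the DMZ collector reaches the cells.
RULES = [
    Rule("office", "dmz", "tcp", 443, "allow"),   # office reads production data from a DMZ server
    Rule("dmz", "cell_a", "tcp", 102, "allow"),   # DMZ collector polls the cell (port is an assumption)
    Rule("dmz", "cell_b", "tcp", 102, "allow"),
    Rule("cell_a", "dmz", "udp", 123, "allow"),   # cells fetch time from an NTP server in the DMZ
    Rule("cell_b", "dmz", "udp", 123, "allow"),
]


def zone_of(ip: str):
    """Return the zone containing ip, or None if the address is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide whether a new flow may cross the zone firewall ("allow" or "deny")."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown address space never crosses a zone border
    if src == dst:
        return "allow"           # intra-cell traffic does not pass the zone firewall at all
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src, dst, proto, dport):
            return rule.action
    return "deny"                # default deny


def reachable_from(zone: str):
    """Zones a given zone may initiate any flow to, derived from the rule set."""
    return sorted({r.dst_zone for r in RULES if r.src_zone == zone and r.action == "allow"})


# --- Series machines: identical internal addressing behind 1:1 NAT -----------------
# Assumption: every machine of the series ships with the same internal network, and the
# firewall in front of each one exposes it under a distinct plant-side /24.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
SERIES_MACHINES = {
    "press-1": ipaddress.ip_network("10.1.1.0/24"),
    "press-2": ipaddress.ip_network("10.1.2.0/24"),
}


def translate_inbound(external_ip: str):
    """Map a plant-side address to (machine name, internal address) via 1:1 NAT."""
    ext = ipaddress.ip_address(external_ip)
    for name, net in SERIES_MACHINES.items():
        if ext in net:
            host = int(ext) - int(net.network_address)
            return name, str(INTERNAL_NET.network_address + host)
    raise ValueError(f"{external_ip} is not a series-machine address")


if __name__ == "__main__":
    checks = [
        ("10.0.5.7", "172.16.0.10", "tcp", 443),       # office -> DMZ web: allowed
        ("10.0.5.7", "192.168.10.1", "tcp", 102),      # office -> cell directly: denied
        ("172.16.0.10", "192.168.10.1", "tcp", 102),   # DMZ collector -> cell: allowed
        ("192.168.10.5", "192.168.20.5", "tcp", 102),  # cell -> other cell: denied
    ]
    for flow in checks:
        print(flow, "->", evaluate(*flow))
    print("office can reach:", reachable_from("office"))
    print("10.1.2.5 maps to", translate_inbound("10.1.2.5"))
```

The point of `reachable_from` is the audit question the DMZ use case raises: the office zone must be able to reach only the DMZ, never a cell, and that property should be derived from the rule set rather than assumed. The NAT part shows why series machines need NAT/NAPT at all: two machines with the same internal `192.168.0.x` addresses can only be addressed from the plant network if each sits behind its own translated range.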


Use cases for more network security – Network segmentation and cell protection for S7-1200 stations

Task
The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-1200 controller.

Solution
By means of integrated security functions (firewall and VPN) the CP 1243-1 protects the S7-1200 controller and the subordinate components against unauthorized access, espionage and data manipulation.


Use cases for more network security: Network segmentation and cell protection for S7-1500 stations

Task: The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-1500 controller.

Solution: By means of integrated security functions (firewall and VPN) the CP 1543-1 protects the S7-1500 controller and the subordinate components against unauthorized access, espionage and data manipulation.


Use cases for more network security: Network segmentation and cell protection for S7-300 and S7-400

Task: The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by an S7-300 or S7-400 controller.

Solution: By means of integrated security functions (firewall and VPN) the CP 343-1 Advanced protects the S7-300 controller while the CP 443-1 Advanced protects the S7-400 controller. Both communication processors also protect their subordinate components against unauthorized access, espionage and data manipulation.


Use cases for more network security: Network segmentation and cell protection for SIMATIC ET 200SP

Task: The automation network and its communication shall be separated into individual automation cells, which are controlled and protected by a Distributed Controller SIMATIC ET 200SP.

Solution: By means of integrated security functions (firewall and VPN) the CP 1543SP-1 protects the Distributed Controller SIMATIC ET 200SP and the subordinate components against unauthorized access, espionage and data manipulation.


Use cases for more network security: Secured communication between PGs / PCs and controllers

Task: The communication from and to PC systems such as operator stations and engineering stations shall be controlled and protected.

Solution: With the communication processor CP 1628, an Ethernet PCI card, and its integrated security functions (firewall and VPN), the PG or PC can be protected against unauthorized access, espionage and data manipulation.


Use cases for more network security: Direct and secured remote access to machines and plants

Task: A direct and secured remote access to the machines and plants of a production site shall be realized.

Solution: With the SOFTNET Security Client a direct VPN tunnel can be established to the automation cells, which are protected by Industrial Security Appliance SCALANCE S:

• Direct and secured connection establishment via client-server VPN connections

• Firewall with 600 Mbps and VPN with 120 Mbps throughput

• Support of series machines by means of NAT/NAPT


Use cases for more network security: Direct and secured remote access via mobile networks

Task: A service center shall be connected via the Internet and shall be able to access globally distributed machines and plants via mobile communication to perform typical applications such as remote programming, parameter assignment, diagnostics and monitoring.

Solution: All IP-based devices secured by the Industrial Routers SCALANCE M87x can be accessed via mobile communication. For distributed SIMATIC S7-1200 controllers the CP 1243-7 LTE can be used. Thanks to integrated security functionalities it is also possible to terminate a VPN tunnel at the device directly.


Use cases for more network security: Secured remote access via SINEMA Remote Connect

Task: A secured remote access to production sites distributed around the world shall be possible.

Solution: The Industrial Security Appliances SCALANCE S are integrated into the SINEMA Remote Connect management platform. High data throughput with data security at the same time allows service technicians to quickly and securely access plants and machines:

• Central and transparent management of user access rights and VPN connections

• All VPN clients connect to SINEMA Remote Connect Server (only one public static IP address required)


Use cases for more network security: Secured remote maintenance for special and series machines

Task: A secured remote maintenance shall be established for special-purpose and series machines as well as for larger plants with identical subnets. For all required connections the status and maintenance data shall be centrally gathered and maintained.

Solution: Central management of connected machines and authorized service technicians in SINEMA Remote Connect. Assignment and management of user rights for dedicated access authorization:

• Support of 'series machines' by means of NAT/NAPT
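This slide and the earlier remote-access slide both rely on NAT/NAPT for 'series machines': identical machines ship with identical internal subnets, so without address translation the plant network could not tell two of them apart. The following added example (not Siemens code, and not SCALANCE S or SINEMA Remote Connect configuration) models that 1:1 NAT in Python; the machine names, the 192.168.0.0/24 internal subnet and the 10.10.0.0/16 plant block are constructed for illustration.

```python
# Added example (not Siemens code): a model of the 1:1 NAT that lets several
# identical "series machines" share one plant network. Machine names, subnets
# and addresses are constructed for illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class SeriesMachineNat:
    """1:1 NAT between a machine's internal subnet and a unique external subnet.
    Every series machine keeps the same internal addressing (e.g. PLC at .10);
    only the external subnet differs from machine to machine."""

    def __init__(self, internal: str, external: str) -> None:
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs equally sized subnets")

    def to_external(self, addr: str) -> IPv4:
        """Internal device address -> address seen on the plant/service side."""
        ip = ipaddress.ip_address(addr)
        if ip not in self.internal:
            raise ValueError(f"{ip} is not inside {self.internal}")
        return self.external[int(ip) - int(self.internal.network_address)]

    def to_internal(self, addr: str) -> IPv4:
        """Plant-side address -> the device's real address inside the machine."""
        ip = ipaddress.ip_address(addr)
        if ip not in self.external:
            raise ValueError(f"{ip} is not inside {self.external}")
        return self.internal[int(ip) - int(self.external.network_address)]


def plan_plant_nat(machines: List[str], internal: str, plant_block: str,
                   cell_prefixlen: int) -> Dict[str, SeriesMachineNat]:
    """Carve one unique external subnet per machine out of plant_block."""
    subnets = list(ipaddress.ip_network(plant_block).subnets(new_prefix=cell_prefixlen))
    if len(machines) > len(subnets):
        raise ValueError("plant block too small for the number of machines")
    return {m: SeriesMachineNat(internal, str(s)) for m, s in zip(machines, subnets)}


def external_ranges_disjoint(plan: Dict[str, SeriesMachineNat]) -> bool:
    """Check that no plant-side address could belong to two machines."""
    ext = [n.external for n in plan.values()]
    return all(not a.overlaps(b) for i, a in enumerate(ext) for b in ext[i + 1:])


def locate(plan: Dict[str, SeriesMachineNat], plant_addr: str) -> Optional[Tuple[str, IPv4]]:
    """Map an address seen by central monitoring back to (machine, internal device)."""
    ip = ipaddress.ip_address(plant_addr)
    for name, nat in plan.items():
        if ip in nat.external:
            return name, nat.to_internal(plant_addr)
    return None
```

With three machines built on 192.168.0.0/24 and a 10.10.0.0/16 plant block split into /24 cells, the PLC at 192.168.0.10 becomes 10.10.0.10, 10.10.1.10 and 10.10.2.10 respectively, and centrally gathered status data can be attributed to the right machine with `locate`.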


Use cases for more network security: Secured remote access to PROFIBUS/MPI plants

SINEMA Remote Connect with TIA Cloud Connector – Solution with SCALANCE M804PB

Task: A service engineer shall access a PROFIBUS plant from outside of a corporate network. The engineering tool shall be centrally hosted in a service center.

Solution: Connection to the production cell by means of SCALANCE M804PB. A VPN tunnel enables secured remote access (e.g. Remote Desktop) to TIA Portal within the service center. The communication from TIA Portal to the production cell will be enabled by TIA Portal Cloud Connector functionalities within SCALANCE M804PB.


Use cases for more network security: Secured remote access to PROFIBUS/MPI plants

SINEMA Remote Connect with SCALANCE M804PB, Step 7 and TIA Portal Cloud Connector

Task: Remote access for PROFIBUS via MPI: A service engineer shall access a PROFIBUS plant from outside of a corporate network via mobile access (LTE).

Solution: Connection to PROFIBUS/MPI plants with SCALANCE M804PB, which is connected to the production cell via MPI. Use of the industrial router SCALANCE M876-4 to connect plant components without local Internet access. The easy project planning and management of VPN tunnels via the management platform SINEMA Remote Connect enables a secured remote access to the plant.


Industrial Security: SIMATIC PCS 7 application example


Table of contents

Introduction

The Industrial Security Concept

• Plant Security

• Network Security

• System Integrity

Security Use Cases

Security Certifications


Industrial Security: Granted Certificates

• S7-1500 Controllers

• SCALANCE XM408-8C

• First security level certification (CSPN – Certification de Sécurité de Premier Niveau)

• Development process

• Certification of "Secure Product Development Lifecycle" for Division DF and PD based on IEC 62443-4-1

• TIA Ethernet based devices, e.g. S7-1500, 1505S, S7-300, CP343-1, SCALANCE S, …

• Protection against DoS attacks

• Defined behavior in case of attack

• Improved Availability

Find more information: https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security/certification-standards.html

Find more information: http://ssi.gouv.fr/certification_cspn/simatic-s7-1518-4-version-du-micrologiciel-1-83/, http://www.ssi.gouv.fr/entreprise/certification_cspn/scalance-xm408-8c/


Industrial Security: Siemens is the leading vendor of Achilles level 2 certified products

+ Protection against DoS attacks

+ Defined behavior in case of attack

• Improved Availability

• International Standard

Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 and 1505S, S7-1200, S7-400 HF CPU V6.0, S7-410-5H

Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628

Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs


Industrial Security: Certification for the process control system SIMATIC PCS 7

First product certification according to IEC 62443

• TÜV SÜD certifies that the SIMATIC PCS 7 process control system conforms with the security standards IEC 62443-4-1 and IEC 62443-3-3

• With this certificate, the company documents its security approach to automation products, and gives integrators and operators a transparent insight into its industrial security measures.

• The process control system offers comprehensive security measures and functions to protect plant operation

Highlights:

• IEC 62443-3-3: Functional security capabilities of SIMATIC PCS 7

• IEC 62443-4-1: Product Development Lifecycle of SIMATIC PCS 7


Industrial Security Trainings

• Security Basics for Factory Automation (ST-SECFA1)

• Security Basics for Process Automation (ST-SECPA1)

• Security in Industrial Networks with SCALANCE (IK-SECIN-S)

• Industry Learning Program (ILP): WBT Industrial Security

• Know How Initiative Security (KHI)

Find more information: https://www.sitrain-learning.siemens.com/ILP/en/index.do


siemens.com

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

All product designations, product names, etc. may contain trademarks or other rights of Siemens AG, its affiliated companies or third parties. Their unauthorized use may infringe the rights of the respective owner.


Industrial Security: IT hygiene guide (Guide d'hygiène informatique)

• Have an accurate map of the ICS installation and keep it up to date.

• Have a complete inventory of privileged accounts and keep it up to date.

• Write and apply onboarding and offboarding procedures for users (staff).

• Limit the number of Internet access points to the ICS to the strict minimum.

• Prohibit connecting personal devices to the system.

• Know how every software component in use is updated, and stay informed about vulnerabilities in those components and the updates they require.


Industrial Security: IT hygiene guide (Guide d'hygiène informatique)

• Define an update policy and apply it strictly.

• Technically block the connection of removable media unless strictly necessary; disable autorun execution from such media.

• Prohibit any Internet access from administrative accounts.

• Do not give users administrative privileges. Make no exceptions.

• Allow remote access to the ICS network, including for network administration, only from workstations that implement strong authentication mechanisms and protect the integrity and confidentiality of the exchanges with robust means.

• Secure the gateways interconnecting with the Internet.


Industrial Security: IT hygiene guide (Guide d'hygiène informatique)

• Always use robust physical access control mechanisms for the premises.

• Rigorously protect the keys giving access to the premises and the alarm codes.

• Have a disaster recovery and business continuity plan, even a basic one, kept regularly up to date, describing how to back up the company's essential data.

• Never just clean up an infected machine without trying to find out how the malicious code got onto it, whether it may have spread elsewhere in the network, and what information was manipulated.

• Raise users' awareness of basic IT hygiene rules.
