[class 2014] palestra técnica - oliver narr

Unrestricted / © Siemens AG 2014. All Rights Reserv ed. siemens.com/answers

Security product & process management for industrial automation systems

SCADA Security Conference LATAM

Unrestricted / © Siemens AG 2014. All Rights Reserv ed.

Oliver Narr, Marketing Manager Industrial Security

• Advanced security process management 22

• The Siemens Solution 9

• Trends & vulnerabilities on cyber security 2

Industrial Security



Industrial SecurityWhy has industrial security become so important?

Main trends impacting the vulnerability of automati on plants

• Automation networks are connected to IT networks and Internet for remote maintenance

• Increased use of open standards and PC-based systems

• Potential threats increased due to these trends:

• Access by unauthorized persons

• Espionage and data manipulation

• Damage and data loss caused by malware

• Several security incidents reveal the vulnerability of automation plants.



The ICS-CERT incident summary of the annual report tells the story

Cyber threat is a serious challenge facing US industry today

Cyber threats to Industrial Control Systems (ICS) are on the rise

0

50

100

150

200

250

300

2009 2010 2011 2012 2013

IR Tickets

ICS-CERT incident response trends data

There is a critical need to protect our critical infrastructure from cyber attacks

Incident reports by sector (2013)



The Age ofComputerworms

Cybercrime andFinancial Interests

Politics andCritical Infrastructure

Cyberwarfare-Preparation

Threat analysisEvery three years new developments

CodeRed Slammer Blaster

“Hacking for Fun”

Hobbyists

WormsBackdoors

Anti-Virus

HackersBlackHat

Viruses

Responsible Disclosure

Credit Card Fraud

Botnets Banker TrojansPhishing

Adware SPAM

WebSite Hacking

AnonymousSCADA

RSA BreachDigiNotar APT

Targeted Attacks

Sony Hack

Zeus SpyEye Rustock

“Hacking for Money”

Organized Criminals

Aurora Nitro Stuxnet

“Hacking for political andeconomic gains”

HacktivistsState sponsored Actors

? ? ?

“Development and spreadingof cyberwarface capabilities”

Multiple state- andnon-state actors

Underground exploit market

Systematic remote explorationand reconnaissance of criticalInfrastructures and vendors

Increasing sophistication, focusand brutality/impact of cyber methods

Introduction of malicious, sleepingfunctionality in critical products

?

Number of new malware signatures

Number of published exploitsNumber of published vulnerabilities

2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013



Industrial SecurityImpact on relevant vulnerabilities affecting automation products

2010 2011 2012 2013 2014



2010 - StuxnetThe beginning of a new security age in automation

Manipulated area (networked control systems)

Characteristics of Stuxnet Principle ways of infection & function

Infected USB stick

or infection via network

Malware to manipulate windows based SIMATIC tools to load PLC

with modifieddata and program blocks

SIMATIC controller SIMATIC controller

SIMATICEngineering / Runtime Station

Malware to infect PC environment running Windows operating system

SIMATIC data and program blocks - content modified by malware

ModifiedSIMATIC data and programblocks loaded by standard

SIMATIC mechanisms

A complex, highly specific malware

• Attack targeted to one dedicated plant configuration

• Professional propagation

• Spread through four zero-day-exploits for Windows systems

• Mobile data storage, such as USB memory sticks to infect PC

• Mutual update using P2P mechanism

• Network access through WinCC database

With complex manipulations & camouflage mechanisms

• Manipulated PLC program blocks changed automation behavior

• Rootkit mechanism in PC communication drivers hide PLC code changes to the user

Infected area (PC environment / Microsoft Windows)






Industrial Security



Industrial SecurityWhy implement a security strategy instead of just applying some measures?

One big defense measure

“Unconquerable” wall

Single layer of protection

No more checkpoints behind the wall

Defense in depth

Multiple layers of protection

Each layer supports the other layersFor every transition between two layers an

attacker must spend time and effort

No single security measure is good enough to prevent intrusion !



Industrial SecurityThe Siemens defense in depth concept

Plant security• Access control for persons• Physical prevention of access to critical areas

Network security• Controlled interfaces between office and plant network

e.g. via firewalls• Further segmentation of plant network

System integrity• Antivirus and whitelisting software• System hardening• Maintenance and update processes• User authentication for plant and machine operators • Integrated access protection mechanisms in automation

components

Security solutions in an industrial context must ta ke all protection levels into account



Industrial SecurityThe Siemens strategy for plant security

Plant security



Defense in DepthPhysical protection of critical infrastructure

Plant security is the first layer of DiD and frequen tly little emphasis is placed on it

Plant security

• Access protection to plant via gates and checking company identification badges

• Physical protection of critical infrastructures - such as server rooms and control cabinets

• Surveillance with video cameras and motion detectors

• Security guards



Industrial Security ServicesA phased approach to long-term protection of your industrial control system

Activities• Current architecture assessment• Threat modeling• Analysis of vulnerabilities

and their impact

Step 1: Assess

Step 2:Implement

Step 3:Operate & manage

Activities• Employee training• Process improvement• Security technology

implementation

Activities• Global threat monitoring• Incident detection and notification • Design and deploy adjustments to

address changing threat technology


Page 17 Oliver Narr, Marketing Manager Industrial Security

Industrial SecurityThe Siemens solution for network security

Network security



Industrial SecurityExample of network security

Adapted measures for production

Network access control• Interface to IT networks: Secure architecture with DMZ

(SCALANCE S623)• Secure remote access via Internet• Local network access (port security) via device and user

authentication (SCALANCE S)

Cell protection• Risk mitigation through network segmentation• Extension of the cell protection concept with security PC and S7

CPs (CP1628, CP343-1 Adv., CP443-1 Adv., CP1543-1)• Use of secure communication protocols (e.g. https) prevent

espionage and manipulation

Redundancy• Protection of redundant network topologies and secure redundant

connection of subordinate networks or rings with S627-2M

– Products with firewall or VPN functionality



Industrial SecurityThe Siemens solution for system integrity

System Integrity



Industrial SecuritySIMATIC S7-1500 & the TIA Portal to increase system integrity in the automation environment

Security highlights

The S7-1500 + security communication processor and TIA Portal provide several security features:

• Increased know-how protection in STEP 7Protection of intellectual property is an effective investment

• Increased copy protectionProtection against unauthorized reproduction of executable programs

• Increased access protection (authentication )Extensive protection against unauthorized project changes

• Expanded access protectionExtensive protection against unauthorized project changes

• Increased protection against manipulationCommunication protected against unauthorized manipulation






Industrial Security



Industrial Security Siemens internal process improvement

Define �� Self Assessments

+ SECURE by CT CERT • Project Charter• Scope Definition• Work Package Planning• Reviews (CT CERT)• Implementation• Communication / Training

Goals

ISA SDSA Questionnaire

WIB Questionnaire

Measures

• Provide sustainable Industrial Security robustness to our customers• Keep it up to date by implementing build-in tools and methods to our processes

• Product Lifecycle Management• PM@Siemens• Customer Relationship Management

Realize �� ISPI Project Operate �� Roll-Out



Industrial SecuritySiemens initiatives

Escalation process in case of incident

Central process enhancements

Investment

New roles

System test

Awareness and competence enhancements

• Process and escalation levels defined

• Security aspects in project and product lifecycle• Standardization & regulations

• High investment in research & development• Approx. 100 persons involved in security network

• Product security office and security expert

• Intellectual property hardening• Robustness and test enhancements

• Workshops, web-based trainings, announcements• Security training



Industrial SecurityFirst vendor with certification at Achilles Level 2

Certified PLC

S7- 300 PN/DP

S7- 400 PN/DP

S7- 1500 PN/DP

Certified distributed I/O

ET200 PN/DP CPUs

Certified network products

CP343-1 Advanced

CP443-1 Advanced

CP1543-1

CP1628

CPU 410-5H

Scalance S

+ Protection against DoS attacks

+ Defined behavior in case of attack

• Improved availability

• IP protection

• International standard



Security relevant incidents are handled using a dedicated escalation process

Focus on speed of response:Escalation process for security-relevant incidents within Siemens

Internal Customer support

SiemensCERT

Initial classification

Security researcher, etc. Customer / OEMs

Customernotification

Updates /recommendations

Information to external partners

Product-development

Case-orientedtask force

Sec

urity

Net

wor

k

Fast and individual handling with case-oriented taskforce incl. dedicated product security experts

Fast realization of remedies and updates including communication to customers and press, if needed



TestImplementation (secure design/secure coding)

Requirements

Focus on product security: Security aspects in R&D and product lifecycle process

Standardization• Proactive cooperation with standardization organizations such as IEC62443 (ISA99) / VDI2182• A holistic approach is supported in terms of Industrial Security

Training & communication• Workshops, (web based) training courses for social engineering and industrial security

• Special consideration of security requirements in product planning

• Transfer of security know-how / Contact people for security-specific questions

• It is guaranteed that all security-relevant requirements will be implemented

• Expansion of security test tools usage in R&D and system test to analyze source code and to test regarding network robustness

• Theoretical and practical security-assessments (“Hacking tests”)as part of PLM process



Industrial SecurityA recommendation regarding vulnerabilities and responses

Industrial security website

• News / alerts

• Support with whitepapers and application examples

• Glossary

• Concept

• Products

• Services

• Direct link to security experts

• News on standards and regulations

[class 2014] palestra técnica - oliver narr

Technology

cyber security

security incidents

security strategy

industrial securitywhy

industrial securityimpact

new security age

oliver narr

userunrestricted siemens