[CLASS 2014] Technical Talk - Oliver Narr
Unrestricted / © Siemens AG 2014. All Rights Reserved. siemens.com/answers
Security product & process management for industrial automation systems
SCADA Security Conference LATAM
Oliver Narr, Marketing Manager Industrial Security
Industrial Security
• Trends & vulnerabilities on cyber security
• The Siemens Solution
• Advanced security process management
Industrial Security
Why has industrial security become so important?
Main trends impacting the vulnerability of automation plants
• Automation networks are connected to IT networks and Internet for remote maintenance
• Increased use of open standards and PC-based systems
• Potential threats increased due to these trends:
• Access by unauthorized persons
• Espionage and data manipulation
• Damage and data loss caused by malware
• Several security incidents reveal the vulnerability of automation plants.
The ICS-CERT incident summary of the annual report tells the story
Cyber threat is a serious challenge facing US industry today
Cyber threats to Industrial Control Systems (ICS) are on the rise
[Figure: ICS-CERT incident response trends data; IR tickets per year, 2009 to 2013]
There is a critical need to protect our critical infrastructure from cyber attacks
[Figure: Incident reports by sector (2013)]
Threat analysis
Every three years new developments
• The Age of Computer Worms: “Hacking for Fun”, Hobbyists. CodeRed, Slammer, Blaster. Worms, Backdoors, Anti-Virus, Hackers, BlackHat, Viruses, Responsible Disclosure.
• Cybercrime and Financial Interests: “Hacking for Money”, Organized Criminals. Zeus, SpyEye, Rustock. Credit Card Fraud, Botnets, Banker Trojans, Phishing, Adware, SPAM, WebSite Hacking.
• Politics and Critical Infrastructure: “Hacking for political and economic gains”, Hacktivists, State sponsored Actors. Aurora, Nitro, Stuxnet. Anonymous, SCADA, RSA Breach, DigiNotar, APT, Targeted Attacks, Sony Hack.
• Cyberwarfare-Preparation: “Development and spreading of cyberwarfare capabilities”, Multiple state- and non-state actors. ? ? ? Underground exploit market. Systematic remote exploration and reconnaissance of critical infrastructures and vendors. Increasing sophistication, focus and brutality/impact of cyber methods. Introduction of malicious, sleeping functionality in critical products.
[Figure: timeline 2001 to 2013 with curves for number of new malware signatures, number of published exploits and number of published vulnerabilities]
Industrial Security
Impact on relevant vulnerabilities affecting automation products
[Figure: timeline 2010 to 2014]
2010 - Stuxnet
The beginning of a new security age in automation
Characteristics of Stuxnet
A complex, highly specific malware
• Attack targeted to one dedicated plant configuration
• Professional propagation
• Spread through four zero-day exploits for Windows systems
• Mobile data storage, such as USB memory sticks, to infect PC
• Mutual update using P2P mechanism
• Network access through WinCC database
With complex manipulations & camouflage mechanisms
• Manipulated PLC program blocks changed automation behavior
• Rootkit mechanism in PC communication drivers hides PLC code changes from the user
Principle ways of infection & function
Infected area (PC environment / Microsoft Windows)
• Infected USB stick or infection via network
• Malware to infect PC environment running Windows operating system
• SIMATIC Engineering / Runtime Station
• Malware to manipulate Windows based SIMATIC tools to load PLC with modified data and program blocks
Manipulated area (networked control systems)
• SIMATIC data and program blocks - content modified by malware
• Modified SIMATIC data and program blocks loaded by standard SIMATIC mechanisms
• SIMATIC controller
Industrial Security
Why implement a security strategy instead of just applying some measures?
One big defense measure
• “Unconquerable” wall
• Single layer of protection
• No more checkpoints behind the wall
Defense in depth
• Multiple layers of protection
• Each layer supports the other layers
• For every transition between two layers an attacker must spend time and effort
No single security measure is good enough to prevent intrusion!
Industrial Security
The Siemens defense in depth concept
Plant security
• Access control for persons
• Physical prevention of access to critical areas
Network security
• Controlled interfaces between office and plant network, e.g. via firewalls
• Further segmentation of plant network
System integrity
• Antivirus and whitelisting software
• System hardening
• Maintenance and update processes
• User authentication for plant and machine operators
• Integrated access protection mechanisms in automation components
Security solutions in an industrial context must take all protection levels into account
Industrial Security
The Siemens strategy for plant security
Plant security
Defense in Depth
Physical protection of critical infrastructure
Plant security is the first layer of DiD and frequently little emphasis is placed on it
Plant security
• Access protection to plant via gates and checking company identification badges
• Physical protection of critical infrastructures - such as server rooms and control cabinets
• Surveillance with video cameras and motion detectors
• Security guards
Industrial Security Services
A phased approach to long-term protection of your industrial control system
Step 1: Assess
Activities
• Current architecture assessment
• Threat modeling
• Analysis of vulnerabilities and their impact
Step 2: Implement
Activities
• Employee training
• Process improvement
• Security technology implementation
Step 3: Operate & manage
Activities
• Global threat monitoring
• Incident detection and notification
• Design and deploy adjustments to address changing threat technology
Industrial Security
The Siemens solution for network security
Network security
Industrial Security
Example of network security
Adapted measures for production
Network access control
• Interface to IT networks: Secure architecture with DMZ (SCALANCE S623)
• Secure remote access via Internet
• Local network access (port security) via device and user authentication (SCALANCE S)
Cell protection
• Risk mitigation through network segmentation
• Extension of the cell protection concept with security PC and S7 CPs (CP1628, CP343-1 Adv., CP443-1 Adv., CP1543-1)
• Use of secure communication protocols (e.g. HTTPS) prevents espionage and manipulation
Redundancy
• Protection of redundant network topologies and secure redundant connection of subordinate networks or rings with S627-2M
– Products with firewall or VPN functionality
Industrial Security
The Siemens solution for system integrity
System Integrity
Industrial Security
SIMATIC S7-1500 & the TIA Portal to increase system integrity in the automation environment
Security highlights
The S7-1500 + security communication processor and TIA Portal provide several security features:
• Increased know-how protection in STEP 7: Protection of intellectual property is an effective investment
• Increased copy protection: Protection against unauthorized reproduction of executable programs
• Increased access protection (authentication): Extensive protection against unauthorized project changes
• Expanded access protection: Extensive protection against unauthorized project changes
• Increased protection against manipulation: Communication protected against unauthorized manipulation
Industrial Security
Siemens internal process improvement
Goals
• Provide sustainable Industrial Security robustness to our customers
• Keep it up to date by implementing built-in tools and methods to our processes
Measures
Define → Self Assessments
• ISA SDSA Questionnaire
• WIB Questionnaire
Realize → ISPI Project
+ SECURE by CT CERT
• Project Charter
• Scope Definition
• Work Package Planning
• Reviews (CT CERT)
• Implementation
• Communication / Training
Operate → Roll-Out
• Product Lifecycle Management
• PM@Siemens
• Customer Relationship Management
Industrial Security
Siemens initiatives
Escalation process in case of incident
• Process and escalation levels defined
Central process enhancements
• Security aspects in project and product lifecycle
• Standardization & regulations
Investment
• High investment in research & development
• Approx. 100 persons involved in security network
New roles
• Product security office and security expert
System test
• Intellectual property hardening
• Robustness and test enhancements
Awareness and competence enhancements
• Workshops, web-based trainings, announcements
• Security training
Industrial Security
First vendor with certification at Achilles Level 2
Certified PLC
S7-300 PN/DP
S7-400 PN/DP
S7-1500 PN/DP
Certified distributed I/O
ET200 PN/DP CPUs
Certified network products
CP343-1 Advanced
CP443-1 Advanced
CP1543-1
CP1628
CPU 410-5H
Scalance S
+ Protection against DoS attacks
+ Defined behavior in case of attack
• Improved availability
• IP protection
• International standard
Security relevant incidents are handled using a dedicated escalation process
Focus on speed of response:
Escalation process for security-relevant incidents within Siemens
Internal Customer support
Siemens CERT
Initial classification
Security researcher, etc.
Customer / OEMs
Customer notification
Updates / recommendations
Information to external partners
Product development
Case-oriented task force
Security Network
Fast and individual handling with case-oriented taskforce incl. dedicated product security experts
Fast realization of remedies and updates including communication to customers and press, if needed
Focus on product security: Security aspects in R&D and product lifecycle process
Standardization
• Proactive cooperation with standardization organizations such as IEC62443 (ISA99) / VDI2182
• A holistic approach is supported in terms of Industrial Security
Training & communication
• Workshops, (web based) training courses for social engineering and industrial security
Requirements / Implementation (secure design/secure coding) / Test
• Special consideration of security requirements in product planning
• Transfer of security know-how / Contact people for security-specific questions
• It is guaranteed that all security-relevant requirements will be implemented
• Expansion of security test tools usage in R&D and system test to analyze source code and to test regarding network robustness
• Theoretical and practical security-assessments (“Hacking tests”) as part of PLM process
Industrial Security
A recommendation regarding vulnerabilities and responses
Industrial security website
• News / alerts
• Support with whitepapers and application examples
• Glossary
• Concept
• Products
• Services
• Direct link to security experts
• News on standards and regulations