Page 1 DF/PD Siemens Belgium-Luxembourg
Page 2 DF/PD Siemens Belgium-Luxembourg
The challenge: Increasing Vulnerability
Page 3 DF/PD Siemens Belgium-Luxembourg
The challenge: Increasing Vulnerability
Stuxnet
Page 4 DF/PD Siemens Belgium-Luxembourg
Security Trends: OT security is essential to protect industrial automation
Information technologies are used in industrial automation
• Horizontal and vertical integration
• Open standards
• PC-based systems
Increased security threats demand action
• Loss of intellectual property, recipes …
• Plant standstill, e.g. due to viruses or malware
• Sabotage in the production plant
• Manipulation of data or application software
• Unauthorized use of system functions
Compliance with standards and regulations is required
Page 5 DF/PD Siemens Belgium-Luxembourg
The challenge: Increasing Vulnerability
IT-Security
Industrial Security
What is it all about? Exponentially increasing number of incidents and attacks to companies – with both IT and OT as main targets.
Digitalisation
Safety & Security
Page 6 DF/PD Siemens Belgium-Luxembourg
What is it all about? Exponentially increasing number of incidents and attacks to companies – with both IT and OT as main targets
The challenge: Increasing Vulnerability
Availability, Confidentiality, Integrity
Confidentiality, Integrity, Availability

| | IT-Security | Industrial Security |
|---|---|---|
| Availability | Second to minute range accepted | Network failure times < 300 ms |
| Installation | Network specialists | Plant commissioning personnel |
| Topology | Star-shaped | Plant-specific |
| Location of use | Climate-controlled offices | Harsh environment |
| Device density | Large, switches with large number of ports | Low, switches with fewer ports |
| Investment life cycle | Every 2 to 3 years | Min 5 to 15 years |
Page 8 DF/PD Siemens Belgium-Luxembourg
The Digital Factory needs powerful communication networks
High data volume: broad bandwidth - GByte
High speed: Real-time communication
Secure connectivity: Robust, reliable components and networks
Smart assets: Identification solutions for communication between smart objects
Requirements of a production network don't change
Vertical integration
Horizontal integration
Page 9 DF/PD Siemens Belgium-Luxembourg
The Digital Factory needs intelligent data
??
Page 11 DF/PD Siemens Belgium-Luxembourg
The Facts: Cyber threats become more specialized
Source: http://www.tuv-sud.com/news-media/news-archive/potential-attackers-can-be-anywhere
Controllers
Firewalls
Honeynet experiment of waterworks linked to the internet (TÜV SÜD – Germany)
EXPERIMENT
• Real devices and network connected to the internet
• State of the art security (firewalls etc.)
• Simulated IO and process
RESULT
• In 8 months over 60,000 attempts
• Attacks to manipulate, upload and change configuration of router and PLCs
• IT and industrial protocols (Modbus, S7) were used
Page 13 DF/PD Siemens Belgium-Luxembourg
Protecting Productivity: The key to a secure infrastructure: Defense in depth
Great wall
• Impenetrable wall
• One-layer protection
• One point of attack
Defense in depth
• Multi-layer protection
• Each layer protects the other layers
• An attacker must spend time and effort at each transition
A single protection measure is never enough to withstand a threat!
Page 14 DF/PD Siemens Belgium-Luxembourg
Industrial Security: The Siemens Solution
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle
• Secure remote access to the plant via the Internet or mobile networks with VPN
• Protection of the plant / machine network through segmentation
• Secured communication
• Protection of system integrity through integrated functions
• Access protection and rights management
• System hardening
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services & monitoring
Page 15 DF/PD Siemens Belgium-Luxembourg
Plant security: Typical examples from real life.
Page 16 DF/PD Siemens Belgium-Luxembourg
Plant Security: Establishing a Security Management Process and organization
Security Management is essential for a well thought-out security concept
Security Management Process
• Risk analysis with definition of mitigation measures
• Setting up of policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of the risk analysis
[Diagram: security management cycle with four numbered steps: Risk analysis; Policies, organizational measures; Technical measures; Validation & improvement]
[Figure: risk matrix of amount of loss against probability of occurrence, each axis from very low to very high, separating acceptable risks from unacceptable risks]
Page 17 DF/PD Siemens Belgium-Luxembourg
Industrial Security: The Siemens Solution
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle
• Secure remote access to the plant via the Internet or mobile networks
• Protection of the plant / machine network through segmentation
• Secured communication
• Protection of system integrity through integrated functions
• Access protection and rights management
Page 18 DF/PD Siemens Belgium-Luxembourg
Network security: We come from isolated production islands…
Page 19 DF/PD Siemens Belgium-Luxembourg
Network security: Everything has to be connected
[Diagram labels: Internet/IT, Unmanaged Switch, Wireless, Ethernet, Profinet, Profisafe, SCADA]
Page 20 DF/PD Siemens Belgium-Luxembourg
Network security: Solution 1: Cell protection with CP
[Diagram labels: Internet/IT, Wireless, MRP, CP-card]
Page 21 DF/PD Siemens Belgium-Luxembourg
Network security: Solution 1: Cell protection with CP
From 1515 -> 2 network cards
[Diagram labels: Internet/IT, Wireless, MRP, CP-card; addresses 172.16.0.1, 172.16.0.2 and 192.168.0.1, 192.168.0.2, 192.168.0.3 (each of the 192.168.0.x addresses shown twice)]
In the future: more & more IP addresses
Page 22 DF/PD Siemens Belgium-Luxembourg
Network security: Cell protection with CP - Portfolio

Cell segmentation

| S7-1500 | S7-300/S7-400 | ET200 SP CPU | PC |
|---|---|---|---|
| CM 1542-1 | CP 343-1 / CP 443-1 | CP 1542SP-1 | CP 1616 / 1612 / 1613 / 1623 / 1626 |

Cell Protection

| S7-1500 | S7-1200 | S7-300/S7-400 | ET200 SP CPU | PC |
|---|---|---|---|---|
| CM 1543-1 | CP 1243-1 | CP 343-1 / CP 443-1 Advanced | CP 1543SP-1 | CP 1628 |
Page 23 DF/PD Siemens Belgium-Luxembourg
Network security: Profinet should be safe now… Next improvements
[Diagram labels: Internet/IT, Wireless, MRP, CP-card]
Page 24 DF/PD Siemens Belgium-Luxembourg
Network security: Solution 2: Segmentation and use VLANs
[Diagram labels: Internet/IT, Managed Switches, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), SCADA]
Page 25 DF/PD Siemens Belgium-Luxembourg
POLL 1
What is the smallest switch we can use to configure VLANs?
• Scalance XB004-1
• XC108
• XB208
• XC208
• XM408
Page 26 DF/PD Siemens Belgium-Luxembourg
Future Network portfolio X200 – X300
Layer 2 Managed

| Previous portfolio | Future portfolio |
|---|---|
| XR-300 | XR-300 (additional versions) |
| X-300 | XC-200 (new product line) |
| X-200 | XB-200 |
| X-200PRO | XP-200 (new product line of the IP65/67 switches) |
| X-200IRT | X-200IRT (additional versions) |
| X-200RNA | X-200RNA, XF-200BA DNA |

| Product line | Description |
|---|---|
| XR-300 | 19" rack switches |
| X-300, X-200 | Compact managed, previous portfolio |
| XP-200 | Protected (IP65/67) managed |
| XC-200 | Compact managed, future portfolio |
| XB-200 | Box managed |
| XF-200 | Flat managed |
| X-200IRT | IRT managed switches |
| X-200RNA | Switches for redundant network structures |
Page 27 DF/PD Siemens Belgium-Luxembourg
Network security: Each segment is more secure now… Other optimizations?
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), three Scalance XB/XC200 switches, SCADA]
Page 28 DF/PD Siemens Belgium-Luxembourg
Network security: Configure PC in another VLAN
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), three Scalance XB/XC200 switches, SCADA (VLAN 20)]
Page 29 DF/PD Siemens Belgium-Luxembourg
Network security: Add a router XM400
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), two Scalance XB/XC200 switches, Scalance XM400, SCADA, SCADA (VLAN 20)]

| Action | From | To | Source (range) | Destination (range) | Service |
|---|---|---|---|---|---|
| Accept | Vlan2 | Vlan1 | 192.168.1.10/32 | 192.168.2.20/32 | Destination port X |
| Accept | Vlan1 | Vlan2 | 192.168.2.20/32 | 192.168.1.10/32 | Destination port X |
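
The two Accept rules above, modelled as an added example (a generic rule evaluator, not SCALANCE configuration syntax and not part of the original slides). It shows which inter-VLAN flows the host-to-host rules admit and audits a rule set for entries broader than the slide's /32, single-port style. Assumptions: first match wins, unmatched traffic is dropped, TCP port 102 stands in for the slide's "Destination port X", and `LOOSE_RULES` is a constructed counter-example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str
    from_vlan: str
    to_vlan: str
    source: str            # CIDR range
    destination: str       # CIDR range
    dport: Optional[int]   # None means "any destination port"


# Assumption: stand-in value for the slide's "Destination port X".
PORT_X = 102

# The two rules exactly as listed in the table on the slide.
SLIDE_RULES = [
    Rule("Accept", "Vlan2", "Vlan1", "192.168.1.10/32", "192.168.2.20/32", PORT_X),
    Rule("Accept", "Vlan1", "Vlan2", "192.168.2.20/32", "192.168.1.10/32", PORT_X),
]

# Constructed counter-example: one subnet-wide, any-port rule.
LOOSE_RULES = [
    Rule("Accept", "Vlan2", "Vlan1", "192.168.1.0/24", "192.168.2.0/24", None),
]


def decide(rules: List[Rule], from_vlan: str, to_vlan: str,
           src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule.

    Assumption: traffic that matches no rule is dropped (default deny).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if (r.from_vlan == from_vlan and r.to_vlan == to_vlan
                and s in ipaddress.ip_network(r.source)
                and d in ipaddress.ip_network(r.destination)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "Drop"


def audit(rules: List[Rule], max_hosts: int = 1) -> List[Tuple[int, str]]:
    """Flag Accept rules wider than host-to-host on a single port.

    Returns (rule number, finding) pairs; an empty list means every
    Accept rule names at most max_hosts addresses per side and one port.
    """
    findings = []
    for number, r in enumerate(rules, start=1):
        if r.action != "Accept":
            continue
        for field in ("source", "destination"):
            net = ipaddress.ip_network(getattr(r, field))
            if net.num_addresses > max_hosts:
                findings.append(
                    (number, f"{field} {net} covers {net.num_addresses} addresses"))
        if r.dport is None:
            findings.append((number, "any destination port allowed"))
    return findings


if __name__ == "__main__":
    # Constructed sample flows: (from, to, source, destination, port).
    flows = [
        ("Vlan2", "Vlan1", "192.168.1.10", "192.168.2.20", PORT_X),  # listed pair
        ("Vlan2", "Vlan1", "192.168.1.11", "192.168.2.20", PORT_X),  # neighbour host
        ("Vlan2", "Vlan1", "192.168.1.10", "192.168.2.20", 80),      # other service
    ]
    for name, rules in (("slide rules", SLIDE_RULES), ("loose rules", LOOSE_RULES)):
        print(name)
        for flow in flows:
            print("  ", flow, "->", decide(rules, *flow))
        for number, finding in audit(rules):
            print("   audit: rule", number, finding)
```
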
Page 30 DF/PD Siemens Belgium-Luxembourg
Network security: Other Improvements?
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), two Scalance XB/XC200 switches, Scalance XM400, SCADA, SCADA (VLAN 20)]
Page 31 DF/PD Siemens Belgium-Luxembourg
Network security: Optimization 2: Create a production Backbone
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Redundant production backbone (MRP), three Scalance XB/XC200 switches, Scalance XM400, SCADA (VLAN 20)]
Page 32 DF/PD Siemens Belgium-Luxembourg
Network security: Firewalls
Innovative technologies to connect safely and securely with your business network
Network Segmentation (security cells)
Firewalls (Front & Back)
VPN Tunnels (IPsec)
Demilitarized Zone (DMZ)
Page 33 DF/PD Siemens Belgium-Luxembourg
Network security: Solution: Install Firewall
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Router: Scalance XM400, SCADA (VLAN 20)]
Page 34 DF/PD Siemens Belgium-Luxembourg
Network security: Final solution
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Scalance S, Redundant production backbone, SCADA (VLAN 20)]
Page 35 DF/PD Siemens Belgium-Luxembourg
Network security: Final solution
[Diagram labels: Internet/IT, MRP, CP-card, Segment 1 (VLAN 11), Segment 2 (VLAN 12), Segment 3 (VLAN 13), Scalance S, Redundant production backbone, SCADA (VLAN 20)]
Strong communication network and basis for digitalization:
• High speed: Realtime communication
• High data volumes: Bandwidth
• Availability: Fast redundancy
• Protection against IT: Security
• Flexibility: Easy extension (plug’n’play)
• Reliable components: Robust
Page 36 DF/PD Siemens Belgium-Luxembourg
Network Security: SCALANCE S - Portfolio
Legend: Product in development, Product available
Interfaces: 10/100 Mbps, 10/100/1000 Mbps
Firewall/routing: 100 Mbps, 200 Mbps, 600 Mbps
VPN: 35 Mbps, 55 Mbps, 120 Mbps
Firewall, NAT, VPN
• S615: maximum 64 rules, 20 VPNs
• S612, S623, S627-2M: maximum 256 rules, 128 VPNs
• SC642-2C, SC646-2C: maximum 1000 rules, 200 VPNs
Firewall, NAT
• S602: maximum 256 rules
• SC632-2C, SC636-2C: maximum 1000 rules
Page 37 DF/PD Siemens Belgium-Luxembourg
Network security: Alternative for cell protection again with CP-cards…
[Diagram labels: Internet/IT, Wireless, MRP, CP-card]
Only S7-routing is possible here
Page 38 DF/PD Siemens Belgium-Luxembourg
Network Security: Instead of CP-cards, Scalance S can also be used for cell protection
Page 39 DF/PD Siemens Belgium-Luxembourg
Network Security: VPN-tunnels
Innovative technologies to connect safely and securely with your business network
Network Segmentation (security cells)
Firewalls (Front & Back)
VPN Tunnels (IPsec)
Demilitarized Zone (DMZ)
Page 40 DF/PD Siemens Belgium-Luxembourg
Network Security: Remote maintenance with SINEMA RC server
[Diagram labels: SCALANCE S615, SCALANCE M876-4, SIMATIC S7-1200, SIMATIC S7-1500, SIMATIC S7-300, Mobile wireless network, Company network, SINEMA RC Client, SINEMA Remote Connect, Internet router, Internet connection]
*) As from firmware V4.2
Page 41 DF/PD Siemens Belgium-Luxembourg
Network Security: Remote access with Sinema Remote Connect
Page 42 DF/PD Siemens Belgium-Luxembourg
Configuration example of SINEMA RC: Condition Monitoring
Network Security: Condition Monitoring
Configuration example SINEMA Remote Connect: Condition Monitoring
Task
• Central management of the connections needed to acquire status/maintenance data
Solution
• Transparent communication structure via standard IP mechanisms
• Connection via various media to the routers in the SCALANCE M portfolio
• Central management of the communication network in SINEMA RC
• Establishment of the VPN tunnel from the field
Benefits
• Transparency and overview of the remote maintenance network
• Easy, secure operation without specialized IT know-how
• Transparent IP communication
• Secured remote access (via VPN tunnel)
Page 43 DF/PD Siemens Belgium-Luxembourg
Network Security: Scalance M - Portfolio

| | SCALANCE M874-2 | SCALANCE M874-3 | SCALANCE M876-3 | SCALANCE M876-4 |
|---|---|---|---|---|
| WAN interface | 2G / EDGE | 3G / HSPA+ | 3G / HSPA+, EV-DO | 4G / LTE |
| IE number of ports | 2 | 2 | 4 | 4 |
| DI/DO | 1/1 | 1/1 | 1/1 | 1/1 |
| FW/VPN (IPsec)/NAT | yes | yes | yes | yes |
| OpenVPN * | yes | yes | yes | yes |
| VRRP/HSR/MRP/RSTP * | yes | yes | yes | yes |
| WBM | yes | yes | yes | yes |
| TIA Portal / CLI * | yes | yes | yes | yes |
| KBA** (e1/E1) / EN50155 | no | no | no | no |
| Data rate, downlink | up to 237 kbit/s | up to 14,4 Mbit/s | up to 14,4 Mbit/s | up to 100 Mbps |
| Data rate, uplink | up to 237 kbit/s | up to 5,76 Mbit/s | up to 5,76 Mbit/s | up to 50 Mbps |

List price
* In preparation
** KBA = Federal Motor Transport Authority
Page 44 DF/PD Siemens Belgium-Luxembourg
Networks – Sinema Remote Connect: Start Package
Page 45 DF/PD Siemens Belgium-Luxembourg
POLL 2
What’s the price to begin with the starter package of the Scalance S615?
• 200-400€
• 400-600€
• 600-800€
• 800-1000€
• >1000€
Page 46 DF/PD Siemens Belgium-Luxembourg
Network Security: DMZ-zone
Innovative technologies to connect safely and securely with your business network
Network Segmentation (security cells)
Firewalls (Front & Back)
VPN Tunnels (IPsec)
Demilitarized Zone (DMZ)
Page 47 DF/PD Siemens Belgium-Luxembourg
Network Security: DMZ-zone
Task
Network users (e.g. MES servers) should be reachable from the secure and non-secure network without creating a direct connection between the networks.
Solution
A DMZ can be established on the yellow port with the SCALANCE S623, in which the aforementioned server can be placed.
Page 48 DF/PD Siemens Belgium-Luxembourg
Why choose Siemens network solution? Only Siemens has integrated solutions for automation and communication
Why is office IT not sufficient for production?
[Diagram labels: Core, TIA Portal, SCADA; Defined interface between Office IT & Production; Efficient engineering of the complete production network with TIA Portal; High-performance, highly available communication]
High Availability: To avoid significant economic losses or other damages
- 100% Uptime for secured productivity
- Specific (different) Network structures (star <-> complex)
- Ring structures (e.g. MRP)
- 2/3 sec. network recovery not acceptable
Determinism
- Different protocols (Profinet, Profisafe, ….)
- Real-time requirements of automation tasks
- Short recovery times
Support IT
- IT not in the field. Changes/diagnostic of network has to be fast
- IT sometimes in other countries, sometimes case has to be made
- Windows updates (not compatible with industry software)
Page 49 DF/PD Siemens Belgium-Luxembourg
Why choose Siemens network solution? Only Siemens has integrated solutions for automation and communication
[Diagram labels: Core, TIA Portal, SCADA; Efficient engineering of the complete production network with TIA Portal]
What is the benefit of the Siemens (TIA portal)?
Efficient engineering, fast commissioning
- Consistent data management and minimized training effort (TIA portal)
Fast fault localization
- Integrated diagnostic down to the field level
Maintenance:
- Experience + everything in 1 hand (TIA)
- No other software
- C-plug (or exchange without PC)
Industrial
- Temperature, dusty, corrosive
- Vibrations, fanless
- Number of ports (din-rail)
Trust Siemens:
- All components tested together
- 5 years warranty
- Security
Page 50 DF/PD Siemens Belgium-Luxembourg
Digitalization -> enterprise and production layer get closer connected
Yesterday: Limited interoperability
[Diagram labels: Enterprise, Production]
Limited communication between enterprise and production layer
Today: Arising challenges through increasing interoperability
[Diagram labels: Enterprise, Field, Control, Enterprise, Management, Production, Operator]
Challenge to handle complexity of increasing communication
Future: Defined interface to handle complexity
[Diagram labels: Enterprise Network, Production Backbone, Production Cell]
Two dedicated networks with defined managed interface
Interoperability
Page 51 DF/PD Siemens Belgium-Luxembourg
Industrial Security: The Siemens Solution
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle
• Secure remote access to the plant via the Internet or mobile networks
• Protection of the plant / machine network through segmentation
• Secured communication
• Protection of system integrity through integrated functions
• Access protection and rights management
Page 52 DF/PD Siemens Belgium-Luxembourg
System Integrity: S7-1500 system hardening
Know-how protection
• Protection of intellectual property of program code
• Know-how protection for PLC program blocks
Communication integrity
• Detection of manipulated communication data
• Engineering and HMI communication with integrated security
Access protection
• Protection against unauthorized access and configuration changes
• Protection level concept with different access rights incl. HMI connections
Copy protection
• Protection against unauthorized duplication of runtime program code
• Bind program blocks to hardware serial numbers (CPU or SD card)
[Diagram labels: TIA Portal, Controller, HMI, Engineering, Maintenance, Operation, Remote control, Engineering System, Storage A, Storage B]
System Integrity
Essential Mechanisms

System hardening
Reduce surface of attack
• By default, PCs have software installed that is not required for normal plant operation
• Malware is usually created for widely used software applications like IE, Adobe, ActiveX, JavaScript, …

Anti-virus and whitelisting
Continuous identification and prevention of malware
• Protection against viruses, worms and Trojans with anti-virus programs
• Protection against unwanted applications and malware with whitelisting applications

Patch management
Continuous deployment of security patches and updates
• All patches should be tested for compatibility
• Central patch distribution
• Creation of patch groups and strategies for updates without interrupting plant operation

Authentication and user management
Management of user and operator rights
• "Minimality principle" applies
• Clear assignment of roles and rights
• Use of secure passwords
• Access protection for ICS project data

Industrial Security
Siemens Security Services

Siemens Plant Security Services
• Assess Security
• Implement Security
• Manage Security

Siemens products and systems offer integrated security
• Know-how and copy protection
• Firewall and VPN (Virtual Private Network)
• Authentication and user management
• System "hardening"

The Siemens security concept – "Defense in Depth"

Industrial Security
Siemens Security Services

Evaluation of the current security status of an ICS environment
• IEC 62443 Assessment
• ISO 27001 Assessment
• SIMATIC PCS 7 and WinCC Assessment
• Risk and Vulnerability Assessment

Risk mitigation through implementation of security measures for reactive protection
• Security Awareness Training
• Security Policy Consulting
• Network Security Consulting
• Perimeter Firewall Installation
• Clean Slate Validation
• Anti Virus Installation
• Whitelisting Installation
• System BackUp
• Windows Patch Installation

Comprehensive security through monitoring and proactive protection
• Industrial Security Monitoring
• Remote Incident Handling
• Perimeter Firewall Management
• Perimeter Firewall Review
• Anti Virus Management
• Whitelisting Management
• Patch and Vulnerability Management

McAfee inside
SecureGUARD inside

Industrial Security
CERT@Siemens

Cyber Emergency Readiness Team
www.siemens.com/industrialsecurity

Industrial Security
Security of Siemens Products – Granted Certificates

• S7-1500 Controllers
• XM408-8C
• First security level certification (CSPN – Certification de Sécurité de Premier Niveau)

• Development process
• Certification of "Secure Product Development Lifecycle" for Division DF and PD based on IEC 62443-4-1

• TIA Ethernet based devices
• E.g. S7-1500, 1505S, S7-300, CP343-1 SCALANCE S, …
• Protection against DoS attacks
• Defined behavior in case of attack
• Improved Availability

Find more information: http://www.wurldtech.com/product_services/certifications/certified_products/
Find more information: http://ssi.gouv.fr/certification_cspn/simatic-s7-1518-4-version-du-micrologiciel-1-83/

Best Application Contest
Now – September 21

What:
Collection of your success stories (with Siemens technology) in Industrial Security

Why?
- You win: a voucher for Siemens' automation portfolio of 5000€, 3000€, 2000€
- Free publicity for almost 1 year
- Recognition at the Award Show (and far beyond)

How?
- Oct 1, 2017 - May 30, 2018: enter your project at www.siemens.be/best-application-contest
- June 1, 2018 - August 30, 2018: voting period
- Sept 20, 2018: Award Show

Industrial Security
If you want to work secure
Work with