PROFIsafe and IT Security - Peter Brown of Siemens A&D
What is PROFIsafe and how does it work?
Pete Brown, Siemens I CS
Author / Title of the presentation
What do we mean by “Safety”?
“The condition of being safe; freedom from danger, risk, or injury.”
In the UK (and Europe) this can cover many areas and industries, for example:
• Supply of Machinery (Safety) Regulations
• Electromagnetic Compatibility Regulations
• Electrical Equipment (Safety) Regulations
• Pressure Equipment Regulations
• Simple Pressure Vessels (Safety) Regulations
• Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations
• Lifts Regulations
• Medical Devices Regulations
• Gas Appliances (Safety) Regulations
Important: It is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100
PROFIsafe – The Vision
Coexistence of standard and failsafe communication
[Diagram: one Profibus DP network carrying both a Standard Host/PLC and an F-Host/F-PLC, Standard I/O and F-I/O, an F-Field Device, F-Sensor and F-Actuator, an F-Gateway to another safety bus, a Repeater and a DP/PA link; the Engineering Tool (PG/ES) reaches the network over TCP/IP with secure access, e.g. a firewall. F = Failsafe]
PROFIsafe – ISO/OSI Model
• "Black Channel": ASICs, links, cables, etc. Not safety relevant.
• "PROFIsafe": safety-critical communication functions: addressing, watchdog timers, sequencing, signature, etc.
• Safety relevant, but not part of PROFIsafe: safety I/O / safety control systems.
• Non safety-critical functions, e.g. diagnostics.
[Diagram: ISO/OSI layers 1, 2 and 7 for Standard I/O, Standard Control, Safety Input, Safety Control and Safety Output; a Safety Layer sits above layer 7 on each of the safety devices, while standard functions such as diagnostics use the standard stack]
PROFIsafe – Add-on Strategy
Standard: engineering tool STEP 7, standard CPU, standard PROFIBUS DP, standard remote I/O
Failsafe add-on: failsafe engineering tool Distributed Safety, failsafe I/O modules, PROFIsafe, failsafe application program, F-Hardware
PROFIsafe - Program
• Coexistence of standard program and safety-related program on one CPU
• Changes to the standard program have no effect on the integrity of the safety-related program section
[Diagram: standard program and safety program side by side on one CPU, with a back-up]
PROFIsafe – Coded Processing
Time redundancy and diversity replace complete redundancy.
[Diagram: time redundancy (operation followed by a diverse operation, then coding comparison), diverse operators and diverse outputs (A, B versus /A, /B; OR versus AND), with a stop triggered by D / C where D = /C]
PROFIsafe - Introduction
[Diagram: “Black channel”: a PROFIsafe layer at each end exchanges fail-safe data alongside standard data over the standard bus protocol, on PROFIBUS or PROFINET]
Safety-oriented communication via PROFIsafe
• First standard of communication in accordance with safety standard IEC 61508
• PROFIsafe supports safe communication for the open standards PROFIBUS and PROFINET
• PROFIsafe counters possible faults such as address error, delay and data loss with:
  – Serial numeration of PROFIsafe telegrams
  – Time monitoring
  – Authenticity monitoring via unique addresses
  – Optimized CRC checking
• PROFIsafe supports standard and failsafe communication over one medium
Overview: possible errors and detection mechanisms
Failure types: Repetition, Deletion, Insertion, Resequencing, Data Corruption, Delay, Masquerade (standard message mimics failsafe), Revolving memory failure within switches
Remedies: Consecutive Number, Time Out with Receipt, Codename for Sender and Receiver, Data Consistency Check
[Table: each failure type against the remedies that detect it; the check marks did not survive extraction]
PROFIsafe - Introduction
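The receiver-side checks behind the four remedies on this slide, as an added illustration that is not from the presentation: a simplified Python model in which each telegram carries a codename, a consecutive number, the payload and a CRC, and the receiver classifies every telegram as accepted or as one of the failure types listed. The 2-byte codename, 4-byte counter field and CRC-32 are assumptions standing in for PROFIsafe's real telegram layout and polynomial; the counter-width parameter reflects the 8-bit (V1 mode) and 24-bit (V2 mode) counters described later in the deck.

```python
import struct
import zlib

# Simplified model of the detection mechanisms listed on the slide (consecutive
# number, time-out with receipt, codename for sender and receiver, data
# consistency check). Assumptions: a 2-byte codename, a 4-byte counter field
# and CRC-32 (zlib) stand in for PROFIsafe's real telegram layout and CRC.

def build_telegram(codename, counter, payload, counter_bits=8):
    """Sender side: codename | counter (wraps at 2**counter_bits) | payload | CRC."""
    body = struct.pack(">HI", codename, counter % (1 << counter_bits)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

class SafetyReceiver:
    """Receiver side: classifies each telegram as 'ok' or as a detected failure."""

    def __init__(self, codename, counter_bits=8, timeout=0.5):
        self.codename = codename          # codename expected from the peer
        self.mod = 1 << counter_bits      # 8-bit (V1 mode) or 24-bit (V2 mode)
        self.timeout = timeout            # max gap between accepted telegrams
        self.expected = 1                 # next consecutive number
        self.last_counter = None          # counter of the last accepted telegram
        self.last_ok = None               # receive time of that telegram

    def check(self, telegram, now):
        body, crc = telegram[:-4], telegram[-4:]
        if struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return "data corruption"      # data consistency check failed
        codename, counter = struct.unpack(">HI", body[:6])
        if codename != self.codename:
            return "masquerade"           # wrong codename: not our peer
        if self.last_ok is not None and now - self.last_ok > self.timeout:
            return "delay"                # time-out with receipt expired
        if counter == self.last_counter:
            return "repetition"           # same consecutive number again
        if counter != self.expected:
            return "sequence error"       # deletion, insertion or resequencing
        self.expected = (counter + 1) % self.mod
        self.last_counter, self.last_ok = counter, now
        return "ok"
```

A standard (non-PROFIsafe) message mimicking a fail-safe one normally fails the CRC first; the codename check catches a correctly built telegram from the wrong peer.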
Which protocol must be supported?
[Diagram: an F-Host with PROFINET IO-Controller (IO-C) connected through a PROFINET switch to PROFINET IO-Devices (F-DI with Sensor, F-DO with Actuator) and, via a PROFINET-PROFIBUS link, to PROFIBUS devices including a modular device with a local bus; the PROFIsafe telegram is encapsulated at each stage]
F-DI: fail-safe digital input; F-DO: fail-safe digital output; IO-C: PROFINET IO-Controller
PROFIsafe - Introduction
Which protocol version applies when?
A PROFIsafe V2 slave used in:       Protocol with 8-bit counter (= PROFIsafe V1 mode)   Protocol with 24-bit counter (= PROFIsafe V2 mode)
PROFIBUS network only               mandatory                                            mandatory
PROFINET network only               -                                                    mandatory
PROFIBUS / PROFINET network         mandatory                                            mandatory
Goal: 100% compatibility. A PROFIsafe slave which supports the V2 mode must be able to replace an older version of this PROFIsafe slave which only supports the V1 mode, without the need for any adaptation.
PROFIsafe - Introduction
Which protocol version applies when?
[Diagram: on PROFINET only PROFIsafe V2 applies (I/O-Devices V2); on PROFIBUS PROFIsafe V1 or V2 applies (DP Master with DP Slaves V1 and V2); the proxy between the two networks is a DP Slave V2 only. V1 = PROFIsafe Profile V1, V2 = PROFIsafe Profile V2]
PROFIsafe - Introduction
Security for Industrial Automation
Considering the PROFINET Security Guideline
Peter Brown / IT Security for Industrial Automation
Industrial IT Security
[Diagram: potential attack on the DCS/SCADA*, with the defence layers listed below]
*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition
Plant Security
• Physical Security: physical access to facilities and equipment
• Policies & Procedures: security management processes, operational guidelines, business continuity management & disaster recovery
Network Security
• Security Zones & DMZ: secure architecture based on network segmentation
• Firewalls and VPN: implementation of firewalls as the only access point to a security cell
System Integrity
• System Hardening: adapting the system to be secure by default
• User Account Management: access control based on user rights and privileges
• Patch Management: regular implementation of patches and updates
• Malware Detection and Prevention: anti-virus and whitelisting
What is IT Security? (Cyber/Network)
Protection of computers and networks from intrusion and disruption.
• With so many systems relying on networks, this is critical
• The internet allows global connectivity and all its advantages
• These advantages lead to vulnerability
Why do I need IT Security?
• Intrusion can be malicious or accidental
• Governments are concerned by terrorist acts
• Business is concerned by industrial espionage and theft
• Ex-employees may have a grudge
• Current employees can be careless
• Computer viruses can attack PLCs
• Network intrusions are on the increase – the damage can be catastrophic
How do I implement IT Security?
• CPNI recommendations
• Risk analysis and policies
• Industrial grade equipment
• PROFINET / PROFINET Security Guideline (ICS-CERT recommendations)
Industrial Security Homepage: http://www.industry.siemens.com/topics/global/en/industrial-security
PROFINET Security Concept
The PROFINET Security Concept, from the PROFINET Security Guideline:
• Network Architecture – Security Zones
• Trust Concept – within Zones
• Perimeter Defence – Firewall/VPN
• Provision of Confidentiality and Integrity
• Transparent Integration of Firewalls
www.AllThingsPROFINET.com
Security Zones
• Security Zone: communication based on trust within the zone
• Trusted networks should be able to talk with each other
• Perimeter defense
• Local security measures, e.g. locked Ethernet ports, networking equipment in cabinets
[Diagram: a Trusted Network behind a Firewall]
How to secure the Network… using Industrial Firewalls
• Monitor incoming and outgoing data packets on the basis of predefined rules
• Only authorized connections are accepted
• Help to keep unwanted traffic out (e.g. office broadcasts)
• Rugged industrial design
• “Industrial like” administration
• Built-in VPN capabilities
Linking Security Zones
• Data traffic control between networks using security modules
• Encrypted data transmission between security modules
• Firewalls help to keep unwanted office traffic out as well
[Diagram: two Trusted Networks, each behind its own Firewall, connected across the Corporate Network/Backbone by a VPN]
Secure Automation Cells (Zones)
[Diagram: complete plant security built from secure automation cells, with a connection to the Internet]
Connecting to the Outside World
When connecting to the outside world, think about security against:
• Wrong address allocations
• Unauthorized access
• Spying
• Manipulation
Industrial applications have different requirements in network architectures, performance and functions.
PROFINET leverages effective and certified security standards (VPN), e.g. IPsec.
Methods for Network Security
Security issues and vulnerabilities need to be addressed, and there are many methods. How can we address these vulnerabilities using these techniques?
• Firewall: protects against unauthorized access
• VLAN (Virtual Local Area Network): logical network that operates on the basis of a physical network
• DMZ (De-Militarized Zone): exchange data with external partners via safe areas
• VPN (Virtual Private Network): secure tunnel between authenticated users
Industrial Security – Everyone?
Roles: Management, Operators, OEM / System integrators, Component suppliers
• Requirements that operators of industrial automation systems must meet: security guidelines and processes, risk management in terms of security, information and document management, etc.
• System-side requirements in terms of access protection, user control, data integrity and confidentiality, controlled data flow, etc.
• Requirements that components of an automation system must meet in terms of product development processes and product functionalities
• Measures and processes that prevent unauthorized access of persons to the surrounding area of the plant; physical access protection for critical automation components (e.g. locked control cabinets)
Industrial Security for Controllers / HMIs
• Logon Control – central, plant-wide user administration.
• Deactivation of services – most network services are deactivated in our products in their basic configuration.
• Deactivation of hardware interfaces – the unused interfaces of HMI / Controller / Device can be deactivated via the configuration.
• Robust Communication – one of the system properties of our PROFINET devices is their robustness against large volumes of network traffic or faulty network packets.
• Encryption of the user program – application code for the PLC / controller can be encrypted.
• Copy protection – encryption protection can be supplemented with copy protection that prevents duplication of application code.
Example of a “Cell” (Machine?)
Passwords!
Various passwords are set by default:
• HMI: web server; default password = “100”.
• HMI: user “Administrator”; default password = “administrator”.
• Switches: user “Administrator”; default password = “administrator”.
Continuous Network / Security Monitoring
Monitoring of PROFINET / networks for:
• Detection of changes
• Load monitoring
• Security monitoring
• Event forwarding
[Diagram: BANY Agents attached through an integrated TAP or an external TAP to an MRP ring, reporting to an Industrial Service Station]
Industrial IT Security (summary)
[Diagram: the overview from earlier in the deck, Plant Security (Physical Security; Policies & Procedures), Network Security (Security Cells & DMZ; Firewalls and VPN) and System Integrity (System Hardening; User Account Management; Patch Management; Malware Detection and Prevention) protecting the DCS/SCADA, plus Security Services. *DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition]
Any Questions?