© Siemens AG 2015. All rights reserved
Challenges in industrial IT-Security
Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens
Siemens - Corporate Technology - IT Security
Page 2 May 2015 Corporate Technology © Siemens AG 2015. All rights reserved
From standalone embedded systems to secure and intelligent Cyber-Physical Systems
[Figure: timeline from Yesterday through Today to Tomorrow, spanning the Real World and the Virtual World]
Stages: standalone embedded systems; closed network of distributed embedded systems; open network of systems of systems of embedded systems
Other labels: SW; multi-core embedded system; open source SW; cloud computing; ambient intelligence; intermodal interaction; social networks and platforms; in-memory computing / real-time DA (Data Analytics); data; knowledge; IT security; cyber security
Not a single day without an IT security disaster
The threat level is rising – attackers are targeting critical infrastructures
[Figure: threat timeline, 2002 to 2015]
Eras: The Age of Computer Worms; Cybercrime and Financial Interests; Politics and Critical Infrastructure; Hacking against physical assets
Malware named on the timeline: Code Red, Slammer, Blaster, Zeus, SpyEye, Rustock, Aurora, Nitro, Stuxnet
Motives: "Hacking for fun"; "Hacking for money"; "Hacking for political and economic gains"
Actors: States, Criminals, Hobbyists, Organized Criminals, Hacktivists, State sponsored Actors, Terrorists, Activists
Keywords: Backdoors, Worms, Anti-Virus, Hackers, BlackHat, Viruses, Responsible Disclosure, Credit Card Fraud, Botnets, Banker Trojans, Phishing, SPAM, Adware, WebSite Hacking, Anonymous, SCADA, RSA Breach, DigiNotar, APT, Targeted Attacks, Sony Hack, Cyberwar, Hacking against critical infrastructure, Identity theft, Loss of privacy
Plotted series: # of published exploits; # of new malware samples; # of published vulnerabilities
Data sources: IBM X-Force Trend and Risk Report; HP Cyber Risk Report; Symantec Intelligence Report
Incidents on critical infrastructure are taken seriously by governments
The US government runs the ICS CERT 1) to monitor the increasing number of incidents in critical infrastructure
From ICS-CERT Monitor January–April 2014
• Internet Accessible Control Systems At Risk
"Tools, such as SHODAN, Google and other search engines, enable researchers and adversaries to easily discover and identify a variety of ICS devices that were not intended to be Internet facing. Adding to the threat landscape is the continued scanning and cataloguing of devices known to be susceptible to emerging vulnerabilities such as the OpenSSL Heartbleed."
• Public Utility Compromised
"A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques."
ICS CERT reports 257 incidents in critical infrastructure in 2013
[Chart: incidents by sector. Sectors shown: Commercial Facilities, Financial, Healthcare, Communications, Critical Manufacturing, Energy, Government Facilities, Emergency Services, Water, Information Technology, Transportation, Dams, Nuclear]
Data sources: ICS-CERT Report "ICS-CERT Year-in-Review – 2013"; ICS-CERT Monthly Monitor January–April 2014
1) ICS CERT = Industrial Control Systems Cyber Emergency Response Team
Security is required by Siemens customers
Trends and examples for security requirements
Security is becoming a MUST
• Heightened awareness for security issues in public
• Increasing need to protect products' intellectual property and business case
• Specific standards and guidelines regarding security and privacy are getting established
• Security lifecycle is becoming standard at software companies
• Internal assessments and compliance tests are perceived as first step towards fulfilling customer security requirements
Examples of organizations issuing security standards or guidelines
[Logos grouped by region: Global, Europe, Germany; legible label: EG2 SGIS/M490]
Different factors are driving the research demand for IT Security
New Functionality
Example
• Integrated solutions
• Device connectivity
Quality of Security
Examples
• Robust and easy to use
• Long term security
Security Use Case
Examples
• Know-how protection
• Industry 4.0 scenarios
Industrial IT and Office IT have different management & operational characteristics

| Characteristic | Office IT | Industrial IT |
|---|---|---|
| Application of patches | Regular / scheduled | Slow |
| Availability requirement | Medium, delays accepted | Very high |
| Security testing / audit | Scheduled and mandated | Occasional |
| Physical Security | High (for critical IT) | Very much varying |
| Security Awareness | High | Increasing |
| Anti-virus | Common / widely used | Uncommon / hard to deploy |
| Component Lifetime | 3-5 years | Up to 20 years |
| Real time requirement | Delays accepted | Critical |
| Security Standards | Existing | Under development |

"Office" security concepts and solutions are not directly applicable for industrial control systems
Industrial Security Defense-in-Depth Concept
Plant Security
• Access Control
• Security Management
Network Security
• Controlled Access between IT and OT networks, industrial firewalls
• Segmentation of OT networks
System Integrity
• Antivirus and Whitelisting Software
• System hardening
• Maintenance and Patching
• Identification and Access Management
Security solutions in the context of industrial IT-security have to consider all protection layers
[Figure: protection layers around the production plant: Plant Security, Network Security, System Integrity]
Critical Infrastructures
Siemens – Infrastructure provider in an increasingly digitalized and networked world
Critical Infrastructures
Example: Smart Grid – Incorporation of Decentralized Energy Resources (DER) and flexible loads requires security
[Figure labels: Large and Flexible Generation; Distributed Generation; Transmission & Distribution; Storage; Industrial & Residential; Electro Mobility; ICT]
Different elements of energy management require specific and aligned security features
[Figure: layered portfolio; vertical labels: Services and security; Digitalization; Automation; Electrification]
Software/IT: Grid control – big data analytics – grid application
Communication, automation, protection, and field devices
Electrification solutions: High-voltage direct current (HVDC) transmission – grid access – FACTS – air-insulated/gas-insulated substations – power systems solutions – microgrids / nanogrids
Products and systems: High-voltage switchgear and systems – power transformers – medium-voltage switchgears – distribution transformers – low-voltage switchboards and circuit breakers
Customer segments: Large power generation; TSOs 1); Oil and gas; Industries; Infrastructures / construction; DSOs 2) and municipalities; Distributed generation
1) Transmission system operators
2) Distribution system operators
Security requirements for smart grid applications stem from a variety of potential attacks (examples)
Generation / DER
• Misuse of local administrative rights
Distribution and Transmission
• Falsified status information, e.g., from synchrophasors (PMU) in widely dispersed locations may limit the power flow.
Customer
• Prosumer behavior tracking, e.g., through smart meters
• Fraud through smart meter manipulation
Market
• Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, …)
Operation
• Unauthorized remote service access
Security Guidelines / Standards / Regulation to ensure Reliable Operation of the Smart Grid (examples)
Smart Grid Coordination Group (M/490) → SGAM
Smart Grid Interoperability Panel, Cyber Security WG → NIST IR 7628
Cyber Security Framework
Critical Infrastructure Protection CIP 001-011
• Protection Profile for SM GW
• Guideline TR-03109 required through EnWG
• IEC TC 57 – Power systems management and associated information exchange
• IEC 62351-1 … -13
• IEC TC 65 – Industrial Process Measurement, Control and Automation
• IEC 62443-1 … -4
• ISO/TC 022/SC 03 & IEC/TC 69 JWG 01 – Vehicle-to-Grid Interface
• ISO 15118
• ISO 27001 – Information security management systems – Requirements
• ISO 27002 – Code of Practice for information security management
• ISO 27019 – Information security management guidelines for process control systems used in the energy utility industry on the basis of ISO/IEC 27002
• Critical Infrastructure Protection
Focus Shifting from Product Security to e2e Security
Cyber Security Requirements – The Moving Target
Awareness
• Cyber Security is on top of the agenda of C-level
• Media exposure on vulnerability or incidents is high
• Cyber Security incidents have a cross-division impact
Regulation
• Increased Attention on critical Infrastructure
• Actual and upcoming regulation:
  • EU: Data Protection Regulation
  • DE: Protection Profile (Smart Metering)
  • DE: Sicherheitskatalog (certified risk management)
  • FR: Industrial Control System
  • US: NERC CIPv5
Shift in Customer requirements towards
• Life-cycle management (e.g. Incident & Vulnerability handling, Security Patch management)
• Solution-Security (e.g. e2e security)
• Compliance of solutions (Certification)
[Figure labels: Product Security; Solution Security; Operational Security]
Our Products – Integrated Security
Siemens Domain Knowledge &
[Figure labels: Life Cycle management; Security Architecture; Security by Design; Integrity; Confidentiality; Availability; Substation Automation; Protection; Power Quality; Control Center & Applications]
Standards: NERC CIP, bdew, WIB 2.0, IEC 62443
Our Systems and Solutions: End-to-End Security
Secure System Design
Secure solutions considering
• Secure network configuration
• Hardening
• Account Management incl. Authentication
• Vulnerability Management & Malware protection
• Backup & Restore
• Remote Access
Including all relevant Processes and Phases
• Product Development Phases: Requirements, Implementation, Test
• Project Management Phases: Offering, Contract, Engineering, Commissioning (FAT/SAT), After Sales
Siemens Provision
• Deep IT Security knowledge and experience for products, systems and solutions
• Documentation and processes available on product and system level
• Different levels of support for customer projects
Secure Systems & Solutions
Substation Security Patch Management
Vendor-centric Processes
• ProductCERT: Security Vulnerability Monitoring (SVM) Service
• Development / PLM: Manage vulnerabilities and patches as part of the development process
• Project Delivery / SCM: Keep security patch level in the solution up to date (SCM)
Example: Secure Substation – Advanced Cyber Security Integrated in the Products
Competence and Processes
• Secure Development Process
• Patch Management Process
• Contribution to definition of security standards, like IEC 62351
Integrated Security in our products
• Centralized user management and role-based access
• Encrypted communication
• Secure Remote Firmware and Security Update
Secure Substation Design
• Proofed reference architecture
• Recommendation for network components, malware protection and other security controls
Cyber Security in Energy Management – Our Offerings
Siemens Offerings
Products & Solutions
• Secure Substation, e.g. migration to a secure substation
• BDEW white paper compliance modules
Penetration Tests
• Network penetration tests at customer infrastructure (simulating external and internal cyber attacks)
Consulting
• Security Assessments for existing infrastructure, e.g. Hardening
• Consultancy for secure integration of Siemens products and systems
• BDEW white paper compliance audit
• Holistic Security Consultancy via Smart Grid Compass (incl. data security and data privacy)
• Security Standardization to ensure aligned and interoperable system security
Services
• Cyber Security Trainings
• Security Patch Management for SCADA
Thank you for your attention!
Siemens Corporate Technology 2015