Summer School: Security and Human in the Loop

16.08.2017

© AIS, 2015

SUMMER SCHOOL
Security and Human in the Loop

Univ.-Prof. Dr.-Ing. Birgit Vogel-Heuser
Ordinaria
Automation and Information Systems (AIS)
Mechanical Engineering, Technische Universität München
www.ais.mw.tum.de; [email protected]

TUM ASIA SUMMER SCHOOL
24th – 30th August 2017

Agenda – TUM Asia Summer School 29th August
Complete agenda: https://tum-asia.edu.sg/i4ss/

9:00AM – 10:30AM
• 29th August: Comparison of Industry 4.0, IoT, Smart Factory, Smart Data
• 30th August: Case Studies & Successful Demonstrators: Applying Enabling Technologies
10:30AM – 11:00AM MORNING TEA BREAK
11:00AM – 12:30PM
• 29th August: PART I: Enabling Technologies (Agents, Modelling Notations for Automation)
• 30th August: Smart Data Enabled Learning During Operation
12:30PM – 01:30PM LUNCH BREAK
01:30PM – 03:00PM
• 29th August: PART II: Enabling Technologies (Agents, Modelling Notations for Automation)
• 30th August: Security and Human in the Loop

Univ.-Prof. Dr.-Ing. Birgit Vogel-Heuser | TUM Chair of Automation and Information Systems

Slide 3: Do we need security at all in the AT (automation technology)?

Answer: It depends on the process automation system and the system

Factors:
• Attractiveness of the product / facility for third parties
• Security also requires know-how and costs

• "Networked production" (e.g. MyYoghurt)
• "Intelligent sensors"
• "Cyber-Physical (-Production) System"
• Increasing number of participating disciplines

Reasons for security:
• Secure data transfer
• Protection of the AT system against virtual and physical attackers (e.g. attacks on control code or sabotage of real physical equipment)

Trend architectures:
• From intranet (private network) to internet (public network) and cloud-based architectures

Slide 4: Trend: Cloud-based architecture models (1)

Software-as-a-Service (SaaS)
• Cloud-deployed applications (e.g. Facebook, Skype, ...)
• Target group: SMEs, private users

Platform-as-a-Service (PaaS)
• Create applications and load them into the cloud (e.g. Amazon Web Services, Windows Azure, ...)
• Target group: IT and application developers

Infrastructure-as-a-Service (IaaS)
• IT infrastructure and hardware components (e.g. Dropbox, Windows Azure, ...)
• Target group: IT departments, IT service providers

[Figure: cloud layer model. Labels: clients; User Interface; Machine Interface; Application; Components; Services; Application services; Software services (SaaS); Programming environment; Execution environment; Platform services (PaaS); Virtual Resources Set (VRS); Calculation; Network; Storage; Infrastructure services (IaaS); Physical Resources Set (PRS)]

[Source: Dr.-Ing. Iris Braun: lecture "SOA – Entwicklung verteilter Systeme auf Basis serviceorientierter Architekturen", Technische Universität Dresden]

Slide 5: Trend: Cloud-based architecture models (2)

[Figure: axes "Flexibility, comfort" and "data sovereignty"]

• No 100% availability guaranteed
• Lack of trustworthiness through loss of data sovereignty
• High interchangeability (Vendor-Lock-In)
• Adaptation of IT organizations and applications if necessary

[Source: Dr.-Ing. Iris Braun: lecture "SOA – Entwicklung verteilter Systeme auf Basis serviceorientierter Architekturen", Technische Universität Dresden]

Slide 6: Motivation: Security in the AT

Stuxnet worm - known as cyber attack on Iran
• The object of the attack was Iranian atomic power stations, for the destruction and disturbance of centrifuges
• Infection in June 2009
• Discovered July 2010 after > 100,000 components were already infected
• Sophisticated and self-acting computer virus
• Disguised as control software

Connected to the Internet

Controlled infection
• USB and local networks
• Windows PCs
• Used valid certificates to not be detected

Distribution
• Finds correct targets (i.e. WinCC/PCS 7 SCADA software and S7 PLCs)

Update
• Access the Internet to download a newer version of itself

Disturbance
• Injected code in order to modify centrifuge speeds

Evade
• Provides false process control information to avoid detection

[Source: https://greenwichmeantime.com]
[Source: http://www.bbc.com]
[Sources: Langner, Ralph. "Stuxnet: Dissecting a cyberwarfare weapon." IEEE Security & Privacy 9.3 (2011): 49-51, and Broad, William J., John Markoff, and David E. Sanger. "Israel tests on worm called crucial in Iran nuclear delay." New York Times 15 (2011): 2011]

Slide 7: The main focus of IT-Security

[Figure: priority scale (high / middle / low); label: availability]

• "Only authorized persons, processes or systems have access to information on a 'knowledge only if necessary' basis."
• "Information shall be protected against intentional, unauthorized or accidental changes."
• "Information should be accessible by the user when needed."

[Source: Tipton, Harold F., et al. "Official (ISC)2 Guide to the CISSP CBK". Auerbach Publications, 2009]

Slide 8: Security in comparison: IT vs. AT

[Figure: priority scales (high / middle / low) for IT and AT. Labels: confidentiality, integrity, availability; reliability, safety, availability]

Further labels on the slide:
• Valuable information (in € million scale)
• Human / environmental damage
• Information & System (shown twice)
• Manufacturing information
• Seconds to minutes
• Real-time capability: response times in the range 100 μs - 100 ms

Availability, reliability and integrity have a significant impact on security!

Slide 9: Challenge: Security in the AT

Challenges:
• Limited resources
• Strict requirements
• Usage of outdated technologies
• Progressive development
• Lifetime of components
• Lack of awareness / perception of safety culture

Associated aspects:
• Computing power
• Real-time capability
• Security gaps and problems with upwards compatibility
• Impairment of scalability and extensibility
• Preferred functionality over security
• Shift of centralized systems to distributed systems
• Integration of new IT technologies

Slide 10: Defense in Depth – Staggered security levels

"Each layer is an obstacle for the attacker and provides both protection and detection methods."

Layers:
• Policy, procedures & perceptions
• Physical
• Network
• Host
• Application
• Data

[Source: Defense in Depth: A practical strategy for achieving Information Assurance in today's highly networked environments, National Security Agency. Retrieved from: https://www.nsa.gov/ia/_files/support/defenseindepth.pdf]

Slide 11: Level 1: Need for Directives, Procedures and Perception

Example: Uploading control software to the wrong oil claim platform in Canada (2000)

[Figure: Intranet office; PLC control software; Conveying station / Factory]

Consequences: Oil production interrupted for ½ day, ~ 100 000 oil barrels

Causes:
• Insufficient policies and guidelines: Staff has only partial knowledge / authorization to upload the control software via remote access
• Poor maintenance practices: Staff did not check if there was a connection to the correct destination

Further identified security gaps:
• Infringement of the safety guideline: No regular password changes
• Lack of system design: Using unencrypted protocols
• Lack of security culture: Neglecting the lock of workstations and / or work computers

[Source: Accidental Remote Uploading of PLC Program. Canada 2002. Retrieved from: http://www.risidata.com/]

Slide 12: Level 1: Security mechanisms by means of directives, procedures and perception

Policies (recommended):
• Derived instructions from a "higher" organization for behavior of a heterogeneous system, application or network

Security policies:
• Derived instructions from security features that a given system should have integrated

Specifications:
• Requirements for designs, behaviors, or other features of a component / system (ideally in a complete, precise and verifiable manner)
• It is also often necessary to specify the procedures for deciding whether these provisions are fulfilled

Guideline (recommended):
• Concise representation in a field of knowledge
• Unofficial regulations with binding character

Standards (mandatory):
• Document defining a general level of quality or performance
• Unified provisions, specifications, guidelines and characteristics relating to a specific subject (e.g. determining the use of a method)

User awareness regarding security:
• Instruction for the use of security concepts, technologies, policies and guidelines

[Sources: Wies R. "Policy Definition and Classification: Aspects, Criteria and Examples". In Proceedings of the IFIP/IEEE International Workshop on Distributed Systems: Operation and Management 1994 Oct 10 (pp. 10-12); Anderson, Ross, Frank Stajano, and Jong-Hyeon Lee. "Security policies." Advances in Computers 55 (2002): 185-235; Duden]

Slide 13: Standards regarding security

• Institute of Electrical and Electronics Engineers
• International Electrotechnical Commission
• International Organization for Standardization

Slide 14: Level 6: Data

Ways to attack:
• Data manipulation
• Data theft
• Data destruction

Safety mechanism:
• Data permission
• Backup: regular backup of data and storage in secure locations
• Database security: continuous verification of data integrity
• Encryption of data

Slide 15: Procedure for security according to [VDI 2182]

Steps (cycle, beginning at START):
• Identify assets
• Analyse threat
• Identify relevant protection objectives
• Analyse and evaluate risks
• Identify protective measures and assess efficacy
• Select protective measures
• Process auditing

Assets: Material and intangible values that could be threatened

[Figure: Manufacturer, Integrator and Operator, each shown with «module»: Cylinder (extend; retract), B4; labels: Documentation, Requirement]

Slide 16: Identification of assets using the example of the xPPU

• Identify threats affecting the target system
• What threats are there at all? E.g. from ICS-CERT Report (quarterly)
• Filtering the threats to your own system, and identification of vulnerabilities

[Source: http://www.govtech.com/]
[Source: NCCIC/ICS-CERT Year in Review: FY 2015. https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2015_Final_S508C.pdf]

Slide 17: Threats and vulnerabilities using the example of the xPPU

Security level | Threats | Weak spot | Nr.
Policy, procedures and perceptions | Abuse of authentication | Access data are public | 1
Physical | Hardware theft | Laboratory always open and unsecured | 2
Network | Data modification and DoS | Unsafe communication protocols | 3
Host | Port scanning | Variety of accessible ports | 4
Application | Buffer overflow in the SPS / PLC application | Low quality tests | 5
Data | Data theft | Lack of data encryption and backup | 6

1 NCCIC/ICS-CERT Year in Review: FY 2015. https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2015_Final_S508C.pdf

Slide 18: Classification into the risk matrix

[Figure: risk matrix, probability (very small to very big) against impact (very small to very big), with threats 1 to 6 plotted]

1) Abuse of authentication
• Low probability: Staff is aware of the confidentiality
• Medium impact: Unauthorized third parties can only make conditional system changes

2) Hardware theft
• Low probability: Continuous supervision by chair staff
• Medium impact: Missing components affect functionality

3) Data modification and DoS
• High probability: Use of unsafe communication protocols (FTP)
• High impact: Potential for malware, confidential data transfer, etc.

4) Port scanning
• High probability: Missing security mechanisms and monitoring
• Medium to high impact: Unauthorized third-party access without discovery

5) Buffer overflow
• Low to medium probability: Well-founded knowledge of the staff, only small bugs possible
• Medium to high impact: Impairment of system functions possible

6) Data theft
• Medium probability: Lack of encryption and backup
• Medium impact: Depending on the nature and relevance of the data

Slide 19: Set the arrangement limit

[Figure: risk matrix, probability (very small to very big) against impact (very small to very big), with threats 1 to 6 plotted]

1. Risk-affected weaknesses must be corrected
   Challenges:
   • Methods and technologies
   • Staff
   • Costs

2. Need for arrangement must be estimated! Set an arrangement limit

3. Implementation of measures for each threat
   5) Buffer overflow
   • Verification and validation of program code
   • Execution of quality tests for program code
   3) Data modification and DoS
   • Prohibition of unsafe protocols (e.g. FTP)
   • Use of encrypted protocols (e.g. SSH, OPC UA)
   • Installation of an attack detection system (e.g. Snort, Bro)
   4) Port scanning
   • Installation of an attack detection system (e.g. Snort, Bro)
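An added example, not part of the lecture material: the classification from slides 17 to 19 as a small Python model that ranks the six xPPU threats and lists those above a limit. The numeric scale for the verbal ratings, the probability × impact product and the limit values are assumptions; the slides give none of them.

```python
from dataclasses import dataclass

# Assumed numeric values for the slides' verbal ratings (not from the lecture).
SCALE = {
    "low": 1.0,
    "low to medium": 1.5,
    "medium": 2.0,
    "medium to high": 2.5,
    "high": 3.0,
}


@dataclass(frozen=True)
class Threat:
    nr: int           # number used in the threat table and the matrix
    layer: str        # defense-in-depth layer the threat belongs to
    name: str
    probability: str  # verbal rating, must be a key of SCALE
    impact: str       # verbal rating, must be a key of SCALE

    def __post_init__(self):
        # Reject ratings outside the scale instead of scoring them silently.
        for rating in (self.probability, self.impact):
            if rating not in SCALE:
                raise ValueError(f"unknown rating {rating!r} for threat {self.nr}")

    @property
    def risk(self) -> float:
        # Assumed risk measure: probability x impact on the ordinal scale.
        return SCALE[self.probability] * SCALE[self.impact]


# Ratings as stated on the risk-matrix slide.
THREATS = [
    Threat(1, "Policy, procedures and perceptions", "Abuse of authentication", "low", "medium"),
    Threat(2, "Physical", "Hardware theft", "low", "medium"),
    Threat(3, "Network", "Data modification and DoS", "high", "high"),
    Threat(4, "Host", "Port scanning", "high", "medium to high"),
    Threat(5, "Application", "Buffer overflow", "low to medium", "medium to high"),
    Threat(6, "Data", "Data theft", "medium", "medium"),
]


def ranked(threats):
    """Highest risk first; ties are broken by threat number for a stable order."""
    return sorted(threats, key=lambda t: (-t.risk, t.nr))


def above_limit(threats, limit):
    """Numbers of the threats whose risk exceeds the limit, highest risk first."""
    return [t.nr for t in ranked(threats) if t.risk > limit]


def report(threats, limit):
    """One text line per threat, marking those that need measures."""
    lines = []
    for t in ranked(threats):
        mark = "MEASURES" if t.risk > limit else "accept"
        lines.append(f"{t.nr}) {t.name:<26} {t.layer:<36} risk={t.risk:<5} {mark}")
    return lines


if __name__ == "__main__":
    # 3.0 is a hypothetical limit chosen only to show the mechanism.
    print("\n".join(report(THREATS, limit=3.0)))
```

Moving the limit changes which threats receive measures, which is why the limit has to be agreed before the measures are selected.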

Slide 20: Outlook: Latest Industrial Security Solutions

Cyber Security Evaluation Tool (CSET):
• Developed by the Industrial Control Systems Cyber Emergency Response Team (USA)
• Supporting software platform for security matters
• Considers standards, guidelines and best practices

Samurai's Security Testing Framework for Utilities (SamuraiSTFU):
• Open source Linux distribution for testing the vulnerability of control software
• Follows the SANS Institute (American Research and Training Organization)
[Image source: http://linuxiarze.pl/]

QuickDraw IDS:
• Open-source attack detection system
• Testing of industrial communication protocols

Conpot:
• Honeypot (software application for network protection)
• Emulation and testing of known protocols such as HTTP, MODBUS
[Image source: https://adarshdinesh.wordpress.com/]

As part of Industry 4.0, security is becoming increasingly important!
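An added example, not taken from the lecture or from any of the tools named: the attack-detection measure proposed for threats 3 and 4, written as Python over a constructed connection log. The log format, addresses and thresholds are assumptions; it flags cleartext FTP control connections and sources that touch many ports on one host within a time window.

```python
from collections import Counter, defaultdict

FTP_CONTROL_PORT = 21

# Constructed sample log, one connection attempt per line:
# epoch_seconds source_ip destination_ip destination_port
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 102
1005 10.0.0.7 10.0.0.20 21
1010 10.0.0.9 10.0.0.20 22
1011 10.0.0.9 10.0.0.20 23
1012 10.0.0.9 10.0.0.20 80
1013 10.0.0.9 10.0.0.20 102
1014 10.0.0.9 10.0.0.20 443
1015 10.0.0.9 10.0.0.20 502
1060 10.0.0.5 10.0.0.20 102
1100 10.0.0.5 10.0.0.20 4840
garbage line
1200 10.0.0.5 10.0.0.20 102
2000 10.0.0.11 10.0.0.20 22
2100 10.0.0.11 10.0.0.20 23
2200 10.0.0.11 10.0.0.20 80
2300 10.0.0.11 10.0.0.20 443
2400 10.0.0.11 10.0.0.20 502
"""


def parse(log):
    """Return (ts, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        events.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return events


def find_cleartext_ftp(events):
    """(src, dst) pairs that opened an FTP control connection."""
    return sorted({(src, dst) for _, src, dst, port in events
                   if port == FTP_CONTROL_PORT})


def find_port_scans(events, min_ports=5, window=30):
    """Map (src, dst) to the largest number of distinct ports seen within
    `window` seconds, for pairs that reach `min_ports`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        in_window = Counter()  # port -> hits currently inside the window
        start = 0
        for ts, port in hits:
            in_window[port] += 1
            # Drop hits that have fallen out of the sliding window.
            while hits[start][0] < ts - window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("cleartext FTP:", find_cleartext_ftp(events))
    print("fast scans:", find_port_scans(events))
    print("incl. slow scans:", find_port_scans(events, window=600))
```

The source 10.0.0.11 in the sample probes one port every 100 seconds and is only reported with the longer window, so the window length decides whether slow scans are seen at all.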

Slide 21: Outlook: Industrial Security Solution

• Use of a mGuard rs 2000 3G VPN Cell Router (hardware software solution)
• Marketed by Phoenix Contact
• Numerous industrial companies, among others BMW and BASF, are interested customers

Main contributions:
• Bidirectional firewall
• NAT router
• VPN router

Use of:
• Network routers
• DMZ
• VPN gateways
• WLAN only via VPN

[Figure: real plant with DMZ; remote maintenance; outgoing VPN; incoming VPN; VPN initialization; any VPN compatible with the protocols used; software protection mechanisms (e.g. encryption & authentication); mechanical protection mechanisms (e.g. switch)]

[Source: http://www.phoenixcontact-cybersecurity.com/de/produkte/mguard-rs2000-3g]

Slide 22: Relation of reliability, safety and security

[Figure labels: Functionality; Security; Security & Safety; Continuous process]

• Safety is not negotiable
• Security only when needed

Slide 23: Cyber-Physical Production Systems (CPPS) – Industrie 4.0

[Figure: CPS market place of production units, with three areas: Data processing for humans; Communication and data consistency; Intelligent products and production units]

• Assistance systems for engineering
• Data processing and integration for humans
• Data analysis of process and alarm data and connection with engineering data
• Appropriation of necessary data for configuration, production, negotiation
• Data consistency about different "stakeholders" in different engineering phases and crafts
• Architecture models (reference architecture) for a category of aggregation / modules related to properties, capabilities, interfaces…
• Description of product and operating resources, e.g. ontology, for independent analysis, presentation, organisation and execution of a production process
• Production units with inherent capabilities
• Digital networks and interfaces for communication (between machine, human and plant, plant and plant)
• World wide distribution of data, high availability, access protection
• Flexible production units, adaptable to modified product requirements, allow also structural changes

Source: B. Vogel-Heuser, G. Bayrak, U. Frank: Forschungsfragen in "Produktautomatisierung der Zukunft". acatech Materialien. 2012.

Slide 24: Smart Data in automated Production Systems

• Data Warehousing: Data Collection, Data Aggregation, Data Integration
• Data Preparation: Exploration, Quality Measures, Transformation, Feature Generation
• Data Analysis: Detection, Prediction
• Model Design: Data-Driven, Knowledge-Driven, Model Selection
• Model Deployment

Decision Support System for each role:
• Process Expert
• Data Analyst
• Process Operator

Slide 25: Information aggregation for maintenance staff

• Mobile devices with touchscreen
• Augmented Reality supports optimization and maintenance of industrial plants

Slide 26: Information aggregation for maintenance staff

Roles: Shift supervisor, Mechanic, Operator
Context: Red-green color blindness; Preferred voice control

[Figure: role-dependent views. Shift supervisor undertakes role of mechanic: maintenance manual (1. Dimensions and illustration of cylinder; 2. Safety regulations; 2.1 General safety instructions), maintenance plans. Role shift supervisor: staff plans, inventory list. Shift supervisor undertakes role of operator: visualization of process data]

Challenge
• Prediction of critical situations based on analysis of process data and alarm sequences
• Recommendations for operator

Approach
• Pattern analysis, statistical approaches and clustering

Slide 27: Visualization of parameters - chipboard manufacturing

• Process parameters: plant / batch / roll
• Comparison of plant parameters with different plants / batches
• Influence of process parameters on quality criteria

[Figure labels: z-direction; Gross density; Transverse tensile stress; Bending stress]

Slide 28: Motivation: State of the art II

Transfer of 2D in quasi 3D-view
• Table data is transferred to a graphical view
• Summarizing the conventional four views into one
• Color coding of the values allows for faster recognition
• Spatial connection

Slide 29: 3D-Patterns

[Figure: Process visualization, 3D-sensor field: without interpolation / with interpolation. Process data analysis, 2D data field: comparison of single data rows (clustered) / comparison of curves]

Slide 30: Data visualization: Combination of 3D-Patterns

• Surface plot with 3D comparison of min and max values
• Surface plot with 2D values from measurement

Slide 31: Data player - process infeed particle board press

Thank you for your attention!