SIMATIC Security Concept PCS 7 & WinCC (Detail) Administration of Virus Scanners

White Paper

www.usa.siemens.com

White Paper

Security Concept PCS 7 & WinCC

December 2011

Legal information
Warning notice system This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

Danger
Indicates that death or severe personal injury will result if proper precautions are not taken.

Warning
Indicates that death or severe personal injury may result if proper precautions are not taken.

Caution
With a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

Caution
Without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

Notice
Indicates that an unintended result or situation can occur if the corresponding information is not taken into account.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage. Qualified Personnel The device/system may only be set up and used in conjunction with this documentation. Commissioning and operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes in this documentation qualified persons are defined as persons who are authorized to commission, ground and label devices, systems and circuits in accordance with established safety practices and standards. Proper use of Siemens products Note the following: Warning
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be adhered to. The information in the relevant documentation must be observed.

Trademarks All names identified by are registered trademarks of the Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner. Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

Table of Contents
1 Preface .......................................................................................................4 1.1 1.2 2 2.1 2.2 2.3 2.4 2.5 2.6 3 Structure and organization of the document....................................4 Special notes...................................................................................4 Definitions......................................................................................5 Using virus scanners........................................................................5 Basic virus scanner architecture.......................................................6 Strategy for distributing virus signatures..........................................7 Configuration of virus scanners.......................................................8 Approved virus scanners for PCS 7 and WinCC..................................9

Managing virus scanners............................................................................5

Practical information..................................................................................10

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

Preface
1.1 Structure and organization of the document
The Security Concept PCS 7 & WinCC consists of several parts: The basic document is a central overview and guide for the Security Concept PCS 7 & WinCC. It provides a systematic description of the basic principles and strategies of the security concept. Users should have appropriate knowledge of the basic document to understand all additional detail documents. The detail documents (such as this document) explain the specific principles, solutions and their recommended configuration in detail form, focusing on particular detail topics. The detail documents are supplemented, updated and provided separately to ensure they are always up-to-date.

1
The Security Concept PCS 7 & WinCC accordingly recommends the use of currently available security mechanisms. To achieve maximum security, configurations with plant-specific scaling should not contradict the basic principles of this security concept. The Security Concept PCS 7 & WinCC is designed to support interaction between administrators of corporate networks (IT administrators) and automation networks (automation engineers), so that both can benefit from the advantages of the networking of process technology and data processing at other production levels, without increasing security risks at either end. Knowledge requirements This documentation is intended for personnel working in the fields of engineering, commissioning and servicing of SIMATIC automation systems. It is presumed that readers have appropriate management knowledge of office IT. Validity The Security Concept PCS 7 & WinCC incrementally overrides all previous documents and recommendations Security concept for PCS 7 and Security concept for WinCC and is valid as of WinCC V6.2 and PCS 7 V7.0.

1.2

Special notes

Objective of the Security Concept PCS 7 & WinCC Top priority priority is given in automation engineering to maintaining production and process control. Any measures taken to prevent the propagation of security risks must not have negative impact in this context. The Security Concept PCS 7 & WinCC is designed to ensure that only authenticated users can manipulate authenticated devices in the framework of their assigned and authorized operating options. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, product, goods to be coordinated and the business of the enterprise.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

Managing virus scanners

Using virus scanners in a process control system is only effective when they are part of a comprehensive security concept. A virus scanner alone generally cannot protect a process control system against security threats. The following requirements are therefore imposed on the use of virus scanners in industrial environments:

2.1

Definitions

When operating a Security Suite (virus scanner plus options), users must be able to to disable all options exceeding the functional scope of a conventional virus scanner, e.g. firewall, E-mail scan. Within a centrally managed virus scanner architecture, options must be available for organizing and configuring the clients in groups. It must be possible to disable automatic distribution of virus signatures. It must be possible to distribute virus signatures manually and based on groups. An option must be provided to manually initiate a file and system scan within selected groups. When a virus is detected, the scanner must always generate a message, however, without forcing any file actions (e.g. deleting, blocking or moving). All messages must be logged on the virus scanner server. The virus scan clients configuration must prevent the display of any messages that could hide more important process information. For reasons of performance, it must be possible to configure the virus scan clients so that only their local drives are scanned and prevent overlapping scans on network drives. Likewise, it must be possible to configure the virus scan clients so that only incoming data traffic is scanned, provided that all local data has already been scanned at least once.

Virus scanner: A virus scanner is a software that detects, blocks or eliminates known harmful program routines (computer viruses, worms and similar malware). Scan engine (scan module): The scan engine is a component of the virus scanner software that can scan data for the presence of malware. Virus signature file (virus pattern / definition file): This file provides the virus signatures to the scan engine that helps you to scan data for the existence of malware. Virus scan client: The virus scan client is a computer that is scanned for viruses and managed by the virus server. Virus scan server: The virus scan server is a central station that manages the virus scan clients, loads virus signature files and distributes them to the virus scan clients.

2.2

Using virus scanners

The use of a virus scanner should never inhibit runtime operation of a plant. The following two examples show the problems developing in an automation system as a result of the use of virus scanners: A virus scanner may not shut down a computer that is infected with a virus if there is any risk of loosing control of the production process or if the plant can no longer be brought into a safe state. Likewise, project files such as database archives that are infected with a virus must not be moved, blocked or deleted automatically if such actions prevent further reproducibility of important measuring values.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

2.3

Basic virus scanner architecture

To conform with requirements specified in the section Using virus scanners, it is advisable to implement a basic virus scanner architecture as shown in Fig. 2-1. The virus scan server manages its virus scan clients and downloads the virus signatures from the Internet at the update server of the virus scan manufacturer or from a master virus scan server. A Web console or similar can be used for administrative access to the virus scan server.

Fig. 2-1 Depending on the manufacturer, you can implement several virus scan servers to operate in parallel or within a hierarchy structure.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

2.4

Strategy for distributing virus signatures

To exclude any risk to plant operation through the use of a virus scanner and to take precautions against the minor risk of receiving "harmful" virus signatures (which are incorrectly interpreted as malware by the automation software), it is advisable to perform the following procedure for virus signature updates: The virus scan server downloads the virus signatures from the update server of the virus scan manufacturer on the Internet or from a master virus scan server on the Internet. All process servers and clients must be operated in redundant mode. At least two groups must be created on the virus scan server for each system. Each group contains a server for the redundancy partner, including half the number clients assigned to the group (see Fig. 2-2).

Configuration of a small-scale test system that is capable of simulating the vital functions of the existing plant. Start simulation by loading the new virus signatures for testing in order to detect any negative impact on plant operation. If no fault has occurred on the test system on expiration of a defined period and neither the virus scanner manufacturer, nor Siemens have reported problems in terms of compatibility with the virus signatures, the signatures can be loaded to a group in each plant. This operation only has a minor or no effect on plant operation. If no problems were found in the systems in terms of compatibility with the virus signatures on expiration of a period to be specified, the signatures can also be loaded to the other groups.

Fig. 2-2

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

2.5

Configuration of virus scanners

Recommendations for virus scanner configurations Integrated firewall of the virus scanner The local Windows firewall is used as of PCS 7 V7.0 und WinCC V6.2 and configured using the SIMATIC Security Control (SSC) component. Therefore, the firewall integrated in most of the virus scanners must not be installed. Manual scan (manual scan, on demand scan) A manual scan (also known as On Demand Scan, depending on the product) must not be performed on virus scan clients while process mode (runtime) is active. The scan should be initiated at regular intervals, e.g. within a maintenance interval, on all computers of the plant. Automatic scan (auto-protect, on-access scanning) For the automatic scan, it is sufficient to check incoming data traffic. Time-controlled scan (scheduled check, on demand scan) A time-controlled scan (also known as On Demand Scan, depending on the product) must not be performed on virus scan clients while process mode (runtime) is active.

Displaying messages To prevent impairment of the process mode, messages must not be displayed on the virus scan clients. Drives To avoid overlapping scans on network drives, only the local drives are scanned. E-mail scan The e-mail scan should/must be disabled, except on an engineering station actually receiving e-mails. Organization into groups The virus scan clients must be organized in groups. Distribution of the virus signature (pattern update) The master virus scan server distributes the virus signatures to the virus scan clients. The non-reactive use of the virus signatures must be verified in a test system before deploying them in process mode. Distribute the virus signatures manually to the respective groups. Updating the virus scan engine Do not run any updates of the virus scan engine while process mode is active (runtime), as such operations could require rebooting the virus scan clients

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

2.6

Approved virus scanners for PCS 7 and WinCC

For information on the compatibility of virus scanners with a specific PCS 7 or WinCC version, refer to the Internet. PCS 7: http://support.automation.siemens.com/WW/view/en/10154608 WinCC: http://support.automation.siemens.com/WW/view/en/24122009 The virus scanners were rated as follows in accordance with virus scanner requirements

Requirement

Trend Micro Office Scan 7.3 Yes Yes

Trend Symantec Micro AntiVirus 10.0 Office Scan AntiVirus 10.2 8.0 Yes Yes Yes Yes

Symantec Endpoint Protection 11.0 Yes Yes

McAfee VirusScan V8.0i VirusScan V8.5i Yes Yes

The virus scanner can be installed without firewall. The virus scan clients can be organized and configured in groups. Automatic distribution of virus signatures can be disabled. The virus signatures can be distributed manually and to selected groups. Manual and group-by-group file scans are supported.

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Conditional 1

Yes

Yes

Yes

Yes No 2

Yes Yes

Yes Yes

Yes No 2

Detection of a virus triggers Yes a message output but no file action.

1) Manual distribution of virus definition files is only possible if automatic distribution is enabled as well. 2) The guidelines do not contain an option for setting the action so that logging is enabled although no action occurs.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

10

White Paper

Security Concept PCS 7 & WinCC

December 2011

Practical information
General Information
For information on Trend Micro Office Scan 7.3, refer to: http://de.trendmicro-europe.com/enterprise/products/product_overview.php For information on Symantec AntiVirusTM Corporate Edition, refer to: http://www.symantec.com/enterprise/products/overview.jsp?pcid=1322&pvid=805_1 For information on McAfee VirusScan Enterprise, refer to: http://www.mcafee.com/de/enterprise/products/anti_virus/file_servers_desktops/virusscan_enterprise_80i.html

Additional information
Software setup routines usually represent a serious modification of the local system and should always be run from a virus-free storage location on a file server with integrated virus scanner or from a DVD; a virus scanner should neither ob struct, nor corrupt such installations. To achieve this goal, you should select so-called file transfer / installation servers or virus scan configuration settings that do not interfere with setup procedures, without having to disable the virus scanner.

Test option of virus scanners

To run a simple test of the detection and reporting of virus infection and of the corresponding reaction of the virus scanners, you can deploy the test files available at http://www.eicar.org/anti_virus_test_file.htm.

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

White Paper

Security Concept PCS 7 & WinCC

December 2011

11

A white paper issued by Siemens. 2011 Siemens Industry, Inc. All rights reserved.

Siemens Industry, Inc. Industry Automation 3333 Old Milton Parkway Alpharetta, GA 30005 1-800-964-4114 info.us@siemens.com

Subject to change without prior notice Order No.: HMWP-A5E02-1111 Printed in USA 2011 Siemens Industry, Inc.

The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners.

www.usa.siemens.com