Proposals and recommendations for technical and organizational measures for secure operation of plant and machinery
Version 1.1
Current incidents have demonstrated the vulnerability of automation systems. Possible effects of a security incident:
- Risk of death and serious injury
- Environmental disaster
- Loss of intellectual property
- Loss of production or impaired product quality
- Damage to company image and financial loss
Siemens AG 2011. All Rights Reserved. Industry Sector
Page 3
2011-11-11
v1.1
Figure: ranking of the protection goals. Office security: Confidentiality, then Integrity, then Availability. The contrasting ranking shown alongside it: Availability, then Integrity, then Confidentiality.
Security solutions in an industrial context must take account of all protection levels:
Plant security
- Access blocked for unauthorized persons
- Physical prevention of access to critical components
Plant IT security
- Controlled interfaces between office and plant network, e.g. via firewalls
- Further segmentation of the plant network
- Antivirus and whitelisting software
- Maintenance and update processes
Access protection
- User authentication for plant or machine operators
- Integrated access protection mechanisms in automation components
Operators: requirements that operators of industrial automation systems must meet
- Security guidelines and processes
- Risk management in terms of security
- Information and document management, etc.
System integrators: system-side requirements in terms of
- Access protection, user control
- Data integrity and confidentiality
- Controlled data flow, etc.
Component vendors: requirements that components of an automation system must meet in terms of
- Product development processes
- Product functionalities
Security Management
Security Management forms a major part of any Industrial Security concept.
- Definition of security measures depending on hazards and risks identified in the plant
- Attaining and maintaining the necessary Security Level calls for a rigorous Security Management process with:
  - Risk analysis including definition of countermeasures aimed at reducing the risk to an acceptable level
  - Coordinated organizational / technical measures
  - Regular / event-driven repetition
- Need for manufacturers, system integrators and operators to take account of Industrial Security
- Products, systems and processes must meet applicable duty-of-care requirements, based on laws, standards, internal guidelines and the state of the art.
1 Risk analysis
The risk analysis is an important precondition for Security Management relating to a plant or machine, aimed at identifying and assessing individual hazards and risks. Typical content of a risk analysis:
- Identification of threatened objects
- Analysis of value and damage potential
- Threat and weak points analysis
- Identification of existing security measures
- Risk assessment
Figure: risk matrix. Vertical axis: damage magnitude (Schadenshöhe), from very low to very high; horizontal axis: probability of occurrence (Eintrittswahrscheinlichkeit), from very low to very high (sehr gering, gering, mittel, hoch, sehr hoch). The high-damage, high-probability region is marked "unacceptable risks" and calls for technical measures; the remaining region is marked "acceptable risks".
The identified unacceptable risks must be eliminated or, more typically, reduced by suitable measures. Which risks are ultimately acceptable can only be specified individually for the application concerned. However, neither a single measure nor a combination of measures can guarantee 100% security.
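The matrix above and the treatment rule that follows it can be carried through in code. The following is an added example, not part of the Siemens deck: the five level names are translated from the matrix axes, while the multiplicative score, the acceptance threshold of 10, the sample risk register and the effect attributed to each countermeasure are this example's own assumptions (the deck itself says acceptability is decided per application). It shows why a single measure may leave a risk above the line and a combination is needed.

```python
"""Risk matrix evaluation for an automation plant (added example).

Levels follow the matrix axes (sehr gering .. sehr hoch). The score
(probability rank x damage rank) and ACCEPTANCE_THRESHOLD are assumptions
of this example; the threshold must be set per application.
"""
from dataclasses import dataclass, replace
from typing import Optional

LEVELS = ("very low", "low", "medium", "high", "very high")
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}  # 1..5

# Assumed threshold: a score at or above this value is unacceptable.
ACCEPTANCE_THRESHOLD = 10


@dataclass(frozen=True)
class Risk:
    asset: str              # threatened object
    threat: str             # threat / weak point
    probability: str        # probability of occurrence (Eintrittswahrscheinlichkeit)
    damage: str             # damage magnitude (Schadenshoehe)
    measures: tuple = ()    # existing or planned countermeasures


def risk_score(risk: Risk) -> int:
    """Ordinal rank of probability times ordinal rank of damage (1..25)."""
    return RANK[risk.probability] * RANK[risk.damage]


def is_acceptable(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    return risk_score(risk) < threshold


def apply_measure(risk: Risk, measure: str,
                  probability_after: Optional[str] = None,
                  damage_after: Optional[str] = None) -> Risk:
    """Record a countermeasure and the residual probability/damage it leaves.

    A measure may lower the probability (e.g. a cell firewall), the damage
    (e.g. a safe-state fallback) or both; the risk entry itself stays in the
    register so the residual risk remains visible.
    """
    return replace(
        risk,
        probability=probability_after or risk.probability,
        damage=damage_after or risk.damage,
        measures=risk.measures + (measure,),
    )


def assess(risks, threshold: int = ACCEPTANCE_THRESHOLD):
    """Return (asset, threat, score, verdict) rows, highest score first."""
    rows = [(r.asset, r.threat, risk_score(r),
             "acceptable" if is_acceptable(r, threshold) else "unacceptable")
            for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register for one production cell (not real plant data).
SAMPLE_RISKS = (
    Risk("PLC, packaging cell", "malware introduced via engineering PC", "high", "very high"),
    Risk("HMI panel", "unauthorised local operation", "medium", "medium"),
    Risk("Engineering workstation", "theft of project files", "low", "high"),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(row)
    plc = SAMPLE_RISKS[0]
    # One measure lowers probability but the score (2 x 5 = 10) stays on the line.
    treated = apply_measure(plc, "cell firewall + application whitelisting",
                            probability_after="low")
    print(risk_score(treated), is_acceptable(treated))
    # A second measure limiting the damage brings it below the threshold (2 x 3 = 6).
    treated = apply_measure(treated, "safety PLC with safe-state fallback",
                            damage_after="medium")
    print(risk_score(treated), is_acceptable(treated))
```

The register keeps the treated entry rather than deleting it, so the residual risk and the measures that justify it are still there for the audit and the repeated risk analysis described later in the deck.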
Technical measures
1. Security organization and policies
2. Plant security
3. Plant IT security
   1. Network segmentation
   2. System hardening
   3. Patch management
   4. Access protection
2. Plant security
Measures
Company security
- Company premises fenced off and under surveillance
- Access controls, locks / ID card readers and / or security staff
- Visitors / external personnel escorted by company staff
Physical production security
- Separate access controls for production areas
- Critical components in securely lockable control cubicles / rooms including surveillance and alarm facilities
- Cordoned-off production areas with restricted access
Example of network segmentation by means of the cell protection concept with Security Appliances
PLC and PC communication processors (CP) with "Security Integrated" (firewall, VPN) can soon be used for protecting controllers and automation cells as an alternative to security appliances (SCALANCE S).
Figure panels: cell protection with Security Appliance (SCALANCE S); cell protection with Security Integrated PC/PLC-CPs.
3. Plant IT security: Network segmentation
Measures
- Division of the automation network into appropriate network segments and control of incoming and outgoing data traffic by a firewall (perimeter security). For example, critical network protocols can be blocked.
- Bandwidth restriction, for example in the cell firewall or in switches. Network overload from outside the cell then cannot affect the devices inside it.
- Data transfer via non-secure networks, e.g. between cells or from clients to cells, can be encrypted and authenticated with the Security or VPN Appliance that controls access to the cell.
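What "control of incoming and outgoing data traffic by a firewall" at the cell boundary means in practice is easiest to see as a rule set and a check of flows against it. The block below is an added example, not from the Siemens deck and not SCALANCE S configuration syntax: the cell subnet, the engineering station and the historian addresses are constructed, and the two port numbers (102/TCP for ISO-on-TCP as used by S7 communication, 4840/TCP for OPC UA) are real protocol ports chosen to illustrate allowing only the authorised flows and blocking critical protocols from everywhere else. The constructed flow records stand in for what the perimeter device would log.

```python
"""Cell-protection firewall policy for one automation cell (added example).

Not SCALANCE S syntax. All addresses are constructed; first matching rule
wins and anything unmatched is denied, which is the cell-protection default.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"              # "tcp", "udp" or "any"
    dport: Optional[int] = None     # None matches any destination port
    comment: str = ""


def rule(action, src, dst, proto="any", dport=None, comment=""):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, dport, comment)


CELL = "192.168.10.0/24"          # constructed cell subnet behind the appliance
ENGINEERING_PC = "10.1.0.5/32"    # constructed, in the plant network
HISTORIAN = "10.1.0.20/32"        # constructed
ANY = "0.0.0.0/0"

# Explicit deny rules make the default visible when the policy is reviewed.
CELL_POLICY: List[Rule] = [
    rule("allow", ENGINEERING_PC, CELL, "tcp", 102, "engineering access to PLCs"),
    rule("allow", CELL, HISTORIAN, "tcp", 4840, "process data to historian (OPC UA)"),
    rule("deny", ANY, CELL, comment="no other inbound traffic into the cell"),
    rule("deny", CELL, ANY, comment="no other outbound traffic from the cell"),
]


def evaluate(policy, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.comment
    return "deny", "implicit default deny"


# Constructed flow records in the form "<src> <dst> <proto> <dport>".
SAMPLE_FLOWS = """\
10.1.0.5 192.168.10.10 tcp 102
10.0.3.7 192.168.10.10 tcp 102
192.168.10.10 10.1.0.20 tcp 4840
192.168.10.11 10.0.3.7 tcp 445
10.1.0.5 192.168.10.10 udp 161
"""


def denied_flows(policy, flow_text: str):
    """Flows the policy rejects; these are the events the cell firewall should log."""
    out = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        action, why = evaluate(policy, src, dst, proto, int(dport))
        if action == "deny":
            out.append((src, dst, proto, int(dport), why))
    return out


if __name__ == "__main__":
    for flow in denied_flows(CELL_POLICY, SAMPLE_FLOWS):
        print("DENIED", flow)
```

Note that the second flow is the same protocol and target as the first but from an unlisted office address, and the last is the right source but an unlisted protocol; both are dropped by the inbound deny rule, which is the behaviour the deck's "critical network protocols can be blocked" refers to.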
3. Plant IT security: System hardening
Hardware interfaces
Hardware interfaces constitute a risk if unauthorized access via them to equipment or the system is possible. Unused interfaces should therefore be deactivated:
- Ethernet/Profinet ports
- WLAN, Bluetooth
- USB, Firewire, etc.
Protection by deactivation or mechanical blocking. Deactivate booting and autostart mechanisms of external media.
User accounts
Every active user account enables access to the system and is thus a potential risk.
- Reduce configured / activated user accounts to the minimum really necessary
- Use secure access data for existing accounts
- Regular checks, particularly of locally configured user accounts
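The "regular checks of locally configured user accounts" can be made repeatable by comparing the accounts actually present on a plant PC against the documented minimum. The block below is an added example, not from the Siemens deck: the account records are constructed (the fields are what an operator might export from an HMI or engineering PC), and the allow-list, the 90-day dormancy limit and the one-year password age are this example's own assumptions.

```python
"""Review of locally configured user accounts on a plant PC (added example).

REQUIRED_ACCOUNTS, DORMANT_AFTER and PASSWORD_MAX_AGE are assumed policy
values; SAMPLE_ACCOUNTS is a constructed export, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    is_admin: bool
    last_logon: Optional[date]       # None = never logged on
    password_set: Optional[date]     # None = password never set / unknown


# Accounts the plant documentation says this machine needs (assumption).
REQUIRED_ACCOUNTS = {"operator", "maintenance", "plantadmin"}

DORMANT_AFTER = timedelta(days=90)
PASSWORD_MAX_AGE = timedelta(days=365)


def audit_accounts(accounts: List[Account], required, today: date) -> Dict[str, List[str]]:
    """Return findings keyed by account name; an empty dict means nothing to fix."""
    findings: Dict[str, List[str]] = {}

    def flag(name: str, msg: str) -> None:
        findings.setdefault(name, []).append(msg)

    seen = set()
    for a in accounts:
        seen.add(a.name)
        if a.enabled and a.name not in required:
            flag(a.name, "enabled but not in the documented minimum set: disable or remove")
        if a.enabled and a.last_logon is None:
            flag(a.name, "enabled and never used")
        elif a.enabled and today - a.last_logon > DORMANT_AFTER:
            flag(a.name, f"dormant for {(today - a.last_logon).days} days")
        if a.enabled and (a.password_set is None
                          or today - a.password_set > PASSWORD_MAX_AGE):
            flag(a.name, "password older than policy or never set")
        if a.is_admin and a.name not in required:
            flag(a.name, "undocumented administrative account")
    # A documented account that is missing is also a finding: someone may be
    # working under a shared or ad-hoc account instead.
    for missing in sorted(required - seen):
        flag(missing, "documented account does not exist")
    return findings


TODAY = date(2011, 11, 11)   # constructed reference date

SAMPLE_ACCOUNTS = [
    Account("operator", True, False, date(2011, 11, 10), date(2011, 6, 1)),
    Account("maintenance", True, False, date(2011, 5, 2), date(2010, 1, 15)),
    Account("plantadmin", True, True, date(2011, 11, 1), date(2011, 9, 1)),
    Account("integrator_tmp", True, True, date(2010, 8, 30), date(2010, 8, 30)),
    Account("guest", False, False, None, None),
]

if __name__ == "__main__":
    for name, msgs in audit_accounts(SAMPLE_ACCOUNTS, REQUIRED_ACCOUNTS, TODAY).items():
        for msg in msgs:
            print(f"{name}: {msg}")
```

The leftover commissioning account (`integrator_tmp`) is the typical finding such a check surfaces: enabled, administrative, undocumented and unused for over a year. The disabled `guest` account produces no finding, since the deck's concern is active accounts.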
3. Plant IT security: System hardening. Identifying / preventing malware with virus scanners
Suitable antivirus software should be used to identify malware and to prevent further spreading. Depending on the particular case, certain aspects should however be taken into account:
- Performance loss due to the scan procedure (e.g. only automatic scan of incoming data transfer and manual scan during maintenance pauses)
- Regular updating of virus signatures, if applicable via a central server
- Availability must generally be assured even in the case of infection with malware. This means that the virus scanner must under no circumstances:
  - Remove files or block access to them
  - Place files in quarantine
  - Block communication
  - Shut systems down
Compatibility test of SIMATIC products with*):
- Trend Micro Office Scan
- Symantec Endpoint Protection
- McAfee VirusScan Enterprise
*) Please note that compatibility must be verified for each specific configuration.
3. Plant IT security: Access protection
- Central user authentication for plant or machine operators with individual access rights for operations
- Integrated access protection mechanisms in automation components, in order to prevent unauthorized changes via the engineering system or during maintenance
- Access protection on network level, in order to enable only authorized network devices
- Use various passwords that are as secure as possible
- Coordination among a number of persons, possibly a centrally coordinated password manager application including access rights via network drives
Reviewing of measures
Reviews and improvements: after implementation of all planned measures a Security Audit is conducted to ensure that
- measures have been put into practice as scheduled,
- these measures eliminate / reduce the identified risks as expected.
Depending on the results, measures can be amended / supplemented in order to attain the necessary security.
Repeating the risk analysis: due to changes in security threats, regular repetition of the risk analysis is required in order to ensure the security of plant / machinery
- following certain occurrences (expansion of or changes to plant / machinery, significant changes in security threats, etc.)
- annual check of whether a fresh risk analysis is required
The Siemens Industrial Security Concept is based on five key points that cover the main aspects of protection.
- Implementation of practicable and comprehensive Security Management in terms of the technology used as well as the engineering and production processes.
- The interfaces to office IT and the Internet/Intranet are subject to clearly defined regulations and are monitored accordingly.
- PC-based systems (HMI, engineering and PC-based controls) must be protected with the aid of anti-virus software, whitelisting (positive lists) and integrated security mechanisms.
- The control level is protected by various integrated security functions.
- Communication must be monitored and can be intelligently segmented by means of firewalls.
Security Management
- Support in the introduction and maintenance of technical and organizational security measures based on standards and guidelines
- Thoroughly thought-out security concepts for automation components (PCs, controllers, networks) in the sense of Totally Integrated Automation
Further individual support in planning / implementing an Industrial Security Concept is available from our Industrial Security Services.
Summary
- Industrial Security is not just a question of technical implementation, but begins with an awareness of the significance of security on all levels of management and the workforce
- Security is an ongoing process and must be taken into account in all phases of a plant's lifecycle
- Depending on the particular risks inherent in the automation system, appropriate organizational and technical measures must be taken and regularly reviewed
- Siemens Industry Automation provides products and systems as well as Security Services, in order to ensure comprehensive Industrial Security solutions for our customers