operational guidelines industrial security en

Upload: mn-titas-titas

Post on 04-Jun-2018


  • 8/13/2019 Operational Guidelines Industrial Security En

    1/41

    Siemens AG 2011. All Rights Reserved.

    Operational Guidelines for Industrial Security: Proposals and recommendations for technical and organizational measures for secure operation of plant and machinery

    Version 1.1


    1. Overview

    2. Detailed Measures

    3. Summary


    Siemens AG 2011. All Rights Reserved. Industry Sector, 2011-11-11, v1.1

    Why Industrial Security is so important

    Industrial Security for protection of production plant and automation systems

    Possible threat scenarios:
    - Spying on data, recipes
    - Sabotage of production plant
    - Plant downtime e.g. caused by virus and malware
    - Manipulation of data or of application software
    - Unauthorized use of system functions

    Current incidents have demonstrated the vulnerability of automation systems

    Possible effects of a security incident:
    - Risk of death and serious injury
    - Environmental disaster
    - Loss of intellectual property
    - Loss of production or impaired product quality
    - Damage to company image and financial loss


    Industrial Security vs. Office Security

    [Figure: Confidentiality, Integrity and Availability in Office Security and in Industrial Security]

    Requirements that a Security solution must meet in an industrial context:
    - 24/7/365 availability has top priority
    - Constant operability and assured system access
    - System performance
    - Protection against maloperations and sabotage
    - Know-how protection
    - System and data integrity
    - Data transfer in real time
    - Support throughout the lifecycle of a plant
    - Security trail and change management


    Fundamental Industrial Security levels

    Plant security:
    - Access blocked for unauthorized persons
    - Physical prevention of access to critical components

    Plant IT security:
    - Controlled interfaces between office and plant network e.g. via firewalls
    - Further segmentation of plant network
    - Antivirus and whitelisting software
    - Maintenance and update processes

    Access protection:
    - User authentication for plant or machine operators
    - Integrated access protection mechanisms in automation components

    Security solutions in an industrial context must take account of all protection levels


    Risk analysis

    The risk analysis is an important precondition for Security Management relating to a plant or machine, aimed at identifying and assessing individual hazards and risks.

    Typical content of a risk analysis:
    - Identification of threatened objects
    - Analysis of value and damage potential
    - Threat and weak points analysis
    - Identification of existing security measures
    - Risk assessment

    The identified and unacceptable risks must, by way of suitable measures, be ruled out or typically reduced. Which risks are ultimately acceptable can only be specified individually for the application concerned. However, neither a single measure nor a combination of measures can guarantee 100% security.

    [Figure: four numbered steps: Risk analysis; Policies, Organizational measures; Technical measures; Validation & improvement]

    [Figure: risk matrix of amount of damage against probability of occurrence, each graded very low, low, medium, high, very high, with regions marked acceptable risks and unacceptable risks]


    Organization and technical measures to reduce security risks

    1. Security organization and policies
    2. Plant security
    3. Plant IT security
       - Network segmentation
       - System hardening
       - Patch management
    4. Access protection


    1. Security organization and guidelines

    Policies and processes

    Definition of policies and processes in order to ensure a uniform procedure and to support the upholding of the defined Industrial Security concept.

    Examples of Security-relevant policies:
    - Uniform stipulations for acceptable Security risks
    - Reporting mechanisms for unusual activities and events
    - Communication and documentation of Security incidents
    - Use of mobile PCs and data storage in the production area (e.g. forbidding their use outside this area / the production network)

    Examples of Security-relevant processes:
    - Dealing with known / corrected weak points in components used
    - Procedure in the event of Security incidents (Incident Response Plan)
    - Procedure for restoring production systems after Security incidents
    - Recording and evaluation of Security events and configuration changes
    - Test / inspection procedure for external data carriers before use in the production area


    2. Plant security

    Physical protection of critical production facilities

    - Measures and processes to prevent access by unauthorized persons to the surroundings of the plant
    - Physical separation of various production areas with differentiated access authorizations
    - Physical access protection for critical automation components (e.g. locked control cabinets)
    - Coordinated guidelines for physical and plant IT security required


    2. Plant security

    Physical protection of critical production facilities

    Risks:
    - Access by unauthorized persons to production premises / building
    - Physical damage to or changing of production equipment
    - Loss of confidential information through espionage

    Measures:

    Company security:
    - Company premises fenced off and under surveillance
    - Access controls, locks / ID card readers and / or security staff
    - Visitors / external personnel escorted by company staff

    Physical production security:
    - Separate access controls for production areas
    - Critical components in securely lockable control cubicles / rooms including surveillance and alarm facilities
    - Cordoned-off production areas with restricted access


    Separation of production and office networks

    - The first step in network segmentation is strict separation between the production networks and the other company networks.
    - In the simplest case, separation is provided by means of a single firewall system that controls and regulates communication between the networks.
    - In the more secure variant, the link is via a separate DMZ or perimeter network. Direct communication between the production and the company networks is completely blocked by firewalls; communication can take place only indirectly via servers in the DMZ network.
    - The production networks should likewise be subdivided into separate automation cells, in order to safeguard critical communication mechanisms.

    [Figure: Office network, DMZ network and Production network]
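
    One way to check a firewall rule set against the DMZ variant described above, as an added example that is not part of the original guideline. The zone address ranges, rule names and ports are constructed for illustration; rule order (first match) is not evaluated, every allow rule is checked on its own.

```python
from ipaddress import ip_network

# Constructed zone addressing (assumption, not from the guideline).
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "production": ip_network("10.30.0.0/16"),
}

# Constructed firewall rules: (name, source, destination, port, action).
RULES = [
    ("erp-to-dmz-historian", "10.10.5.0/24", "10.20.0.10/32", 443, "allow"),
    ("dmz-historian-to-cell1", "10.20.0.10/32", "10.30.1.0/24", 4840, "allow"),
    ("legacy-report-pull", "10.10.7.20/32", "10.30.2.15/32", 102, "allow"),
    ("any-to-production", "0.0.0.0/0", "10.30.0.0/16", 80, "allow"),
    ("office-to-prod-deny", "10.10.0.0/16", "10.30.0.0/16", None, "deny"),
]


def zones_touched(cidr):
    """Return the names of all zones whose address range overlaps cidr."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit_dmz_separation(rules):
    """Flag allow rules that let office and production talk directly.

    A rule breaks the DMZ principle when its source can lie in one of the
    two zones and its destination in the other, in either direction. Broad
    rules such as 0.0.0.0/0 are caught because they overlap the office zone.
    """
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_zones, dst_zones = zones_touched(src), zones_touched(dst)
        direct = (
            ("office" in src_zones and "production" in dst_zones)
            or ("production" in src_zones and "office" in dst_zones)
        )
        if direct:
            findings.append((name, src, dst, port))
    return findings


if __name__ == "__main__":
    for name, src, dst, port in audit_dmz_separation(RULES):
        print(f"direct office/production path: {name} {src} -> {dst} port {port}")
```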


    Protection of automation components based on segmented production networks

    The security cells / zones concept:
    - A cell or zone is a network segment sealed off for security purposes
    - There are access controls at the entry to the cell in the form of security network components
    - Devices without their own access protection mechanisms are safeguarded within the cell. This principle is thus suitable for retrofitting in existing installations
    - The cell can be protected against network overload by bandwidth restriction, and data traffic within the cell upheld without disturbance
    - Real-time communication remains unaffected within the cell
    - Safety applications are likewise safeguarded within the cell without any influence from Security Mechanisms
    - Secure channel and therefore secure communication between cells

    Protection of automation equipment and industrial communication by means of:
    - Firewall/VPN appliances
    - VPN client software for IPCs or PCs, to create secure and authenticated links to the Security Appliances


    Segmentation of a production network into multiple secured automation cells protects components against unauthorized access, network overload, etc.


    3. Plant IT security: Network segmentation

    Possible risks and recommended measures

    Risks:
    - Unauthorized access to automation devices without their own Security Mechanisms
    - Deterioration in equipment availability due to network overload
    - Espionage / manipulation of data transfer between automation systems

    Measures:
    - Division of the automation network into appropriate network segments and control of incoming and outgoing data traffic by a firewall (perimeter security). For example, critical network protocols can be blocked.
    - Bandwidth restriction, for example in cell firewall or in switches. Network overload from outside the cell cannot affect those inside.
    - Data transfer via non-secure networks, e.g. between cells or from clients to cells, can be encrypted and authenticated with the Security or VPN Appliance that controls access to the cell.


    3. Plant IT security: System hardening
    Reducing vulnerability

    Network services:
    - Services with weak points are a potential security risk
    - In order to minimize risks, on all automation components only the services actually required should be activated
    - All activated services (especially Webserver, FTP, remote access, etc.) should be taken into account in the security concept
    - IP hardening measures in SIMATIC products enhance security without the need for separate user configuration

    Hardware interfaces:
    - Hardware interfaces constitute a risk if unauthorized access via them to equipment or the system is possible
    - Unused interfaces should therefore be deactivated:
      - Ethernet/Profinet ports
      - WLAN, Bluetooth
      - USB, Firewire, etc.
    - Protection by deactivation or mechanical blocking
    - Deactivate booting and autostart mechanisms of external media

    User accounts:
    - Every active user account enables access to the system and is thus a potential risk
    - Reduce configured / activated user accounts to the really necessary minimum
    - Use secure access data for existing accounts
    - Regular checks, particularly of locally configured user accounts
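
    The network-services point above can be checked on a PC-based station by comparing its listening TCP ports with the services recorded in the security concept. This is an added example, not part of the original guideline; the `netstat -an` sample output and the documented-services table are constructed.

```python
# Constructed `netstat -an` output from a Windows-based station (not from the page).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    192.168.10.5:49712     192.168.10.20:102      ESTABLISHED
"""

# Hypothetical extract of the security concept: port -> documented purpose.
DOCUMENTED = {443: "HTTPS web interface", 3389: "remote maintenance access"}


def parse_listeners(netstat_output):
    """Return (host, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps IPv6 literals such as [::] intact.
        host, _, port = fields[1].rpartition(":")
        if port.isdigit():
            listeners.append((host.strip("[]"), int(port)))
    return listeners


def is_loopback(host):
    """True for addresses that are reachable only from the station itself."""
    return host.startswith("127.") or host == "::1"


def audit_services(netstat_output, documented):
    """Sort listening ports into documented, undocumented and loopback-only."""
    report = {"documented": [], "undocumented": [], "loopback_only": []}
    for host, port in parse_listeners(netstat_output):
        if is_loopback(host):
            report["loopback_only"].append(port)
        elif port in documented:
            report["documented"].append(port)
        else:
            report["undocumented"].append(port)
    return report


if __name__ == "__main__":
    result = audit_services(SAMPLE_NETSTAT, DOCUMENTED)
    for port in result["undocumented"]:
        print(f"port {port} is listening but not in the security concept")
```

    Undocumented ports are candidates either for deactivation or for inclusion in the security concept; loopback-only listeners are reported separately because they are not reachable from the network.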


    3. Plant IT security: System hardening
    Identifying / preventing malware with virus scanners

    Suitable antivirus software should be used to identify malware and to prevent further spreading.

    Depending on the particular case, certain aspects should however be taken into account:
    - Performance loss due to scan procedure (e.g. only automatic scan of incoming data transfer and manual scan during maintenance pauses)
    - Regular updating of virus signatures if applicable via central server
    - Availability must generally be assured even in the case of infection with malware. This means that the virus scanner must under no circumstances:
      - Remove files or block access thereto
      - Place files in quarantine
      - Block communication
      - Shut systems down

    Compatibility test of SIMATIC products with *):
    - Trend Micro Office Scan
    - Symantec Endpoint Protection
    - McAfee VirusScan Enterprise

    *) Please note the compatibility must be verified for each specific configuration


    3. Plant IT security: Patch management
    Firmware updates for automation equipment

    Even such automation components as do not use a standard PC operating system are not necessarily free of security-relevant weak points

    As soon as information on a weak point becomes available, the weak point should be evaluated for relevance to the application concerned

    Depending thereon, it can be decided whether further measures should be taken:
    - No action, as existing measures provide sufficient protection
    - Additional external measures in order to uphold the security level
    - Installation of latest firmware updates to eliminate the weak point

    The procedure amounts to a risk analysis like at the beginning, but with restricted focus


    4. Access protection
    Protection against unauthorized operations / changes

    - Central user authentication for plant or machine operators with individual access rights for operations
    - Integrated access protection mechanisms in automation components, in order to prevent unauthorized changes via the engineering system or during maintenance
    - Access protection on network level, in order to enable only authorized network devices


    4. Access protection
    Access protection for operations (Runtime)

    - Typically, plant / machinery is operated by various persons; central user administration is therefore advisable
    - This is based on the user accounts of a Windows domain or of a Windows Active Directory. The linking of the SIMATIC (HMI) runtime applications is in this case via SIMATIC Logon
    - Specifying / enforcing of security guidelines (e.g. password validity, monitoring of incorrect logging on, etc.)
    - Central user administration simplifies regular review of access authorizations (e.g. identifying disused accounts)

    [Figure: Central administration of user accounts / groups and policies]


    4. Access protection
    Access protection for network components (Network)

    Access protection for networks by means of:
    - Port Security with Switch Ports: MAC or IP access lists restrict access
    - Port Security with central device administration and RADIUS authentication (802.1x)
    - Perimeter security of a network in relation to other networks (e.g. Internet) with firewalls

    WLAN security:
    - Safeguarding of data transfer in accordance with WPA2 / IEEE 802.11i for Security
    - Advanced Encryption Standard (AES) for encrypting data
    - Central device administration with RADIUS authentication (in accordance with 802.1x)

    Protected configuration accesses to web interface by way of HTTPS and secure logging in via SSH


    Reviewing of measures

    Reviews and improvements:

    After implementation of all planned measures a Security Audit is conducted to ensure that
    - measures have been put into practice as scheduled,
    - these measures eliminate / reduce the identified risks as expected.

    Depending on the results, measures can be amended / supplemented in order to attain the necessary security.

    Repeating the risk analysis:

    Due to the changes in security threats, regular repetition of the risk analysis is required in order to ensure the security of plant / machinery
    - Following certain occurrences (expansion of or changes to plant / machinery, significant changes in security threats, etc.)
    - Annual check of whether a fresh risk analysis is required


    Siemens Industrial Security Concept

    - The interfaces to office IT and the Internet/Intranet are subject to clearly defined regulations - and are monitored accordingly.
    - The control level is protected by various integrated security functions.
    - PC-based systems (HMI, engineering and PC-based controls) must be protected with the aid of anti-virus software, whitelisting (positive lists) and integrated security mechanisms.
    - Communication must be monitored and can be intelligently segmented by means of firewalls.
    - Implementation of practicable and comprehensive Security Management in terms of the technology used as well as the engineering and production processes.

    The Siemens Industrial Security Concept is based on five key points that cover the main aspects of protection.


    Industrial Security: What we have to offer

    - Products and Systems: Thoroughly thought-out security concepts for automation components (PCs, controllers, networks) in the sense of Totally Integrated Automation
    - Industrial Security Services: Comprehensive services throughout the lifecycle of a customized security solution
    - Security Management: Support in the introduction and maintenance of technical and organizational security measures based on standards and guidelines

    Further individual support in planning / implementing an Industrial Security Concept is available from our Industrial Security Services
