Technical Sales Slides
Industrial Security Services | April 2018
Unrestricted
www.siemens.com/industrial-security-services
Unrestricted © Siemens AG 2018

Challenges
Productivity, cost pressure and regulations
Protect against
• externally caused incidents through increasing connectivity
• internal misbehavior
• the evolving threat landscape
Costs
• for qualified personnel
• for essential security technologies
Comply with
• reporting requirements
• minimum standards
• security know-how
Protect productivity. Reduce cost. Comply with regulations.

Industrial Security Services
Your way to protect your business in the digital enterprise
Protecting productivity with Industrial Security Services:
• Detect threats and vulnerabilities at an early stage
• React fast
• Get long-term, holistic protection

Industrial Security Services
Portfolio aligned with risk management methodology
Assess Security: evaluation of the current security status of an ICS environment
Implement Security: risk mitigation through implementation of security measures for reactive protection
Manage Security: comprehensive security through monitoring and proactive protection:
• Monitor to detect indicators of compromise
• Manage to keep security up to date
• React fast upon security-relevant threats

Assess Security
Following a risk-based approach
Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risks and recommendations of security measures to close the identified gaps.
• Industrial Security Assessment
• IEC 62443 Assessment
• ISO 27001 Assessment
• Risk and Vulnerability Assessment*
* upon request

Assess Security
How do we figure out which assessment we need in each case?
Which assessment do I need?
• Would I like a compact one-day on-site assessment based on Siemens' long-term experience in automation security? (Industrial Security Assessment)
• Would I like a quick check against the best-known security standard for Industrial Control Systems? (IEC 62443 Assessment)
• Would I like a quick check against the best-known security standard? (ISO 27001 Assessment)
• Or would I rather get a deep, time-intensive analysis of my industrial environment, including data collection? (Risk & Vulnerability Assessment)

Industrial Security Assessment
Identify security gaps and define measures to mitigate risks
Assessment derived from the IEC 62443 standards and based on the Siemens Industrial Defense in Depth concept.
• Ad-hoc identification of current security gaps based on the assessment scope
• Proposal of appropriate mitigation measures
• Available for Siemens and third-party systems
• 1 day on-site
• Coordinated by a security consultant
• Questionnaire-based checklist to identify and classify risks
• Compact report containing recommendations for risk mitigation measures

IEC 62443 Assessment
Identify security gaps and define measures to mitigate risks
Assessment of compliance with the IEC 62443 international standard (Industrial communication networks – Network and system security).
• Focus on parts 2-1 “Establishing an industrial automation and control system security program” and 3-3 “Security for industrial process measurement and control – Network and system security”
• Available for Siemens and third-party systems
• 2 days on-site
• Coordinated by a security consultant and a security engineer
• Questionnaire-based checklist to identify and classify risks
• Report of up to 30 pages containing recommendations for risk mitigation measures

ISO 27001 Assessment
Identify security gaps and define measures to mitigate risks
Quick assessment of plant security according to the ISO 27001 international standard (Information Security Management).
• On-site workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a security consultant and a security engineer
  • Typical attendants: management and the customer's responsible persons for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline evaluation of the results: analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)
• Report of up to 30 pages containing recommendations for risk mitigation measures

Risk & Vulnerability Assessment
Identify, classify and evaluate risks for a risk-based security program
• Report (~100 pages) including:
  • Project documentation:
    • Scope description
    • Current network topology
    • Current system architecture
    • Risk analysis and scoring methodology
  • Findings:
    • Network topology analysis results
    • Installed base data analysis results
    • Evaluation of system criticality results (likelihood and business impact)
    • Risk classification and risk level including scoring
    • Training needs
    • Risk mitigation measures for each finding
• Management presentation as a first step to establish a security roadmap

Implement Security
To mitigate risks
Implement Security covers the implementation of security measures to increase the protection level of shop-floor environments.
• Security Awareness Training
• Industrial Security Consulting
• Automation Firewall*
• Windows Patch Installation
• Application Whitelisting**
• Anti Virus Installation**
• System Back-Up
• Industrial Anomaly Detection
• Industrial Security Monitoring*
* Devices and implementation service
** Software and implementation service

Security Awareness Training
Cyber security knowledge transfer from a shop-floor perspective
Customer's challenge
• 91% of the security incidents in 2015 consisted of stolen credentials by use of phishing e-mails¹
• Only 3% of targeted individuals reported the phishing e-mail¹
• 70% of all security incidents are caused by human error²
Common approach
• No cyber security training at all
• Cyber security training for the office environment focusing on classic IT security topics
Weak points of common approach
• Increased vulnerability due to human error threats
• Lack of automation perspective when training staff on cyber security topics
Goal
Increase security awareness among shop-floor staff to avoid security incidents caused by human error
1) Source © Verizon 2016
2) Source © Ponemon Institute Research 2013

Security Awareness Training
Our Solution: increasing industrial security awareness
• SITRAIN training
• Web-based, one-hour training
• Generate security awareness for the staff:
  • Introduce the current threat landscape in industrial control system environments
  • Describe how to handle risks
  • Help identifying security incidents
• Includes a final test
• Available in German and English; further languages on request
• SCORM¹ compatibility for simplified integration into other e-learning software
1) Sharable Content Object Reference Model

Security Awareness Training
Knowledge transfer to secure the “weakest link”
Sample scenario: “What would happen if a seemingly unimportant control device was manipulated in such a way that a product recipe was changed and the resulting product makes people sick?”
Training content: typical daily situations, sample scenarios, knowledge check, potential vulnerabilities, statutory requirements and guidelines, statistics

Industrial Security Consulting
Provide support for ICS policies and secured network design
Policy Consulting
• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with the enterprise cyber security practice
• Examples: patch and backup strategy, handling of removable media
Security Consulting
• Support for segmentation into security cells based on the IEC 62443 standard or the SIMATIC PCS 7 & WinCC security concept
• Design and planning of a perimeter protection network: DMZ (demilitarized zone) network
• Perimeter firewall rule establishment/review and implementation
(Diagram: Protected Zone, DMZ Zone, Unsecure Zone; Industrial Security Policy)

Automation Firewall
First line of defense against highly developed threats
Customer's challenge
• Shop-floor landscape changed from isolated islands to highly complex networks
• Automation networks have grown historically and often evolved into huge flat networks without any segmentation
Today's solutions
• Perimeter protection for the office environment or the whole site
• Perimeter protection for the automation network, but controlled by office IT without automation know-how
Weak points of today's solutions
• Spread of failures due to flat networks
• Inconsistent configuration of protection measures due to lack of automation expertise (e.g. a perimeter firewall configured to protect the office against the automation network and not the other way around)
• No perimeter protection at all
Goal
Support customers by providing a perimeter protection solution in line with security requirements for industrial automation, tested and approved for usage with the Siemens process control system

Automation Firewall classic
Feature set
Our Solution: feature overview
First line of defense against highly developed threats:
• Based on Microsoft® Windows Server 2012 R2 and SecureGUARD Communication Gateway
• Application layer and stateful inspection firewall
• VPN gateway
• Secure web publishing
• Intrusion detection and prevention system (IDS/IPS)
• Antivirus (optional add-on)
• Self-protection (i.e. against denial of service attacks)
• Standard provider service (1 year included, extendable up to 5 years in total):
  • Updates for Automation Firewall software
  • Hardware spare parts (shipment of a replacement unit on the next business day)
  • Hotline support
• Migration for existing Forefront TMG 2010 possible if a standard provider service contract is in place

Automation Firewall classic
Included in the Security Concept for SIMATIC PCS 7
Our Solution: network integration
Perimeter protection in accordance with the Security Concept for SIMATIC PCS 7:
• Tested and validated in a PCS 7 environment and with Siemens industrial communication appliances
• Listed in the PCS 7 Add-on Catalogue
• Can be used as front firewall and/or back firewall in line with the white paper "Security concept PCS 7 and WinCC"
• Protects the PCS 7 and WinCC based automation network from external threats by controlling the access point to the automation network
• Additional services like Perimeter Firewall Installation and/or Management support commissioning, continuous operation and maintenance

Automation Firewall classic
Industrial Wizard for SIMATIC PCS 7 for installation and configuration
Our Solution: Industrial Wizard
The Industrial Wizard simplifies configuration and commissioning:
• Preinstalled on the Automation Firewall
• Maintained in accordance with PCS 7 / WinCC requirements
• Suitable for the initial firewall configuration (can be executed several times)
• Based on the PCS 7 / WinCC security concept
• Automatically creates firewall rules based on the entered network clients
• Migration wizard for existing Forefront TMG 2010 configurations available

Automation Firewall NG (Next-Generation)
Feature set
Our Solution: feature overview
First line of defense against highly developed threats:
• Based on Palo Alto Networks Next-Generation Firewall appliances
• Palo Alto Networks is a “Gartner Magic Quadrant Leader” for Enterprise Network Firewalls for the 6th consecutive year
• Application layer and stateful inspection firewall
• IPSec VPN gateway
• Threat Prevention (additional subscription required)
• Advanced malware protection (additional WildFire subscription required)
• File and data filtering
• Classifies all applications, on all ports, all the time
• Enforces security policies for any user, at any location
• Prevents known and unknown threats
• High availability (active/active and active/passive) modes
• Redundant power input for increased reliability (PA-220 and PA-850)
• Fan-less design (PA-220 model)

Automation Firewall NG (Next-Generation)
Different options for different needs
PA-220
• Firewall throughput: 500 Mbps
• Use cases: small automation networks with copper interfaces only (8 x copper)
• Onboard interfaces (copper): (8) 10/100/1000
• Optional interfaces (SFPs): -
• Redundant power supply: Yes
• Dimensions in inch (HxDxW): 1.62”H x 6.29”D x 8.07”W
• Dimensions in cm (HxDxW): 4,11 H x 15,98 D x 20,50 W
PA-820
• Firewall throughput: 940 Mbps
• Use cases: mid-size automation networks with a small amount of copper interfaces (4 + x SFPs), plus (fiber) SFPs optional
• Onboard interfaces (copper): (4) 10/100/1000
• Optional interfaces (SFPs): (8) SFP
• Redundant power supply: No
• Dimensions in inch (HxDxW): 1U, 19” standard rack (1.75”H x 14”D x 17.125”W)
• Dimensions in cm (HxDxW): 1U, 19” standard rack (4,45 H x 35,56 D x 43,50 W)
PA-850
• Firewall throughput: 1,9 Gbps
• Use cases: mid-size automation networks with a small amount of copper interfaces (4 + x SFPs), plus (fiber) SFPs optional
• Onboard interfaces (copper): (4) 10/100/1000
• Optional interfaces (SFPs): (4/8) SFP, (0/4) 10 SFP
• Redundant power supply: Yes
• Dimensions in inch (HxDxW): 1U, 19” standard rack (1.75”H x 14”D x 17.125”W)
• Dimensions in cm (HxDxW): 1U, 19” standard rack (4,45 H x 35,56 D x 43,50 W)
PA-3020
• Use cases: big automation networks with a small amount of copper interfaces (4 + x SFPs), plus (fiber) SFPs optional
• Onboard interfaces (copper): (4) 10/100/1000
• Dimensions in inch (HxDxW): 1U, 19” standard rack (1.75”H x 14.… D x 17.125”W)
• Dimensions in cm (HxDxW): 1U, 19” standard rack (4,45 H x 36,… D x … W)

Automation Firewall NG (Next-Generation)
Description of mandatory support & optional subscriptions
Optional subscriptions
• Threat Prevention Subscription (3 or 5 years): adds integrated protection against network-borne threats, including exploits, malware, command and control traffic, and a variety of hacking tools, through IPS functionality and stream-based blocking of millions of known malware samples.
• URL Subscription (3 or 5 years): URL Filtering provides granular, user-based controls over web activity through URL categories and customizable white- and black-lists, as well as protection from web-borne threats through malicious categories like “malware” and “phishing.”
• WildFire Subscription (3 or 5 years): the WildFire™ subscription actively analyzes unknown threats, including malware, websites, and command and control traffic, and delivers automatically created protections and intelligence back to subscribed firewalls all over the world for proactive global prevention.
Mandatory support
• Premium Support (3 or 5 years): provides services for maintaining your Palo Alto Networks deployment. Premium Support is provided directly by Palo Alto Networks and includes e.g. the following features: premium support hours (24/7 for all severities), next-business-day delivery for parts and hardware replacement, feature releases and software updates, subscription services updates, documentation and FAQ, online customer support portal, etc.

Anti Virus Installation
Virus protection solution for malware detection and prevention
Challenges
• The total number of 2015 vulnerabilities reflects a 77% increase compared to 2011¹.
• Almost one million never-before-seen malware samples are released on a daily basis².
• Until now, more than 550 million malware samples have been released in 2016³.
• Information technologies are used in industrial automation. The number of open standards and PC-based systems has increased enormously in the last years.
Our Solution
McAfee VirusScan protects systems and single files from virus infections, trojans and other malware by using continuously updated signature files. Siemens uses McAfee's enterprise anti-virus solution to enhance the protection level of shop-floor computer systems for an up-to-date defense strategy against malicious software while not interfering with the operation mode of a plant. McAfee VirusScan is approved for use with different Siemens software products like SIMATIC PCS 7, WinCC or TIA Portal.
Benefits
By adapting McAfee VirusScan to industrial security needs:
• Protection against viruses, worms, rootkits, trojans and other threats, and lower impact of outbreaks caused by malware
• Detected malware can be removed, moved to quarantine or simply remain on the system to prevent deletion of files required for the automation process
• Easy, centralized operation via management server
1) Source © Risk Based Security 2016
2) Source © Symantec
3) Source © AV-Test

Whitelisting Installation
Application control to protect against malware and unwanted applications
Challenges
• In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged, some of which were more than a decade old¹.
• Total zero-day vulnerabilities increased exponentially in the last years²:
  • 2013: 23
  • 2014: 24 (+4%)
  • 2015: 54 (+125%), more than one per week
Our Solution
With McAfee Application Control, only trusted applications are allowed to run on the computer systems. These applications are maintained in a positive list (whitelist). It prevents execution of unknown applications and executables like malware or unwanted applications. Siemens uses McAfee Application Control to enhance the protection level of shop-floor computer systems. Application Control is approved for use with different Siemens software products like SIMATIC PCS 7, WinCC, TIA Portal and SINUMERIK³.
Benefits
With McAfee Application Control adapted to industrial security needs, Siemens offers:
• Blocking of known and unknown threats (new/unknown viruses, zero-day exploits, system manipulations, …) while allowing approved, trusted applications to run
• Easy protection of unsupported legacy/obsolete systems (e.g. Microsoft Windows XP)
• Protection of real-time systems and less powerful devices, as it requires few resources
• No pattern/signature updates required
• Patching possible without disabling whitelist protection
• Easy, centralized operation via management server
1) Source © CNN Money
2) Source © Symantec
3) Selected SINUMERIK 840D PCU50.X versions

Whitelisting Installation
How does Whitelisting work?
On a device in the automation environment with whitelist (Application Control tested and approved for compatibility):
1. Attempt to execute a software
2. Check against whitelist
3. Permission to run the application is granted or denied
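The grant/deny flow on this slide, as an added Python model that is not part of the Siemens deck and is not McAfee Application Control's code: an allowlist of executable hashes decides execution without any signature updates, and a "trusted updater" rule (an assumption of this model, not a documented product feature) shows how a patch can land without disabling protection. All file paths and file contents are constructed samples.

```python
"""Model of application whitelisting (positive list) for an operator station.

Added illustration for this page, not McAfee Application Control code.
The trusted-updater rule is an assumption of this model.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    # path -> SHA-256 of the approved executable content
    approved: dict[str, str] = field(default_factory=dict)
    # processes allowed to change approved files (assumed rule, see lead-in)
    trusted_updaters: set[str] = field(default_factory=set)


def enroll(wl: Whitelist, fs: dict[str, bytes], paths) -> None:
    """Build the positive list from what is installed right now."""
    for p in paths:
        wl.approved[p] = sha256(fs[p])


def check_execution(wl: Whitelist, fs: dict[str, bytes], path: str) -> tuple[bool, str]:
    """Decision point of the slide: unknown or altered binaries are denied.
    No malware signature is consulted, only the approved hash."""
    expected = wl.approved.get(path)
    if expected is None:
        return False, "denied: not on whitelist"
    if sha256(fs[path]) != expected:
        return False, "denied: content changed since approval"
    return True, "granted"


def write_file(wl: Whitelist, fs: dict[str, bytes], writer: str,
               path: str, content: bytes) -> bool:
    """A write by a trusted updater re-approves the new content, so patching
    works with protection enabled. Any other writer changes the file but not
    the list, so the altered binary is denied at the next execution."""
    fs[path] = content
    if writer in wl.trusted_updaters:
        wl.approved[path] = sha256(content)
        return True
    return False


# Constructed sample paths (not taken from the slides).
WINCC = "C:/Program Files/Siemens/WinCC/WinCCExplorer.exe"
UPDATER = "C:/Windows/System32/wuauclt.exe"   # chosen as the trusted updater
DROPPED = "E:/removable/unknown_tool.exe"      # file arriving on removable media


def scenario() -> dict[str, tuple[bool, str]]:
    fs = {WINCC: b"wincc-build-1", UPDATER: b"update-agent-build-1"}
    wl = Whitelist(trusted_updaters={UPDATER})
    enroll(wl, fs, list(fs))

    results: dict[str, tuple[bool, str]] = {}
    # 1. Approved application runs.
    results["approved app"] = check_execution(wl, fs, WINCC)
    # 2. Never-seen binary is denied although no signature exists for it.
    fs[DROPPED] = b"never-seen-before-payload"
    results["unknown binary"] = check_execution(wl, fs, DROPPED)
    # 3. Approved binary overwritten by an untrusted process: list unchanged,
    #    so the manipulated file is denied.
    ok = write_file(wl, fs, DROPPED, WINCC, b"wincc-build-1-tampered")
    results["untrusted write re-approved"] = (ok, "list unchanged")
    results["tampered app"] = check_execution(wl, fs, WINCC)
    # 4. Same file patched by the trusted updater: hash re-approved, runs again.
    ok = write_file(wl, fs, UPDATER, WINCC, b"wincc-build-2")
    results["trusted patch re-approved"] = (ok, "hash updated")
    results["patched app"] = check_execution(wl, fs, WINCC)
    return results


if __name__ == "__main__":
    for label, (granted, reason) in scenario().items():
        print(f"{label:28s} -> {granted!s:5s} {reason}")
```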
Unrestricted © Siemens AG 2018 Transparency over data exchange within the plant networks provides you continuous & proactive identification of changes (anomalies) in the system • Automated asset identification to assist in risk analysis and mitigation • Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection Industrial Anomaly Detection The challenge: transparency of the industrial network Unrestricted © Siemens AG 2018 Customer’s challenge • Shop-floor landscape has changed from isolated islands to highly complex networks • Detection capabilities of malicious communication in the shopfloor are not given Today’s solutions • Perimeter protection to the Office IT with deep packet inspection • Endpoint Firewalls Weak points of today’s solution • No transparency about the “normal” communication in OT plants • Perimeter protection in the direction of the office IT is not detecting malicious behavior in the plant network itself • Automation solutions use proprietary protocols • No detection of new/changed assets Goal Support customers by providing an Industrial Anomaly Detection solution delivering transparency, situational awareness and traceability in the shopfloor networks Industrial Anomaly Detection Unrestricted © Siemens AG 2018 optional SIEM Combo 500 Solution Architecture: • Normal network topology of industrial plants is a ring or star with industrial components connected (Engineering Systems, PLCs, HMIs…). • Switches connect systems and mirror traffic to Span Port. • Anomaly detection Sensor is connected to span port and examines all the mirrored traffic • The Server can be connected to several Sensors and is the user interface for operators. • Multiple Servers can be connected to an Enterprise Management Console for a view across multiple plants. 
• Management console integrates with existing SOC tools (SIEM, Log Management, Analytics…) • Server, Sensor and the Management Console are installed on Siemens IPC 427E • 100% passive monitoring with a one-way network connection through the span port provides safe monitoring of industrial networks. Connection via Span Port or Tap Sensor Central Console Industrial Anomaly Detection Solution Architecture Unrestricted © Siemens AG 2018 Industrial Anomaly Detection Communications View • Automated discovery • Assets and communication pathways • Powerful and easy dashboard allows oversight and event mangement with minimal configuration • Includes vulnerability information • Supports 3rd party devices Unrestricted © Siemens AG 2018 Transparency of communication with your production assets. Industrial Anomaly Detection Benefits Transparency over data exchange within the plant networks provides you continuous & proactive identification of changes (anomalies) in the system Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection Aligned with requirements of standards, regulations and acts to protect critical infrastructure 100% passive monitoring oversees the plant network without impact to the monitored systems Automated asset identification to assist in risk analysis and mitigation Page 38 Use of an advanced machine learning system, so the detection rate will be enhanced over time Unrestricted © Siemens AG 2018 Industrial Security Monitoring The challenge: Increasing vulnerability and more attacks Seite 39 1) Source: © Booz Allen Hamilton 2015 2) Source: © https://www.datenschutzbeauftragterinfo.de/itforensik-und-incident-response-daten-und-fakten/ 2016 3) Source: © SANS Institute InfoSec Reading Room March 2016 4) Source: CNN Money 44% of them could not identify the origin of these incidents1 In a study from 2015, 34% of the operators of automation and 
process control systems responded, that their systems were attacked at least twice in the last 12 months1 In 2015 companies needed on average 205 days to detect an attack2 55% of these companies needed more than 3 hours, to get the systems again up and running3 When hackers are successfully breaking into a company, they use within 24 hours the same method, in order to attack another company of the same vertical4 To be able to react fast to potential security threats, indicators of compromise need to be identified fast Unrestricted © Siemens AG 2018 Industrial Security Monitoring Challenges: Increasing vulnerability, connectivity & need for fast reaction Seite 40 Introduction of malware via removable media and external hardware Control components connected to the Internet Human error and sabotage Intrusion via remote access Compromising of smartphones in the production environment Compromising of extranet and cloud components Malware infection via the Internet and Intranet (Distributed) denial-ofservice ((D)DOS) attacks Technical malfunctions Source © BSI analysis on cyber security 2016, German Federal Office for Information Security Unrestricted © Siemens AG 2018 Industrial Security Monitoring Security Information and Event Management Technology Seite 41 Security Event Management (SEM) • provides near real-time monitoring, collecting, correlation of security events, alarms and console views Security Information Management (SIM) • provides long-term storage and reporting of log data to comply with security policies and regulations Security Information Event Management • required by standards, certification and market: • IEC 62443 / ISA-99 • NERC-CIP Industry SIEM • enables proactive detection of attacks and anomalies • enhances Defense in Depth protection of industrial plants against cyber attacks ++ Motivation Definition Unrestricted © Siemens AG 2018 Industrial Security Monitoring Most important supported devices Seite 42 OPERATING SYSTEMS Windows XP to Windows 8 
Windows Server 2003 to 2012 Linux/UNIX systems NETWORK DEVICES Automation Firewall SCALANCE S, M and X 3rd Party (NG and Application Layer FWs, IDS/IPS, Switches) INDUSTRIAL CONTROL SYSTEMS SIMATIC S7 with specific application DB SIMATIC CP with Security Integrated SINUMERIK PCU SOFTWARE AND SECURITY APPLICATIONS McAfee ePO TrendMicro Symantec Unrestricted © Siemens AG 2018 Industrial Security Monitoring Supported mechanisms for security data collection Windows Event Logs: • Windows based computer • Windows embedded devices Syslog (UDP, TCP & TLS): • Network Components • Firewalls • Software Flat Files: • Software logs • Via SCP, (S)FTP, CIFS & NFS • HTTP –Push/Pull XML files Database Connections: • Oracle • MSSQL Product Specific Log Formats: • OPSEC LEA • Checkpoint Firewall • Qualis • Nessus • SDEE • CISCO IDS Logs Flow Data (netFlow, sFlow IPFIX): • Router • Switches • Firewalls Configuration changes Product Specific Log Formats Database Connections Windows Event Logs Flat Files SIEM Syslog Unrestricted © Siemens AG 2018 Industrial Security Monitoring Typical Customer Use Cases Seite 44 Configuration changes New network devices Network and port scans Brute force and suspicious user activities Unauthorized and suspicious network communications Spread of malware Unrestricted © Siemens AG 2018 Hardened LINUX with Siemens own hypervisor to run separated Virtual Machines Ruggedized design • mounting on DIN rail • no rotating equipment • 24V power supply 3 LAN ports to separate different networks: • Production network • Office/ DMZ network • Remote service Security receiver supporting - Syslog, WMI, others - Special automation data forwarder from Siemens Industrial SIEM 1) with local dashboard to be used with a web browser • Correlation of events • Notifications in case of alerts 1) Security Information and Event Management Based on proven Siemens hardware of IPC 427E outlook: will be based on Simatic Edgebox SIEM Combo 500 Industrial Security Monitoring SIEM Combo 
500 – designed for your industrial space Unrestricted © Siemens AG 2018 Your way to protect your business in the digital enterprise Industrial Security Monitoring Benefits Transparency and fast reaction upon security threats Correlation with OT-specific Threat Intelligence feeds Real time and historical correlation of data which enables, amongst others, checking if systems have already been impacted by recently discovered threats (e.g. zero-day exploits) In line with standards and regulations like IEC 62443 and acts to protect critical infrastructure Developed for OT environments Proven security technology and Trusted Site Infrastructure data center for critical data Extensive know-how for professional cyber security in industrial applications Unrestricted © Siemens AG 2018 Manage Security for a comprehensive, always up-to-date industrial security solution Seite 47 Manage Security means the continuous monitoring and renewal of implemented measures through our centralized services) Unrestricted © Siemens AG 2018 Manage Security for a comprehensive, always up-to-date industrial security solution Seite 48 • Patch Management • Security Vulnerability Information • Anti Virus Management • Industrial Security Monitoring* • Remote Incident Handling * upon request Unrestricted © Siemens AG 2018 Patch Management Managing critical updates in Microsoft products Seite 49 Customer’s challenge • In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged – some of which were more than decade old1 • Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. 
Regular and prompt installation of patches represents a vital element of a comprehensive security concept • Patching with an incompatible patch can cause unplanned downtimes Common approach • Customer has to release the Microsoft patches manually on a WSUS, based on Siemens SIMATIC PCS 7 compatibility excel sheet or • No patching is performed at all or • No WSUS server is used, but patches are downloaded directly by the endpoints • Other customer specific solutions (e.g. usage of 3rd party software) are possible Weak points of common approach • Possibility of system disruption due to missing consideration of compatibility • Possibility of security incident due to obsolete patch status • Possibility of failures due to manual work • Need to manual check for updated excel sheet on Siemens Website • Labor intensive process (monthly occurring) Goal Support customers by testing SIMATIC PCS 7 with Microsoft security and critical patches when new patches are released in order to check the compatibility of the PCS 7 software with these patch classifications2 and providing metadata about approved patches at the customer site 1) Source © CNN Money 2) Only "Security Patches" and "Critical Patches" are necessary to ensure that SIMATIC PCS 7 operation is secure and stable ?=X Unrestricted © Siemens AG 2018 Our Solution Solution Architecture The patch & vulnerability Management Service will ease & automate the customers patch process: 1. Monthly patch release by Microsoft (Patch Tuesday) 2. SIMATIC PCS 7 compatibility test 3. Release of patches on Siemens Master WSUS: We will provide a central Update Server (WSUS) that provides metadata about patches that have been tested and approved for compatibility with SIMATIC PCS 7 4. Medata information will be transferred to the customer fully automated 5. Customer gets a notification, when new patches have been released 6. Customer downloads approved patches directly from Microsoft. 
Patch installation will be started on-site

Patch Management
Managing critical updates in Microsoft products
[Architecture diagram: Central Siemens Master WSUS -> distribution of patch information (WSUS replication) -> Master WSUS at customer plant -> internal distribution of Microsoft patches; Microsoft Update Service -> download of Microsoft patches]

Solution Scope
Microsoft products:
• Windows 10, 7, Embedded, Server 2003 to 2012
• .NET
• Internet Explorer
• Office
• Office Excel Viewer, PowerPoint Viewer, Word Viewer
• SQL Server
For supported SIMATIC PCS 7 versions (V8.0 or newer)
For more details see the SIMATIC PCS 7 compatibility list.

Patch Management Benefits
• Solution designed by combining security know-how with SIMATIC PCS 7 expertise
• Reduced probability of wrong implementation of patches and of consequences that might impact plant availability
• Timely release of patches after finishing of tests (approx. 2 weeks after Microsoft patch day)
• Fully automatic release of patch information (only metadata, no automatic installation, to avoid plant downtime)
• Reduction of manual work on-site
• Managing vulnerabilities and critical updates in Microsoft products

Security Vulnerability Information Management
Get transparency on increasing cyber threats (Page 53)

Customer's challenge
• Every day new software vulnerabilities get reported
• Currently, manufacturers and operators of automation technology with a multitude of different software components struggle to identify whether their manufactured or used automation products are affected

Today's solutions
• Manual checking of different web pages from providers of automation technology (e.g. on the Siemens web page https://www.siemens.com/cert/en/cert-security-advisories.htm)
• Customers need to compare the findings on these web pages against their lists of software components in their products or in the automation environment

Weak points of today's solution
• High manual effort and consequently neglect of already officially reported vulnerabilities
• Customers stay unaware of the real threat and consequently do not trigger proactive measures (e.g. patching). In most cases action is taken after an event (e.g. new installation of a system after a ransomware attack).
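The approval step of the patch workflow above (only Security and Critical classifications, only updates that passed the PCS 7 compatibility test, released roughly two weeks after Patch Tuesday) as an added illustration; this is not Siemens' or WSUS code, and the KB ids, products and test results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed metadata for one monthly Microsoft release. As in the service,
# only patch information is handled here; binaries come from Microsoft.
@dataclass(frozen=True)
class Update:
    kb: str
    classification: str  # WSUS classification name
    product: str

SAMPLE_RELEASE = (
    Update("KB-SAMPLE-1", "Security Updates", "Windows 7"),
    Update("KB-SAMPLE-2", "Critical Updates", "SQL Server"),
    Update("KB-SAMPLE-3", "Feature Packs", "Windows 7"),     # classification out of scope
    Update("KB-SAMPLE-4", "Security Updates", "Windows 7"),  # failed compatibility test
    Update("KB-SAMPLE-5", "Security Updates", "Windows 10"), # product not at this plant
)

# Constructed compatibility test result: KB -> PCS 7 versions it passed with.
COMPAT_TESTED_OK = {
    "KB-SAMPLE-1": {"V8.0", "V8.1", "V8.2"},
    "KB-SAMPLE-2": {"V8.1", "V8.2"},
    "KB-SAMPLE-4": set(),  # tested and found incompatible: never approved
}

# Only these two classifications are needed for secure and stable PCS 7 operation.
RELEVANT = {"Security Updates", "Critical Updates"}

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, the day Microsoft publishes its updates."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def expected_release(year: int, month: int, test_days: int = 14) -> date:
    """Approximate day approved metadata reaches the Master WSUS (about 2 weeks later)."""
    return patch_tuesday(year, month) + timedelta(days=test_days)

def approvals(release, compat, pcs7_version: str, products: set) -> list:
    """KB ids to approve on the plant WSUS: relevant classification, product used at
    the plant, and compatibility confirmed for the installed PCS 7 version."""
    return sorted(
        u.kb for u in release
        if u.classification in RELEVANT
        and u.product in products
        and pcs7_version in compat.get(u.kb, set())
    )

def missing(approved, installed: set) -> list:
    """Approved updates a node has not installed yet, for the on-site status check."""
    return [kb for kb in approved if kb not in installed]
```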
Goal
Provide relevant security information to enable manufacturers and operators of automation technology to proactively manage their cyber risks

Security Vulnerability Information Management
Realtime oversight on vulnerabilities and patch status, realized as a MindSphere App
• Definition of which software components to monitor
• Notifications in case of detected vulnerabilities and possible patches
• Risk-based management of vulnerabilities

Anti Virus Management
Continuous virus protection for an up-to-date defense strategy (Page 55)

Customer's challenge
• Anti-virus programs protect against disclosed viruses, worms and Trojans
• Regular and prompt updates of virus patterns for the anti-virus program and continuous monitoring of the malware protection solutions represent a vital element of a comprehensive security concept
• An obsolete virus pattern status enormously reduces the effectiveness of the anti-virus solution

Common approach
• No installed anti-virus solution at all, or
• Obsolete anti-virus solution, or
• Heterogeneous status of the installed anti-virus solution on different systems

Weak points of common approach
• Possibility of system infection due to obsolete virus pattern status
• Possibility of malware spread due to lack of monitoring of the anti-virus solution
• Labor-intensive process in case of changes, e.g. new systems

Goal
Support customers by continuously managing their McAfee anti-virus solution via the central management server ePO for an up-to-date defense strategy

Anti Virus Management
Continuous virus protection for an up-to-date defense strategy (Page 56)
Our Solution: Solution Architecture
Anti Virus Management will ease and automate the customer's anti-virus management process:
1. Taking care of the installed McAfee anti-virus solution
   a) Maintaining the logical groups
   b) Maintaining the ruleset
   c) Deployment of the current pattern files
   d) Cyclic monitoring of the agent status
2. Adding or removing additional anti-virus clients
3. In case of an alarm, the alarm will be transferred via e-mail to the customer contact
4. Monthly report delivery
[Architecture diagram: Siemens manages the ePO (central management server) on the customer site via cRSP 1); the ePO manages the McAfee AV clients on the production systems; alarms via e-mails and monthly reports go to the customer]
1) cRSP = common Remote Service Platform

Industrial Security Monitoring
Management of a SIEM solution for the customer... (Page 57)
[Diagram: Correct and protect (Implement Security and Manage Security); Detect (Industrial Security Monitoring Entry)]

Industrial Security Monitoring
Transparency and fast reaction thanks to proactive security monitoring (Page 58)
• Industrial Security Monitoring uses Security Information and Event Management technology from McAfee
• SIEM is a log-file based solution to monitor security status and identify threats and security-relevant events
• Industrial Security Monitoring provides continuous monitoring and analysis of shopfloor security from a local or remote Cyber Security Operation Center
• Fast alarming and reaction in case of threat identification
• Monthly status reports

Industrial Security Monitoring
Architecture and Components (Page 59)
SIEM Collector (Receiver)
• Gathers events via different mechanisms, normalizes them and provides them to the central management console
• Distributed as well as central log collection
Centralized Log Management (optional)
• Storage of all collected raw log data
• Central and tamper-proof archiving of log data
• Automatic and manual realization of "retention periods"
Centralized Security Management
• Central management of all gathered events
• Root-cause analysis
• Creation of events after filtering logs
• Creation of alarms and reports
Security Event Correlation
• Analysis and correlation
• Advanced analysis platform, real-time
• Historical analysis
[Diagram: the devices to be monitored send logs to the SIEM collector, which forwards events to centralized security management and security event correlation]

Industrial Security Monitoring
Delivery from local SIEM for continuous and proactive protection
[Diagram: Security Information Collectors in Discrete Manufacturing and Process Industries feed Security Correlation and Management]

Remote Incident Handling
Fast reaction upon security relevant threats (Page 61)
• 59% of companies admit that they suffered a security incident in the last 5 years 1)
• Manufacturing and Process Industries estimated the highest loss in revenue, with 27.000 million Euro due to consequences of security incidents in the last 5 years 1)
• 44% of them were unable to identify the source of the incident 2)
• In a 2015 survey, 34% of Industrial Automation and Control Systems operators indicated that their systems were breached more than twice in the last 12 months 2)
1) Source © GMI Research, Cebr Analytics
2) Source © Booz Allen Hamilton 2015

Remote Incident Handling
Fast reaction to security relevant threats (Page 62)
• Root-cause analysis performed by Siemens experts for industrial security
• Analysis of root cause and criticality
• Report incl. suggestions on how to clean the affected systems
Team of experts
• What shall I do with the system?
• What protects me for the future?
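The collector and correlation stages of the SIEM architecture described above (normalize raw logs of different formats into events, then correlate events into an alarm) as an added example; it is not McAfee's or Siemens' code, the log lines are constructed, and the Windows-style and syslog-style formats, field names and the failed-logons rule are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw logs in two formats a collector might receive: Windows security
# events (4625 = failed logon, 4624 = successful logon) and a syslog firewall line.
RAW_LOGS = [
    "2018-04-10T08:00:01 OS1 Security 4625 user=eng01 src=10.1.1.50",
    "2018-04-10T08:00:05 OS1 Security 4625 user=eng01 src=10.1.1.50",
    "2018-04-10T08:00:09 OS1 Security 4625 user=eng01 src=10.1.1.50",
    "2018-04-10T08:00:20 OS1 Security 4624 user=eng01 src=10.1.1.50",
    "<134>Apr 10 08:01:00 fw01 kernel: DROP IN=eth1 SRC=10.1.1.50 DST=10.2.0.7 DPT=102",
    "2018-04-10T09:00:00 OS2 Security 4625 user=op02 src=10.1.1.51",
]

WIN = re.compile(r"^(\S+) (\S+) Security (\d+) user=(\S+) src=(\S+)$")
SYSLOG = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (\w+) .*SRC=(\S+) DST=(\S+) DPT=(\d+)")

def normalize(line, year=2018):
    """Collector step: map either raw format onto one common event schema."""
    m = WIN.match(line)
    if m:
        ts, host, eid, user, src = m.groups()
        kind = {"4625": "logon_failed", "4624": "logon_success"}.get(eid, "windows_other")
        return {"ts": datetime.fromisoformat(ts), "host": host, "type": kind, "user": user, "src": src}
    m = SYSLOG.match(line)
    if m:
        ts, host, action, src, dst, dpt = m.groups()
        t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        return {"ts": t, "host": host, "type": "fw_" + action.lower(), "src": src, "dst": dst, "dport": int(dpt)}
    return None  # unknown format: kept as raw log only, no event is created

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: alarm when a user succeeds after `threshold` or more failed
    logons on the same host within `window` (a typical guessed-password pattern)."""
    failures = defaultdict(list)
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("user"))
        if ev["type"] == "logon_failed":
            failures[key].append(ev["ts"])
        elif ev["type"] == "logon_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alarms.append({"rule": "failed_logons_then_success", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"], "failures": len(recent)})
            failures[key].clear()
    return alarms

def run(lines):
    """Full pipeline: raw log lines -> normalized events -> alarms."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, correlate(events)
```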
Remote Incident Handling
Fast reaction to security relevant threats (Page 63)
• Done remotely
• Applicable for Windows OS (XP and newer)
• Core of the workflow is FERRET, a Siemens-own system for root-cause analysis of indicators of compromise in IT and OT environments by: