Secure 223

Technical Sales Slides
Industrial Security Services | April 2018
Unrestricted www.siemens.com/industrial-security-services
Unrestricted © Siemens AG 2018
Challenges
Productivity, cost pressure and regulations
Protect productivity: protect against
• externally caused incidents through increasing connectivity
• internal misbehavior
• the evolving threat landscape
Reduce cost: costs
• for qualified personnel
• for essential security technologies
Comply with regulations: comply with
• reporting requirements
• minimum standards
• security know-how
Industrial Security Services
Your way to protect your business in the digital enterprise
Protecting productivity with Industrial Security Services:
• Detect threats and vulnerabilities at an early stage
• React fast
• Get long-term, holistic protection
Industrial Security Services
Portfolio aligned with risk management methodology
Manage Security
Comprehensive security through monitoring and proactive protection:
• Monitor to detect indicators of compromise
• Manage to keep security up to date
• React fast upon security-relevant threats
Assess Security
Evaluation of the current security status of an ICS environment
Implement Security
Risk mitigation through implementation of security measures for reactive protection
Assess Security
Following a risk-based approach
Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risk and recommendations of security measures to close the identified gaps.
Assess Security
Following a risk-based approach
• Industrial Security Assessment
• IEC 62443 Assessment
• ISO 27001 Assessment
• Risk and Vulnerability Assessment*
* upon request
Assess Security
How do we figure out which assessment we need in each case?
Which assessment do I need?
• Would I like to have a compact one-day on-site assessment based on Siemens' long-term experience in automation security? -> Industrial Security Assessment
• Would I like to have a quick check against the best known security standard for Industrial Control Systems? -> IEC 62443 Assessment
• Would I like to have a quick check against the best known security standard? -> ISO 27001 Assessment
• Or would I rather get a deep, time-intensive analysis of my industrial environment, including data collection? -> Risk & Vulnerability Assessment
Industrial Security Assessment
Identify security gaps and define measures to mitigate risks
Assessment derived from the IEC 62443 standards and based on the Siemens Industrial Defense in Depth concept.
• Ad-hoc identification of current security gaps based on the assessment scope
• Proposal of appropriate mitigation measures
• Available for Siemens and third-party systems
• 1 day on-site
• Coordinated by a security consultant
• Questionnaire-based checklist to identify and classify risks
• Compact report containing recommendations for risk mitigation measures
IEC 62443 Assessment
Identify security gaps and define measures to mitigate risks
Assessment of compliance to the IEC 62443 international standard (Industrial communication networks – Network and system security)
• Focus on parts 2-1 “Establishing an industrial automation and control system security program” and 3-3 “Security for industrial process measurement and control – Network and system security”
• Available for Siemens and third-party systems
• 2 days on-site
• Coordinated by a security consultant and a security engineer
• Questionnaire-based checklist to identify and classify risks
• Up to 30 pages report containing recommendations for risk mitigation measures
ISO 27001 Assessment
Identify security gaps and define measures to mitigate risks
Quick assessment of plant security according to the ISO 27001 international standard (Information Security Management)
• On-site workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a security consultant and a security engineer
  • Typical attendants: management and the customer's persons responsible for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline evaluation of the results: analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on cost/benefit scenario)
• Up to 30 pages report containing recommendations for risk mitigation measures
Risk & Vulnerability Assessment
Identify, classify and evaluate risks for a risk-based security program
• Report (~100 pages) including:
  • Project documentation:
    • Scope description
    • Current network topology
    • Current system architecture
    • Risk analysis and scoring methodology
  • Findings:
    • Network topology analysis results
    • Installed base data analysis results
    • Evaluation of system criticality results (likelihood and business impact)
    • Risk classification and risk level including scoring
    • Training needs
  • Risk mitigation measures for each finding
• Management presentation as a first step to establish a security roadmap
Implement Security
To mitigate risks
Implement Security covers the implementation of security measures to increase the protection level of shop-floor environments.
Implement Security
To mitigate risks
• Security Awareness Training
• Industrial Security Consulting
• Automation Firewall *
• Windows Patch Installation
• Application Whitelisting **
• Anti Virus Installation **
• System Back-Up
• Industrial Anomaly Detection
• Industrial Security Monitoring *
* Devices and implementation service
** Software and implementation service
Security Awareness Training
Cyber security knowledge transfer from a shop-floor perspective
Customer's challenge
• 91% of the security incidents in 2015 consisted of stolen credentials by use of phishing e-mails (1)
• Only 3% of targeted individuals reported the phishing e-mail (1)
• 70% of all security incidents are caused by human error (2)
Common approach
• No cyber security training at all
• Cyber security training for the office environment focusing on classic IT security topics
Weak points of common approach
• Increased vulnerability due to human error threats
• Lack of automation perspective when training staff on cyber security topics
Goal
Increase security awareness among shop-floor staff to avoid security incidents caused by human error
1) Source © Verizon 2016 2) Source © Ponemon Institute Research 2013
Security Awareness Training
Cyber security knowledge transfer from a shop-floor perspective
Our solution: increasing industrial security awareness
• SITRAIN training
• Web-based, one-hour training
• Generates security awareness for the staff:
  • Introduces the current threat landscape in industrial control system environments
  • Describes how to handle risks
  • Helps identifying security incidents
• Includes a final test
• Available in German and English – further languages on request
• SCORM (1) compatibility for simplified integration into other e-learning software
1) Sharable Content Object Reference Model
Security Awareness Training
Knowledge transfer to secure the “weakest link”
“What would happen if a seemingly unimportant control device was manipulated in such a way that a product recipe was changed and the resulting product makes people sick.”
Training content: typical daily situations, sample scenarios, knowledge check, potential vulnerabilities, statutory requirements and guidelines, statistics
Industrial Security Consulting
Provide support for ICS policies and secured network design
Policy consulting
• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with the enterprise cyber security practice
• Examples: patch and backup strategy, handling of removable media
Security consulting
• Support for segmentation into security cells based on the IEC 62443 standard or the SIMATIC PCS 7 & WinCC security concept
• Design and planning of a perimeter protection network: DMZ (demilitarized zone) network
• Perimeter firewall rule establishment / review and implementation
(Figure: protected zone, DMZ zone and unsecure zone; industrial security policy)
Automation Firewall
First line of defense against highly developed threats
Customer's challenge
• Shop-floor landscape changed from isolated islands to highly complex networks
• Automation networks historically grown and often evolved to huge flat networks without any segmentation
Today's solutions
• Perimeter protection for the office environment or the whole site
• Perimeter protection for the automation network but controlled by office IT without automation know-how
Weak points of today's solutions
• Spread of failures due to flat networks
• Inconsistent configuration of protection measures due to lack of automation expertise (e.g. perimeter firewall configured to protect the office against the automation network and not the other way around)
• No perimeter protection at all
Goal
Support customers by providing a perimeter protection solution in line with security requirements for industrial automation and tested and approved for usage with the Siemens process control system
Automation Firewall classic
Feature set
Our solution: feature overview
First line of defense against highly developed threats:
• Based on Microsoft® Windows Server 2012 R2 and SecureGUARD Communication Gateway
• Application layer and stateful inspection firewall
• VPN gateway
• Secure web publishing
• Intrusion detection and prevention system (IDS/IPS)
• Antivirus (optional add-on)
• Self-protection (i.e. against denial of service attacks)
• Standard provider service (1 year included, extendable up to 5 years in total):
  • Updates for Automation Firewall software
  • Hardware spare parts (shipment of a replacement unit on the next business day)
  • Hotline support
• Migration for existing Forefront TMG 2010 possible if standard provider service contract in place
Automation Firewall - classic
Included in the Security Concept for SIMATIC PCS 7
Our solution: network integration
Perimeter protection in accordance with the Security Concept for SIMATIC PCS 7
• Tested and validated in a PCS 7 environment and with Siemens industrial communication appliances
• Listed in the PCS 7 Add-on Catalogue
• Can be used as front firewall and/or back firewall in line with the white paper "Security concept PCS 7 and WinCC"
• Protects the PCS 7 and WinCC based automation network from external threats by controlling the access point to the automation network
• Additional services like Perimeter Firewall Installation and/or Management support commissioning, continuous operation and maintenance
Automation Firewall - classic
Industrial Wizard for SIMATIC PCS 7 for installation and configuration
Our solution: Industrial Wizard
The Industrial Wizard simplifies the configuration and commissioning:
• Preinstalled on the Automation Firewall
• Maintained in accordance with PCS 7 / WinCC requirements
• Suitable for the initial firewall configuration (can be executed several times)
• Based on the PCS 7 / WinCC security concept
• Automatically creates firewall rules based on inserted network clients
• Migration wizard for existing Forefront TMG 2010 configurations available
Automation Firewall NG (Next-Generation)
Feature set
Our solution: feature overview
First line of defense against highly developed threats:
• Based on Palo Alto Networks Next-Generation Firewall appliances
• Palo Alto Networks is a “Gartner Magic Quadrant Leader” for Enterprise Network Firewalls for the 6th consecutive year
• Application layer and stateful inspection firewall
• IPsec VPN gateway
• Threat Prevention (additional subscription required)
• Advanced malware protection (additional WildFire subscription required)
• File and data filtering
• Classifies all applications, on all ports, all the time
• Enforces security policies for any user, at any location
• Protects against known and unknown threats
• High availability (active/active and active/passive) modes
• Redundant power input for increased reliability (PA-220 and PA-850)
• Fan-less design (for PA-220 model)
Automation Firewall - NG (Next-Generation)
Different options for different needs
PA-220
• Firewall throughput: 500 Mbps
• Use cases: small automation networks with copper interfaces only (8 x copper)
• Onboard interfaces (copper): (8) 10/100/1000
• Optional interfaces (SFPs): -
• Redundant power supply: yes
• Dimensions (HxDxW): 1.62”H x 6.29”D x 8.07”W (4,11 x 15,98 x 20,50 cm)
PA-820 / PA-850
• Firewall throughput: 940 Mbps (PA-820), 1,9 Gbps (PA-850)
• Use cases: mid-size automation networks with a small amount of copper interfaces (4 + x SFPs), plus (fiber) SFPs optional
• Onboard interfaces (copper): (4) 10/100/1000
• Optional interfaces (SFPs): (8) SFP (PA-820); (4/8) SFP, (0/4) 10 SFP (PA-850)
• Redundant power supply: no (PA-820), yes (PA-850)
• Dimensions (HxDxW): 1U, 19” standard rack (1.75”H x 14”D x 17.125”W; 4,45 x 35,56 x 43,50 cm)
PA-3020 (right-hand column cut off in the source)
• Use cases: big automation networks with a small amount of copper interfaces (4 …), plus (fiber) SFPs optional
• Onboard interfaces (copper): (4) 10/100/10…
• Dimensions (HxDxW): 1U, 19” standard rack (1.75”H x 14.… x 17.125”W; 4,45 H x 36,… W cm)
Automation Firewall - NG (Next-Generation)
Description of mandatory support & optional subscriptions
Optional subscriptions:
• Threat Prevention subscription (3 or 5 years): adds integrated protection against network-borne threats, including exploits, malware, command-and-control traffic and a variety of hacking tools, through IPS functionality and stream-based blocking of millions of known malware samples.
• URL Filtering subscription (3 or 5 years): provides granular, user-based controls over web activity through URL categories and customizable white- and blacklists, as well as protection from web-borne threats through malicious categories like “malware” and “phishing”.
• WildFire™ subscription (3 or 5 years): actively analyzes unknown threats, including malware, websites and command-and-control traffic, and delivers automatically created protections and intelligence back to subscribed firewalls all over the world for proactive global prevention.
Mandatory support:
• Premium Support (3 or 5 years): services for maintaining your Palo Alto Networks deployment, provided directly by Palo Alto Networks. Includes e.g. premium support hours (24/7 for all severities), next-business-day delivery for parts and hardware replacement, feature releases and software updates, subscription service updates, documentation and FAQ, online customer-support portal, etc.
Legend: TP = Threat Prevention, UF = URL Filtering, WF = WildFire
Anti Virus Installation
Virus protection solution for malware detection and prevention
Challenges
• The total number of 2015 vulnerabilities reflects a 77% increase compared to 2011 (1).
• Almost one million never-before-seen malware samples are being released on a daily basis (2).
• Until now, more than 550 million malware samples have been released in 2016 (3).
• Information technologies are used in industrial automation. The number of open standards and PC-based systems has increased enormously in the last years.
Our solution
McAfee VirusScan protects systems and single files from virus infections, trojans and other malware by using continuously updated signature files.
Siemens uses McAfee's enterprise anti-virus solution to enhance the protection level of shop-floor computer systems for an up-to-date defense strategy against malicious software while not interfering with the operation mode of a plant.
McAfee VirusScan is approved for use in different Siemens software products like SIMATIC PCS 7, WinCC or TIA Portal.
Benefits
By adapting McAfee VirusScan to industrial security needs:
• Protection against viruses, worms, rootkits, trojans and other threats and lower impact of outbreaks caused by malware
• Detected malware can be removed, moved to quarantine or simply remain on the system to prevent deletion of files required for the automation process
• Easy, centralized operation via management server
1) Source © Risk Based Security 2016; 2) Source © Symantec; 3) Source © AV-Test
Whitelisting Installation
Application control to protect against malware and unwanted applications
Challenges
• In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged – some of which were more than a decade old (1).
• Total zero-day vulnerabilities increased exponentially in the last years (2):
  • 2013: 23
  • 2014: 24 (+4%)
  • 2015: 54 (+125%), more than one per week
Our solution
With McAfee Application Control, only trusted applications are allowed to run on the computer systems. These applications are maintained in a positive list (whitelist). It prevents execution of unknown applications and executables like malware or unwanted applications.
Siemens uses McAfee Application Control to enhance the protection level of shop-floor computer systems.
Application Control is approved for use in different Siemens software products like SIMATIC PCS 7, WinCC, TIA Portal and SINUMERIK (3).
Benefits
With McAfee Application Control adapted to industrial security needs, Siemens offers:
• Block known and unknown threats (new/unknown viruses, zero-day exploits, system manipulations, …) and allow approved, trusted applications to run
• Easily protect unsupported legacy / obsolete systems (e.g. Microsoft Windows XP)
• As it requires few resources, protection of real-time systems and less powerful devices
• No pattern/signature updates required
• Allows patching without disabling whitelist protection
• Easy, centralized operation via management server
1) Source © CNN Money 2) Source © Symantec 3) Selected SINUMERIK 840D PCU50.X versions
Whitelisting Installation
Application control to protect against malware and unwanted applications
How does whitelisting work?
1. Attempt to execute a software on a device in the automation environment with whitelist (Application Control tested and approved for compatibility)
2. Check against the whitelist
3. Permission to run the application is granted (application on the whitelist) or denied (application not on the whitelist)
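As an added illustration (not Siemens' or McAfee's code), the decision flow above modelled in Python: executables are identified by their SHA-256 hash, only hashes on the positive list may run, and a process approved as updater may enrol the file it writes, which is how patching can proceed without switching the protection off. The file names, file contents and the updater rule are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executables on a shop-floor PC: name -> file bytes
SAMPLE_FILES = {
    "hmi_runtime.exe": b"trusted HMI runtime build 1",
    "patch_installer.exe": b"vendor patch installer",
    "dropper.exe": b"unknown payload",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ApplicationControl:
    # Positive list: SHA-256 of every executable that may run
    allowed_hashes: set = field(default_factory=set)
    # Processes approved as updaters; files they write are enrolled automatically
    trusted_updaters: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def decide(self, name: str, content: bytes) -> str:
        """Steps 2 and 3 of the flow: look up the hash, grant or deny execution."""
        verdict = "granted" if sha256_of(content) in self.allowed_hashes else "denied"
        self.log.append((name, verdict))
        return verdict

    def write_file(self, writer: str, content: bytes) -> bool:
        """A file written by a trusted updater is added to the positive list;
        a write by any other process changes nothing, protection stays on."""
        if writer not in self.trusted_updaters:
            return False
        self.allowed_hashes.add(sha256_of(content))
        return True


def build_control() -> ApplicationControl:
    """Initial whitelist as an installation service would record it (constructed)."""
    ac = ApplicationControl()
    ac.allowed_hashes = {
        sha256_of(SAMPLE_FILES["hmi_runtime.exe"]),
        sha256_of(SAMPLE_FILES["patch_installer.exe"]),
    }
    ac.trusted_updaters = {"patch_installer.exe"}
    return ac


def run_demo() -> dict:
    ac = build_control()
    results = {name: ac.decide(name, data) for name, data in SAMPLE_FILES.items()}
    # Patching: the trusted updater replaces the runtime, the new hash is enrolled
    patched = b"trusted HMI runtime build 2"
    ac.write_file("patch_installer.exe", patched)
    results["hmi_runtime.exe (patched)"] = ac.decide("hmi_runtime.exe", patched)
    # Tampering: the same binary modified by an untrusted process stays denied
    tampered = b"tampered HMI runtime"
    ac.write_file("dropper.exe", tampered)
    results["hmi_runtime.exe (tampered)"] = ac.decide("hmi_runtime.exe", tampered)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```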
Industrial Anomaly Detection
The challenge: transparency of the industrial network
Transparency over data exchange within the plant networks provides you continuous & proactive identification of changes (anomalies) in the system
• Automated asset identification to assist in risk analysis and mitigation
• Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection
Industrial Anomaly Detection
Customer's challenge
• Shop-floor landscape has changed from isolated islands to highly complex networks
• Detection capabilities for malicious communication on the shop floor are not given
Today's solutions
• Perimeter protection to the office IT with deep packet inspection
• Endpoint firewalls
Weak points of today's solutions
• No transparency about the “normal” communication in OT plants
• Perimeter protection in the direction of the office IT is not detecting malicious behavior in the plant network itself
• Automation solutions use proprietary protocols
• No detection of new/changed assets
Goal
Support customers by providing an Industrial Anomaly Detection solution delivering transparency, situational awareness and traceability in the shop-floor networks
Industrial Anomaly Detection
Solution architecture
• The normal network topology of industrial plants is a ring or star with industrial components connected (engineering systems, PLCs, HMIs …).
• Switches connect the systems and mirror traffic to a SPAN port.
• The anomaly detection sensor is connected to the SPAN port and examines all the mirrored traffic.
• The server can be connected to several sensors and is the user interface for operators.
• Multiple servers can be connected to an Enterprise Management Console for a view across multiple plants.
• The management console integrates with existing SOC tools (SIEM, log management, analytics …).
• Server, sensor and the management console are installed on Siemens IPC 427E.
• 100% passive monitoring with a one-way network connection through the SPAN port provides safe monitoring of industrial networks.
(Figure: sensor connected via SPAN port or tap, central console, optional SIEM Combo 500)
Industrial Anomaly Detection
Communications view
Transparency of communication with your production assets.
• Automated discovery
• Assets and communication pathways
• Powerful and easy dashboard allows oversight and event management with minimal configuration
• Includes vulnerability information
• Supports 3rd party devices
Industrial Anomaly Detection
Benefits
• Transparency over data exchange within the plant networks provides you continuous & proactive identification of changes (anomalies) in the system
• Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection
• Aligned with requirements of standards, regulations and acts to protect critical infrastructure
• 100% passive monitoring oversees the plant network without impact to the monitored systems
• Automated asset identification to assist in risk analysis and mitigation
• Use of an advanced machine learning system, so the detection rate will be enhanced over time
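The baseline correlation and asset discovery described in the architecture, communications view and benefits slides, as an added example in Python (not the product's code): a learning phase records every host and every (source, destination, port, protocol) tuple seen on the SPAN port during normal operation, and the detection phase classifies every tuple outside that baseline as a new asset, a new pathway between known hosts, or a new protocol on a known pair. Addresses, ports and protocol labels are constructed for the demo.

```python
from collections import Counter

# Constructed passive-capture records, as a sensor on a SPAN port would see them:
# (timestamp, src_ip, dst_ip, dst_port, protocol)
BASELINE_CAPTURE = [
    (1, "10.0.1.10", "10.0.1.50", 102, "S7COMM"),  # engineering station -> PLC
    (2, "10.0.1.20", "10.0.1.50", 102, "S7COMM"),  # HMI -> PLC
    (3, "10.0.1.20", "10.0.1.51", 502, "MODBUS"),  # HMI -> remote I/O
    (4, "10.0.1.10", "10.0.1.20", 445, "SMB"),     # engineering -> HMI share
]
LIVE_CAPTURE = [
    (100, "10.0.1.20", "10.0.1.50", 102, "S7COMM"),  # known pathway: no alert
    (101, "10.0.1.99", "10.0.1.50", 102, "S7COMM"),  # unknown host talks to the PLC
    (102, "10.0.1.10", "10.0.1.51", 502, "MODBUS"),  # known hosts, never-seen pair
    (103, "10.0.1.20", "10.0.1.50", 80, "HTTP"),     # known pair, new protocol/port
]


def learn_baseline(records):
    """Learning phase: every host and every (src, dst, port, proto) tuple
    observed during normal operation becomes part of the baseline."""
    assets, pathways = set(), set()
    for _, src, dst, port, proto in records:
        assets.update((src, dst))
        pathways.add((src, dst, port, proto))
    return assets, pathways


def detect_anomalies(baseline, records):
    """Detection phase: any tuple outside the baseline is an anomaly, classified
    by what is new about it (a host, a pairing, or a protocol/port)."""
    assets, pathways = baseline
    known_pairs = {(s, d) for s, d, _, _ in pathways}
    findings = []
    for ts, src, dst, port, proto in records:
        key = (src, dst, port, proto)
        if key in pathways:
            continue
        unknown = tuple(h for h in (src, dst) if h not in assets)
        if unknown:
            kind = "new_asset"
        elif (src, dst) not in known_pairs:
            kind = "new_pathway"
        else:
            kind = "new_protocol"
        findings.append({"ts": ts, "kind": kind, "flow": key, "hosts": unknown})
    return findings


def summarize(findings):
    """Count findings per kind, the figure a dashboard would show per shift."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    base = learn_baseline(BASELINE_CAPTURE)
    for finding in detect_anomalies(base, LIVE_CAPTURE):
        print(finding)
```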
Industrial Security Monitoring
The challenge: increasing vulnerability and more attacks
• In a study from 2015, 34% of the operators of automation and process control systems responded that their systems were attacked at least twice in the last 12 months (1); 44% of them could not identify the origin of these incidents (1)
• In 2015 companies needed on average 205 days to detect an attack (2)
• 55% of these companies needed more than 3 hours to get the systems up and running again (3)
• When hackers successfully break into a company, they use the same method within 24 hours to attack another company of the same vertical (4)
To be able to react fast to potential security threats, indicators of compromise need to be identified fast.
1) Source: © Booz Allen Hamilton 2015 2) Source: © https://www.datenschutzbeauftragterinfo.de/itforensik-und-incident-response-daten-und-fakten/ 2016 3) Source: © SANS Institute InfoSec Reading Room March 2016 4) Source: CNN Money
Industrial Security Monitoring
Challenges: increasing vulnerability, connectivity & need for fast reaction
Threats to industrial control systems (source © BSI analysis on cyber security 2016, German Federal Office for Information Security):
• Introduction of malware via removable media and external hardware
• Control components connected to the Internet
• Human error and sabotage
• Intrusion via remote access
• Compromising of smartphones in the production environment
• Compromising of extranet and cloud components
• Malware infection via the Internet and intranet
• (Distributed) denial-of-service ((D)DoS) attacks
• Technical malfunctions
Industrial Security Monitoring
Security Information and Event Management technology
Definition
Security Event Management (SEM)
• provides near real-time monitoring, collecting and correlation of security events, alarms and console views
Security Information Management (SIM)
• provides long-term storage and reporting of log data to comply with security policies and regulations
Security Information and Event Management (SIEM) = SEM + SIM
Motivation
• required by standards, certification and market:
  • IEC 62443 / ISA-99
  • NERC-CIP
Industry SIEM
• enables proactive detection of attacks and anomalies
• enhances Defense in Depth protection of industrial plants against cyber attacks
Industrial Security Monitoring
Most important supported devices
Operating systems
• Windows XP to Windows 8
• Windows Server 2003 to 2012
• Linux/UNIX systems
Network devices
• Automation Firewall
• SCALANCE S, M and X
• 3rd party (NG and application layer FWs, IDS/IPS, switches)
Industrial control systems
• SIMATIC S7 with specific application DB
• SIMATIC CP with Security Integrated
• SINUMERIK PCU
Software and security applications
• McAfee ePO
• TrendMicro
• Symantec
Industrial Security Monitoring
Supported mechanisms for security data collection
Windows event logs:
• Windows-based computers
• Windows embedded devices
Syslog (UDP, TCP & TLS):
• Network components
• Firewalls
• Software
Flat files:
• Software logs
• Via SCP, (S)FTP, CIFS & NFS
• HTTP push/pull of XML files
Database connections:
• Oracle
• MSSQL
Product-specific log formats:
• OPSEC LEA (Checkpoint Firewall)
• Qualys
• Nessus
• SDEE (Cisco IDS logs)
Flow data (NetFlow, sFlow, IPFIX):
• Routers
• Switches
• Firewalls
Configuration changes
Industrial Security Monitoring
Typical customer use cases
• Configuration changes
• New network devices
• Network and port scans
• Brute force and suspicious user activities
• Unauthorized and suspicious network communications
• Spread of malware
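Two of the use cases above, brute force and port scans, as correlation rules run over sample log lines; this is an added example in Python, not the SIEM's rule language. The log lines are constructed: Windows logon events (4625 failed, 4624 success) forwarded from an HMI and DENY entries from a perimeter firewall, both already normalized to a key=value form; host names, addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized log lines (timestamp, reporting host, key=value fields)
SAMPLE_LOGS = """\
2018-04-10T08:00:01 hmi01 Security EventID=4625 User=operator Src=10.0.2.77
2018-04-10T08:00:03 hmi01 Security EventID=4625 User=operator Src=10.0.2.77
2018-04-10T08:00:05 hmi01 Security EventID=4625 User=operator Src=10.0.2.77
2018-04-10T08:00:06 hmi01 Security EventID=4625 User=operator Src=10.0.2.77
2018-04-10T08:00:08 hmi01 Security EventID=4625 User=operator Src=10.0.2.77
2018-04-10T08:00:09 hmi01 Security EventID=4624 User=operator Src=10.0.2.77
2018-04-10T08:05:00 hmi01 Security EventID=4625 User=admin Src=10.0.2.5
2018-04-10T08:30:00 fw01 DENY Src=10.0.2.77 Dst=10.0.1.50 Dport=102
2018-04-10T08:30:00 fw01 DENY Src=10.0.2.77 Dst=10.0.1.50 Dport=502
2018-04-10T08:30:01 fw01 DENY Src=10.0.2.77 Dst=10.0.1.50 Dport=44818
2018-04-10T08:30:01 fw01 DENY Src=10.0.2.77 Dst=10.0.1.50 Dport=20000
2018-04-10T08:30:02 fw01 DENY Src=10.0.2.77 Dst=10.0.1.50 Dport=4840
2018-04-10T08:31:00 fw01 DENY Src=10.0.2.5 Dst=10.0.1.50 Dport=102
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn each line into a dict: ts, host, action (first token) and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"]}
        ev["action"] = m["rest"].split()[0]
        ev.update(KV_RE.findall(m["rest"]))
        events.append(ev)
    return events


def within_window(times, count, window):
    """True if some run of `count` consecutive timestamps spans at most `window`."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Use case: brute force. At least `threshold` failed logons from one source
    inside the window; a later success from the same source raises severity."""
    failed, success = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":
            failed[ev["Src"]].append(ev["ts"])
        elif ev.get("EventID") == "4624":
            success[ev["Src"]].append(ev["ts"])
    alerts = []
    for src, times in failed.items():
        if not within_window(times, threshold, window):
            continue
        later_ok = any(t > max(times) for t in success.get(src, []))
        alerts.append((src, "success_after_failures" if later_ok else "failed_only"))
    return alerts


def port_scan(events, threshold=5, window=timedelta(seconds=60)):
    """Use case: network and port scans. One source denied on at least
    `threshold` distinct destination ports of one destination inside the window."""
    hits = defaultdict(dict)  # (src, dst) -> {dport: first seen}
    for ev in events:
        if ev["action"] == "DENY":
            hits[(ev["Src"], ev["Dst"])].setdefault(ev["Dport"], ev["ts"])
    return [pair for pair, ports in hits.items()
            if len(ports) >= threshold and within_window(ports.values(), threshold, window)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("brute force:", brute_force(evs))
    print("port scans:", port_scan(evs))
```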
Industrial Security Monitoring
SIEM Combo 500 – designed for your industrial space
• Hardened Linux with Siemens' own hypervisor to run separated virtual machines
• Ruggedized design:
  • mounting on DIN rail
  • no rotating equipment
  • 24V power supply
• 3 LAN ports to separate different networks:
  • Production network
  • Office / DMZ network
  • Remote service
• Security receiver supporting:
  • Syslog, WMI, others
  • Special automation data forwarder from Siemens
• Industrial SIEM (1) with local dashboard to be used with a web browser:
  • Correlation of events
  • Notifications in case of alerts
• Based on proven Siemens hardware of IPC 427E; outlook: will be based on Simatic Edgebox
1) Security Information and Event Management
Industrial Security Monitoring
Benefits
• Transparency and fast reaction upon security threats
• Correlation with OT-specific threat intelligence feeds
• Real-time and historical correlation of data which enables, amongst others, checking if systems have already been impacted by recently discovered threats (e.g. zero-day exploits)
• In line with standards and regulations like IEC 62443 and acts to protect critical infrastructure
• Developed for OT environments
• Proven security technology and Trusted Site Infrastructure data center for critical data
• Extensive know-how for professional cyber security in industrial applications
Manage Security
For a comprehensive, always up-to-date industrial security solution
Manage Security means the continuous monitoring and renewal of implemented measures through our centralized services.
Manage Security
For a comprehensive, always up-to-date industrial security solution
• Patch Management
• Security Vulnerability Information
• Anti Virus Management
• Industrial Security Monitoring*
• Remote Incident Handling
* upon request
Patch Management
Managing critical updates in Microsoft products
Customer's challenge
• In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged – some of which were more than a decade old (1)
• Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. Regular and prompt installation of patches represents a vital element of a comprehensive security concept
• Patching with an incompatible patch can cause unplanned downtimes
Common approach
• The customer has to release the Microsoft patches manually on a WSUS, based on the Siemens SIMATIC PCS 7 compatibility Excel sheet, or
• No patching is performed at all, or
• No WSUS server is used, but patches are downloaded directly by the endpoints
• Other customer-specific solutions (e.g. usage of 3rd party software) are possible
Weak points of common approach
• Possibility of system disruption due to missing consideration of compatibility
• Possibility of security incidents due to obsolete patch status
• Possibility of failures due to manual work
• Need to manually check for an updated Excel sheet on the Siemens website
• Labor-intensive process (monthly occurring)
Goal
Support customers by testing SIMATIC PCS 7 with Microsoft security and critical patches when new patches are released, in order to check the compatibility of the PCS 7 software with these patch classifications (2), and by providing metadata about approved patches at the customer site
1) Source © CNN Money 2) Only "Security Patches" and "Critical Patches" are necessary to ensure that SIMATIC PCS 7 operation is secure and stable
Patch Management
Managing critical updates in Microsoft products
Our solution: solution architecture
The patch & vulnerability management service will ease & automate the customer's patch process:
1. Monthly patch release by Microsoft (Patch Tuesday)
2. SIMATIC PCS 7 compatibility test
3. Release of patches on the Siemens Master WSUS: we will provide a central update server (WSUS) that provides metadata about patches that have been tested and approved for compatibility with SIMATIC PCS 7
4. Metadata information will be transferred to the customer fully automated
5. The customer gets a notification when new patches have been released
6. The customer downloads approved patches directly from Microsoft. Patch installation will be started on-site
(Figure: central Siemens Master WSUS; distribution of patch information to the Master WSUS at the customer plant via WSUS replication; download of Microsoft patches from the Microsoft Update Service; internal distribution of Microsoft patches)
Solution scope
Microsoft products:
• Windows 10, 7, Embedded, Server 2003 to 2012
• .NET
• Internet Explorer
• Office
• Office Excel Viewer, PowerPoint Viewer, Word Viewer
• SQL Server
For supported SIMATIC PCS 7 versions (V8.0 or newer)
For more details see the SIMATIC PCS 7 compatibility list.
Patch Management
Benefits
Solution designed by combining security know-how with SIMATIC PCS 7 expertise
Reduced probability of wrong implementation of patches and of the consequences that might impact plant availability
Timely release of patches after tests are finished (approx. 2 weeks after Microsoft patch day)
Fully automatic release of patch information (only metadata, no automatic installation, to avoid plant downtime)
Reduction of manual work on-site
Managing vulnerabilities and critical updates in Microsoft products
Security Vulnerability Information Management
Get transparency on increasing cyber threats
Page 53
Customer's challenge
• Every day new software vulnerabilities get reported
• Currently manufacturers and operators of automation technology with a multitude of different software components struggle to identify whether their manufactured or used automation products are affected
Today's solutions
• Manual checking of different web pages from providers of automation technology (e.g. on the Siemens web page https://www.siemens.com/cert/en/cert-security-advisories.htm)
• Customers need to compare the findings on these web pages against their lists of software components in their products or in the automation environment
Weak points of today's solution
• High manual effort and consequently neglecting already officially reported vulnerabilities
• Customers stay unaware of the real threat and consequently they do not trigger proactive measures (e.g. patching). In most cases action is taken only after an event (e.g. reinstallation of a system after a ransomware attack).
Goal
Provide relevant security information to enable manufacturers and operators of automation technology to proactively manage their cyber risks
Definition of which software components to monitor
Notifications in case of detected vulnerabilities and possible patches
Risk-based management of vulnerabilities
Security Vulnerability Information Management
Real-time oversight of vulnerabilities and patch status, realized as a MindSphere app
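The comparison the slides describe (advisory findings checked against the customer's list of software components, then ranked by risk) carried out in code, as an added example that is not Siemens code and not part of the service: advisory ids, product names, versions and the risk weighting are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One vendor advisory entry (constructed data, placeholder ids, not real advisories)."""
    advisory_id: str
    product: str
    fixed_in: str        # versions strictly below this one are affected
    cvss: float
    patch_available: bool

@dataclass(frozen=True)
class Component:
    """One software component in the plant inventory (constructed data)."""
    host: str
    product: str
    version: str
    exposure: str        # "exposed" = reachable from office network, "isolated" = cell-level only

def parse_version(text: str) -> tuple:
    """'8.10.0' -> (8, 10, 0) so versions compare numerically, not as strings ('8.10' > '8.2')."""
    return tuple(int(p) for p in text.split("."))

def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when product matches and its version predates the fix."""
    return (component.product == advisory.product
            and parse_version(component.version) < parse_version(advisory.fixed_in))

def risk_score(component: Component, advisory: Advisory) -> float:
    """Constructed weighting: CVSS, doubled for exposed hosts, +1 when a patch can be applied now."""
    score = advisory.cvss * (2.0 if component.exposure == "exposed" else 1.0)
    return score + (1.0 if advisory.patch_available else 0.0)

def notifications(inventory, advisories):
    """Return (host, product, advisory_id, score) tuples, highest risk first."""
    hits = [(c, a) for c in inventory for a in advisories if is_affected(c, a)]
    ranked = sorted(hits, key=lambda ca: risk_score(*ca), reverse=True)
    return [(c.host, c.product, a.advisory_id, risk_score(c, a)) for c, a in ranked]

ADVISORIES = [   # constructed sample feed
    Advisory("ADV-EXAMPLE-001", "HMI Runtime", "8.2.1", 9.8, True),
    Advisory("ADV-EXAMPLE-002", "OPC Server", "3.1.0", 6.5, False),
]
INVENTORY = [    # constructed sample component list
    Component("os-01", "HMI Runtime", "8.1.4", "exposed"),
    Component("os-02", "HMI Runtime", "8.10.0", "exposed"),   # newer than 8.2.1, not affected
    Component("es-01", "OPC Server", "3.0.7", "isolated"),
    Component("es-02", "Engineering Tool", "1.0.0", "isolated"),
]
```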
Anti Virus Management
Continuous virus protection for an up-to-date defense strategy
Page 55
Customer's challenge
• Anti-virus programs protect against disclosed viruses, worms and Trojans
• Regular and prompt updates of virus patterns for the anti-virus program and continuous monitoring of the malware protection solution are a vital element of a comprehensive security concept
• An obsolete virus pattern status enormously reduces the effectiveness of the anti-virus solution
Common approach
• No anti-virus solution installed at all, or
• Obsolete anti-virus solution, or
• Heterogeneous status of the installed anti-virus solution on different systems
Weak points of common approach
• Possibility of system infection due to obsolete virus pattern status
• Possibility of malware spread due to lack of monitoring of the anti-virus solution
• Labor-intensive process in case of changes, e.g. new systems
Goal
Support customers by continuously managing their McAfee anti-virus solution via the central management server ePO for an up-to-date defense strategy
Anti Virus Management
Continuous virus protection for an up-to-date defense strategy
Page 56
Our Solution
Anti Virus Management will ease and automate the customer's anti-virus management process:
1. Taking care of the installed McAfee anti-virus solution
a) Maintaining the logical groups
b) Maintaining the ruleset
c) Deployment of the current pattern files
d) Cyclic monitoring of the agent status
2. Adding or removing additional anti-virus clients
3. In case of an alarm, the alarm is transferred via e-mail to the customer contact
4. Monthly report delivery
Solution Architecture (diagram): Siemens manages the ePO (central management server) at the customer site via cRSP 1); the ePO manages the McAfee AV clients installed on the production systems; alarms reach the customer via e-mail, together with monthly reports.
1) cRSP = common Remote Service Platform
Industrial Security Monitoring
Management of a SIEM solution for the customer…
Page 57
(Diagram: Correct and protect - Implement Security and Manage Security; Detect - Industrial Security Monitoring Entry)
Industrial Security Monitoring
Transparency and fast reaction thanks to proactive security monitoring
Page 58
• Industrial Security Monitoring uses Security Information and Event Management (SIEM) technology from McAfee
• SIEM is a log-file based solution to monitor the security status and identify threats and security-relevant events
• Industrial Security Monitoring provides continuous monitoring and analysis of shop-floor security from a local or remote Cyber Security Operation Center
• Fast alarming and reaction in case of threat identification
• Monthly status reports
Industrial Security Monitoring
Architecture and Components
Page 59
(Diagram: the devices to be monitored send LOG data to the SIEM Collector, which turns it into EVENTs for the central components.)
SIEM Collector (Receiver): gathers events via different mechanisms, normalizes them and provides them to the central management console; distributed as well as central log collection
Centralized Log Management (optional): storage of all collected raw log data; central and tamper-proof archiving of log data; automatic and manual realization of "retention periods"
Centralized Security Management: central management of all gathered events; root-cause analysis; creation of events after filtering logs; creation of alarms and reports
Security Event Correlation: advanced analysis platform; analysis and correlation in real time; historical analysis
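The collector, filtering and correlation stages from the architecture above as an added example pipeline in Python (not part of the Siemens service or the McAfee product): constructed Windows logon and firewall log lines are normalized into a common event schema, lines without a security-relevant event are filtered out, and one correlation rule turns the remaining events into an alarm. The log format, the event-ID mapping to logon failure/success and the rule threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real plant data): Windows logon events plus one firewall line.
RAW_LOGS = [
    "2018-04-10T08:00:01 WINLOG host=os-01 event=4625 user=operator src=10.1.5.20",
    "2018-04-10T08:00:09 WINLOG host=os-01 event=4625 user=operator src=10.1.5.20",
    "2018-04-10T08:00:15 FW action=DENY src=10.1.5.20 dst=10.1.7.3 dport=445",
    "2018-04-10T08:00:20 WINLOG host=os-01 event=4625 user=operator src=10.1.5.20",
    "2018-04-10T08:00:31 WINLOG host=os-01 event=4624 user=operator src=10.1.5.20",
    "2018-04-10T08:01:00 WINLOG host=os-02 event=4672 user=SYSTEM src=-",
]
WIN_RE = re.compile(r"^(?P<ts>\S+) WINLOG host=(?P<host>\S+) event=(?P<id>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) FW action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")
LOGON_IDS = {"4625": "logon_failure", "4624": "logon_success"}  # Windows Security log event IDs

def normalize(line):
    """Collector step: map one raw line onto a common event dict, or None when the line
    carries no security-relevant event (this is the 'creation of events after filtering logs')."""
    m = WIN_RE.match(line)
    if m:
        kind = LOGON_IDS.get(m["id"])
        if kind is None:
            return None  # e.g. privilege assignment noise: filtered out, never becomes an event
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": kind, "host": m["host"], "src": m["src"], "user": m["user"]}
    m = FW_RE.match(line)
    if m and m["action"] == "DENY":
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "fw_deny", "host": m["dst"], "src": m["src"], "user": None}
    return None

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: alarm when at least `threshold` logon failures from one source
    against one host inside `window` are followed by a successful logon from that source."""
    failures = defaultdict(list)  # (src, host) -> timestamps of failures seen so far
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["kind"] == "logon_failure":
            failures[key].append(ev["ts"])
        elif ev["kind"] == "logon_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alarms.append({"rule": "failed_logons_then_success", "host": ev["host"], "src": ev["src"], "user": ev["user"], "failures": len(recent)})
    return alarms

def run(lines):
    """Whole pipeline: collect/normalize, drop filtered lines, correlate; returns the alarm list."""
    return correlate([e for e in map(normalize, lines) if e is not None])
```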
Industrial Security Monitoring
Delivery from local SIEM for continuous & proactive protection
(Diagram: a Security Information Collector at each site, for Discrete Manufacturing and Process Industries alike, forwards the collected data to central Security Correlation and Management, which raises the alarm.)
Remote Incident Handling
Fast reaction upon security relevant threats
Page 61
59% of companies admit that they suffered a security incident in the last 5 years 1)
Manufacturing and Process Industries estimated the highest loss in revenue, with 27,000 million euro due to consequences of security incidents in the last 5 years 1)
44% of them were unable to identify the source of the incident 2)
In a 2015 survey, 34% of Industrial Automation and Control Systems operators indicated that their systems were breached more than twice in the last 12 months 2)
1) Source © GMI Research, Cebr Analytics
2) Source © Booz Allen Hamilton 2015
Remote Incident Handling
Fast reaction to security relevant threats
Page 62
• Root-cause analysis performed by Siemens experts for industrial security
• Analysis of root cause and criticality
• Report including suggestions on how to clean the affected systems
Team of experts
• What shall I do with the system?
• What protects me in the future?
Remote Incident Handling
Fast reaction to security relevant threats
Page 63
• Done remotely
• Applicable for Windows OS (XP and newer)
• Core of the workflow is FERRET, a Siemens-own system for root-cause analysis of indicators of compromise in IT and OT environments by:
Download