Security Monitoring for Siemens Products

Konstantin Knorr, CT IC CERT konstantin.knorr@siemens.com

TF-CSIRT Meeting in Espoo, Finland

September 22nd, 2006

Slide version 0.8

K. Knorr, CT IC CERT, Copyright © Siemens AG 2006. All rights reserved.

Agenda

Motivation

Introduction

Siemens

Siemens CERT

Security Monitoring for Siemens Products

Information Flow

Affected Processes

Statistics

CERT Community Issues

Challenges

Page 2 Sep. 2006 K. Knorr, CT IC CERT © Siemens AG, Corporate Technology

Motivation: Major IT Trends & Vulnerabilities

Increasing use of 3rd party software

Increasing use of standard (routable) protocols like IP / TCP / UDP / Ethernet

Interconnection of formerly isolated networks

[Bar chart: vulnerabilities reported per year, 1995 to Q1-2 2006, y-axis 0 to 7,000. Source: http://www.cert.org/stats/]

Siemens is active in six business areas

- Information and Communications: Communications, Siemens Business Services
- Automation and Control: Automation and Drives, Industrial Solutions and Services, Siemens Building Technologies
- Power: Power Generation, Power Transmission and Distribution
- Transportation: Transportation Systems, Siemens VDO Automotive
- Health Care: Medical Solutions
- Lighting: OSRAM

[Pie chart: external sales of Operations Groups excluding Other Operations, with shares of 26% (€18.6 bn), 23% (€16.8 bn), 19% (€13.7 bn), 16% (€12.0 bn), 10% (€7.6 bn) and 6% (€4.2 bn)]

Source: Siemens Annual Report 2005, available from http://www.siemens.com

Siemens CERT Overview

CT IC CERT: Hacking Defense for the Company
- Know-how, Partners, Research, Trend Scouts

Secure Enterprise Applications
- Support of CIO and of Application Owners
- Security Assurance, Assessments, Policies
- Critical IT Applications: Web Applications, Core Applications, …

Hack-Proof Products
- Support of Product Owners
- Assessments, Hardening, Security Monitoring Service, Product Lifecycle Support
- All Siemens Products containing standard IT

Corporate CERT Services
- Governance on behalf of CIO
- Alerts, Policies, Information, Tools, Support, Incident Handling, Community

Working Areas of the Siemens CERT & the Siemens Security Organization

Corporate CERT Services

Secure Enterprise Applications

Additional Security Professionals

- CIO

- Corporate Technology

- Virus Competence Center

- Security Scanning Community

- …

Siemens

COM, MED, PTD, …

Hack-Proof Products

Additional Security Professionals

- Product Development

- Service

- Marketing / Sales

- …

Customers


Rationale: Centralized Security Monitoring for the Siemens Groups

- To get the latest security news for their products in time, e.g.
  - information on threats, attacks, vulnerabilities, exploits
  - information on available patches, countermeasures, …
- To avoid overload through an abundance of general security news by prefiltering for the products (→ Synergy)
- To provide efficient means for assessing incoming alerts:
  - determine urgency
  - agree on required actions
  - possibly: recommend customer communication to Service Departments

Security Monitoring: Information Flow

Stages: "SCAN" → "FILTER" → "EVALUATE" → "DELIVER" → "DEPLOY"

[Diagram: the Siemens CERT scans OEM suppliers, SW components and other public sources and filters them into Security Notifications; Security Specialists (SecSpec) and Security Responsible Persons (SRP) in the product groups and in Development / Test evaluate them into Security Recommendations and Patches / Updates; these are delivered to Customers (possibly via Service, subject to Export Control & Customs and Service Levels) and deployed, together with Customer Information.]

Legend: SecSpec = Security Specialists, SRP = Security Responsible Person

Affected Processes

- Product Development Process: Definition, Realization, Commercialization, Product Phase-out
- Product Pricing Process
- OEM (Original Equipment Manufacturer) Process
- Security Services Process

Statistics for CERT's Security Monitoring for Siemens Products (from Sep. 2006)

- Several hundred Siemens products are currently in the database.
- These products use over 1,000 different software components and protocols.
- Several hundred persons (SRPs, service, sales, product management) are regularly notified.
- Around 30,000 security notifications have been sent from Feb. 05 to Sep. 06.
- Vulnerabilities are stored in a database. Major "trouble makers" are standard operating systems, browsers, web servers, databases, but also programming languages / environments and specific protocols.
- 140 security-relevant RSS feeds are regularly analyzed.

Information Sources and Access Channels for Security Monitoring

The following categories of information sources are used:
- Siemens CERT resources and the international CERT network
- Homepages and security mailing lists of "component producers", e.g. Microsoft, Linux (SuSE, Debian, Red Hat), SUN, Oracle
- Commercial notification services
- Other publicly accessible security web pages like security-related magazines, newspapers, portals

These sources are accessed via:
- Mailing lists
- Web sites
- News groups
- Personal contact
- SMS notifications
- RSS feeds

Tooling: User Groups & Application Architecture

User groups: Siemens CERT, Partners' Security Offices, SRPs, System Test, Product Dev., Sales / Service

[Diagram: information sources (CERT network, manufacturers, …) feed the Application Logic behind a Web Server; the Application Logic is backed by a Database holding CERT table(s) and Partner1 table(s) and drives a Mail Server that sends customized SecTels to the user groups.]

Security Monitoring & CERT community issues

- CVE & CME number(s) included in security notifications (if available)
- Vulnerability exchange in EISPP / DAF (= Deutsches / German Advisory Format) with commercial partner (secunia.com); an internal RSS feed based on EISPP / DAF is running
- RSS feeds / XML used to systematically search for new security notifications
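As an added example (not from the deck and not Siemens CERT's own tooling), the SCAN and FILTER steps described above in Python: a constructed vendor RSS feed is parsed, CVE identifiers are extracted, and every item is matched against a constructed product-to-component table so that only the Security Responsible Persons (SRPs) of affected products receive a notification. The product names, component lists, mailboxes and CVE numbers in the feed are all placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real vendor feed); the CVE ids are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example vendor advisories</title>
<item><title>Apache HTTP Server mod_example overflow</title>
<description>Fixes CVE-2006-99901 in Apache 2.0.x.</description></item>
<item><title>OpenSSL signature verification flaw</title>
<description>CVE-2006-99902 affects OpenSSL 0.9.7 and 0.9.8.</description></item>
<item><title>Example Office Suite macro issue</title>
<description>No CVE assigned yet.</description></item>
</channel></rss>"""

# Constructed product database: product -> (software components used, SRP mailbox).
PRODUCTS = {
    "Example Control Station": (["Windows XP", "Apache", "OpenSSL"], "srp-control@example.invalid"),
    "Example Imaging Console": (["Linux", "Apache"], "srp-imaging@example.invalid"),
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_feed(xml_text):
    """SCAN: return (title, description, sorted CVE ids) for every RSS item."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        cves = sorted(set(CVE_RE.findall(title + " " + desc)))
        items.append((title, desc, cves))
    return items

def filter_for_products(items, products):
    """FILTER: keep items naming a component some product uses; route each to that product's SRP."""
    notifications = []
    for title, desc, cves in items:
        text = (title + " " + desc).lower()
        for product, (components, srp) in products.items():
            hit = [c for c in components if c.lower() in text]
            if hit:  # one notification per affected product, carrying the CVE ids if any
                notifications.append({"product": product, "srp": srp, "components": hit,
                                      "title": title, "cves": cves})
    return notifications

if __name__ == "__main__":
    for n in filter_for_products(parse_feed(SAMPLE_FEED), PRODUCTS):
        print(f"{n['srp']}: {n['product']} ({', '.join(n['components'])}) -> {n['title']} {n['cves']}")
```

The third feed item matches no product and is dropped, which is the prefiltering effect the rationale slide asks for.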


Challenges

- More sophisticated data model for software and system components desirable
  - CMSI (Common Model of System Information)
- Fast Patching (e.g. 24h roll-out time)
- Testing of security patches / updates is time-consuming
- Dependencies from OEMs (Original Equipment Manufacturers)
- Standard components and protocols → IT Security

Contact

Dr. Konstantin Knorr

Siemens, CT IC CERT

+49 89 636 52862 konstantin.knorr@siemens.com


Backup Slides


Common Vulnerability Scoring System (CVSS)

[Figure: CVSS overview. Source: http://www.first.org/cvss/cvss-guide.html]

References

CME = Common Malware Enumeration, http://cme.mitre.org/

CMSI = Common Model of System Information, http://www.cert-verbund.de/cmsi/en.html

CVE = Common Vulnerabilities and Exposures, http://cve.mitre.org/

CVSS = Common Vulnerability Scoring System, http://www.first.org/cvss/cvss-guide.html

DAF = Deutsches Advisory Format, http://www.cert-verbund.de/daf/index.html
