
Page 1

Industrial Network Security

Paul Nuss, Steve Pickhardt
PCC Octoberfest │ 10/24/2019
usa.siemens.com/industrial-networks

Unrestricted © Siemens 2019 All rights reserved.

Page 2

ICS CYBERSECURITY IS A MAJOR PRIORITY, BUT…

In 2018, Kaspersky Lab released the second annual report "The State of Industrial Cybersecurity 2018," based on a survey of 320 professionals worldwide with decision-making power over ICS cybersecurity.

Over three-quarters of the companies surveyed state that it is very likely, or at least quite likely, that they will become the target of a cybersecurity attack in the ICS space, yet only 23% are compliant with the minimal mandatory industry or government guidance and regulations on cybersecurity of industrial control systems.

Although more than half of the companies (51%) said they did not experience any incident or breach in the past 12 months, the question is whether they would even have recognized one: many companies do not detect or track attacks at all.

Moreover, since the companies surveyed have only just started their digital transformation, their attack surface will grow as they raise their level of digitalization.

Source: Tripwire, "Trends in Industrial Control Systems Cybersecurity," article of 2/27/19

Page 3

Siemens Industrial Security

A successful security strategy is multifaceted: People, Process, Technology

Page 4

Siemens Industrial Security

A successful security strategy includes strong partners. Such a partner:

• Understands security challenges and digitalization
• Has vertical industry know-how
• Understands industrial communication
• Has expertise with industrial security products and services
• Has processes and products that are proven and certified

In a fast-paced industry full of challenges and risk, it's important to have a reliable, qualified and proven partner for network security.

Page 5

[image slide, no text]

Page 6

Stay secure in the age of digitalization

Cyber crime is widespread and costs the global economy US$600 billion annually.¹ Cyber attacks are impacting companies of all sizes, in all markets.

¹ McAfee

Page 7

Siemens Industrial Security

Challenges: Industrial Control Systems Incident Response

In the ICS-CERT fiscal year 2014 (October 2013 through September 2014), ICS-CERT analyzed 245 incidents involving control systems in the USA.

Critical Manufacturing includes:
• Transportation equipment manufacturing, e.g. vehicles, aerospace, transit cars
• Machinery manufacturing, e.g. engines and turbines, power transmission equipment
• Electrical equipment, appliance and component manufacturing, e.g. electric motors
• Primary metals manufacturing, e.g. iron and steel mills, aluminum, nonferrous metals

Page 8

Siemens Industrial Security

Challenges: Industrial Control Systems Incident Response (continued)

The same 245 ICS-CERT incidents of fiscal year 2014, by type. The scope of incidents included:
• "Unauthorized access and exploitation of Internet-facing ICS / SCADA devices"
• "Malware infections"
• "Network scanning and probing"
• "Lateral movement between network zones"
• "Targeted spear-phishing"
• "Strategic website compromises"

Page 9

Siemens Industrial Security

Challenges: Real-World Cyberattacks

Norsk Hydro, a leading supplier of aluminum products in North American and European markets, was hit by a ransomware attack in 2019 and was forced to shut down several automated production lines. According to the report, "the impact was widespread as several plants in the US and Europe were stopped due to a lack of ability to connect to production systems and customs data."¹

In recent years, global leaders Merck (pharmaceuticals) and Mondelez (producer of Oreo, Ritz and other food brands) experienced cyberattacks; both were hit by NotPetya in 2017. Merck lost nearly $700M and Mondelez over $100M in damages, and both then encountered claim denials from their insurers.²

Critical infrastructure continues to be a target for hackers. A long-running campaign recently put hackers "inside the control rooms of U.S. electric utilities where they could have caused blackouts."³ The strategic importance of critical infrastructure to national security and a functioning society can lead to an increase in the frequency and intensity of cyberattacks on those facilities.

These are just a few of the attacks that have been reported. There are many other examples, some never reported, as companies often try to handle them discreetly.

Sources:
¹ www.bloomberg.com, "Nordic Metals Giant Restarts Some Systems After Ransomware Attack," March 2019
² www.nytimes.com, "Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong," April 2019
³ www.wsj.com, "Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say," July 2018

Page 10

Siemens Industrial Security

Challenges

"The Internet of Things would be inconceivable without Cybersecurity."*

Information technologies (IT) are used in industrial automation and have become operational technologies (OT):
• Horizontal and vertical integration
• Open standards
• PC-based systems

Increased security threats demand action to avoid:
• Loss of intellectual property
• Plant standstill, e.g. due to viruses or malware
• Sabotage in the production plant
• Manipulation of data or application software
• Unauthorized use of system functions

Compliance with standards and regulations is required.

* https://new.siemens.com/global/en/company/innovation/pictures-of-the-future/cybersecurity.html

Page 11

Siemens Industrial Security

Challenges

Page 12

[Diagram: industry sectors addressed: Discrete Manufacturing, Process Manufacturing, Oil & Gas, Electric Utilities, Transportation]

Page 13

Discrete Manufacturing

Page 14

Siemens Industrial Security

Asset Protection

Assets requiring protection:
• Equipment, machines, materials, e.g. robots, AGVs
• Software, applications, production and process data
• Employee and/or customer personal data
• Process documentation, programs, know-how
• Future plans, trade secrets, intellectual property (IP)
• Personal safety

[Diagram: physical access protection surrounding company data (employees, processes, trade secrets, IP, software), equipment (machines, materials, robots, AGVs) and production applications, process documentation and know-how]

Page 15

The Industrial Security Concept from Siemens

Defense in Depth

Page 16

Siemens Industrial Security

Risk Management Methodology

Evaluation of current security status
• Analysis of threats and vulnerabilities to identify, evaluate and classify risks
• Detailed audit provided with security assessment results against specific standards

Risk mitigation through implementation of security measures
• Design and implement technical security measures
• Develop and deploy security-relevant processes
• Enhance security awareness

Comprehensive security through monitoring and proactive protection
• Close security gaps with continuous updates and backups
• Early adaptation to changing threat scenarios

Page 17

The Industrial Security Concept from Siemens

Defense in Depth

Page 18

Siemens Industrial Security

Network Security

"All the benefits of data-driven decisions without the vulnerability of exposing your network"

Industrial Networking Security Services:
• Industrial Networking Certification Training*
• Secure IT / OT Collaboration
• Secure OT & Automation Networking
• Secure Remote Access
• Asset Discovery & Management
• Secure Access Management System

* Coming soon; custom training available now

Page 19

Siemens Industrial Security

Network Security

Siemens industrial network security protects against vulnerabilities with proven solutions:
✓ Network security expertise
✓ Best-in-class security products and services
✓ Proven implementation and success

[Diagram: plant network layers from top to bottom: Enterprise IT, Layer 3 IT / OT, Layer 2/3 OT, Layer 2 OT, Field Devices; the security services are mapped onto these layers: Secure Remote Access, Secure Plant / Physical, Secure IT / OT Collaboration, Asset Discovery & Management, Secure OT & Automation Network, Secure Access Management]

Page 20

Siemens Industrial Security

Network Security: Use Case

The project at a glance:
➢ One of the world's largest manufacturers and marketers of spirits, wine and beer
➢ Implemented a comprehensive Siemens network, including network security measures, with the assistance of Siemens networking Professional Services
➢ The newly expanded secure network connects 4,000 production-related devices, including 1,500 SINAMICS G120 drives, SIMATIC S7-200, S7-300 and S7-400 PLCs, ET 200SP remote I/O, WinCC servers and HMIs
➢ Implemented a secure wireless network to support the operation of 126 laser-guided vehicles, which communicate with the manufacturing execution system (MES)
➢ More than 200 switches
➢ Expanded plant capacity by 250% in 3 years
➢ After the network expansion, the Nava brewery has become the world's largest of its kind, with an annual production capacity of nearly 27.5 million hectoliters

Page 21

Siemens Industrial Security

Network Security: Use Case

Network security measures implemented:
• Partnered with Siemens Professional Services for network security and design
• Segmented the automation network with VLANs and firewalls: SCALANCE XC switches and SCALANCE S security modules
• Used a ring with High-Speed Redundancy Protocol (HRP) to ensure network availability
• Implemented secure communication between the operations network and the manufacturing execution system (MES)
• Implemented firewall and VPN with SCALANCE S for secure remote access
• Used SINEMA Server software for network management, providing full visibility of the plant's network, topology, monitoring and diagnostics; it is integrated into the plant's WinCC HMI/SCADA system, can issue warnings and error messages via the OPC interface, and keeps event logs for performance audits

Industrial Networking Security Services covered: Secure IT / OT Collaboration, Secure OT & Automation Networking, Secure Remote Access, Asset Discovery & Management

Page 22

Network Security Implementation

Industrial Networking Security Services

[Diagram: plant network layers (Enterprise IT, Layer 3 IT / OT, Layer 2/3 OT, Layer 2 OT, Field Devices) with the security services Secure Remote Access, Secure Plant / Physical, Secure IT / OT Collaboration, Asset Discovery & Management, Secure OT & Automation Network and Secure Access Management, as on Page 19]

Page 23

Network Security Implementation

Industrial Networking Security Services

A vulnerability assessment is the first step to security. Siemens certified security experts:
✓ Conduct a network vulnerability scan with security software
✓ Perform an evaluation, with interviews, based on security standards
✓ Provide a detailed audit report with a prioritized implementation plan based on established security standards

[Diagram: plant network layers and security services, as on Page 19]

Page 24

Network Security Implementation

Industrial Networking Security Services

Offering and deliverables:

On-Site Services & Support
• Industrial network auditing: a documented audit report including existing network architectures, inventory of devices, benchmark test results and recommended steps

Network Security Assessments
• Discovery and analysis based on security standards
• Vulnerability scan, assessments and reports
• Implementation plans
• Design, development and delivery of security solutions

Design & Consulting
• Network design services
• Site survey
• RF planning

Integration & Deployment
• Pre-configuration and testing services
• Implementation services

Training Services
• Certified Professional for Industrial Networks
• Certified Expert for Industrial Networks
• Customized trainings

Page 25

Network Security Implementation

Industrial Networking Security Services


Page 26

Network Security Implementation

Industrial Networking Security Services

Examples of Siemens Industrial Network Security Assessments

Customer: U.S. electric utility company
Assessment period: two months
Methodology: The security assessment included interviews with engineers, technicians, IT and management. Physical access security was evaluated. The network was assessed using packet captures, logs, configuration files and network scanning tools. Systems evaluated included workstations, servers, switches, routers, firewalls, encryption and cellular devices.
Deliverable: The assessment report (less than 100 pages) provided a comprehensive analysis of the current security posture and a prioritized list of recommendations.

Customer: U.S. industrial manufacturing facility
Assessment period: one week
Methodology: A security assessment of network documentation, passwords, architecture, switches, routers, firewalls, encryption, computers, servers and other devices was completed. Data communication was verified with traffic analysis, and network health information from all devices was evaluated.
Deliverable: The roughly 50-page assessment report provided network health results, traffic load of the network, a network validation checklist, data communication results and recommendations on future enhancements to further secure the network and eliminate potential vulnerabilities.

Page 28

Network Security

Industrial Networking Security Certification Training

[Diagram: plant network layers and security services, as on Page 19]

* Coming soon; custom training available now

Page 29

Network Security

Industrial Networking Security Certification Training

Elevate your security knowledge and implement your security strategy
✓ Learn about common security threats and how to prevent them
✓ Gain experience implementing security measures
✓ Hands-on exercises scanning networks for vulnerabilities

[Diagram: plant network layers and security services, as on Page 19]

* Coming soon; custom training available now

Page 30

Siemens Industrial Security

Network Security

Industrial Networking Certification Training*

• Strengthen security knowledge to implement a security strategy
• Learn about proven security concepts, tools and implementation: encryption, firewalls, Next Generation Firewalls (NGFW)
• Gain hands-on experience:
➢ Creating firewalls
➢ Scanning non-secure and secure networks
➢ Enabling secure protocols and disabling non-secure protocols
➢ Implementing secure availability with VRRP
➢ Setting up and testing NAPT
➢ Segmenting a network with VLANs and firewalls
➢ Creating a protected WLAN
➢ Enabling password protection and access control
➢ and more

* Coming soon; custom training available now
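The assessment methodology on Page 26 (network scanning tools, configuration review) and the hands-on training topics above (scanning networks, enabling secure protocols and disabling non-secure ones) come down to the same check: look at what is actually listening on the devices in a cell and compare it with a protocol policy. The following Python script is an added example and is not Siemens code or part of the original slides. It parses a constructed nmap grepable (-oG) scan of three hypothetical cell devices (hostnames, addresses and open ports are assumptions) and flags the cleartext management protocols the page says to disable, noting where the secure counterpart is already enabled on the same host so that the legacy service can simply be switched off.

```python
"""Audit discovered services against a secure-protocol policy (added example, not Siemens code).

SCAN_OUTPUT is a constructed nmap grepable (-oG) sample for three hypothetical
cell devices; hostnames, addresses and open ports are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated (constructed sample, not a real plant)
Host: 192.168.1.10 (plc-cell1)\tPorts: 102/open/tcp//iso-tsap///, 80/open/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (997)
Host: 192.168.1.2 (sw-cell1)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///, 161/open/udp//snmp///
Host: 192.168.1.20 (hmi-cell1)\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""

# (proto, port) -> (issue, remediation): the non-secure management protocols to disable.
INSECURE_SERVICES: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("tcp", 23):  ("Telnet management, credentials in cleartext", "disable Telnet; use SSH"),
    ("tcp", 21):  ("FTP, credentials in cleartext", "disable FTP; use SFTP or SCP"),
    ("tcp", 80):  ("HTTP management, session in cleartext", "disable HTTP; use HTTPS only"),
    ("udp", 69):  ("TFTP, unauthenticated config/firmware transfer", "disable TFTP"),
    ("udp", 161): ("SNMP reachable; v1/v2c send community strings in cleartext", "use SNMPv3 authPriv or disable"),
}
# If the secure counterpart already listens on the same host, the legacy service is redundant.
SECURE_COUNTERPART = {("tcp", 23): ("tcp", 22), ("tcp", 21): ("tcp", 22), ("tcp", 80): ("tcp", 443)}


@dataclass
class HostResult:
    ip: str
    name: str
    ports: List[Tuple[str, int, str]]   # (proto, port, service name as reported)


@dataclass
class Finding:
    host: str
    proto: str
    port: int
    issue: str
    fix: str


# One -oG port entry reads port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text: str) -> List[HostResult]:
    """Parse nmap -oG output into per-host lists of open ports."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        name_match = re.search(r"\(([^)]*)\)", fields[0])
        name = name_match.group(1) if name_match else ""
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        ports = [(proto, int(port), svc) for port, proto, svc in PORT_RE.findall(ports_field)]
        hosts.append(HostResult(ip, name, ports))
    return hosts


def audit(hosts: List[HostResult]) -> List[Finding]:
    """Compare each host's open ports with the policy; return one finding per hit."""
    findings = []
    for h in hosts:
        open_set = {(proto, port) for proto, port, _ in h.ports}
        for proto, port, _svc in sorted(h.ports, key=lambda p: (p[0], p[1])):
            key = (proto, port)
            if key not in INSECURE_SERVICES:
                continue
            issue, fix = INSECURE_SERVICES[key]
            if SECURE_COUNTERPART.get(key) in open_set:
                fix += " (secure alternative already enabled on this host)"
            findings.append(Finding(h.ip, proto, port, issue, fix))
    return findings


if __name__ == "__main__":
    for f in audit(parse_grepable(SCAN_OUTPUT)):
        print(f"{f.host}:{f.port}/{f.proto}  {f.issue}  ->  {f.fix}")
```

On the constructed sample the PLC is flagged for HTTP and SNMP, the switch for Telnet (with SSH already available) and SNMP, and the HMI produces no finding under this policy, which is the point of keeping the policy table explicit: RDP and SMB on an HMI are a separate question of which conduits the cell firewall allows, not of cleartext management protocols. Feed it a real `nmap -sU -sT -oG` capture of a cell and extend the table to the plant's own rules.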

Page 31

Network Security

Secure OT & Automation Network

[Diagram: plant network layers and security services, as on Page 19]

Page 32

Network Security

Secure OT & Automation Network

Protect the data that keeps your operation productive

✓ Siemens is a global leader in automation and industrial networking

✓ Secure your most valuable assets with proven experts and solutions

✓ Utilize proven security solutions focused on safety and uptime

✓ Prevent threats like network intrusion and manipulation

[Diagram: plant network layers and security services, as on Page 19]

Page 33

Network Security

Secure OT & Automation Network: Cell Segmentation

Protect the data that keeps your operation productive
✓ Risk mitigation by dividing an OT or automation network into separately protected segments, or cells
✓ Allow only the connections and data needed to reach each segment, using VLANs
✓ Implement secure protocols, availability and access control

[Diagram: plant network layers and security services, as on Page 19]

Page 34

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram: plant network layers and security services as on Page 19; a SCALANCE SC646-2C security appliance is shown at the cell boundary]

Protect the data that keeps your operation productive
✓ Allow only data required for the operation to access specific network segments, using VLANs, firewall, VPN and IPsec
✓ Protection with availability by using HRP / MRP and VRRPv3
✓ Secure protocols and NAT / NAPT
✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Page 35

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram as on Page 34, with the SC646-2C at the cell boundary; the four bullet points are the same as on Page 34]

Page 36

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram: plant network layers and security services as on Page 19, with Cell 1 highlighted]

Protect the data that keeps your operation productive
✓ Cell 1 is segmented (VLAN) so only essential traffic will have access
✓ Availability is achieved with HRP / MRP
✓ Secure protocols and NAT are implemented for additional security

Page 37

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram as on Page 36, now showing a SCALANCE XC206-2SFP G managed switch inside Cell 1; the three bullet points are the same as on Page 36]

Page 38

Network Security

Secure OT & Automation Network: Cell Segmentation

Protect the data that keeps your operation productive
✓ The Cell 1 VLAN segment has additional protection with a firewall, VPN and IPsec
✓ Communication across the network for transparency is protected
✓ Availability protection with redundant VRRPv3 and HRP / MRP
✓ Access control lists (e.g. MAC, password or RADIUS) and logging

[Diagram: plant network layers and security services as on Page 19, showing the SCALANCE XC206-2SFP G switch inside Cell 1 and the SCALANCE SC646-2C at the cell boundary]

Page 39

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram as on Page 38, now also showing a CP 1543-1 communications processor on the PLC alongside the XC206-2SFP G and SC646-2C; the four bullet points are the same as on Page 38]

Page 40

Network Security

Secure OT & Automation Network: Cell Segmentation

[Diagram: plant network layers and security services as on Page 19, showing the CP 1543-1 and the XC206-2SFP G in Cell 1]

Protect the data that keeps your operation productive
✓ Allow only data required for the operation to access specific network segments, using VLANs, firewall and VPN
✓ Protection with availability by using HRP / MRP
✓ Secure protocols and access control

Page 40: CI Industrial Security - pccweb.com · Industrial Networking Certification Training* Secure IT / OT Collaboration Secure OT & Automation Networking ... topology, monitoring and diagnostics

Network Security

Secure OT & Automation Network

(Diagram: layered plant network with the solution areas, including Secure Access Management)

Protect the data that keeps your operation productive

✓ Siemens is a global leader in automation and industrial networking

✓ Secure your most valuable assets with proven experts and solutions

✓ Utilize proven security solutions focused on safety and uptime

✓ Prevent threats like network intrusion and manipulation

Network Security

Secure OT & Automation Network: Cell Segmentation

(Diagram: layered plant network; product shown: SC646-2C)

Protect the data that keeps your operation productive

✓ Allow only data required for the operation to access specific network segments with VLAN, Firewall, VPN, IPsec

✓ Protection with availability by using HRP / MRP, VRRPv3

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure OT & Automation Network: Cell Segmentation

(Diagram: layered plant network; product shown: XP208)

Protect the data that keeps your operation productive

✓ Cell 2 allows only data required for the operation to access specific segments of the network with VLAN

✓ Protection with availability by using HRP / MRP

✓ Secure protocols SSH / SSL, HTTPS

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure OT & Automation Network: Cell Segmentation

(Diagram: layered plant network; products shown: XP208, SC646-2C)

Protect the data that keeps your operation productive

✓ The Cell 2 VLAN segment has additional protection with a firewall, VPN, IPsec

✓ Communication across the network for transparency is protected

✓ Availability protection with redundant VRRPv3, HRP / MRP

✓ Access control lists (e.g. MAC, password or RADIUS) and logging



Network Security

Secure OT & Automation Network: Cell Segmentation

(Diagram: layered plant network with the solution areas)

Protect the data that keeps your operation productive

✓ Cell 3 is utilizing wireless technology

✓ The network is kept secure with a MAC based access control list

✓ Cipher encryption (AES) is implemented for additional security

✓ Access protection according to IEEE 802.11i & RADIUS (WPA2-PSK)

Network Security

Secure OT & Automation Network: Cell Segmentation

(Diagram: layered plant network; product shown: SC646-2C)

Protect the data that keeps your operation productive

✓ The Cell 3 VLAN segment has additional protection with a firewall, VPN, IPsec

✓ Protection with availability by using HRP / MRP, VRRPv3

✓ Secure protocols and NAT / NAPT
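The cell segmentation on these slides, as an added example that is not Siemens code: VLAN cells, a default-deny conduit list on the cell firewall, a MAC access control list on the wireless Cell 3, and a log line per decision. The subnets, VLAN ids, MAC addresses, ports and permitted conduits are constructed assumptions.

```python
"""Cell segmentation policy model: VLAN cells, a default-deny conduit list
on the cell firewall, a MAC access control list on the wireless cell, and a
log line for every decision. Added example, not Siemens code; all subnets,
VLAN ids, MAC addresses, ports and conduits below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Cells as VLAN segments: name -> (VLAN id, subnet). Constructed values.
CELLS = {
    "cell1": (10, ip_network("10.1.1.0/24")),
    "cell2": (20, ip_network("10.1.2.0/24")),
    "cell3-wlan": (30, ip_network("10.1.3.0/24")),
    "enterprise": (100, ip_network("10.100.0.0/16")),
}

# Conduits the cell firewall permits: (src cell, dst cell, proto, dport).
# Everything not listed is dropped (default deny). Port meanings assumed:
# TCP/102 is S7 communication, TCP/443 is HTTPS.
CONDUITS = {
    ("cell1", "cell2", "tcp", 102),       # HMI in Cell 1 polls the PLC in Cell 2
    ("cell3-wlan", "cell2", "tcp", 102),  # wireless panel polls the same PLC
    ("enterprise", "cell1", "tcp", 443),  # IT may reach the HMI web server only
}

# MAC-based access control list enforced on the wireless cell (Cell 3).
WLAN_MAC_ACL = {"00:1b:1b:11:22:33", "00:1b:1b:44:55:66"}


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src: str
    dst: str
    proto: str
    dport: int


def cell_of(addr: str) -> Optional[str]:
    """Map an IP address to its cell by subnet, or None if unknown."""
    ip = ip_address(addr)
    for name, (_, net) in CELLS.items():
        if ip in net:
            return name
    return None


def decide(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one flow."""
    src_cell, dst_cell = cell_of(flow.src), cell_of(flow.dst)
    if src_cell is None or dst_cell is None:
        return False, "unknown segment"
    # Port security on the wireless cell: frames from MACs outside the ACL
    # are dropped at the access point and never reach the firewall.
    if src_cell == "cell3-wlan" and flow.src_mac.lower() not in WLAN_MAC_ACL:
        return False, "MAC not in wireless ACL"
    # Traffic that stays inside one VLAN is switched locally; only traffic
    # that crosses a cell boundary needs a conduit through the firewall.
    if src_cell == dst_cell:
        return True, f"intra-cell (VLAN {CELLS[src_cell][0]})"
    if (src_cell, dst_cell, flow.proto, flow.dport) in CONDUITS:
        return True, f"conduit {src_cell}->{dst_cell} {flow.proto}/{flow.dport}"
    return False, f"no conduit {src_cell}->{dst_cell} {flow.proto}/{flow.dport}"


def process(flows: List[Flow]) -> List[str]:
    """Evaluate each flow and return one log line per decision."""
    log = []
    for f in flows:
        ok, why = decide(f)
        verdict = "ALLOW" if ok else "DENY "
        log.append(f"{verdict} {f.src}->{f.dst} {f.proto}/{f.dport}: {why}")
    return log


# Constructed sample flows exercising each rule.
SAMPLE_FLOWS = [
    Flow("00:1b:1b:aa:aa:01", "10.1.1.10", "10.1.2.20", "tcp", 102),   # HMI -> PLC
    Flow("00:1b:1b:aa:aa:01", "10.1.1.10", "10.1.1.11", "tcp", 502),   # inside Cell 1
    Flow("00:1b:1b:bb:bb:01", "10.100.0.5", "10.1.2.20", "tcp", 102),  # IT -> PLC
    Flow("00:1b:1b:bb:bb:01", "10.100.0.5", "10.1.1.10", "tcp", 443),  # IT -> HMI web
    Flow("00:1b:1b:11:22:33", "10.1.3.7", "10.1.2.20", "tcp", 102),    # listed WLAN MAC
    Flow("de:ad:be:ef:00:01", "10.1.3.8", "10.1.2.20", "tcp", 102),    # unlisted WLAN MAC
]

if __name__ == "__main__":
    print("\n".join(process(SAMPLE_FLOWS)))
```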


Network Security

Secure OT & Automation Network: Within the Automation Cell

Protection against:

➢ Theft of intellectual property

➢ Unauthorized modification

➢ Unauthorized access

➢ Manipulation

➢ Malware

➢ …

Bind to serial number of the CPU


Network Security

Secure OT & Automation Network

Cell Segmentation: VLAN, Firewall

Cell Protection: Firewall, VPN, IPsec, access control, secure protocols, NAPT

Availability: HRP / MRP rings, OSPF, RSTP, redundant firewall

(Diagram: solution overview listing Industrial Networking Security Services, Industrial Networking Certification Training*, Secure IT / OT Collaboration, Secure OT & Automation Networking, Secure Remote Access, Asset Discovery & Management, Secure Access Management System)

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network with the solution areas, including Secure Access Management)

Protect the data that keeps your operation productive

✓ Create a layer of security to protect your IT and OT networks from external and internal threats

✓ Benefit from integrated operational and enterprise data to make the best decisions while knowing your data is secure and only transparent to you

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network; products shown: XR524-8C, APE 1808 NGFW w/ IPS, RX1500)

Protect the data that keeps your operation productive

✓ Allow only data required for the operation to access the OT network with NGFW, Intrusion Prevention System (IPS)

✓ Protection with availability by using HRP / MRP, VRRPv3, OSPF

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network; products shown: RX1500, APE w/ IDS)

Protect the data that keeps your operation productive

✓ Allow only data required for the operation to access the OT network with Firewall, Intrusion Detection System (IDS)

✓ Protection with availability by using HRP / MRP, VRRPv3, OSPF

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network; products shown: SC646-2C, XR524-8C)

Protect the data that keeps your operation productive

✓ Allow only data required for the operation to access the OT network with Firewall, VPN, IPsec

✓ Protection with availability by using HRP / MRP, VRRPv3, OSPF

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network; products shown: XM416-4C, SC646-2C)

Protect the data that keeps your operation productive

✓ Allow only data required for the operation to access the OT network with Firewall, VPN, IPsec

✓ Protection with availability by using HRP / MRP, VRRPv3

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network; products shown: RX1400 w/ IDS, SC646-2C)

Network Security

Secure IT / OT Collaboration

(Diagram: layered plant network with IDS and a DMZ; products shown: SC646-2C, APE 1808 NGFW w/ IPS)

Network Security

Secure IT / OT Collaboration

(Diagram: IDS and APE 1808 NGFW w/ IPS placement)

Coming soon!

Examples of Secure-NOK detectable anomalies

✓ Abnormal traffic patterns and volume

✓ New IP connections and removable media insertions

✓ Detection of changes in PLC memory blocks

✓ And plug-and-play installation with RUGGEDCOM APE

Secure-NOK Intrusion Detection System (IDS)

➢ Continuously monitors network traffic and endpoints

➢ Non-intrusive, anomaly based detection software

➢ Establishes a baseline of normal network behavior

➢ Detects anomalies in ICS and OT networks before damage is done, or limits the spread

➢ Provides early and actionable alerts

Available now

Network Security

Secure IT / OT Collaboration

Solution Description

Intrusion Detection System (IDS)

• Statistical & behavioral algorithms

• Non-intrusive, non-signature based

Deep Packet Inspection (DPI)

• Deep packet inspection for protocol specific commands (e.g. S7, 61850, Modbus, …)

Intrusion Prevention System (IPS)

• Monitors traffic

• Drops malicious packets

• Blocks traffic from the source address

• Resets connection

Next Generation Firewall (NGFW)

• Application level detection & protection (e.g. Malware Monitoring)

• Integrated IDS/DPI functionalities

• Scalable management for multiple security services and zones

OSI Reference Model

7 Application • Access to application (e.g. web browser)

6 Presentation • Type of data; HTTPS – encryption services

5 Session • Starts, ends and isolates sessions

4 Transport • Defines ports and reliability

3 Network • Logical or IP addressing, path determination

2 Data Link • Switches, MAC accessing

1 Physical • Cable, Network interface cards

Network Security

Secure Remote Access

(Diagram: layered plant network with the solution areas, including Secure Access Management)

Save time with remote connectivity by securely assessing and troubleshooting your operation from a distance

✓ Utilize secure connectivity to enable transparency without sacrificing productivity or security

✓ Cellular data plans and SIM cards available directly from Siemens

✓ IPSec, VPN encryption for secure remote access

Network Security

Secure Remote Access

(Diagram: remote access build-up over the layered plant network; products shown: Scalance M876-4, SC646-2C, RX1400, CP 1543-1, with SINEMA Remote Connect)

Network Security

Secure Remote Access

(Diagram: solution overview; labels: "or", Scalance M876-4, SINEMA Remote Connect)

Remote Access Management

SINEMA Remote Connect

Dedicated Device Access (DDA)

RUGGEDCOM CROSSBOW also is an option for secure remote access

Network Security

Asset Discovery & Management

(Diagram: layered plant network with the solution areas, including Secure Access Management)

Scan your network to identify assets and be alerted of any device additions, topology changes or failed logons

✓ Authenticate users and manage access

✓ Create an inventory list and deploy mass firmware installations to keep your devices equipped with the most up-to-date security defenses

✓ Prevent rogue access by monitoring your network
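The baseline-and-deviation logic of the Secure-NOK IDS slide (new IP connections, abnormal traffic volume) and of this asset discovery slide (device additions), in one added example over constructed flow records; it is not Secure-NOK or SINEC NMS code, and the record format, the sample addresses and the volume threshold are assumptions.

```python
"""Baseline-then-alert detection of the kind the slides describe: learn the
normal devices, IP connections and traffic volume from a clean window, then
alert on device additions, new connections and abnormal volume. Added
example with constructed flow records; not Secure-NOK or SINEC NMS code,
and the record format and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[int, str, str, str, int, int]  # ts, src_mac, src_ip, dst_ip, dport, bytes

# Constructed records: "seconds,src_mac,src_ip,dst_ip,dport,bytes".
# Two known devices poll one PLC at a steady rate.
BASELINE_WINDOW = """\
0,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,1800
60,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,1750
120,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,1900
180,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,1820
0,00:1b:1b:cc:cc:01,10.1.1.50,10.1.2.20,102,900
60,00:1b:1b:cc:cc:01,10.1.1.50,10.1.2.20,102,950
120,00:1b:1b:cc:cc:01,10.1.1.50,10.1.2.20,102,880
180,00:1b:1b:cc:cc:01,10.1.1.50,10.1.2.20,102,910
"""

# Later window: a volume spike, a connection to a new PLC, a new device.
DETECTION_WINDOW = """\
240,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,1790
240,00:1b:1b:cc:cc:01,10.1.1.50,10.1.2.20,102,920
300,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.20,102,26000
300,00:1b:1b:aa:aa:01,10.1.1.10,10.1.2.21,102,600
360,de:ad:be:ef:00:01,10.1.1.99,10.1.2.20,102,400
"""


def parse(window: str) -> List[Record]:
    """Parse the constructed CSV records into tuples."""
    recs = []
    for line in window.splitlines():
        ts, mac, src, dst, dport, nbytes = line.split(",")
        recs.append((int(ts), mac, src, dst, int(dport), int(nbytes)))
    return recs


class Baseline:
    """What 'normal' looks like: the asset inventory, the set of IP
    connections, and a per-connection byte limit."""

    def __init__(self, records: List[Record]):
        self.devices: Dict[str, str] = {}   # MAC -> IP, the inventory list
        self.conns = set()                   # (src, dst, dport) seen as normal
        volumes = defaultdict(list)
        for _, mac, src, dst, dport, nbytes in records:
            self.devices[mac] = src
            self.conns.add((src, dst, dport))
            volumes[(src, dst, dport)].append(nbytes)
        # Limit = the larger of mean + 3 sigma and twice the observed maximum,
        # so small jitter in a short baseline does not trigger alerts.
        self.limit = {k: max(mean(v) + 3 * pstdev(v), 2 * max(v))
                      for k, v in volumes.items()}


def detect(base: Baseline, records: List[Record]) -> List[Tuple[int, str, str]]:
    """Return (ts, alert type, detail) for every deviation from the baseline."""
    alerts = []
    reported = set()  # report each new device once
    for ts, mac, src, dst, dport, nbytes in records:
        key = (src, dst, dport)
        if mac not in base.devices and mac not in reported:
            reported.add(mac)
            alerts.append((ts, "NEW_DEVICE", f"{mac} at {src}"))
        if key not in base.conns:
            alerts.append((ts, "NEW_CONNECTION", f"{src}->{dst}:{dport}"))
        elif nbytes > base.limit[key]:
            alerts.append((ts, "VOLUME",
                           f"{src}->{dst}:{dport} {nbytes} B > {base.limit[key]:.0f} B"))
    return alerts


if __name__ == "__main__":
    base = Baseline(parse(BASELINE_WINDOW))
    for ts, kind, detail in detect(base, parse(DETECTION_WINDOW)):
        print(f"t={ts:>4}s {kind:<15} {detail}")
```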

Network Security

Asset Discovery & Management

(Diagram: solution overview; product shown: SINEC NMS)

Centrally monitor, manage, and configure networks with 50 to 12,500 devices around the clock with SINEC NMS

RUGGEDCOM CROSSBOW also is an option for secure access management and station access control compliant with many standards

Network Security

Secure Access Management System

(Diagram: layered plant network with the solution areas, including Secure Access Management)

Secure Access Management Systems offer remote access and the next level of cybersecurity

✓ Integration with Active Directory, RSA SecurID and other enterprise authentication solutions compliant with many security standards

✓ Individual user accounts with highly configurable permissions

✓ Ability to block commands on a per device type/per user basis

Page 106Unrestricted © Siemens 2019 All rights reserved. Paul Nuss

Network Security

Secure Access Management System

[Portfolio overview: Industrial Networking Security Services; Industrial Networking Certification Training*; Secure IT / OT Collaboration; Secure OT & Automation Networking; Secure Remote Access; Asset Discovery & Management; Secure Access Management System]

SINEC NMS is also an option to centrally monitor, manage and configure networks of 50 to 12,500 devices

RUGGEDCOM CROSSBOW

RUGGEDCOM CROSSBOW is a unique cybersecurity system associated with:

◾ Secure Remote Access
◾ Asset condition monitoring
◾ Event response and investigation
◾ Maintenance (including vendors)
◾ Control, protection and telecommunications engineering

Benefits

◾ Meets standards for cybersecurity
◾ Strong (2-factor) authentication
◾ Individual user accounts and privileges
◾ Audit log of activity
◾ WAN or dial-up access to remote devices

Security

◾ Integration with Active Directory, RSA SecurID and other enterprise authentication solutions
◾ Individual user accounts with highly configurable permissions
◾ Audit log/reports of all activity
◾ Ability to block commands on a per device type/per user basis
◾ Role-based user access control
◾ Local access control through either Station Access Controller or the Secure Access Manager Local (SAM-L)
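The two slides above list the policy features of a secure access management system (a second factor, individual accounts, role-based permissions, command blocks per device type and per user, and an audit log) without showing how they fit together at the decision point. The following is an added example, not Siemens or RUGGEDCOM CROSSBOW code, of the policy core such a gateway evaluates for every command a user sends through it. It is deny-by-default, applies the device-type block before the role check so a relay can never be reloaded remotely regardless of who asks, and writes one audit entry per decision. The users (alice, vendor.bob), roles, device types and command names are assumptions for illustration, as is the decision order.

```python
# Added example (not Siemens or RUGGEDCOM CROSSBOW code): a minimal model of
# the access-policy core of a secure access management gateway. It shows
# deny-by-default role permissions, command blocks applied per device type
# and per user, a second-factor gate, and an audit record for every decision.
# All users, roles, device types and commands are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Role -> commands the role may run. Anything not listed is refused.
ROLE_PERMISSIONS = {
    "viewer":   {"show running-config", "show interfaces", "show log"},
    "operator": {"show running-config", "show interfaces", "show log",
                 "clear counters", "ping"},
    "engineer": {"show running-config", "show interfaces", "show log",
                 "clear counters", "ping", "configure terminal", "reload"},
}

# Commands refused on a device type no matter which role the user holds
# (e.g. never allow a remote reload of a protection relay).
DEVICE_TYPE_BLOCKS = {
    "switch": set(),
    "protection-relay": {"reload", "configure terminal"},
}

# Per-user blocks that narrow what the user's role would otherwise allow
# (e.g. a vendor engineer who must not reboot anything).
USER_BLOCKS = {
    "vendor.bob": {"reload"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    mfa_verified: bool  # result of the second factor (e.g. the IdP's OTP check)


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    device: str
    device_type: str
    command: str
    decision: str  # "allow" or "deny"
    reason: str


def normalize(command: str) -> str:
    """Canonicalize a command so 'Show   LOG' and 'show log' match one rule."""
    return re.sub(r"\s+", " ", command.strip()).lower()


class AccessPolicy:
    """Evaluates one command request and records the decision."""

    def __init__(self):
        self.audit = []

    def decide(self, user, device, device_type, command):
        """Return (allowed, reason). Every call appends one audit entry."""
        cmd = normalize(command)
        allowed, reason = self._evaluate(user, device_type, cmd)
        self.audit.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user.name, device=device, device_type=device_type,
            command=cmd, decision="allow" if allowed else "deny", reason=reason))
        return allowed, reason

    @staticmethod
    def _evaluate(user, device_type, cmd):
        # Checks are ordered so the most general refusals come first; the
        # first failing check wins and its reason lands in the audit log.
        if not user.mfa_verified:
            return False, "mfa-required"
        if user.role not in ROLE_PERMISSIONS:
            return False, "unknown-role"
        if device_type not in DEVICE_TYPE_BLOCKS:
            return False, "unknown-device-type"   # unknown asset class: refuse
        if cmd in DEVICE_TYPE_BLOCKS[device_type]:
            return False, "blocked-for-device-type"
        if cmd in USER_BLOCKS.get(user.name, set()):
            return False, "blocked-for-user"
        if cmd not in ROLE_PERMISSIONS[user.role]:
            return False, "not-in-role"
        return True, "allowed"

    def denials(self):
        """Audit entries worth a second look: every refused command."""
        return [e for e in self.audit if e.decision == "deny"]


if __name__ == "__main__":
    policy = AccessPolicy()
    alice = User("alice", "engineer", mfa_verified=True)
    bob = User("vendor.bob", "engineer", mfa_verified=True)
    for user, device, dtype, cmd in [
        (alice, "sw-01", "switch", "reload"),
        (alice, "relay-07", "protection-relay", "reload"),
        (bob, "sw-01", "switch", "Reload"),
    ]:
        print(user.name, device, cmd, "->", policy.decide(user, device, dtype, cmd))
    for entry in policy.denials():
        print("DENY", entry.user, entry.device, entry.command, entry.reason)
```

The point to take from the ordering is that the device-type block sits above the role grant: an engineer keeps full rights on a switch but still cannot reload a protection relay, and the audit entry records which rule refused the command rather than just "denied". A real gateway would also normalize the session transcript it proxies, since a block on "reload" is only as good as the parser that recognizes the command on the wire.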


Siemens Industrial Security

Security Certifications

• Development process
• Certification of “Secure Product Development Lifecycle” for Division DF and PD based on IEC 62443-4-1

• TIA Ethernet based devices
• E.g. S7-1500, 1505S, S7-300, CP343-1, SCALANCE S, …
• Protection against DoS attacks
• Defined behavior in case of attack
• Improved Availability

Find more information: https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security/certification-standards.html

[Diagram: SIEMENS secure development lifecycle, with the stages Security by design; Security verification and validation testing; Security update management]


Siemens Industrial Security

Network Security: More information available

Videos

White papers, articles, brochures

Case studies

Website

Contact your local representative for more information!


Siemens Industrial Security

A successful security strategy is multifaceted

People

Process

Technology


Thank you for your attention

Questions?

Steven Pickhardt

Industrial Networking Consultant

E-mail: [email protected]