1 Operational Guidelines for Industrial Security Siemens 2020 Version Siemens 2020. Operational Guidelines Operational Guidelines provide recommendations to general Security measures for the secure operation of plant and machinery in Industrial environments. Based on these, machine builders and system integrators can evaluate their systems accordingly and apply improvements if necessary. Siemens 2020. Page 2 Contents 1 Overview 2 Risk Analysis 3 Security Concept: Defense-in-Depth Plant Security Network Security system Integrity 4 Validation and Improvement 5 Summary Siemens 2020.
2 Page 3 Industrial Security protection goals & value added aspects 1 Availability 2 Integrity 3 Confidentiality Increased plant availability through Increased protection of system and Protection of confidential data reduced interference from attacks data integrity to avoid malfunctions and information as well as or malware. and production errors intellectual property Protecting productivity through risk minimization Secure Availability, Integrity and Confidentiality at reasonable risk Siemens 2020. Page 4 Industrial Security from risk to resilience !
3 ! ! ! Unprotected business Secure business People and assets exposed to risk Safer and more resilient environments Business vulnerable to disruptions, sabotage and theft More sustainable business, Costs and liability resume operations faster Reputational damage Improved plant uptime to maximize profitability Trust with customers and shareholders Siemens 2020. Page 5 Industrial Security Risk in Industrial automation Information technologies are Increased Security threats demand actions to avoid: used in Industrial automation Loss of intellectual property, recipes.
4 Horizontal and Plant standstill, due to viruses or malware Vertical integration Sabotage in the production plant Manipulation of data or application software Open standards PC-based systems Unauthorized use of system functions Noncompliance with standards and regulations Establishment of Security measures required according to the individual risks Siemens 2020. Page 6 Industrial Security works only with cooperation between plant operators, system integrators and component manufacturers IEC 62443 Standard for Industrial Security Roles Product Vendor: 1-1 Terminology, 1-2 Master 1-4 IACS Products (Components, Systems) with General 1-3 system Security concepts and glossary of terms compliance metrics Security lifecycle integrated and configurable Security models and abbreviations and use-cases features system Integrator.
5 Policies and procedures 2-4 Security program 2-1 Security program 2-3 Patch 2-2 IACS Security requirements for requirements for management in the Secure configuration and Integration of program ratings IACS service IACS asset owners IACS environment providers products into the entire system Plant operator: 3-1 Security 3-2 Security risk 3-3 system Security system technologies for assessment and requirements and Security Management, incl. Maintenance IACS system design Security levels and update of Security functionality according to changing circumstances Definition and metrics ( new known Security vulnerabilities, Components 4-1 Secure product 4-2 Technical Security changes of topology of networks, etc.)
6 Development lifecycle requirements for Processes / procedures requirements IACS components Functional requirements Siemens 2020. Page 7 The Industrial Security Concept from Siemens: Defense in Depth - based on IEC 62443. Security solutions in an Industrial context must take account of all protection levels Siemens 2020. Page 8 Security measures in a plant must be continuously checked and realigned Security Management Process Security Management forms a major part of any Industrial Security concept Definition of Security measures depending on hazards and risks 1.
7 Identified in the plant Risk Analysis Attaining and maintaining the necessary Security Level calls for a rigorous and continuous Security Management process with: 4 2. Policies, Risk analysis including definition of countermeasures aimed at Validation &. Organizational reducing the risk to an acceptable level Improvement Measures Coordinated organizational / technical measures 3. Regular / event-driven repetition Technical Measures Products, systems and processes must meet applicable duty-of-care requirements, based on laws, standards, internal Guidelines and the state of the art Siemens 2020.
8 Page 9 Contents 1 Overview 2 Risk Analysis 3 Security Concept: Defense-in-Depth Plant Security Network Security system Integrity 4 Validation and Improvement 5 Summary Siemens 2020. Page 10 Risk analysis is the first step to determine Security measures The risk analysis is an important precondition for Security Management relating to a plant or machine, aimed at identifying and assessing individual hazards and risks. very high unacceptable risks high Amount of loss Typical content of a risk analysis: medium Identification of threatened objects low Analysis of value and damage potential acceptable very risks Threat and weak points analysis low Identification of existing Security measures very low low medium high very high Risk assessment Probability of occurrence The identified and unacceptable risks must be ruled out or reduced by applying 1.
9 Risk Analysis compensating measures. 4 2. Policies, Validation &. Which risks are ultimately acceptable can only be specified individually Improvement Organizational Measures for the application concerned. However, neither a single measure nor a 3. combination of measures can guarantee absolute Security . Technical Measures Siemens 2020. Page 11 Overview 1 Overview 2 Risk Analysis 3 Security Concept: Defense-in-Depth Plant Security Network Security system Integrity 4 Validation and Improvement 5 Summary Siemens 2020. Page 12 Protecting productivity but how?
10 The solution: with a holistic Defense-in-Depth concept Wall o A single defense layer o Easy to overcome just one successful attack can be enough Defense-in-Depth o Multiple, independent Security layers o Hard to overcome attacker needs to invest tremendous time, effort and know- A single layer of defense does not provide how to have a chance for success adequate protection! Siemens 2020. Page 13 The Industrial Security Concept from Siemens: Defense in Depth - based on IEC 62443. Security solutions in an Industrial context must take account of all protection levels Siemens 2020.