
Operational Guidelines for Industrial Security - Siemens


Page 24 (05.03.2020, V2.1): Usage of cell protection concept
- A "cell" is a security relevant separated network segment
- Access control at "cell entry" with security network components
- Real time communication remains unaffected within a cell
- Provides also protection for safety applications within a cell
- Communication between cells via secured encrypted
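One way to audit recorded network flows against the cell protection rules above, as an added example that is not Siemens code: intra-cell traffic passes, inter-cell traffic must cross each cell's entry component and be encrypted. The hosts, cells, cell-entry components and sample flows are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str            # source host name
    dst: str            # destination host name
    encrypted: bool     # traffic carried in a secured, encrypted channel
    path: tuple         # network components traversed, in order


# Constructed inventory (assumption): host -> cell, and the security network
# component that guards each cell's entry. The plant network has no entry guard.
CELL_OF = {"plc1": "cellA", "hmi1": "cellA", "plc2": "cellB", "eng1": "cellB",
           "scada": "plant-net"}
CELL_ENTRY = {"cellA": "fw-A", "cellB": "fw-B"}


def classify(flow):
    """Return a short verdict code for one flow under the cell protection rules."""
    src_cell, dst_cell = CELL_OF.get(flow.src), CELL_OF.get(flow.dst)
    if src_cell is None or dst_cell is None:
        return "unknown-host"            # not in the inventory: needs review
    if src_cell == dst_cell:
        return "ok-intra-cell"           # real-time traffic stays inside the cell
    # Inter-cell traffic must enter/leave every cell through its cell-entry component.
    for cell in (src_cell, dst_cell):
        entry = CELL_ENTRY.get(cell)
        if entry is not None and entry not in flow.path:
            return f"bypasses-entry:{entry}"
    if not flow.encrypted:
        return "unencrypted-inter-cell"
    return "ok-inter-cell"


def violations(flows):
    """Flows that fail the cell protection rules, with their verdict codes."""
    found = []
    for f in flows:
        verdict = classify(f)
        if not verdict.startswith("ok"):
            found.append((f.src, f.dst, verdict))
    return found


# Constructed sample flows (assumption), as a flow export from cell switches might list them.
SAMPLE_FLOWS = [
    Flow("plc1", "hmi1", False, ("sw-A",)),          # intra-cell, cleartext is fine
    Flow("scada", "plc2", True, ("fw-B", "sw-B")),   # via cell entry, encrypted
    Flow("scada", "plc1", True, ("sw-A",)),          # skipped fw-A
    Flow("eng1", "plc1", False, ("fw-B", "fw-A")),   # cell-to-cell in the clear
    Flow("laptop", "plc1", False, ("sw-A",)),        # host not in inventory
]

if __name__ == "__main__":
    for src, dst, verdict in violations(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```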


Transcription of Operational Guidelines for Industrial Security - Siemens

Page 1: Operational Guidelines for Industrial Security. Siemens 2020 version.
Operational Guidelines provide recommendations for general Security measures for the secure operation of plant and machinery in Industrial environments. Based on these, machine builders and system integrators can evaluate their systems accordingly and apply improvements if necessary.

Page 2: Contents
1 Overview
2 Risk Analysis
3 Security Concept: Defense-in-Depth (Plant Security, Network Security, System Integrity)
4 Validation and Improvement
5 Summary

Page 3: Industrial Security protection goals & value added aspects
1 Availability: Increased plant availability through reduced interference from attacks or malware.
2 Integrity: Increased protection of system and data integrity to avoid malfunctions and production errors.
3 Confidentiality: Protection of confidential data and information as well as intellectual property.
Protecting productivity through risk minimization: Secure Availability, Integrity and Confidentiality at reasonable risk.

Page 4: Industrial Security from risk to resilience
Unprotected business: People and assets exposed to risk; Business vulnerable to disruptions, sabotage and theft; Costs and liability; Reputational damage.
Secure business: Safer and more resilient environments; More sustainable business, resume operations faster; Improved plant uptime to maximize profitability; Trust with customers and shareholders.

Page 5: Industrial Security: Risk in Industrial automation
Information technologies are used in Industrial automation: Horizontal and Vertical integration; Open standards; PC-based systems.
Increased Security threats demand actions to avoid: Loss of intellectual property, recipes; Plant standstill due to viruses or malware; Sabotage in the production plant; Manipulation of data or application software; Unauthorized use of system functions; Noncompliance with standards and regulations.
Establishment of Security measures required according to the individual risks.

Page 6: Industrial Security works only with cooperation between plant operators, system integrators and component manufacturers
IEC 62443 Standard for Industrial Security:
- General (definition and metrics): 1-1 Terminology, concepts and models; 1-2 Master glossary of terms and abbreviations; 1-3 System Security compliance metrics; 1-4 IACS Security lifecycle and use-cases.
- Policies and procedures (processes / procedures): 2-1 Security program requirements for IACS asset owners; 2-2 IACS Security program ratings; 2-3 Patch management in the IACS environment; 2-4 Security program requirements for IACS service providers.
- System (functional requirements): 3-1 Security technologies for IACS; 3-2 Security risk assessment and system design; 3-3 System Security requirements and Security levels.
- Components (functional requirements): 4-1 Secure product development lifecycle requirements; 4-2 Technical Security requirements for IACS components.
Roles:
- Product Vendor: Products (Components, Systems) with integrated and configurable Security features.
- System Integrator: Secure configuration and Integration of products into the entire system.
- Plant operator: Security Management, incl. Maintenance and update of Security functionality according to changing circumstances (new known Security vulnerabilities, changes of topology of networks, etc.).

Page 7: The Industrial Security Concept from Siemens: Defense in Depth, based on IEC 62443
Security solutions in an Industrial context must take account of all protection levels.

Page 8: Security measures in a plant must be continuously checked and realigned
Security Management Process: Security Management forms a major part of any Industrial Security concept. Definition of Security measures depending on hazards and risks identified in the plant. Attaining and maintaining the necessary Security Level calls for a rigorous and continuous Security Management process with:
- Risk analysis including definition of countermeasures aimed at reducing the risk to an acceptable level
- Coordinated organizational / technical measures
- Regular / event-driven repetition
Products, systems and processes must meet applicable duty-of-care requirements, based on laws, standards, internal Guidelines and the state of the art.
Security Management cycle (shown on this and the following slides): 1. Risk Analysis; 2. Policies, Organizational Measures; 3. Technical Measures; 4. Validation & Improvement.

Page 9: Contents (as on page 2)

Page 10: Risk analysis is the first step to determine Security measures
The risk analysis is an important precondition for Security Management relating to a plant or machine, aimed at identifying and assessing individual hazards and risks.
Typical content of a risk analysis: Identification of threatened objects; Analysis of value and damage potential; Threat and weak points analysis; Identification of existing Security measures; Risk assessment.
Risk matrix: Amount of loss (very low, low, medium, high, very high) against Probability of occurrence (very low, low, medium, high, very high), separating acceptable risks from unacceptable risks.
The identified and unacceptable risks must be ruled out or reduced by applying compensating measures. Which risks are ultimately acceptable can only be specified individually for the application concerned. However, neither a single measure nor a combination of measures can guarantee absolute Security.

Page 11: Contents (as on page 2)

Page 12: Protecting productivity, but how? The solution: with a holistic Defense-in-Depth concept
Wall: A single defense layer; Easy to overcome, just one successful attack can be enough.
Defense-in-Depth: Multiple, independent Security layers; Hard to overcome, the attacker needs to invest tremendous time, effort and know-how to have a chance for success.
A single layer of defense does not provide adequate protection!

Page 13: The Industrial Security Concept from Siemens: Defense in Depth, based on IEC 62443 (as on page 7)
Security solutions in an Industrial context must take account of all protection levels.

Page 14: Defense-in-Depth: Security architecture to protect automated production plants
- Plant Security: Office network; Remote Access; Interface to Office-IT / for Remote Access: Firewalls, Proxy-Server, Intrusion Detection / Prevention Systems (IDS/IPS).
- Protection of PC-based Systems (Plant network): User management / Policies (password lifetime); Antivirus / whitelisting software.
- Network segmentation depending on protection goals (Safety, Availability, Know-how): Firewall, VPN-Gateway.
- Protection of control level: Access protection, integrity & manipulation protection; Know-how and copy-protection; Hardening (network robustness).

Page 15: Contents (as on page 2)

Page 16: 1. Plant Security: Establishing Security in the organization
Industrial Security cannot be put into effect by technical measures alone, but has to be actively applied in all relevant company units as a continuous process.
Industrial Security as a management duty:
- Support for Industrial Security by Senior Management
- Clearly defined and agreed responsibilities for Industrial Security, IT Security and physical Security in the company
- Establishing a cross-disciplinary organization / network with responsibility for all Industrial Security affairs
Enhancing Security awareness:
- Drafting and regular holding of training programs for production-related Security topics
- Security assessments with Social Engineering aspects

Page 17: 1. Plant Security: Policies and Processes
Policies and processes must be defined to ensure a uniform procedure and to uphold the Industrial Security concept.
Examples of Security-relevant policies:
- Uniform stipulations for acceptable Security risks
- Reporting mechanisms for unusual activities and events
- Communication and documentation of Security incidents
- Use of mobile PCs and data storage in the production area (forbidding their use outside this area / the production network)
- Policies for suppliers of products, solutions or services
Examples of Security-relevant processes:
- Dealing with known / corrected weak points in components used
- Procedure in the event of Security incidents (Incident Response Plan)
- Procedure for restoring production systems after Security incidents
- Recording and evaluation of Security events and configuration changes
- Test / inspection procedure for external data carriers before use in the production area

Page 18: 1. Plant Security: Physical access protection of critical production facilities
- Measures and processes to prevent access by unauthorized persons to the plant
- Physical separation of various production areas with differentiated access authorizations

