Secure communication, network access protection, and network segmentation with Security Integrated components
Cybersecurity for Industry
Protected in every aspect
Spurred on by the rapid advance of digitalization, trends and changes with far-reaching implications are emerging in industrial communication. The associated security issues are gaining in significance due to the ensuing increase in networking of formerly stand-alone machinery, the use of cloud-based technologies and the growing use of Ethernet-based protocols all the way down to the field level. This is because open communication and the ever-stronger networking of production systems not only offer huge opportunities, but also pose a major risk of being hit by a cyber attack. To provide an industrial plant with comprehensive industrial security protection against such attacks, appropriate measures must be taken. It is essential in such cases to protect production against sabotage or espionage without having a negative impact on availability. Siemens helps you to achieve this aim by providing support in reaching a common understanding of the general threat situation and implementing suitable protective measures in a targeted manner as part of an integrated industrial security concept.
A list of threats was compiled in close cooperation between the BSI (German Federal Office for Information Security) and representatives of industry.
The BSI (German Federal Office for Information Security) regularly publishes documents on current topics concerning cyber security. Readers can send comments and information to info@cyber-allianz.de
Siemens Industrial Security – continuous protection for your plant
A reliable and integrated industrial security solution can only be successfully established and maintained if it is based on a holistic and continuous approach. This means, among other things, that it must be possible to adapt the overall solution to constantly changing threats, and that the interplay between plant operators, system integrators, service providers and product suppliers always has to be taken into consideration. Generally speaking, the issue of cyber security must be taken into account right from the development phase for all components used in production. With the aim of taking a further step toward a secure digital world, Siemens is the first company to receive TÜV SÜD (German Technical Inspectorate/South) certification based on IEC 62443-4-1 for the interdisciplinary process of developing Siemens automation and drive technology products, and is also the initiator of the "Charter of Trust". Based on 10 key principles, the members of the "Charter of Trust" set themselves the three goals of protecting the data of individuals and companies, preventing harm to people, companies and infrastructures, and creating a reliable basis upon which trust is established and can grow in a connected, digital world.
Find out more about the key principles and our partners: www.charter-of-trust.com
However, despite our best efforts, there is no such thing as absolute security. To keep the residual risk as low as possible, we have established a protection concept based on in-depth advice, cooperative partnerships, and constant further development of our security measures in addition to our comprehensive portfolio of security products.
"Defense in Depth" - Complete, in-depth protection
With "Defense in Depth", Siemens provides a multi-level concept that offers your plant both all-round and in-depth protection. The concept is based on plant and network security elements as well as system integrity, and complies with the recommendations specified in the leading standard for security in industrial automation – IEC 62443. Whereas classic plant protection mainly addresses the physical protection of the entire plant, network security and the protection of system integrity focus on the networks or terminal devices themselves, keeping them safe from cyber attacks, unauthorized access, or simply from negligent handling. Expansion of the "Defense in Depth" concept with Zero Trust principles enables secure access to operational technology (OT) systems and applications in the production network from the workplace in the office or on the go.
Network security as a central component of the Siemens Industrial Security concept
Factor for success: Network security
Simply put, network security means protecting automation networks from unauthorized access. It includes monitoring all interfaces, such as those between office and plant networks or remote maintenance access via the internet, and can be accomplished by means of firewalls and, where applicable, by establishing a secure and protected "demilitarized zone" (DMZ). The DMZ is used to make data available to other networks without granting them direct access to the automation network itself. Additionally segmenting the plant network into individual, protected automation cells minimizes risks, for example the lateral spread of malware, and thus also contributes to enhancing security. Division into cells and the assignment of the associated devices are based on communication and protection requirements. The transfer of data between cells can be encrypted using virtual private networks (VPNs) and thus protected against data espionage and tampering, with the communication partners being securely authenticated beforehand.
The cell protection concept can be implemented as needed and communication protected using the "Security Integrated" network components from Siemens, such as SCALANCE S Industrial Security Appliances, SCALANCE M industry routers for wired and wireless networks (4G/5G) and security communications processors for SIMATIC.
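The cell protection concept described above, as an added illustration that is not part of this brochure and not Siemens product code: a minimal default-deny zone firewall policy evaluator with an office zone, a DMZ that brokers data, and two protected automation cells. The zone names, address ranges, ports and sample flows are constructed for this example; the audit function flags the two classic segmentation mistakes the text warns against, office traffic that bypasses the DMZ straight into a cell and cell-to-cell rules that would allow lateral spread.

```python
"""Zone-based segmentation policy check for a cell-protection / DMZ layout.

Added illustration, not Siemens code. All zones, rules and flows below are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones: office network, a DMZ that brokers data to the office,
# and two protected automation cells.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "cell_a": ip_network("192.168.1.0/24"),
    "cell_b": ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "allow" or "deny"


# Constructed ruleset (first match wins, implicit final deny):
# office clients may read the DMZ historian over HTTPS, the DMZ collector may
# poll each cell's data server on TCP/102, and nothing else crosses a zone.
RULES: List[Rule] = [
    Rule("office", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "cell_a", "tcp", 102, "allow"),
    Rule("dmz", "cell_b", "tcp", 102, "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for one flow.

    Traffic inside a single cell is permitted (devices within a cell may talk
    to each other); anything crossing a zone boundary must match an explicit
    allow rule, otherwise it is dropped by the default deny.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside all known zones"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == \
                (src_zone, dst_zone, proto, dport):
            return rule.action, f"matched {rule}"
    return "deny", f"default deny {src_zone}->{dst_zone}"


def audit_ruleset(rules: List[Rule]) -> List[str]:
    """Flag allow rules that undermine the cell protection concept."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src_zone == "office" and rule.dst_zone.startswith("cell_"):
            findings.append(f"office reaches {rule.dst_zone} directly, bypassing the DMZ: {rule}")
        if rule.src_zone.startswith("cell_") and rule.dst_zone.startswith("cell_"):
            findings.append(f"cell-to-cell rule permits lateral movement: {rule}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows.
    flows = [
        ("10.10.5.7", "10.20.0.10", "tcp", 443),      # office -> DMZ historian
        ("10.10.5.7", "192.168.1.10", "tcp", 102),    # office -> cell A PLC (should be denied)
        ("10.20.0.10", "192.168.1.10", "tcp", 102),   # DMZ collector -> cell A
        ("192.168.1.10", "192.168.2.10", "tcp", 102), # cell A -> cell B (should be denied)
        ("192.168.1.10", "192.168.1.20", "tcp", 102), # inside cell A
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    bad = RULES + [Rule("office", "cell_a", "tcp", 102, "allow")]
    print("audit findings:", audit_ruleset(bad))
```

Running the block prints each sample flow with its verdict; the only allowed boundary crossings are office to DMZ and DMZ to cell, and the audit reports the added office-to-cell rule as a DMZ bypass.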
Application-specific remote access for an end-to-end OT-IT security concept is possible through the combination of the cell protection concept and Zero Trust principles from the IT sector. According to "least privilege access", Zero Trust only allows application-specific access by clearly identified and authorized users. For integration of Zero Trust principles, Zscaler Private Access, a security solution from Zscaler Inc., is made available on the local processing platform SCALANCE LPE. In combination with the existing OT security mechanisms such as cell protection firewalls, a granular access concept can thus be implemented.
In addition, software products for various security requirements are available. SINEMA Remote Connect, the management platform for remote networks, can be added for protected and convenient remote access to widely distributed machinery and plants. With the SINEC NMS network management system, networks with up to tens of thousands of stations can be monitored, managed, and configured centrally around the clock. It also enables efficient security management in accordance with the IEC 62443 standard. For example, access to the system and the range of functions available to each authorized user can be precisely controlled via the user role administration. SINEC INS (Infrastructure Network Services), the software tool for central network services, offers general network services in a clear and simple way. The tool comprises security-relevant servers such as a RADIUS server for user and device authentication (MAC authentication) in the network, e.g. to control who can access which devices.
Initial risk evaluation and information on the internet
Want to find out how secure your industrial plant is, or what further security measures are available for your systems? We can provide you with detailed information about the special security needs in your industry. Use the opportunity to contact our consulting team about any open issues. Our experts will gladly prepare a security concept tailored to the needs of your production plant or process infrastructure. You can download more information on the Siemens protection concept as well as specific guidelines with numerous recommendations for protecting your production plant from our web page:
https://www.siemens.com/industrialsecurity
Security Integrated
Industrial communication is a key factor for corporate success, which is why the network and the terminal devices must be well protected. As a partner, Siemens therefore provides its customers with Security Integrated components, which not only have integrated communication functions but also include special security features such as firewalls and VPN capability in order to implement a needs-oriented protection concept. Thanks to their complete integration in the TIA Portal engineering platform, security functions can be configured and managed during plant configuration. Within the scope of the cell protection concept, the integrated firewalls help you to segment your plant network into individual, protected automation cells within which all devices are able to communicate with each other securely. These individual cells are also securely connected to the plant network via virtual private networks (VPNs). These targeted measures reduce susceptibility to failure of the entire production plant and, in turn, increase its availability. A wide range of products with integrated protection mechanisms is available for implementing your needs-oriented cell protection concept: