Industrial Security

Security devices and software – protecting productivity

Spurred on by the rapid advance of digitalisation, far-reaching changes are emerging in industrial communication. Open communication and the ever-closer networking of production systems offer huge opportunities, but they also bring a major risk of being hit by a cyber attack. Security Integrated network components from Siemens, such as SCALANCE S Industrial Security Appliances and SCALANCE M Internet and mobile wireless routers, can be added to provide protected and at the same time practical remote access to widespread machinery and plants.

Threat overview

1. Unauthorized use of remote maintenance access – Maintenance access provides deliberate openings to the outside in the ICS network 1). However, they are often inadequately protected.

2. Online attacks via office/enterprise networks – In general, office IT equipment is connected with the Internet in many ways. Usually, there are also network connections from the office network to the ICS network, allowing attackers to use this route.

3. Attacks against standard components used in the ICS network – Standard IT components (commercial off-the-shelf, COTS) such as operating systems, application servers, or databases generally contain flaws and weak points which can be exploited by attackers. If these standard components are also used in the ICS network, this increases the risk of a successful attack on the ICS systems.

4. (D)DoS attacks – (Distributed) denial of service attacks can be used to disrupt network connections and required resources and cause systems to crash, e.g. to disrupt the functionality of an ICS.

5. Human error and sabotage – Deliberate actions – regardless of whether by internal or external agents – are a massive threat for all security goals. In addition, negligence and human error are a great danger, especially when it comes to protecting confidentiality and availability.

6. Introduction of harmful code via removable media and external hardware – The use of removable media and mobile IT components of external employees always presents a great risk of malware infections. The importance of this aspect was demonstrated by Stuxnet, for example.

7. Reading and writing messages in the ICS network – Because most control components presently communicate via plain-text protocols, and are thus unprotected, it is often possible to read and insert commands without great difficulty.

8. Unauthorized access to resources – In particular, insiders or follow-up attacks after intrusion from the outside have an easy time if authentication and authorization for services and components in the process network are non-existent or insecure.

9. Attacks on network components – Network components can be manipulated by attackers, for example to carry out man-in-the-middle attacks or to make sniffing easier.

10. Technical faults and acts of God – Failures are always possible as a result of extreme environmental influences or technical defects – the risk and the potential for damage can only be minimized here.

1) Industrial Control Systems (ICS)

Source: BSI-CS 029 | Version 2.0 dated July 11, 2018, page 2 of 2

Note:

This list of threats was compiled in close cooperation between the BSI (German Federal Office for Information Security) and representatives of industry.

Siemens Industrial Security – continuous protection for your plant

A reliable and integrated industrial security solution can only be successfully established and maintained if it is based on a holistic and continuous approach. This means, among other things, that it must be possible to adapt the overall solution to constantly changing threats, and that the interplay between plant operators, system integrators, service providers and product suppliers always has to be taken into consideration. Generally speaking, the issue of cyber security must be taken into account right from the development phase for all components used in production. With the aim of taking a further step toward a secure digital world, Siemens is the first company to receive TÜV SÜD (German Technical Inspectorate/South) certification based on IEC 62443-4-1 for the interdisciplinary process of developing Siemens automation and drive products, and is also the initiator of the “Charter of Trust”. Based on 10 key principles, the members of the “Charter of Trust” set themselves the three goals of protecting the data of individuals and companies, preventing harm to people, companies and infrastructures and creating a reliable basis upon which trust is established and can grow in a connected, digital world.

However, despite our best efforts, there is no such thing as absolute security. To keep the residual risk as low as possible, we have established a protection concept based on in-depth advice, cooperative partnerships, and constant further development of our security measures in addition to our comprehensive portfolio of security products.

Network security as a central component of the Siemens Industrial Security concept

Complete, in-depth protection

With Defense in Depth, Siemens provides a multi-level concept that offers your plant both all-round and in-depth protection. The concept is based on plant and network security elements as well as system integrity, and complies with the recommendations specified in the leading standard for security in industrial automation – IEC 62443. Whereas classic plant protection mainly addresses the physical protection of the entire plant, network security and the protection of system integrity focus on the networks or terminal devices themselves, keeping them safe from cyber attacks, unauthorized access, or simply from negligent handling.

Factors for success: Network security

Simply put, network security means protecting automation networks from unauthorized access. It includes the monitoring of all interfaces such as those between office and plant networks or of remote maintenance access to the Internet and can be accomplished by means of firewalls and, if applicable, by establishing a secure and protected “demilitarized zone” (DMZ). The DMZ is used for making data available to other networks without granting them direct access to the automation network itself. The additional segmentation of the plant network into individual, protected automation cells is used to minimize risks, for example against the horizontal spread of malware, and thus also contributes to enhancing security. Division into cells and the assignment of the associated devices are based on communication and protection requirements. The transfer of data between the cells can be encrypted using virtual private networks (VPNs) and can thus be protected against data espionage and tampering, with the communication partners being securely authenticated beforehand. The cell protection concept can be implemented as needed and communication secured using Security Integrated network components from Siemens, such as SCALANCE S Industrial Security Appliances, SCALANCE M Internet and mobile wireless routers, or security communications processors for SIMATIC. SINEMA Remote Connect, the management platform for remote networks, can be added for protected and simultaneously practical remote access to widespread machinery and plants.
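The paragraph above describes a zone model: an office network that may only reach a DMZ, automation cells that push data to the DMZ but are never reachable from the office directly, and cell-to-cell traffic that is only permitted inside an authenticated VPN tunnel. The following is an added example, not Siemens code or a SCALANCE configuration format, that turns that model into a default-deny policy and evaluates constructed sample flows against it. The zone names, address prefixes, ports and rules are assumptions chosen for illustration.

```python
# Added example: a zone-based, default-deny policy model for the cell
# protection concept (office network, DMZ, automation cells, VPN between cells).
# The zones, addresses and rules are constructed for illustration; this is not
# a Siemens configuration format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout (assumption): each zone is a list of prefixes.
ZONES = {
    "office": [ip_network("10.1.0.0/16")],
    "dmz": [ip_network("10.2.0.0/24")],
    "cell_a": [ip_network("192.168.10.0/24")],
    "cell_b": [ip_network("192.168.20.0/24")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    via_vpn: bool = False  # True if the packet arrived through an authenticated VPN tunnel


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]       # None matches any destination port
    require_vpn: bool = False  # allow only inside a VPN tunnel


# Explicit allow list. Anything not matched is dropped (default deny): the office
# reaches the DMZ but never the cells, the cells only push to the DMZ, and
# cell-to-cell S7 traffic (TCP/102) must travel inside the VPN.
RULES: List[Rule] = [
    Rule("office", "dmz", "tcp", 443),
    Rule("cell_a", "dmz", "tcp", 443),
    Rule("cell_b", "dmz", "tcp", 443),
    Rule("cell_a", "cell_b", "tcp", 102, require_vpn=True),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone name, or None if it lies outside every zone."""
    ip = ip_address(addr)
    for name, prefixes in ZONES.items():
        if any(ip in prefix for prefix in prefixes):
            return name
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow crossing the security appliance."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "source or destination lies outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"traffic stays inside {src_zone}"
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if rule.require_vpn and not flow.via_vpn:
            return "deny", f"{src_zone}->{dst_zone}/{flow.dport} is only permitted inside the VPN tunnel"
        return "allow", f"matched {src_zone}->{dst_zone}/{rule.proto}/{rule.dport or 'any'}"
    return "deny", f"no rule for {src_zone}->{dst_zone}/{flow.proto}/{flow.dport} (default deny)"


# Constructed sample flows, one per situation the text describes.
SAMPLE_FLOWS = [
    Flow("10.1.4.20", "10.2.0.10", "tcp", 443),                      # office -> DMZ data server
    Flow("10.1.4.20", "192.168.10.5", "tcp", 102),                   # office -> PLC in cell A, bypassing the DMZ
    Flow("192.168.10.5", "192.168.20.5", "tcp", 102),                # cell A -> cell B outside the tunnel
    Flow("192.168.10.5", "192.168.20.5", "tcp", 102, via_vpn=True),  # same, inside the tunnel
    Flow("10.2.0.10", "192.168.10.5", "tcp", 443),                   # DMZ host initiating into a cell
    Flow("172.16.0.9", "192.168.10.5", "udp", 161),                  # address outside any zone
]


def verdicts(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Verdict per sample flow, in order."""
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<4} {verdict:5} {reason}")
```

The important design choice is that the rule list is an allow list and the fall-through is a deny: the DMZ host is permitted to receive from the cells but gets no rule of its own to initiate into them, so a compromised DMZ server cannot be used as a stepping stone, and the cell-to-cell rule is conditioned on the traffic having arrived through the authenticated tunnel rather than on its addresses alone.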

Secure communication, network access protection and network segmentation with Security Integrated products

Security Integrated

Industrial communication is a key factor for corporate success, which is why the network and the terminal devices must be well protected. As a partner, Siemens therefore provides its customers with Security Integrated components, which not only have integrated communication functions but also include special security features such as firewalls and VPN capability in order to implement a needs-oriented protection concept. Thanks to their complete integration in the TIA Portal engineering platform, security functions can be configured and managed during plant configuration. Within the scope of the cell protection concept, the integrated firewalls help you to segment your plant network into individual, protected automation cells within which all devices are able to communicate with each other securely. These individual cells are also securely connected to the plant network via virtual private networks (VPNs). These targeted measures reduce susceptibility to failure of the entire production plant and, in turn, increase its availability. A wide range of products with integrated protection mechanisms is available for implementing your needs-oriented cell protection concept:

Cell protection for industrial networks:

SCALANCE S Industrial Security appliances protect industrial networks and automation systems by segmenting the automation network into separate cells. The integrated firewall and flexible assignment of the network interfaces to dedicated zones enable multiple network segments to be integrated with just one appliance. Thanks to integrated VPN functionality, data transfer from and to the appliances can also be protected against tampering and espionage.

Cell protection within the scope of telecontrol, teleservice and industrial remote communication:

SCALANCE M industrial routers for wire-based communication are available for the secure connection of Ethernet-based networks and programmable controllers to the hard-wired broadband network, or for secure connection via existing two-wire or multi-wire cables. These ADSL, SHDSL and PROFIBUS/MPI routers feature integrated firewalls and VPN functionalities to protect against unauthorized access, data tampering or espionage. Depending on the device version, one or multiple network segments can be set up with just one device.

For protected access to plants via mobile wireless networks, e.g. via 2G, 3G or 4G, we offer SCALANCE M mobile wireless routers, which also feature the above security functions.

Cell protection for SIMATIC S7-1200:

The SIMATIC CP 1243-1, CP 1243-7 LTE and CP 1243-8 IRC communications processors are available to protect single SIMATIC S7-1200 controllers. In addition to their communications functions, they offer an integrated firewall and the possibility of terminating VPN endpoints, thereby making additional, separate security components superfluous. Furthermore, the communications processors can also be used for integrating the SIMATIC S7 stations into the Telecontrol Server Basic control center software.

Cell protection for SIMATIC S7-1500:

The SIMATIC CP 1543-1 and CP 1543SP-1 communications processors are available to protect single SIMATIC S7-1500 controllers. In addition to their communication functions, they offer an integrated firewall and the possibility of terminating VPN endpoints, thereby making additional and separate security components superfluous.

Cell protection for SIMATIC S7-300 and S7-400:

The SIMATIC CP 343-1 Advanced and CP 443-1 Advanced communications processors are available to protect SIMATIC S7-300 and S7-400 controllers. In addition to an integrated switch and Layer 3 routing functionality, they also feature firewalls and VPN functionalities to protect against unauthorized access, data tampering or espionage.

Protected communication with industrial PCs:

Via the SIMATIC CP 1628 communications processor, industrial PCs too can be protected by firewall and VPN without the need for special operating system settings. In this way, industrial PCs equipped with the module can also be connected to protected network cells.

Software for protected remote access:

The SOFTNET Security Client software enables VPN tunnel access via the Internet or company intranet to automation cells or PCs that are equipped with SCALANCE S Industrial Security Appliances or other security components with VPN functionality.

The SINEMA Remote Connect software allows secured management of VPN tunnel connections to plants and machines distributed around the world. Communication takes place exclusively via a rendezvous server. The service technician and the machine to be serviced establish separate connections to the SINEMA Remote Connect server. This then verifies the identity of the participants by an exchange of certificates before any access is granted.
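The rendezvous pattern just described has three properties worth seeing in code: the machine is never reachable directly, both participants authenticate to the server with certificates, and the server decides who may be paired with whom. The following is an added example and not SINEMA Remote Connect code; it models the broker's decision logic with constructed (subject, fingerprint) identities standing in for the X.509 client certificates a real deployment would verify over TLS, and the participant names, certificate bytes and access list are assumptions.

```python
# Added example: the rendezvous-server pattern in which technician and machine
# each open their own connection to a broker that verifies both identities
# before pairing them. Illustrative code, not SINEMA Remote Connect; identities
# are constructed (subject, fingerprint) pairs standing in for X.509 certificates.
from dataclasses import dataclass
import hashlib
from typing import Dict, List, Set


@dataclass(frozen=True)
class Identity:
    subject: str      # e.g. the CN of the client certificate
    fingerprint: str  # SHA-256 over the certificate bytes


def fingerprint(cert_bytes: bytes) -> str:
    """Fingerprint a certificate (here: constructed bytes standing in for DER)."""
    return hashlib.sha256(cert_bytes).hexdigest()


class RendezvousServer:
    """Broker that never exposes the machine directly: a session is two inbound,
    authenticated connections joined only after an authorization check."""

    def __init__(self, trusted: Dict[str, str], acl: Dict[str, Set[str]]):
        self.trusted = trusted   # fingerprint -> subject the trust store vouches for
        self.acl = acl           # machine subject -> technician subjects allowed in
        self.connected: Dict[str, Identity] = {}
        self.audit: List[str] = []

    def connect(self, presented: Identity) -> bool:
        """Accept a participant only if its certificate is known and bound to the claimed subject."""
        if self.trusted.get(presented.fingerprint) != presented.subject:
            self.audit.append(f"REJECT connect {presented.subject}: unknown or mismatched certificate")
            return False
        self.connected[presented.subject] = presented
        self.audit.append(f"ACCEPT connect {presented.subject}")
        return True

    def disconnect(self, subject: str) -> None:
        self.connected.pop(subject, None)
        self.audit.append(f"DISCONNECT {subject}")

    def request_session(self, technician: str, machine: str) -> bool:
        """Pair a technician with a machine; both must be connected and the ACL must permit it."""
        if technician not in self.connected or machine not in self.connected:
            self.audit.append(f"DENY {technician}->{machine}: both ends must be authenticated to the server")
            return False
        if technician not in self.acl.get(machine, set()):
            self.audit.append(f"DENY {technician}->{machine}: technician not authorized for this machine")
            return False
        self.audit.append(f"PAIR {technician}<->{machine}")
        return True


# Constructed certificates and trust store (assumption: one issued cert per participant).
CERT_TECH = b"constructed-cert:tech-anna"
CERT_MACHINE = b"constructed-cert:press-line-3"
CERT_OTHER = b"constructed-cert:tech-bob"
TRUSTED = {
    fingerprint(CERT_TECH): "tech-anna",
    fingerprint(CERT_MACHINE): "press-line-3",
    fingerprint(CERT_OTHER): "tech-bob",
}
ACL = {"press-line-3": {"tech-anna"}}  # only Anna may service press line 3


def walkthrough() -> List[bool]:
    """Run the scenario and return the sequence of broker decisions."""
    server = RendezvousServer(TRUSTED, ACL)
    results = []
    tech = Identity("tech-anna", fingerprint(CERT_TECH))
    machine = Identity("press-line-3", fingerprint(CERT_MACHINE))
    # 1. A certificate that is not in the trust store is rejected.
    results.append(server.connect(Identity("press-line-3", fingerprint(b"unknown"))))
    # 2. A known certificate presented under a different subject is rejected.
    results.append(server.connect(Identity("press-line-3", fingerprint(CERT_OTHER))))
    # 3. The technician connects, but no session exists until the machine has too.
    results.append(server.connect(tech))
    results.append(server.request_session("tech-anna", "press-line-3"))
    # 4. The machine connects outbound; now the authorized technician is paired.
    results.append(server.connect(machine))
    results.append(server.request_session("tech-anna", "press-line-3"))
    # 5. A second, properly authenticated technician is still refused by the ACL.
    results.append(server.connect(Identity("tech-bob", fingerprint(CERT_OTHER))))
    results.append(server.request_session("tech-bob", "press-line-3"))
    return results


if __name__ == "__main__":
    walkthrough()
```

Two points carry over to a real deployment regardless of product: the machine side only ever makes an outbound connection to the broker, so no inbound port has to be opened on the plant firewall, and authentication of a participant is separate from authorization of a pairing, which is why the audit trail records both decisions.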

Did you know that we are a trusted Siemens approved partner?