SlideShare a Scribd company logo
Unrestricted © Siemens A/S siemens.com/industrial security
Industrial Security
Getting Started…
So…
how do we start?
Caught between regulation, requirements, and standards
Unrestricted © Siemens A/S 2018
The all-encompassing Industrial Security Standard
Provides greater clarity by clearly defining the roles and responsibilities
Unrestricted © Siemens A/S 2018
IEC 62443 gives us the ability to communicate
In an unambiguous way
Unrestricted © Siemens A/S 2018
IEC 62443 addresses the Defense in Depth concept
Unrestricted © Siemens A/S 2018
Network Security
• Cell protection, DMZ,
and remote maintenance
• Firewall and VPN
• Segmentation
• Asset and Network Management
System integrity
• System hardening
• Authentication and user administration
• Patch management
• Logging and Monitoring
• Detection of attacks
Plant Security
• Physical access protection
• Processes and guidelines
• Security service protecting production plants
IEC 62443 focus on the interfaces between all stakeholders
Unrestricted © Siemens A/S 2018
Operator,
Integrator, and
Manufacturer
IEC 62443 from machines to corporates
Unrestricted © Siemens A/S 2018
It is scalable
IEC 62443 provides a complete Cyber Security Management System
Unrestricted © Siemens A/S 2018
Risk based approach
That covers the setup of:
Risk analysis
Addressing risk
security organization and security processes
security countermeasures
and Implementation
Monitoring and improving
IEC 62443 from the beginning to the end
Unrestricted © Siemens A/S 2018
It addresses the entire life cycle
Cybersecurity Life Cycle
Unrestricted © Siemens A/S 2018
Maintain
phase
Assess
phase
Develop &
implement
phase
Cybersecurity Life Cycle
Unrestricted © Siemens A/S 2018
Getting started
Assess phase
High-level Cyber Risk Assessment
Allocation of IACS Assets to Zones or Conduits
Detailed Cyber Risk Assessment
Develop & implement phase
Cybersecurity Requirements Specification
Design and Engineering of countermeasures or other means of risk reduction
Installation, commissioning, and validation of countermeasures
Maintain phase
Maintenance, Monitoring and Management of change
Incident Response and Recovery
Maintain
phase
Assess
phase
Develop &
implement
phase
Assess phase
Unrestricted © Siemens A/S 2018
Risk Assessment
Risk = Likelihood x Consequence
Where: Likelihood = Threat x Vulnerability
Assess phase
Risk methods and frameworks
The Information Security
Forum (ISF)
National Institute of Standards
and Technology (NIST) and…
…
Unrestricted © Siemens A/S 2018
More info: https://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks
A
good
overview
Assess phase
Unrestricted © Siemens A/S 2018
Segmentation of TI and OT
Assess phase
Unrestricted © Siemens A/S 2018
Trusted/Untrusted
Zones and Conduits
PL1
PL2
Zone Control #1
PL3
Zone Control #2
Conduit
Zone Enterprise Network
Zone Plant
Assess phase
Unrestricted © Siemens A/S 2018
Risk based development of security levels
Evaluate Business Risk to
determine Criticality
Assign Target
Protection Levels
Evaluate
Protection Levels
Achieved
Protection Levels
Security Assessment
Consequence
But…
how specific
is the IEC 62443?
What is the structure of IEC 62443?
Unrestricted © Siemens A/S 2018
1-1 General
Terminology, concepts
and models
2-1 Policies and procedures
Establishing an IACS
security program
3-1 System
Security technologies
for IACS
4-1 Component
Product development
requirements
1-2 General
Master glossary of terms
and abbreviations
2-2 Policies and procedures
Operating an IACS
security program
3-2 System
Security assurance levels
for zones and conduits
4-2 Component
Technical sec. requirements
for IACS products
1-3 General 2-3 Policies and procedures 3-3 System
System security
compliance metrics
Patch management in
the IACS environment
System sec. requirements
and security assurance levels
1-4 General
IACS sec. life cycle and use
case
2-4 Policies and procedures
Certification of IACS
supplier security policies
1-5 General
IACS protection levels
Functional requirements
Processes / procedures
Definition and metrics
Phases in product and IACS life cycles
Unrestricted © Siemens A/S 2018
Product life cycle
Product Supplier
Commercialization / maintenance
Control
Systems
Embedded
devices
Network
components
Host
devices
Applications
IACS life cycle
Asset Owner System
Integrator
Automation solution
Project application
Asset Owner
(Service provider)
Automation solution
Security measures and settings
Configuration, User Management
Security measures and settings
Operational policies and
procedures
Specification
Asset Owner
Automation solution
Decommissioning
policies and
procedures
Decommissioning
Operation / Maintenance
Integration / Commissioning
Security
targets
Phase Out
Design
Specification
Phases in product and IACS life cycles
Unrestricted © Siemens A/S 2018
Product life cycle
Product Supplier
Commercialization / maintenance
2-3 3-3
4-1 4-2
IACS life cycle
Asset Owner System
Integrator
Automation solution
Project application
Asset Owner
(Service provider)
Automation solution
Security measures and settings
2-1
Specification
Configuration, User Management
Security measures and settings
2-3 3-2
2-4 3-3
2-1
2-3
Operational policies and
procedures
2-4
3-2
3-3
Asset Owner
Automation solution
Decommissioning
policies and
procedures
2-1
2-4
Decommissioning
Operation / Maintenance
Integration / Commissioning
Security
targets
Phase Out
Design
Specification
Control
Systems
Embedded
devices
Network
components
Host
devices
Applications
Protection Levels
Unrestricted © Siemens A/S 2018
Page 30
SL 1 Capability to protect against casual or coincidental violation
SL 2
Capability to protect against intentional violation using simple means with
low resources, generic skills and low motivation
SL 3
Capability to protect against intentional violation using sophisticated means
with moderate resources, IACS specific skills and moderate motivation
SL 4
Capability to protect against intentional violation using sophisticated means
with extended resources, IACS specific skills and high motivation
ML 1 Initial - Process unpredictable, poorly controlled, and reactive.
ML 2 Managed - Process characterized, reactive
ML 3 Defined - Process characterized, proactive deployment
ML 4
Optimized - Process measured, controlled, and continuously
improved
4
3
2
1
4
3
2
1
Cover security functionalities and processes
Security functionalities Security processes
Protection Levels
Security Level
Maturity
Level
PL 1 Protection against casual or coincidental violation
PL 2
Protection against intentional violation using simple means with low resources, generic skills and low
motivation
PL 3
Protection against intentional violation using sophisticated means with moderate resources, IACS
specific skills and moderate motivation
PL 4
Protection against intentional violation using sophisticated means with extended resources, IACS
specific skills and high motivation
IEC 62443 Security measures
Unrestricted © Siemens A/S 2018
It is unambiguous …
Secure Physical
Access
Organize
Security
Secure Solution
Design
Secure
Operations
Secure Lifecycle
management
Revolving doors with
card reader and PIN;
Video Surveillance
and/or IRIS Scanner at
door
Dual approval for
critical actions Firewalls with Fail
Close (e.g. Next
Generation Firewall)
Monitoring of all device
activities
Online security
functionality verification
…
Revolving doors with
card reader
No Email, No WWW, etc.
in Secure Cell
2 PCs (Secure
Cell/outside)
Monitoring of all human
interactions
Automated backup /
recovery
… … …
Remote access with
cRSP or equivalent
Doors with card reader
Persons responsible for
security within own
organization
Mandatory security
education
Physical network
segmentation or
equivalent (e.g.
SCALANCE S)
Continuous monitoring
(e.g. SIEM)
…
Backup verification
Remote access
restriction (e.g. need to
connect principle)
Locked building/doors
with keys
Awareness training (e.g.
Operator Aware. training)
Mandatory rules on USB
sticks (e.g. Whitelisting)
Network segmentation
(e.g. VLAN)
Security logging on all
systems
…
Backup / recovery
system
+
PL 3
+
PL 2
+
PL 1
PL 4
Protection Levels
Cover security functionalities and processes
Unrestricted © Siemens A/S 2018
IEC 62443-3-3
Unrestricted © Siemens A/S 2018
7 Foundational Requirements
FR 1 – Identification and authentication control
FR 2 – Use control
FR 3 – System integrity
FR 4 – Data confidentiality
FR 5 – Restricted data flow
FR 6 – Timely response to events
FR 7 – Resource availability
Defines security requirements for industrial control systems
FR 1 – Identification and authentication control
Unrestricted © Siemens A/S 2018
System Requirement Overview (Part 1)
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 1.1 – Human user identification and authentication    
SR 1.1 RE 1 – Unique identification and authentication   
SR 1.1 RE 2 – Multifactor authentication for untrusted networks  
SR 1.1 RE 3 – Multifactor authentication for all networks 
SR 1.2 – Software process and device identification and authentication   
SR 1.2 RE 1 – Unique identification and authentication  
SR 1.3 – Account management    
SR 1.3 RE 1 – Unified account management  
SR 1.4 – Identifier management    
SR 1.5 – Authenticator management    
SR 1.5 RE 1 – Hardware security for software process identity credentials  
SR 1.6 – Wireless access management    
SR 1.6 RE 1 – Unique identification and authentication   
FR 1 – Identification and authentication control
Unrestricted © Siemens A/S 2018
SR 1.1 – Human user identification and authentication
5.3 SR 1.1 – Human user identification and authentication
5.3.1 Requirement
The control system shall provide the capability to identify and authenticate all human users.
This capability shall enforce such identification and authentication on all interfaces which
provide human user access to the control system to support segregation of duties and least
privilege in accordance with applicable security policies and procedures.
5.3.2 Rationale and supplemental guidance
All human users need to be identified and authenticated for all access to the control system.
Authentication of the identity of these users should be accomplished by using methods such
as passwords, tokens, biometrics or, in the case of multifactor authentication, some
combination thereof. The geographic location of human users can also be used as part of
the authentication process…….
FR 1 – Identification and authentication control
Unrestricted © Siemens A/S 2018
System Requirement Overview (Part 2)
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 1.7 – Strength of password-based authentication    
SR 1.7 RE 1 – Password generation and lifetime restrictions for human users  
SR 1.7 RE 2 – Password lifetime restrictions for all users 
SR 1.8 – Public key infrastructure certificates   
SR 1.9 – Strength of public key authentication   
SR 1.9 RE 1 – Hardware security for public key authentication  
SR 1.10 – Authenticator feedback    
SR 1.11 – Unsuccessful login attempts    
SR 1.12 – System use notification    
SR 1.13 – Access via untrusted networks    
SR 1.13 RE 1 – Explicit access request approval   
FR 2 – Use control
System Requirement Overview (Part 37
)
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 2.1 – Authorization enforcement    
SR 2.1 RE 1 – Authorization enforcement for all users   
SR 2.1 RE 2 – Permission mapping to roles   
SR 2.1 RE 3 – Supervisor override  
SR 2.1 RE 4 – Dual approval 
SR 2.2 – Wireless use control    
SR 2.2 RE 1 – Identify and report unauthorized wireless devices  
SR 2.3 – Use control for portable and mobile devices    
SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices  
SR 2.4 – Mobile code    
SR 2.4 RE 1 – Mobile code integrity check  
SR 2.5 – Session lock    
FR 2 – Use control
System Requirement Overview (Part 38
)
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 2.6 – Remote session termination   
SR 2.7 – Concurrent session control  
SR 2.8 – Auditable events    
SR 2.8 RE 1 – Centrally managed, system-wide audit trail  
SR 2.9 – Audit storage capacity    
SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached  
SR 2.10 – Response to audit processing failures    
SR 2.11 – Timestamps   
SR 2.11 RE 1 – Internal time synchronization  
SR 2.11 RE 2 – Protection of time source integrity 
SR 2.12 – Non-repudiation  
SR 2.12 RE 1 – Non-repudiation for all users 
FR 3 – System integrity
System Requirement Overview
U
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 3.1 – Communication integrity    
SR 3.1 RE 1 – Cryptographic integrity protection  
SR 3.2 – Malicious code protection    
SR 3.2 RE 1 – Malicious code protection on entry and exit points   
SR 3.2 RE 2 – Central management and reporting for malicious code protection  
SR 3.3 – Security functionality verification    
SR 3.3 RE 1 – Automated mechanisms for security functionality verification  
SR 3.3 RE 2 – Security functionality verification during normal operation 
SR 3.4 – Software and information integrity   
SR 3.4 RE 1 – Automated notification about integrity violations  
SR 3.5 – Input validation    
SR 3.6 – Deterministic output    
SR 3.7 – Error handling   
SR 3.8 – Session integrity   
SR 3.8 RE 1 – Invalidation of session IDs after session termination  
SR 3.8 RE 2 – Unique session ID generation  
SR 3.8 RE 3 – Randomness of session IDs 
SR 3.9 – Protection of audit information   
SR 3.9 RE 1 – Audit records on write-once media
nrestricted © Siemens A/S 2018 
FR 4 – Data confidentiality
System Requirement Overview
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 4.1 – Information confidentiality    
SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks   
SR 4.1 RE 2 – Protection of confidentiality across zone boundaries 
SR 4.2 – Information persistence   
SR 4.2 RE 1 – Purging of shared memory resources  
SR 4.3 – Use of cryptography    
FR 5 – Restricted data flow
System Requirement Overview
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 5.1 – Network segmentation    
SR 5.1 RE 1 – Physical network segmentation   
SR 5.1 RE 2 – Independence from non-control system networks  
SR 5.1 RE 3 – Logical and physical isolation of critical networks 
SR 5.2 – Zone boundary protection    
SR 5.2 RE 1 – Deny by default, allow by exception   
SR 5.2 RE 2 – Island mode  
SR 5.2 RE 3 – Fail close  
SR 5.3 – General purpose person-to-person communication restrictions    
SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications  
SR 5.4 – Application partitioning    
FR 6 – Timely response to events
System Requirement Overview
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 6.1 – Audit log accessibility    
SR 6.1 RE 1 – Programmatic access to audit logs  
SR 6.2 – Continuous monitoring   
FR 7 – Resource availability
System Requirement Overview
Unrestricted © Siemens A/S 2018
SRs und REs SL 1 SL 2 SL 3 SL 4
SR 7.1 – Denial of service protection    
SR 7.1 RE 1 – Manage communication loads   
SR 7.1 RE 2 – Limit DoS effects to other systems or networks  
SR 7.2 – Resource management    
SR 7.3 – Control system backup    
SR 7.3 RE 1 – Backup verification   
SR 7.3 RE 2 – Backup automation  
SR 7.4 – Control system recovery and reconstitution    
SR 7.5 – Emergency power    
SR 7.6 – Network and security configuration settings    
SR 7.6 RE 1 – Machine-readable reporting of current security settings  
SR 7.7 – Least functionality    
SR 7.8 – Control system component inventory   
Recap - System Security Levels
Unrestricted © Siemens A/S 2018
Plant environment
Automation solution
Control System as a combination of
Independent of plant environment
Control System capabilities
Capability SLs
Risk assessment
System
Integrator
Asset Owner
Product supplier
Target SLs
Achieved SLs
Embedded
devices
Network
components
Host
devices Applications
IEC 62443
2-1 Establishing an IACS
security program
3-2 Security risk
assessment and system
design
2-4 Certification of IACS
supplier security policies
3-3 System security
requirements and Security
levels
4-1 Product development
requirements
4-2 Technical security
requirements for IACS
products
Contributions of the stakeholders
A piece of a bigger picture
Unrestricted © Siemens A/S 2018
ISO 27001
The Functional
Safety standard
Risk assessment
framework
IEC 62443
NIST 800-30
Well known IT-
security standard
The OT-security
standard
Recap…
Act now
Everyoneis a target – also small and medium sized plants
IEC62443 is a Risk based framework that can help
you getting started in a very structured way
Define your Risk…
Define your organization
Define your Protection level
Define your Zones and Conduits
Security information
Unrestricted © Siemens A/S 2018
Page 49
Thank You
for your attention

More Related Content

What's hot

microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
Bob Rhubart
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
Dragos, Inc.
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
Anshu Gupta
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
Nozomi Networks
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
TI Safe
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 

What's hot (20)

microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 

Similar to Industrial Security.pdf

10. industrial networks safety and security tom hammond
10. industrial networks safety and security   tom hammond10. industrial networks safety and security   tom hammond
10. industrial networks safety and security tom hammond
PROFIBUS and PROFINET InternationaI - PI UK
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEB
Merlin Govender
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
[CLASS 2014] Palestra Técnica - Oliver Narr
[CLASS 2014] Palestra Técnica - Oliver Narr[CLASS 2014] Palestra Técnica - Oliver Narr
[CLASS 2014] Palestra Técnica - Oliver Narr
TI Safe
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
Muhammad Mudassar
 
Skybox security
Skybox security Skybox security
Skybox security
Alejandro Cadarso
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
Schneider Electric
 
Cyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO DayCyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO Day
Symantec
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance
EnergyTech2015
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
IBM
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
Splunk
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
Aleksey Lukatskiy
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
CrispnCrunch
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developers
Jiri Danihelka
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
AT-NET Services, Inc. - Charleston Division
 

Similar to Industrial Security.pdf (20)

10. industrial networks safety and security tom hammond
10. industrial networks safety and security   tom hammond10. industrial networks safety and security   tom hammond
10. industrial networks safety and security tom hammond
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEB
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
[CLASS 2014] Palestra Técnica - Oliver Narr
[CLASS 2014] Palestra Técnica - Oliver Narr[CLASS 2014] Palestra Técnica - Oliver Narr
[CLASS 2014] Palestra Técnica - Oliver Narr
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
 
Skybox security
Skybox security Skybox security
Skybox security
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
 
Cyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO DayCyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO Day
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application Security
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developers
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 

Industrial Security.pdf

  • 1. Unrestricted © Siemens A/S siemens.com/industrial security Industrial Security Getting Started…
  • 3. Caught between regulation, requirements, and standards Unrestricted © Siemens A/S 2018
  • 4. The all-encompassing Industrial Security Standard Provides greater clarity by clearly defining the roles and responsibilities Unrestricted © Siemens A/S 2018
  • 5. IEC 62443 gives us the ability to communicate In an unambiguous way Unrestricted © Siemens A/S 2018
  • 6. IEC 62443 addresses the Defense in Depth concept Unrestricted © Siemens A/S 2018 Network Security • Cell protection, DMZ, and remote maintenance • Firewall and VPN • Segmentation • Asset and Network Management System integrity • System hardening • Authentication and user administration • Patch management • Logging and Monitoring • Detection of attacks Plant Security • Physical access protection • Processes and guidelines • Security service protecting production plants
  • 7. IEC 62443 focus on the interfaces between all stakeholders Unrestricted © Siemens A/S 2018 Operator, Integrator, and Manufacturer
  • 8. IEC 62443 from machines to corporates Unrestricted © Siemens A/S 2018 It is scalable
  • 9. IEC 62443 provides a complete Cyber Security Management System Unrestricted © Siemens A/S 2018 Risk based approach That covers the setup of: Risk analysis Addressing risk security organization and security processes security countermeasures and Implementation Monitoring and improving
  • 10. IEC 62443 from the beginning to the end Unrestricted © Siemens A/S 2018 It addresses the entire life cycle
  • 11. Cybersecurity Life Cycle Unrestricted © Siemens A/S 2018 Maintain phase Assess phase Develop & implement phase
  • 12. Cybersecurity Life Cycle Unrestricted © Siemens A/S 2018 Getting started Assess phase High-level Cyber Risk Assessment Allocation of IACS Assets to Zones or Conduits Detailed Cyber Risk Assessment Develop & implement phase Cybersecurity Requirements Specification Design and Engineering of countermeasures or other means of risk reduction Installation, commissioning, and validation of countermeasures Maintain phase Maintenance, Monitoring and Management of change Incident Response and Recovery Maintain phase Assess phase Develop & implement phase
  • 13. Assess phase Unrestricted © Siemens A/S 2018 Risk Assessment Risk = Likelihood x Consequence Where: Likelihood = Threat x Vulnerability
  • 14. Assess phase Risk methods and frameworks The Information Security Forum (ISF) National Institute of Standards and Technology (NIST) and… … Unrestricted © Siemens A/S 2018 More info: https://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks A good overview
  • 15. Assess phase Unrestricted © Siemens A/S 2018 Segmentation of TI and OT
  • 16. Assess phase Unrestricted © Siemens A/S 2018 Trusted/Untrusted Zones and Conduits PL1 PL2 Zone Control #1 PL3 Zone Control #2 Conduit Zone Enterprise Network Zone Plant
  • 17. Assess phase Unrestricted © Siemens A/S 2018 Risk based development of security levels Evaluate Business Risk to determine Criticality Assign Target Protection Levels Evaluate Protection Levels Achieved Protection Levels Security Assessment Consequence
  • 19. What is the structure of IEC 62443? Unrestricted © Siemens A/S 2018 1-1 General Terminology, concepts and models 2-1 Policies and procedures Establishing an IACS security program 3-1 System Security technologies for IACS 4-1 Component Product development requirements 1-2 General Master glossary of terms and abbreviations 2-2 Policies and procedures Operating an IACS security program 3-2 System Security assurance levels for zones and conduits 4-2 Component Technical sec. requirements for IACS products 1-3 General 2-3 Policies and procedures 3-3 System System security compliance metrics Patch management in the IACS environment System sec. requirements and security assurance levels 1-4 General IACS sec. life cycle and use case 2-4 Policies and procedures Certification of IACS supplier security policies 1-5 General IACS protection levels Functional requirements Processes / procedures Definition and metrics
  • 20. Phases in product and IACS life cycles Unrestricted © Siemens A/S 2018 Product life cycle Product Supplier Commercialization / maintenance Control Systems Embedded devices Network components Host devices Applications IACS life cycle Asset Owner System Integrator Automation solution Project application Asset Owner (Service provider) Automation solution Security measures and settings Configuration, User Management Security measures and settings Operational policies and procedures Specification Asset Owner Automation solution Decommissioning policies and procedures Decommissioning Operation / Maintenance Integration / Commissioning Security targets Phase Out Design Specification
  • 21. Phases in product and IACS life cycles Unrestricted © Siemens A/S 2018 Product life cycle Product Supplier Commercialization / maintenance 2-3 3-3 4-1 4-2 IACS life cycle Asset Owner System Integrator Automation solution Project application Asset Owner (Service provider) Automation solution Security measures and settings 2-1 Specification Configuration, User Management Security measures and settings 2-3 3-2 2-4 3-3 2-1 2-3 Operational policies and procedures 2-4 3-2 3-3 Asset Owner Automation solution Decommissioning policies and procedures 2-1 2-4 Decommissioning Operation / Maintenance Integration / Commissioning Security targets Phase Out Design Specification Control Systems Embedded devices Network components Host devices Applications
  • 22. Protection Levels Unrestricted © Siemens A/S 2018 Page 30 SL 1 Capability to protect against casual or coincidental violation SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 1 Initial - Process unpredictable, poorly controlled, and reactive. ML 2 Managed - Process characterized, reactive ML 3 Defined - Process characterized, proactive deployment ML 4 Optimized - Process measured, controlled, and continuously improved 4 3 2 1 4 3 2 1 Cover security functionalities and processes Security functionalities Security processes Protection Levels Security Level Maturity Level PL 1 Protection against casual or coincidental violation PL 2 Protection against intentional violation using simple means with low resources, generic skills and low motivation PL 3 Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation PL 4 Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
  • 23. IEC 62443 Security measures Unrestricted © Siemens A/S 2018 It is unambiguous … Secure Physical Access Organize Security Secure Solution Design Secure Operations Secure Lifecycle management Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door Dual approval for critical actions Firewalls with Fail Close (e.g. Next Generation Firewall) Monitoring of all device activities Online security functionality verification … Revolving doors with card reader No Email, No WWW, etc. in Secure Cell 2 PCs (Secure Cell/outside) Monitoring of all human interactions Automated backup / recovery … … … Remote access with cRSP or equivalent Doors with card reader Persons responsible for security within own organization Mandatory security education Physical network segmentation or equivalent (e.g. SCALANCE S) Continuous monitoring (e.g. SIEM) … Backup verification Remote access restriction (e.g. need to connect principle) Locked building/doors with keys Awareness training (e.g. Operator Aware. training) Mandatory rules on USB sticks (e.g. Whitelisting) Network segmentation (e.g. VLAN) Security logging on all systems … Backup / recovery system + PL 3 + PL 2 + PL 1 PL 4
  • 24. Protection Levels Cover security functionalities and processes Unrestricted © Siemens A/S 2018
  • 25. IEC 62443-3-3 Unrestricted © Siemens A/S 2018 7 Foundational Requirements FR 1 – Identification and authentication control FR 2 – Use control FR 3 – System integrity FR 4 – Data confidentiality FR 5 – Restricted data flow FR 6 – Timely response to events FR 7 – Resource availability Defines security requirements for industrial control systems
  • 26. FR 1 – Identification and authentication control Unrestricted © Siemens A/S 2018 System Requirement Overview (Part 1) SRs und REs SL 1 SL 2 SL 3 SL 4 SR 1.1 – Human user identification and authentication     SR 1.1 RE 1 – Unique identification and authentication    SR 1.1 RE 2 – Multifactor authentication for untrusted networks   SR 1.1 RE 3 – Multifactor authentication for all networks  SR 1.2 – Software process and device identification and authentication    SR 1.2 RE 1 – Unique identification and authentication   SR 1.3 – Account management     SR 1.3 RE 1 – Unified account management   SR 1.4 – Identifier management     SR 1.5 – Authenticator management     SR 1.5 RE 1 – Hardware security for software process identity credentials   SR 1.6 – Wireless access management     SR 1.6 RE 1 – Unique identification and authentication   
  • 27. FR 1 – Identification and authentication control Unrestricted © Siemens A/S 2018 SR 1.1 – Human user identification and authentication 5.3 SR 1.1 – Human user identification and authentication 5.3.1 Requirement The control system shall provide the capability to identify and authenticate all human users. This capability shall enforce such identification and authentication on all interfaces which provide human user access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures. 5.3.2 Rationale and supplemental guidance All human users need to be identified and authenticated for all access to the control system. Authentication of the identity of these users should be accomplished by using methods such as passwords, tokens, biometrics or, in the case of multifactor authentication, some combination thereof. The geographic location of human users can also be used as part of the authentication process…….
  • 28. FR 1 – Identification and authentication control Unrestricted © Siemens A/S 2018 System Requirement Overview (Part 2) SRs und REs SL 1 SL 2 SL 3 SL 4 SR 1.7 – Strength of password-based authentication     SR 1.7 RE 1 – Password generation and lifetime restrictions for human users   SR 1.7 RE 2 – Password lifetime restrictions for all users  SR 1.8 – Public key infrastructure certificates    SR 1.9 – Strength of public key authentication    SR 1.9 RE 1 – Hardware security for public key authentication   SR 1.10 – Authenticator feedback     SR 1.11 – Unsuccessful login attempts     SR 1.12 – System use notification     SR 1.13 – Access via untrusted networks     SR 1.13 RE 1 – Explicit access request approval   
  • 29. FR 2 – Use control System Requirement Overview (Part 37 ) Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 2.1 – Authorization enforcement     SR 2.1 RE 1 – Authorization enforcement for all users    SR 2.1 RE 2 – Permission mapping to roles    SR 2.1 RE 3 – Supervisor override   SR 2.1 RE 4 – Dual approval  SR 2.2 – Wireless use control     SR 2.2 RE 1 – Identify and report unauthorized wireless devices   SR 2.3 – Use control for portable and mobile devices     SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices   SR 2.4 – Mobile code     SR 2.4 RE 1 – Mobile code integrity check   SR 2.5 – Session lock    
  • 30. FR 2 – Use control System Requirement Overview (Part 38 ) Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 2.6 – Remote session termination    SR 2.7 – Concurrent session control   SR 2.8 – Auditable events     SR 2.8 RE 1 – Centrally managed, system-wide audit trail   SR 2.9 – Audit storage capacity     SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached   SR 2.10 – Response to audit processing failures     SR 2.11 – Timestamps    SR 2.11 RE 1 – Internal time synchronization   SR 2.11 RE 2 – Protection of time source integrity  SR 2.12 – Non-repudiation   SR 2.12 RE 1 – Non-repudiation for all users 
  • 31. FR 3 – System integrity System Requirement Overview U SRs und REs SL 1 SL 2 SL 3 SL 4 SR 3.1 – Communication integrity     SR 3.1 RE 1 – Cryptographic integrity protection   SR 3.2 – Malicious code protection     SR 3.2 RE 1 – Malicious code protection on entry and exit points    SR 3.2 RE 2 – Central management and reporting for malicious code protection   SR 3.3 – Security functionality verification     SR 3.3 RE 1 – Automated mechanisms for security functionality verification   SR 3.3 RE 2 – Security functionality verification during normal operation  SR 3.4 – Software and information integrity    SR 3.4 RE 1 – Automated notification about integrity violations   SR 3.5 – Input validation     SR 3.6 – Deterministic output     SR 3.7 – Error handling    SR 3.8 – Session integrity    SR 3.8 RE 1 – Invalidation of session IDs after session termination   SR 3.8 RE 2 – Unique session ID generation   SR 3.8 RE 3 – Randomness of session IDs  SR 3.9 – Protection of audit information    SR 3.9 RE 1 – Audit records on write-once media nrestricted © Siemens A/S 2018 
  • 32. FR 4 – Data confidentiality System Requirement Overview Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 4.1 – Information confidentiality     SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks    SR 4.1 RE 2 – Protection of confidentiality across zone boundaries  SR 4.2 – Information persistence    SR 4.2 RE 1 – Purging of shared memory resources   SR 4.3 – Use of cryptography    
  • 33. FR 5 – Restricted data flow System Requirement Overview Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 5.1 – Network segmentation     SR 5.1 RE 1 – Physical network segmentation    SR 5.1 RE 2 – Independence from non-control system networks   SR 5.1 RE 3 – Logical and physical isolation of critical networks  SR 5.2 – Zone boundary protection     SR 5.2 RE 1 – Deny by default, allow by exception    SR 5.2 RE 2 – Island mode   SR 5.2 RE 3 – Fail close   SR 5.3 – General purpose person-to-person communication restrictions     SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications   SR 5.4 – Application partitioning    
  • 34. FR 6 – Timely response to events System Requirement Overview Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 6.1 – Audit log accessibility     SR 6.1 RE 1 – Programmatic access to audit logs   SR 6.2 – Continuous monitoring   
  • 35. FR 7 – Resource availability System Requirement Overview Unrestricted © Siemens A/S 2018 SRs und REs SL 1 SL 2 SL 3 SL 4 SR 7.1 – Denial of service protection     SR 7.1 RE 1 – Manage communication loads    SR 7.1 RE 2 – Limit DoS effects to other systems or networks   SR 7.2 – Resource management     SR 7.3 – Control system backup     SR 7.3 RE 1 – Backup verification    SR 7.3 RE 2 – Backup automation   SR 7.4 – Control system recovery and reconstitution     SR 7.5 – Emergency power     SR 7.6 – Network and security configuration settings     SR 7.6 RE 1 – Machine-readable reporting of current security settings   SR 7.7 – Least functionality     SR 7.8 – Control system component inventory   
  • 36. Recap - System Security Levels Unrestricted © Siemens A/S 2018 Plant environment Automation solution Control System as a combination of Independent of plant environment Control System capabilities Capability SLs Risk assessment System Integrator Asset Owner Product supplier Target SLs Achieved SLs Embedded devices Network components Host devices Applications IEC 62443 2-1 Establishing an IACS security program 3-2 Security risk assessment and system design 2-4 Certification of IACS supplier security policies 3-3 System security requirements and Security levels 4-1 Product development requirements 4-2 Technical security requirements for IACS products Contributions of the stakeholders
  • 37. A piece of a bigger picture Unrestricted © Siemens A/S 2018 ISO 27001 The Functional Safety standard Risk assessment framework IEC 62443 NIST 800-30 Well known IT- security standard The OT-security standard
  • 38. Recap… Act now Everyoneis a target – also small and medium sized plants IEC62443 is a Risk based framework that can help you getting started in a very structured way Define your Risk… Define your organization Define your Protection level Define your Zones and Conduits
  • 39. Security information Unrestricted © Siemens A/S 2018 Page 49 Thank You for your attention