DJ
Uploaded byDenis Jakuzza
PPTX, PDF337 views

Industry 4.0 and security

This document discusses security aspects related to developing enterprise applications for Industry 4.0. It begins with an overview of Industry 4.0 and its key components like cyber-physical systems, the internet of things, and smart factories. It then discusses the complexity of enterprise applications and important non-functional requirements like security, performance, and availability. The document outlines the OWASP top 10 security risks and provides examples of recent security incidents. It emphasizes that with Industry 4.0, security must extend from enterprise IT to connected industrial systems and devices. The document concludes with discussing building security into each phase of development from design through implementation, testing, and ongoing maintenance.

Technology
Related topics:
Industry4-0

Embed presentation

Downloaded 26 times
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 1 www.convergence-creators.siemens.comwww.convergence-creators.siemens.com Security aspects in development of enterprise applications Industry 4.0 and Cybersecurity Siemens Convergence Creators
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 2 www.convergence-creators.siemens.com Industry 4.0 Next Industrial Revolution Industry 4.0 - German federal government announced it in 2011 as one of their key strategic initiatives - “High-Tech Strategy 2020 for Germany”1 - An industrial revolution that‘s „predicted a-priori“1 - Was introduced as a strategy, giving vision and basic solutions it aims at and what it should be, yet „most companies in Germany do not have a clear understanding of what Industrie 4.0 is and what it will look like”1 Key Components  Cyber-Physical Systems (CPS)  Internet of Things (IoT)  Internet of Services (IoS)  Smart Factory (SF) CPS IoT IoS SF Interoperability X X X X Virtualization X - - X Decentralization X - - X Real-Time - - - X SOA - - X - Modularity - - X - Key Principles  Interoperability  Virtualization  Decentralization  Real-Time  SOA  Modularity
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 3 www.convergence-creators.siemens.com Enterprise Applications and Security Enterprise Application: MSDN definition 7 – “An enterprise application is a business application”, “complex, scalable, distributed, component-based, and mission- critical”, “In short, they are highly complex systems.” Martin Fowler 11 – “Enterprise applications are about the display, manipulation, and storage of large amounts of often complex data and the support or automation of business processes with that data. Examples include reservation systems, financial systems, supply chain systems, and many others that run modern business. Enterprise applications have their own particular challenges and solutions...” Systems that are: • Complex • Layered • Modularized • Distributed • Mission-critical ... a lot of REQUIREMENTS Functional Non-Functional Performance Availability Reliability Recoverability Integrity Scalability Security Serviceability Usability Maintainability Portability Interoperability Extendibility
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 4 www.convergence-creators.siemens.com OWASP Top 10 The Ten Most Critical Web Application Security Risks (2017 RC1)3 1 Injection Injection flaws – e.g. SQL/OS/XXE/LDAP injection 2 Broken Authentication and Session Management Incorrect authentication/session management implementation 3 Cross-Site Scripting (XSS) Allowing attackers to execute scripts in victim’s browser 4 Broken Access Control Improper enforcing of restrictions on authenticated users 5 Security Misconfiguration Old software, improper configuration of applications, application/database/web servers, frameworks, platforms, etc. 6 Sensitive Data Exposure Lack of encryption of sensitive data during it’s rest or transit 7 Insufficient Attack Protection Insufficient basic input validation or similar techniques 8 Cross-Site Request Forgery Forcing victim’s browser to generate requests a vulnerable application thinks are legitimate 9 Using Components with known vulnerabilities Exploits of vulnerable libraries, frameworks and other SW modules 10 Underprotected APIs Rich client apps and APIs (in JS) connecting to often unprotected and vulnerable WS APIs
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 5 www.convergence-creators.siemens.com Highlights in Security News spear phishing and social engineering to gain access to the steel mill’s office network Sirens in Dallas “singing” ~23:45 to ~01:30 Energy carrier network operators attacked Various targets WannaCry Ransomware
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 6 www.convergence-creators.siemens.com Industry 4.0 – Relevance of Security Shop-floor and Enterprise IT / Cloud connections must be secured! Siemens: • PLC interfaces • Industrial device data integration (incl. management) • IOT2040 devices Other HW vendors: • Other PLC interfaces support • OPC UA, MQTT, AMQP (standard Industry protocols)  Applications and Analytics: • Siemens • OEM / Solution Providers • End-Customer • Partners  Siemens Cloud: • Visualization • Data management • Analytics / rules • System management • Industrial device management  3rd Party Clouds • Interconnection  3rd Party Applications Securing Industry 4.0 digital enterprise transformation Security - In Practice - Continuous ImprovementShop-floor Industrial Devices Enterprise IT / Scada “Cloud”
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 7 www.convergence-creators.siemens.com Security of Enterprises and Information Security Principles Availability Integrity Confidentiality Security: ability to protect from unauthorized access to business, data, application and infrastructure Information Security: focused on enterprise related data information on its’ partners or customers stored within the enterprise Tools: Standards conformance, Access control, Encryption, Isolation/Zoning, Information Security Training, enforcing of policies, etc. Continuous application and evolution of implemented security principles enables relatively sufficient security of enterprises and information.
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 8 www.convergence-creators.siemens.com Design for Security Security Readiness Development Phases over time Design Implement QA Production Stage Design for Security: • Data security (CIA – policies, identities, encryption, checksum, signing) • Application security (authenticate, authorize, account) • Infrastructure security (Firewall, DMZ, HTTPS SSL/TLS, isolation, redundancy) During design phase, design for security aspects and devise sufficiently prioritized tasks/stories which ensure required security levels (network/HW/SW planning, user-data, accounts & history, manufacturing device management/controlling – e.g. melting furnace, boiler!), usage of architectural patterns
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 9 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Continuous Integration: • Implementation coding & testing simultaneously • On-commit/hourly/daily • Test builds • Test executions • IMMEDIATE (failure) result feedback Development scope = implementation, testing, documentation Expect the best, plan & prepare for the worst. Utilize: static code analyzers (e.g. PMD), automated production and testing platforms (e.g. Jenkins,ant/robot/junit/selenium/ etc.), vulnerability scanners (e.g. see SecTools.org). Always use GA SW / security patches in pre-staging testing.
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 10 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Staging: • Continuation of dev. cycle integration • Continuous Release Candidate testing with expanded scope • Distribution production, pre-on-site hardening (e.g. default passwords, HW firmware patching, recommended security updates od 3rd party SW) • Local installation, test creation & execution (before deploymente, in cooperation with customer/partners) Dedicated Project Team scope = testing, documentation Utilize: vulnerability scanners (Nessus, see SecTools.org). Always use latest GA SW / security patches in pre-staging testing.
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 11 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Going Live: • Cooperation with Customer • Installation steps as documented • System prep for Acceptance Testing incl. customer specific hardening requirements (usually you get that when on site ) • Acceptance procedure execution, Backup & Restore process • After go-live and acceptance  maintenance mode (EMCY, bugs, preventive maintenance, customer RfEs, CRs, etc.) Dev. scope = AT support, maintenance, opportunities Keep production “mirror” in local test environment, keep up to date with maintenance updates (i.e. corrections), patch SW, Track CVE / CWE sites4 5 6, CERTs, emergency support
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 12 www.convergence-creators.siemens.com References Literature & Web Sites Industry 4.0 & CyberSecurity (1) Design Principles for Industrie 4.0 Scenarios: A Literature Review; Working Paper; Hermann, Pentek, Otto; Technische Universität Dortmund, Fakultät Maschinenbau (2015) (2) http://www.plattform-i40.de – Platform Industry 4.0 (3) OWASP – Open Web Application Security Project – Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (4) CVE – Common Vunerabilities and Exposures http://cve.mitre.org/ (5) CWE – Common Weakness Enumeration http://cwe.mitre.org/ (6) CVEdetails - http://www.cvedetails.com/ (CVE/CWE DB search tool) (7) MSDN - https://msdn.microsoft.com/en-us/library/aa267045(v=vs.60).aspx (8) http://www.ioti.com/security/10-most-vulnerable-iot-security-targets (9) http://www.csoonline.com/article/3119765/security/hackers-found-47-new- vulnerabilities-in-23-iot-devices-at-def-con.html (10) https://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/ (11) Patterns of Enterprise Application Architecture, Martin Fowler, 2003 (12) http://gizmodo.com/u-s-government-fears-a-monday-explosion-of-the-ransomw- 1795208518 (13) http://jalopnik.com/renault-and-nissan-plants-hit-by-massive-ransomware-att- 1795190743
© Siemens Convergence Creators GmbH 2017. All rights reserved. Page 13 www.convergence-creators.siemens.com Thank You for Your attention! Denis Jakus, dipl. inf. Project Manager Siemens Convergence Creators d.o.o. E-mail: denis.jakus@siemens-convergence.com Speaker

More Related Content

PPTX
cyber-security-reference-architecture
byBirendra Negi ☁️
 
PDF
Application Secuirty in the Cloud
bySteven_Jackson
 
PDF
ECMDay2015 - Peter Daalmans – Master your Mac OS X Operating System with Conf...
byKenny Buntinx
 
PDF
Open Source and Security: Engineering Security by Design - Prague, December 2011
byJeremy Brown
 
PDF
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
PDF
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
byAlexander Benoit
 
PDF
Cyber-menaces et cyber-préjudices : regards croisés par Gilles DESOBLIN & Red...
byTelecomValley
 
PDF
Experts Live Europe 2017 - Windows 10 Servicing - the do’s and don'ts
byAlexander Benoit
 
cyber-security-reference-architecture
byBirendra Negi ☁️
 
Application Secuirty in the Cloud
bySteven_Jackson
 
ECMDay2015 - Peter Daalmans – Master your Mac OS X Operating System with Conf...
byKenny Buntinx
 
Open Source and Security: Engineering Security by Design - Prague, December 2011
byJeremy Brown
 
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
byAlexander Benoit
 
Cyber-menaces et cyber-préjudices : regards croisés par Gilles DESOBLIN & Red...
byTelecomValley
 
Experts Live Europe 2017 - Windows 10 Servicing - the do’s and don'ts
byAlexander Benoit
 

What's hot

PDF
Experts Live Europe 2017 - Windows 10 and the cloud - why the future needs hy...
byAlexander Benoit
 
PDF
Webinar – Risk-based adaptive DevSecOps
bySynopsys Software Integrity Group
 
PDF
Veritas Resiliency Platform
bySymantec
 
PDF
Your Datacenter at risk? – Patching for the Datacenter
byIvanti
 
PPTX
VMWARE Professionals - Cross-Plattform Mangement
byPaulo Freitas
 
PPT
Microsoft+securitate agora-rtm
byAgora Group
 
PDF
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
PDF
Security As A Service
byOlav Tvedt
 
PPTX
What’s new in VMware vShield 5 - Customer Presentation
bySuministros Obras y Sistemas
 
PPTX
Microsoft Ignite 2019 State of the Browser: Microsoft Edge
byColleenWilliams31
 
PDF
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
byCloudIDSummit
 
PDF
Thinking of choosing Sophos?
bySymantec
 
DOCX
Brian P Milstead resume
byBrian Milstead
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
PDF
Validy netinc nsa_ops1_ops2_executive summary
byGilles Sgro
 
PDF
CSSLP & OWASP & WebGoat
bySurachai Chatchalermpun
 
PPT
Software Security Frameworks
byMarco Morana
 
PDF
Qualys Corporate Brochure
byQualys
 
PPTX
SCADA and HMI Security in InduSoft Web Studio
byAVEVA
 
DOC
Manoj Kumar_CA
byManoj Kumar M
 
Experts Live Europe 2017 - Windows 10 and the cloud - why the future needs hy...
byAlexander Benoit
 
Webinar – Risk-based adaptive DevSecOps
bySynopsys Software Integrity Group
 
Veritas Resiliency Platform
bySymantec
 
Your Datacenter at risk? – Patching for the Datacenter
byIvanti
 
VMWARE Professionals - Cross-Plattform Mangement
byPaulo Freitas
 
Microsoft+securitate agora-rtm
byAgora Group
 
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
Security As A Service
byOlav Tvedt
 
What’s new in VMware vShield 5 - Customer Presentation
bySuministros Obras y Sistemas
 
Microsoft Ignite 2019 State of the Browser: Microsoft Edge
byColleenWilliams31
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
byCloudIDSummit
 
Thinking of choosing Sophos?
bySymantec
 
Brian P Milstead resume
byBrian Milstead
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
Validy netinc nsa_ops1_ops2_executive summary
byGilles Sgro
 
CSSLP & OWASP & WebGoat
bySurachai Chatchalermpun
 
Software Security Frameworks
byMarco Morana
 
Qualys Corporate Brochure
byQualys
 
SCADA and HMI Security in InduSoft Web Studio
byAVEVA
 
Manoj Kumar_CA
byManoj Kumar M
 

Similar to Industry 4.0 and security

PPTX
Cybersecurity in the Era of IoT
byAmy Daly
 
PDF
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
PDF
Citrix security booklet
byBenjamin Jolivet
 
PDF
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
byNorth Texas Chapter of the ISSA
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
PPTX
The New Security Practitioner
byAdrian Sanabria
 
PDF
New technologies - Amer Haza'a
byFahmi Albaheth
 
PPT
Cybersecurity for Control Systems: Current State and Future Vision pt.1
byEnergySec
 
PDF
G05.2013 gartner top security trends
bySatya Harish
 
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
PDF
I.T.S P.r.o.f.i.l.e c.o.m.p.a.n.y
byesraabrega
 
PDF
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
PPTX
Forcepoint Corporate Presentation_Short.pptx
bycaesar92
 
DOCX
10 things to get right for successful dev secops
byMohammed Ahmed
 
PDF
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
PPTX
Medtec - Cyber-security Challenges on the Horizon
byteam-WIBU
 
PDF
2017 InfraGard Atlanta Conference - Matthew Rosenquist
byMatthew Rosenquist
 
Cybersecurity in the Era of IoT
byAmy Daly
 
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
Citrix security booklet
byBenjamin Jolivet
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
byNorth Texas Chapter of the ISSA
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
The New Security Practitioner
byAdrian Sanabria
 
New technologies - Amer Haza'a
byFahmi Albaheth
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
byEnergySec
 
G05.2013 gartner top security trends
bySatya Harish
 
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
I.T.S P.r.o.f.i.l.e c.o.m.p.a.n.y
byesraabrega
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
Forcepoint Corporate Presentation_Short.pptx
bycaesar92
 
10 things to get right for successful dev secops
byMohammed Ahmed
 
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
Medtec - Cyber-security Challenges on the Horizon
byteam-WIBU
 
2017 InfraGard Atlanta Conference - Matthew Rosenquist
byMatthew Rosenquist
 

Recently uploaded

PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 

Industry 4.0 and security

  • 1.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 1 www.convergence-creators.siemens.comwww.convergence-creators.siemens.com Security aspects in development of enterprise applications Industry 4.0 and Cybersecurity Siemens Convergence Creators
  • 2.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 2 www.convergence-creators.siemens.com Industry 4.0 Next Industrial Revolution Industry 4.0 - German federal government announced it in 2011 as one of their key strategic initiatives - “High-Tech Strategy 2020 for Germany”1 - An industrial revolution that‘s „predicted a-priori“1 - Was introduced as a strategy, giving vision and basic solutions it aims at and what it should be, yet „most companies in Germany do not have a clear understanding of what Industrie 4.0 is and what it will look like”1 Key Components  Cyber-Physical Systems (CPS)  Internet of Things (IoT)  Internet of Services (IoS)  Smart Factory (SF) CPS IoT IoS SF Interoperability X X X X Virtualization X - - X Decentralization X - - X Real-Time - - - X SOA - - X - Modularity - - X - Key Principles  Interoperability  Virtualization  Decentralization  Real-Time  SOA  Modularity
  • 3.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 3 www.convergence-creators.siemens.com Enterprise Applications and Security Enterprise Application: MSDN definition 7 – “An enterprise application is a business application”, “complex, scalable, distributed, component-based, and mission- critical”, “In short, they are highly complex systems.” Martin Fowler 11 – “Enterprise applications are about the display, manipulation, and storage of large amounts of often complex data and the support or automation of business processes with that data. Examples include reservation systems, financial systems, supply chain systems, and many others that run modern business. Enterprise applications have their own particular challenges and solutions...” Systems that are: • Complex • Layered • Modularized • Distributed • Mission-critical ... a lot of REQUIREMENTS Functional Non-Functional Performance Availability Reliability Recoverability Integrity Scalability Security Serviceability Usability Maintainability Portability Interoperability Extendibility
  • 4.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 4 www.convergence-creators.siemens.com OWASP Top 10 The Ten Most Critical Web Application Security Risks (2017 RC1)3 1 Injection Injection flaws – e.g. SQL/OS/XXE/LDAP injection 2 Broken Authentication and Session Management Incorrect authentication/session management implementation 3 Cross-Site Scripting (XSS) Allowing attackers to execute scripts in victim’s browser 4 Broken Access Control Improper enforcing of restrictions on authenticated users 5 Security Misconfiguration Old software, improper configuration of applications, application/database/web servers, frameworks, platforms, etc. 6 Sensitive Data Exposure Lack of encryption of sensitive data during it’s rest or transit 7 Insufficient Attack Protection Insufficient basic input validation or similar techniques 8 Cross-Site Request Forgery Forcing victim’s browser to generate requests a vulnerable application thinks are legitimate 9 Using Components with known vulnerabilities Exploits of vulnerable libraries, frameworks and other SW modules 10 Underprotected APIs Rich client apps and APIs (in JS) connecting to often unprotected and vulnerable WS APIs
  • 5.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 5 www.convergence-creators.siemens.com Highlights in Security News spear phishing and social engineering to gain access to the steel mill’s office network Sirens in Dallas “singing” ~23:45 to ~01:30 Energy carrier network operators attacked Various targets WannaCry Ransomware
  • 6.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 6 www.convergence-creators.siemens.com Industry 4.0 – Relevance of Security Shop-floor and Enterprise IT / Cloud connections must be secured! Siemens: • PLC interfaces • Industrial device data integration (incl. management) • IOT2040 devices Other HW vendors: • Other PLC interfaces support • OPC UA, MQTT, AMQP (standard Industry protocols)  Applications and Analytics: • Siemens • OEM / Solution Providers • End-Customer • Partners  Siemens Cloud: • Visualization • Data management • Analytics / rules • System management • Industrial device management  3rd Party Clouds • Interconnection  3rd Party Applications Securing Industry 4.0 digital enterprise transformation Security - In Practice - Continuous ImprovementShop-floor Industrial Devices Enterprise IT / Scada “Cloud”
  • 7.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 7 www.convergence-creators.siemens.com Security of Enterprises and Information Security Principles Availability Integrity Confidentiality Security: ability to protect from unauthorized access to business, data, application and infrastructure Information Security: focused on enterprise related data information on its’ partners or customers stored within the enterprise Tools: Standards conformance, Access control, Encryption, Isolation/Zoning, Information Security Training, enforcing of policies, etc. Continuous application and evolution of implemented security principles enables relatively sufficient security of enterprises and information.
  • 8.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 8 www.convergence-creators.siemens.com Design for Security Security Readiness Development Phases over time Design Implement QA Production Stage Design for Security: • Data security (CIA – policies, identities, encryption, checksum, signing) • Application security (authenticate, authorize, account) • Infrastructure security (Firewall, DMZ, HTTPS SSL/TLS, isolation, redundancy) During design phase, design for security aspects and devise sufficiently prioritized tasks/stories which ensure required security levels (network/HW/SW planning, user-data, accounts & history, manufacturing device management/controlling – e.g. melting furnace, boiler!), usage of architectural patterns
  • 9.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 9 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Continuous Integration: • Implementation coding & testing simultaneously • On-commit/hourly/daily • Test builds • Test executions • IMMEDIATE (failure) result feedback Development scope = implementation, testing, documentation Expect the best, plan & prepare for the worst. Utilize: static code analyzers (e.g. PMD), automated production and testing platforms (e.g. Jenkins,ant/robot/junit/selenium/ etc.), vulnerability scanners (e.g. see SecTools.org). Always use GA SW / security patches in pre-staging testing.
  • 10.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 10 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Staging: • Continuation of dev. cycle integration • Continuous Release Candidate testing with expanded scope • Distribution production, pre-on-site hardening (e.g. default passwords, HW firmware patching, recommended security updates od 3rd party SW) • Local installation, test creation & execution (before deploymente, in cooperation with customer/partners) Dedicated Project Team scope = testing, documentation Utilize: vulnerability scanners (Nessus, see SecTools.org). Always use latest GA SW / security patches in pre-staging testing.
  • 11.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 11 www.convergence-creators.siemens.com Implement for Security Security Readiness Development Phases over time Design Implement QA Production Stage Going Live: • Cooperation with Customer • Installation steps as documented • System prep for Acceptance Testing incl. customer specific hardening requirements (usually you get that when on site ) • Acceptance procedure execution, Backup & Restore process • After go-live and acceptance  maintenance mode (EMCY, bugs, preventive maintenance, customer RfEs, CRs, etc.) Dev. scope = AT support, maintenance, opportunities Keep production “mirror” in local test environment, keep up to date with maintenance updates (i.e. corrections), patch SW, Track CVE / CWE sites4 5 6, CERTs, emergency support
  • 12.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 12 www.convergence-creators.siemens.com References Literature & Web Sites Industry 4.0 & CyberSecurity (1) Design Principles for Industrie 4.0 Scenarios: A Literature Review; Working Paper; Hermann, Pentek, Otto; Technische Universität Dortmund, Fakultät Maschinenbau (2015) (2) http://www.plattform-i40.de – Platform Industry 4.0 (3) OWASP – Open Web Application Security Project – Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (4) CVE – Common Vunerabilities and Exposures http://cve.mitre.org/ (5) CWE – Common Weakness Enumeration http://cwe.mitre.org/ (6) CVEdetails - http://www.cvedetails.com/ (CVE/CWE DB search tool) (7) MSDN - https://msdn.microsoft.com/en-us/library/aa267045(v=vs.60).aspx (8) http://www.ioti.com/security/10-most-vulnerable-iot-security-targets (9) http://www.csoonline.com/article/3119765/security/hackers-found-47-new- vulnerabilities-in-23-iot-devices-at-def-con.html (10) https://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/ (11) Patterns of Enterprise Application Architecture, Martin Fowler, 2003 (12) http://gizmodo.com/u-s-government-fears-a-monday-explosion-of-the-ransomw- 1795208518 (13) http://jalopnik.com/renault-and-nissan-plants-hit-by-massive-ransomware-att- 1795190743
  • 13.
    © Siemens ConvergenceCreators GmbH 2017. All rights reserved. Page 13 www.convergence-creators.siemens.com Thank You for Your attention! Denis Jakus, dipl. inf. Project Manager Siemens Convergence Creators d.o.o. E-mail: denis.jakus@siemens-convergence.com Speaker

Editor's Notes

  • #2 Content: industry, what’s an enterprise app + architectural aspects like non-functionals, top10 OWASP, news, security importance, what’s security.. Security in development phases – “best practices”..
  • #3 (1) Design Principles for Industrie 4.0 Scenarios: A Literature Review; Working Paper; Hermann, Pentek, Otto; Technische Universität Dortmund, Fakultät Maschinenbau (2015) CPS  “CPS are “integrations of computation and physical processes. Embedded computers and networks monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa.” (Lee, 2008, p. 363)” , “such as RFID, sensors, actuators, mobile phones, which, through unique addressing schemas, (…) interact with each other and cooperate with their neighboring ‘smart’ components, to reach common goals” IoT = Internet of Things  “.. network in which CPS cooperate with each other through unique addressing schemas. Application examples: Smart Factories, Smart Homes, and Smart Grids” IoS = Internet of Services  “enables “service vendors to offer their services via the internet. […] The IoS consists of participants, an infrastructure for services, business models and the services themselves. Services are offered and combined into value-added services by various suppliers; they are communicated to users as well as consumers and are accessed by them via various channels.” (Buxmann, Hess, & Ruggaber, 2009, p. 341).” … “allows the use of modular assembly stations that can be flexibly modified or expanded. The transportation between the assembly stations is ensured by automated guided vehicles. Both, assembly stations and automated guided vehicles offer their services through the IoS” SF = Smart Factory  “The Smart Factory is defined as a factory that context-aware assists people and machines in execution of their tasks. This is achieved by systems working in background, so-called Calm-systems and context aware means that the system can take into consideration context information like the position and status of an object. These systems accomplish their tasks based on information coming from physical and virtual world. Information of the physical world is e.g. position or condition of a tool, in contrast to information of the virtual world like electronic documents, drawings and simulation models. (Lucke, Constantinescu, & Westkämper, 2008, p. 115)”
  • #4 Martin Fowler: Patterns of Enterprise Application Architecture
  • #5 OWASP = Open Web Application Security Project
  • #6 Spomenuti Stuxnet kao prvi primjer cyberwarfare-a..
  • #7 OPC UA - Open Platform Communications – Unified Achitecture MQTT – Message Queue Telemetry Transport AMQP – Advanced Message Queuing Protocol MES = Manufacturing Execution Systems / MOM = Manufacturing Operations Management
  • #8 Confidentiality = povjerljivost Integrity, Availability (dostupnost)
  • #12 CVE / CWE = common vulnerabilities and exposures / common weakness enumeration CERT = computer emergency response team