Five Key Points toward Cybersecurity “Defense in Depth”
Best practices for mitigating cybersecurity threats, and how Security Integrated products can help you protect your systems, networks, and plants
Globally, the number of network connections is exploding. In 2003, there were fewer than one connected device per person based on the world’s population; by 2020, the number will exceed seven per person! The trends associated with this development (e.g., cloud computing, mobile and wireless technology, the smart grid, the Internet of Things) all require a reliable network infrastructure that is resistant to malware and hackers. The resulting exposure spans the whole enterprise:
- PC workstations
- Network infrastructure
- Mobile storage devices
- Tablet PCs
- Data centers
- Production systems
- Policies and guidelines
The broad range of exposure calls for a holistic approach to address the security issue; moreover, policies that cover devices, systems, processes, and employees are an increasingly important security requirement.
Today, this development comes as no surprise. Enterprise vulnerabilities have become common headline news. Sadly, the risks and results of attacks are increasingly seen as a fait accompli of doing business. Their rise parallels the explosion of network connections: in 1995, only a handful of industrial vulnerabilities were reported; at the outset of this decade, more than 8,000 were cited.
Key among the trends that have increased the vulnerability of industrial automation plants are:
- Horizontal and vertical integration at all network levels
- Connection of automation networks with IT networks and the Internet for remote maintenance
- Increased use of open standards and PC-based systems
Consequently, security threats have increased, including access violations by unauthorized individuals, espionage and manipulation of data, and damages/data loss caused by malware. The results can be serious, including production downtime and loss of revenue, health and safety issues, intellectual property loss, and serious damage to one’s brand.
According to the German Federal Office for Information Security (BSI), here are the top 10 threats for industrial automation and control systems (ICS):
- Unauthorized use of remote maintenance access
- Online attacks via office/enterprise networks
- Attacks against standard components used in the ICS network
- (Distributed) denial-of-service ((D)DoS) attacks
- Human error and sabotage
- Introduction of harmful code via removable media and external hardware
- Reading and writing messages in the ICS network
- Unauthorized access to resources
- Attacks on network components
- Technical faults and acts of God
Providing “Defense in Depth”
The Defense in Depth concept is the key “weapon” in the protection of industrial control systems. As best practice in the industrial security industry, Siemens industrial security solutions are based on this concept. We also advise our customers to follow this approach.
Consider Defense in Depth as three rings of security around the production plant. The first is plant security, in which access for unauthorized personnel is blocked, and there is physical prevention of access to critical components. The second is network security, in which interfaces between office and plant networks are controlled (e.g., via firewalls) and there is further segmentation of the plant network. The third is system integrity, which includes antivirus and whitelisting software, maintenance and update processes, user authentication for plant or machine operators, and integrated access protection mechanisms in automation components.
Siemens’ approach to industrial security is based on five key concepts that relate to this Defense in Depth paradigm:
- The outermost ring (plant security) requires implementation of practicable and comprehensive security management in terms of the technology used as well as the engineering and production processes.
- In the middle and inner rings (network security and system integrity), the interfaces to office IT and the Internet/Intranet are subject to clearly defined regulations, and are monitored accordingly.
- In the middle ring, PC-based systems (HMI, engineering, and PC-based controls) must be protected with the aid of anti-virus software, whitelisting (positive lists), and integrated security mechanisms.
- In the middle ring, communication must be monitored and can be intelligently segmented by means of firewalls.
- In the inner ring, the control level is protected by various integrated security functions.
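The whitelisting (positive list) protection named for the middle ring can be illustrated with a small execution check. This is an added example, not Siemens code or the behaviour of any Siemens product: it assumes a positive list keyed by the SHA-256 digest of each approved binary, refuses anything whose digest is unknown, and uses constructed files in a temporary directory to stand in for an HMI station.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large executables never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_positive_list(approved_paths):
    """Record the digest of every approved binary once, at commissioning time.

    The result maps digest -> original path, so a match can be reported by name.
    """
    return {sha256_file(p): str(p) for p in approved_paths}


def check_execution(path, positive_list):
    """Return (permitted, reason) for a binary that is about to start.

    Default deny: a binary that is not listed, or whose content changed after it was
    listed, is refused. The reason string is what an operator would see in the log.
    """
    digest = sha256_file(path)
    if digest in positive_list:
        return True, f"matches approved {positive_list[digest]}"
    return False, f"{path} digest {digest[:12]}... is not in the positive list"


def demo():
    """Constructed scenario (hypothetical files, not real Siemens software):
    two approved binaries, one of which is altered after approval, plus one
    program that arrived on removable media and was never approved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi_runtime.bin"
        hmi.write_bytes(b"HMI runtime v1 (constructed sample)")
        eng = root / "engineering_tool.bin"
        eng.write_bytes(b"engineering tool (constructed sample)")
        positive_list = build_positive_list([hmi, eng])

        results = {}
        # Unchanged approved binary: permitted.
        results["hmi_unchanged"] = check_execution(hmi, positive_list)[0]
        # Approved binary modified after the list was built: its digest no longer matches.
        eng.write_bytes(b"engineering tool (constructed sample) + injected code")
        results["eng_tampered"] = check_execution(eng, positive_list)[0]
        # Program that was never approved (e.g. carried in on a USB stick): refused.
        rogue = root / "usb_autorun.bin"
        rogue.write_bytes(b"never approved (constructed sample)")
        results["rogue"] = check_execution(rogue, positive_list)[0]
        return results


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'ALLOW' if permitted else 'DENY'}")
```

The point of a positive list is that the operator never has to know what malware looks like: only the small, fixed set of approved binaries runs, and any change to one of them, whether by an attacker or by an unmanaged update, shows up as a denial that can be investigated.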
Siemens’ Support Strategy
Siemens provides support by selectively implementing a Defense in Depth concept as part of an integrated portfolio for industrial security. Indeed, industrial security is not only about technical implementation, but includes security awareness across all layers of management and employees. It is an ongoing task and must be ensured through all lifecycle phases.
The Siemens Solution consists of three parts that form the Siemens Industrial Security Solution pyramid:
- Industrial Security Services
Professional consulting from the initial planning steps, through implementation and operation of a tailor-made solution, and on to its modernization.
- Security Management
Operational guidelines in terms of processes and policies form an essential part of every industrial security concept.
- Products and Systems
In keeping with the spirit of Totally Integrated Automation, well-thought-out concepts for the security of PCs, controllers, and networks are part of the program.
The Industrial Security Services are structured into three parts: Security Assessments identify the customer’s needs and raise awareness within the customer’s organization, Security Packages address specific demands, and Managed Security Services solve complex problems, implement security measures, and provide support over the plant’s lifetime.
Security Management consists of four steps:
- Risk analysis that defines mitigation measures depending on the identified threats and risks to the plant
- Setting up policies and coordinating organizational measures
- Coordinating technical measures
- Regular/event-based repetition of the risk analysis to achieve and continuously preserve the necessary security level
Siemens products and systems that support industrial security include:
- SCALANCE S Security Modules
- UMTS Router SCALANCE M875 with Security Integrated
- CP 343-1/ CP 443-1 Advanced with Security Integrated
- CP 1543-1 with Security Integrated
- CP 1628 with Security Integrated
- SOFTNET Security Client
- Automation Firewall
Siemens Security Integrated components not only have communication functions, but also include special security functions such as firewall and VPN functionality. This enables implementation of the cell protection concept.
With the cell protection concept, a plant network is segmented into individual, protected automation cells within which all devices are able to communicate with each other securely. The individual cells are connected to the plant network protected by a VPN and firewall. Cell protection reduces the susceptibility to failure of the entire production plant and thus increases its availability. Security Integrated products are perfect for implementing this concept.
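The cell protection concept can be made concrete as a policy that the security module at each cell boundary enforces. The following is an added example written for this article, not Siemens code and not the rule syntax of any SCALANCE or CP product: it assumes a constructed addressing plan (two cells, a plant backbone, an office network), treats traffic inside a cell as permitted, allows only an explicit positive list of inter-cell flows, requires office-side engineering access to arrive through the cell’s VPN, and drops everything else by default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones (assumed addressing, not a real plant): each automation cell is
# one subnet behind its own security module; the plant backbone carries SCADA and
# time servers; office IT sits outside all cells.
ZONES = {
    "cell_a": ip_network("192.168.10.0/24"),
    "cell_b": ip_network("192.168.20.0/24"),
    "backbone": ip_network("192.168.1.0/24"),
    "office": ip_network("10.0.0.0/16"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    via_vpn: bool = False  # True when the packet arrived through the cell's VPN tunnel


# Positive list of permitted inter-zone flows:
# (src_zone, dst_zone, dport, proto, vpn_required). Nothing else crosses a cell boundary.
ALLOW_RULES = [
    ("backbone", "cell_a", 502, "tcp", False),  # SCADA server polls Modbus/TCP devices in cell A
    ("backbone", "cell_b", 502, "tcp", False),  # ... and in cell B
    ("cell_a", "backbone", 123, "udp", False),  # cells sync time from the backbone NTP server
    ("cell_b", "backbone", 123, "udp", False),
    ("office", "cell_a", 102, "tcp", True),     # engineering (S7 on TCP/102) only through the VPN
]


def zone_of(addr):
    """Map an address to its zone name, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow):
    """Return (verdict, reason) for one flow as the cell's security module would decide it."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "DROP", "address outside every known zone"
    if src_zone == dst_zone:
        # Devices within a cell communicate freely; the boundary is what is policed.
        return "ALLOW", f"intra-cell traffic in {src_zone}"
    for s, d, port, proto, vpn_required in ALLOW_RULES:
        if (s, d, port, proto) == (src_zone, dst_zone, flow.dport, flow.proto):
            if vpn_required and not flow.via_vpn:
                return "DROP", f"{s}->{d}:{port}/{proto} is permitted only through the VPN"
            return "ALLOW", f"rule {s}->{d}:{port}/{proto}"
    return "DROP", f"no rule for {src_zone}->{dst_zone}:{flow.dport}/{flow.proto} (default deny)"


def audit(flows):
    """Evaluate a batch of flows and return the dropped ones: the raw material for alerting."""
    dropped = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "DROP":
            dropped.append((f, reason))
    return dropped


# Constructed sample flows, as a boundary device might see them.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.10.20", 102),                 # HMI to PLC inside cell A
    Flow("192.168.1.10", "192.168.10.20", 502),                 # SCADA poll from the backbone
    Flow("10.0.4.7", "192.168.10.20", 102),                     # office PC straight to a PLC
    Flow("10.0.4.7", "192.168.10.20", 102, via_vpn=True),       # same access, via the VPN
    Flow("192.168.10.5", "192.168.20.5", 502),                  # cell A reaching into cell B
    Flow("203.0.113.9", "192.168.10.20", 502),                  # unknown external source
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src} -> {f.dst}:{f.dport}/{f.proto}  ({reason})")
```

Two properties of the model carry over to any real deployment: the inter-cell list is a positive list, so a new protocol or host is invisible until somebody adds a rule, and every drop carries a reason, which is what turns the firewall at a cell boundary into a detection point for exactly the threats listed earlier (unauthorized remote maintenance access, attacks via the office network, and reaching into the ICS network from outside).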