Segmentation of the plant into security cells
Segmentation is the division of the process plant into individual, well-organized and manageable areas, each forming its own security cell. The size of the security cell can vary from a small automation unit up to an entire building. The cells are defined by dividing the plant into logical segments according to location and/or function. They are protected with all necessary security mechanisms and work completely autonomously. The data and personnel traffic between the individual cells is regulated by defined and supervised access
Virus protection and firewalls
Firewalls and virus scanners at dedicated access points protect individual computers or networks within the security cells against unauthorized access and infiltration. Therefore, additional firewalls are no longer needed within the cells. This simplifies the management of the computers and maintains the performance of the system.
The SIMATIC PCS 7 Security Concept supports the use of the Microsoft® Forefront Threat Management Gateway, the Windows firewall as well as Scalance S security modules and VPN connections to IPSec. These modules differ from office equipment due to their industrial capability and optimized communication of process information. In addition to firewalls, virus scanners are the most well-known security precautions. SIMATIC PCS 7 supports the three most commonly used virus scanners for production and control systems.
Trendmicro™ Office Scan Corporate Edition
Symantec™ Antivirus Corporate Edition
McAfee™ VirusScan Enterprise
Windows security patch management
The SIMATIC PCS 7 Security Concept recommends the installation of the appropriate security patches to protect individual workstations within the process control system. In order to assess the vulnerability of the computer against security threats, the Microsoft Baseline Security Analyzer (MBSA) scans and analyzes the computers in question. The security analyzer summarizes detected vulnerabilities and a list of missing security patches in a report. Based on this report, the user can then weigh the risk of continuing operation without the proper security patches against the work and cost involved in their installation, which may require rebooting of the computers.
Microsoft makes the patches available at regular intervals to close the most recently identified security gaps. The SIMATIC PCS 7 Security Lab continually reviews these patches to ensure their compatibility with the current versions of SIMATIC PCS 7. These test results are published online immediately after the test.
User and rights management
Consistent user and rights management with precise access control is another key element of the security concept. The Least Privilege Principle applies here. This means that the individual user or the individual application receives only those rights required for the actual task at hand. This is the best way to avoid intentional or unintentional operation errors. SIMATIC PCS 7 supports central user management with the SIMATIC Logon software package, which enables the assignment of permissions for SIMATIC applications and plant areas. SIMATIC Logon uses the Windows user management tools for functions such as automatic logoff and automatic expiration of passwords.
Time synchronization in a SIMATIC PCS 7 plant helps to minimize timing errors and supports synchronization, documentation and archiving of all time-critical processes. Time synchronization is often neglected but should not be underestimated. A potential risk in non-synchronized systems is that a domain client may be denied the right to sign onto their domain controller. This is caused by a security feature in Windows, which prevents possible unauthorized access to an existing session when a specified time difference between client and server is exceeded.
Service and remote access
The use of VPN connections reduces potential danger involved in the temporary admittance of “outside” computers in the plant for purposes of maintenance and support. Virtual Private Networks (VPN) provide reliable and safe connection from an external device to a protected control system. The Siemens Security Concept recommends this approach and the use of Microsoft® Forefront Threat Management Gateway (TMG) in combination with a quarantine network.
If plant data is accessed via a Web browser, the Security Concept recommends data encryption and server authentication, either through Secure Socket Layer (SSL) with HTTPS or IPSec and user authentication based user name and password.
Network structuring and management
Implementation of DHCP servers, assignment of IP addresses, and mapping of the plant segments into subnets as well as centralized management of the plant computers or users via Windows Active Directory are offered for support flexible network structures and efficient management of SIMATIC PCS 7 systems.
Application whitelisting protection mechanisms guarantee that only trustworthy applications and programs are executed on a station of the SIMATIC PCS 7 process control system. They prevent both the execution of illegal software and the modification of installed applications, thus adding to the existing protection against malware (malicious software).
The automation firewall is based on the Microsoft ®Forefront Threat Management Gateway 2010 , and it is provided with stateful inspection packet filters, application layer firewall, VPN gateway functionality, URL filtering, Web proxy, virus scan, and intrusion prevention. It thus protects the access point to the production environment e.g. from the office or intranet/Internet networks. It can be used as follows, depending on plant size:
Access point firewall for secure remote access in process plants and IT networks
Three-homed firewall for plants with complex perimeter networks
Front and back firewall for maximum protection in larger plants with extensive perimeter networks
The automation firewall is supplied preinstalled. A user-friendly configuration wizard is provided for setup.
The purpose of disaster recovery is to regain access to data, hardware and software and to restart operation following natural or man-made accidents. Since process engineering is more and more data-driven, the capability to quickly restore data is becoming critically important.
In SIMATIC PCS 7 systems, each PC comes supplied with a complete image of the system software, which can be used to restore the system partition at any time in the event of data loss. Siemens offers several programs for archiving process data, for example, StoragePlus, Central Archive Server (CAS), Process Historian and SIMATIC IT Historian.
Siemens Industrial Security Control System Application
The diagram below shows how a security system can be designed to provide maximum security protection.
SIMATIC Security Lab
As part of our security portfolio, Industrial Security is identified as an integral part of our system testing and is a prerequisite for product releases. The dedicated SIMATIC Security Lab is continuously working in the field of industrial data security and the results of their testing, flow directly into product and software development.