Industrial Security

“The problem is that security is not a product you can pick off a shelf, security is something you have to create”,
explains Siemens Manager Marketing Industrial Security Tino Hildebrand. Security begins on the management level and ends with each and every employee. When staff members write their PC access codes in the telephone directory or even attach them to the monitor in full view scribbled on a memo note, then there is a lack of understanding about security awareness.

These bad habits are widespread and offer a simple route into the network for would-be perpetrators. Only when every individual understands the risks involved and when a security policy is firmly rooted into all their actions, will hackers, saboteurs or spies be deterred.

Security is afforded by such simple measures as locking doors to server cabinets and distribution boards, providing access control systems to restrict entry to rooms and computers, installing locks for USB ports and setting up extensive security checks before allowing access to programs. “Security is a process. Once it has been introduced it has to go on being tested, updated and maintained over the entire life cycle of a plant or system,” emphasizes Hildebrand. In the face of ever more specialized attacks on individual complex systems, new and different defense strategies are called for.

Security concepts borrowed from classical office IT systems cannot be directly transposed for use in automation technology. Quite distinct protection needs and requirements in fields such as real time behavior call for a different approach and a different type of security solution. Another factor is that universal IT security product suppliers such as McAfee, Symantec, Trend Micro, Cisco and others have only recently turned their attention to developing components specifically for industrial controls. Standard IT software products currently offered are not well-suited for use in production. To be truly effective, virus databases have to be updated on a daily basis. In a production environment, scope for these regular updates is restricted: Regular virus checks would increase the system load to such an extent that it would compromise real-time capability. Importantly too, many systems operate around the clock, allowing maintenance teams only limited scope for keeping operating systems abreast of the latest developments.

Siemens runs a Security Lab dedicated to improving security for SIMATIC PCS 7 and WinCC. Founded in 2004, the lab works independently of conventional facilities used for product and system testing. Alongside continuous testing, the Security Lab is also responsible for the development of new industrial security architecture and security concepts. Different architecture models are regularly subjected to penetration tests by the Siemens Corporate Technology Computer Emergency Response Team (CERT).

Siemens CERT has been responsible for protecting Siemens’ own internal IT infrastructure and for secure product development since 1998. The team enjoys widespread recognition as an independent test body and trustworthy partner in dealing with security problems, developing preventive measures and assessing IT security. Head of Siemens CERT, Johann Fichtner, is well aware that Stuxnet is not the last instance in which a computer virus is likely to succeed in penetrating high-level industrial systems in a targeted attack. The worm was, to all intents and purposes, ordinary malware which capitalized very effectively on Microsoft weak spots. However, what Stuxnet demonstrated was that even proprietary systems present no obstacle where perpetrators have sufficient motivation and adequate resources to throw at them. The Stuxnet episode also clearly highlighted that separating automation and control systems from other networks offers no guarantee of security. Fichtner considers the most important approach to prevention to be in driving forward secure encryption and in subjecting not only processes but also products to security checks. On the corporate security level, he also considers it vital that the same level of importance be attached to setting up minimum requirements for IT security as for protecting infrastructures and safeguarding life and property.

Alongside changing codes of conduct, the automation components used naturally also have to comply with the same enhanced requirements in terms of IT security. A first line of defense for individual automation components entails restricting network and internet communication to an essential minimum. Making use of what is known as the cell protection concept, automation components can be grouped on a logical or communication-specific basis and separated from the rest of the network by means of firewalls and other security components.

This is something we are all familiar with from our own home office environment: Printers are hardly ever password-protected, theoretically allowing anyone gaining access to the printer to print out documents. Generally speaking this situation does not arise, as we lock the front door when no-one is home. Once we are working ourselves in the home office, the PC, notebook, DSL router and firewall protect the printer from outside access over the Internet. In this way, the printer is integrated into a “secure” cell. The same thing applies to the production environment: System components in secure automation cells are internally exposed. Although internal communication is permitted, the link between individual cells and the overall network is VPN and firewall protected. For servicing purposes, security modules open separate network access channels, restricted if required, in a similar way to systems used for instance for remote maintenance over the Internet.

Right from the outset, all the automation components of the SIMATIC family were designed to be so robust and equipped with such defined communication mechanisms that they enable a control system to continue processing its program as usual even in extreme situations such as Denial-of-Service attacks or targeted violation of individual communication services. This affects both the lower communication layers (2 to 4) with their Ethernet and IP protocols and also the higher-level application protocols (layers 5 to 7) of the OSI model. In addition, for years now Siemens has been performing regular tests to ascertain the network robustness of its components, using load scenarios and protocol attacks which are continuously adjusted in line with the current threat situation. The experience gained through the performance of these tests has allowed the network robustness of these devices to be increased across the board. A cooperative arrangement of many years’ standing with CERN openlab (Conseil Européen pour la Recherche Nucléaire) has also made a major contribution towards enhancing the security of SIMATIC controls.