Industrial security

That is why industrial security is so important

As the use of Ethernet connections all the way down to the field level increases, the associated security issues are becoming a more urgent topic for industry. After all, open communication and increased networking of production systems involve not only huge opportunities, but also high risks. To provide an industrial plant with comprehensive security protection against attacks, the appropriate measures must be taken. Siemens can support you here in selectively implementing these measures – within the scope of an integrated range for Industrial Security.

Threat overview

¹⁾ Industrial Control Systems (ICS)

Source: BSI-A-CS 004 | Version 1.00 dated April 12, 2012; page 2 of 2

Note:
The list of threats came about as a result of close cooperation between BSI and business representatives.
With its BSI analyses, the Federal Office for Information Security (BSI) publishes statistics and reports on current topics in cyber security.
Please send comments and notes to: cs-info@bsi.bund.de

Network security as a central component of the Siemens Industrial Security concept

Siemens Industrial Security – continuous protection for your plant

An optimum industrial security solution can only be implemented if new approaches are taken because they must be continuously adapted to new threats. There is no such thing as absolute security. To ensure a comprehensive and permanent solution, we provide in-depth advice, partner-like cooperation, and constant further development of our security measures and products.

All-round, but also in-depth protection

With Defense in Depth, Siemens provides a multi-level concept that offers your plant both all-round and in-depth protection. The concept is based on the components, plant security, network security, and system integrity, as recommended by ISA 99 / IEC 62443 – the leading standard for security in industrial automation. While conventional plant security defends the plant against physical attacks, network protection and and protection of system integrity protect against cyber attacks and unauthorized access by operators or external persons.

Factors for success: Network security

Network security means protecting automation networks from unauthorized access. This includes the monitoring of all interfaces such as the interfaces between office and plant networks or the remote maintenance access to the Internet, which can be accomplished by means of firewalls and, if applicable, by establishing a DMZ (demilitarized zone = secure, protected zone). The DMZ is used to provide data for other networks, without granting direct access to the automation network. The secure segmenting of the plant network into individually protected automation cells minimizes risks and increases security. Cell division and device assignment are based on communication and protection requirements. Data transmission is encrypted by means of a VPN and is thus protected from data espionage and manipulation. The communication stations are securely authenticated. The cell protection concept can be implemented and communication can be secured using "Security Integrated" components such as SCALANCE S Security Modules, SCALANCE M wireless routers, or Security CPs for SIMATIC.

Initial risk assessment and information on the Internet

You want to know now how good the security of your industrial plant is? We can provide you with detailed information about the special security issues in your industry. Use the opportunity to contact our consulting team about any open issues. Our experts will gladly prepare a security concept that is adapted to the needs of your production plant or process infrastructure. You can download the additional "Operational Guidelines" with many recommendations for protecting your production plant from our Internet site.

Secure communication, network access protection and network segmentation with Security Integrated products

Security Integrated

Cell protection concept

Industrial communication is a key factor for corporate success – as long as the network is protected. As your partner, Siemens provides its customers with Security Integrated components, which not only have communication functions but also include special security functions such as firewall and VPN functionality, in order to implement the cell protection concept. With the cell protection concept, a plant network is subdivided into protected automation cells within which all devices are able to communicate with each other securely. The individual cells are connected to the plant network protected by a VPN and firewall. Cell protection reduces the susceptibility to failure of the entire production plant and thus increases its availability. Security Integrated products such as SCALANCE S, SCALANCE M and SIMATIC S7/PC communications processors can be used for implementation.

The following Security Integrated products are available: 

SIMATIC S7-1200 / S7-1500:

• Protection of the controller by access protection (authentication) via the S7-1200/S7-1500 CPU:
  • Know-how protection
  • Manipulation protection
  • Copy protection
  • Graded security concept for HMI connection
• Expandable access protection (firewall and VPN ) for S7-1200/S7-1500 with Security CP 1243-1/CP 1543-1 by means of
  • Integrated firewall (monitoring of the data flow)
  • Protection against data manipulation and espionage by means of a VPN

SIMATIC S7-300 and S7-400

• Protection of controllers by CP 343-1 Advanced and CP 443-1 Advanced communications processors, which contain both firewall and VPN (virtual private network) functionality. 

SCALANCE S security modules

SCALANCE S modules protect industrial networks and automation systems by means of security-related segmentation (cell protection) with a firewall against authorized access and protect data transmission with VPN against manipulation and espionage.

SCALANCE M router

Mobile radio router

SCALANCE M industrial router for secure access to plants via mobile radio, e.g. GPRS or UMTS, with integral security functions – firewall for protection against unauthorized access and VPN for protection of the data transmission.

DSL routers

The SCALANCE M DSL routers are ADSL routers (M812-1 and M816-1) for the secure connection of Ethernet-based subnets and automation devices to hard-wired DSL networks or SHDSL routers (M826) for connection via existing wire-pairs or multi-wire cables. They have integral security functions – firewall for protection against unauthorized access and VPN for protection of the data transmission.

Industrial PCs

• Via the CP 1628 communications processor, the industrial PCs are protected by firewall and VPN – for secure communication without special operating system settings. This means that computers equipped with the module can be connected to protected cells. 

Software

• The SOFTNET Security Clientsoftware enables VPN access via the Internet or a company intranet to automation cells or PCs protected by SCALANCE S or another security component with VPN functionality.

Security Integrated products for industrial use with special security functions to improve the standard of security