Security Guideline SIMATIC WinCC Open Architecture
SIMATIC WinCC Open Architecture 3.16 FP2 (P009)
05/2019

1 Preamble
2 Targets of the Security Guideline
3 References
4 Definitions
5 Strategy of the Security Guideline
6 Implementation of the Security Strategy for Security Solutions
7 Security Checklist
8 Glossary
9 Lists

Legal Information

Warning Concept

This manual contains notes that need to be considered to ensure the secure configuration of a plant and to prevent damage to property. The notes on security impacts are shown by a warning triangle in different colors or a warning light. Notes referring to a minor or an improbable security issue have no symbols. The alerts and warnings are illustrated here in descending order of their level.

DANGER
Means that death or severe security issues will occur, if the corresponding precautions are not taken.

WARNING
Means that death or severe security issues may occur, if the corresponding precautions are not taken.

CAUTION
With a warning triangle means that moderate security issues may occur, if the corresponding precautions are not taken.

ATTENTION
With a grey warning triangle means that an undesirable event or condition may occur if the corresponding note is not heeded.

CAUTION
Without a warning triangle means that damage to property may occur, if the corresponding precautions are not taken.

If more than one hazard level applies, the warning for the highest level is used. If a caution with the warning triangle warns of personal injury, it may also have a warning of damage to property.

ETM professional control GmbH | A Siemens Company
Marktstraße 3, A-7000 Eisenstadt, AUSTRIA
05/2019
Copyright © ETM professional control GmbH | A Siemens Company
Subject to alterations

Qualified Staff

The product/system associated with this documentation should be handled only by personnel qualified for the task. They should handle the tasks assigned to them while paying attention to the associated documentation, such as this document.
Qualified persons, based on their training and experience, can detect risks and avoid possible hazards when handling these products/systems.

Proper Use of ETM professional control GmbH products

Please take note of the following:

WARNING
ETM professional control GmbH products should be used only for the application areas foreseen in the associated technical documentation. If third party products and components are used, they must be recommended and/or approved by ETM professional control GmbH. The fault-free and secure operation of the products assumes proper transport and storage, assembly, installation, commissioning, operation and maintenance. The permissible ambient conditions must be followed. Notes (Instructions) in the associated documentation must be seen and followed.

Brands

All names and designations marked with the registered trademark ® are registered brands of Siemens AG or affiliated companies such as ETM professional control GmbH. The use of the registered brands by a third party for their own purposes may infringe the rights of the owner.

Disclaimer

We have checked the contents of the documentation to ensure that they match the hardware and software described. Nevertheless, deviations cannot be entirely excluded, and we cannot, therefore, guarantee complete agreement. The information in this documentation is, however, reviewed regularly and any corrections necessary are incorporated in later editions. Information about the current version can be found in the page footer.

Table of Contents

1 PREAMBLE
  SCOPE
  INTENTION OF THIS DOCUMENT
  DISCLAIMER
    1.3.1 License
  STRUCTURE AND ORGANIZATION OF THIS DOCUMENT
  REQUIRED KNOWLEDGE
    1.5.1 Training center
  PRODUCTS USED
  ABBREVIATIONS
2 TARGETS OF THE SECURITY GUIDELINE
3 REFERENCES
  IEC 62443/ISA99
  OTHER STANDARDS AND RULES
  OPERATIONAL GUIDELINES FOR INDUSTRIAL SECURITY
4 DEFINITIONS
  NAMING SCHEME IN FIGURES AND EXAMPLES
  NAMES OF THE NETWORKS IN THE "SECURITY GUIDELINE WINCC OPEN ARCHITECTURE"
5 STRATEGY OF THE SECURITY GUIDELINE
  SECURITY MANAGEMENT PROCESS
  DEFENSE IN DEPTH
    5.2.1 Defense in Depth concept
    5.2.2 Layers of protection
    5.2.3 Implement Defense in Depth for different Types of Access
  DIVISION IN SECURITY CELLS
    5.3.1 Process cells and security cells
  TASK-RELATED OPERATION AND ACCESS RIGHTS
  TASK-BASED GROUPING, CENTRAL ADMINISTRATION AND LOCAL CONFIGURATION
    5.5.1 Requirements
    5.5.2 Tasks
    5.5.3 Workstation authorization in WinCC OA
  USAGE OF ENCRYPTED COMMUNICATION PROTOCOLS
    5.6.1 Usage of TLS protocol
    5.6.2 Usage of Kerberos
6 IMPLEMENTATION OF THE SECURITY STRATEGY FOR SECURITY SOLUTIONS