Siemens AG Powerpoint Presentation
Secure Operations
Ensuring Cybersecurity to enable Industrial IoT
Unrestricted © Siemens Mobility GmbH | siemens.com/dcu

Leading global companies joined forces to encourage security in a networked world.
1. Protecting the data of individuals and companies
2. Preventing damage from people, companies and infrastructures
3. Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow

Evolving Landscape
Eras: Information Processing; Automation; Digital Connectivity and Intelligence.
1950s – 1960s: Military, governments and other organizations implement computer systems
1970s: The home computer is introduced
1980s: Computers make their way into schools, homes, business and industry
1990s: Digital enhancement of electrification and automation
1991: The World Wide Web becomes publicly accessible
1999: The globe is connected by the internet
2000s: Mobile flexibility
2010s: Cloud computing enters the mainstream
2015: Industry 4.0, Internet of Things & Big Data
2020s: Smart and autonomous systems, Artificial Intelligence
Security incidents plotted on the timeline: Industroyer/Crashoverride, Heartbleed, WannaCry, Melissa Worm, Stuxnet, Morris Worm, ILOVEYOU, AT&T Hack, Blue Boxing, AOHell, NotPetya, Cryptovirology, Cloudbleed, Level Seven Crew hack, sl1nk SCADA hacks, Infineon/TPM, Denial-of-service attacks, Meltdown/Spectre.

Cybersecurity solutions focused on (OT) Security
                               IT Security                                   OT Security
Protection goal                Confidentiality                               Availability
Asset lifecycle                3-5 years                                     20-40 years
Software lifecycle             Forced migration (e.g. PCs, smart phone)      Usage as long as spare parts available
Options to add security SW     High (> 10 "agents" on office PCs)            Low (old systems w/o "free" performance)
Heterogeneity                  Low (~2 generations, Windows 7 and 10)        High (from Windows 95 up to 10)
Main protection concept        Standards based (agents & forced patching)    Case and risk based

Risk vs Budget
▪ Ever growing risk landscape: Your Risk – Yesterday, Today, Tomorrow?
▪ Wait or use your creativity
▪ Your Budget – Yesterday, Today, Tomorrow
▪ After a major incident: costly impacts on operations

Cost figures shown on the slide:
▪ $1-2M / day – Economic impact of buying energy to replace energy production capabilities (1)
▪ $38-88M – Average annual spend on unplanned downtime (2)
▪ 225,000 – Customers without power due to the BlackEnergy attack, 2015 (3)
▪ $300M – Cost of the NotPetya ransom ICS attack to a single industrial company in 2017 (4)
Sources: 1) Richmond Times, 2) GE Oil and Gas, 3) E-ISAC, 4) CNBC

Structure by IEC 62443
IEC 62443 - Roles and Scope (diagram slides; figures not recoverable)

Cybersecurity Concepts for Mobility
▪ Defense in Depth - IEC 62443: "for future deployments, with products with built-in cybersecurity features"
▪ Perimeter protection & IDS: "installed base (legacy) and automation products without built-in cybersecurity"

Cybersecurity goal: IEC 62443 Security Levels
SL 1: Protection against unintentional or accidental attacks
SL 2: Protection against deliberate attacks with simple means (attacker type: Script Kiddie)
SL 3: Protection against intentional attacks with advanced means (attacker type: Criminal organization)
SL 4: Protection against intentional attacks with advanced resources (attacker type: Nations / Agencies)

Cybersecurity Pillars: IDS | JRS / SPX | DCU

DCU – Data Capture Unit (Data Diode)
CONFIDENTIAL © Siemens Mobility GmbH 2020
Enabling connectivity while keeping networks physically isolated? ...Data Diode technology
Diagram: critical network PHY (Tx only) coupled by electromagnetic induction to open network PHY (Rx only).
▪ Guarantees protection and network isolation via hardware design that lacks the vulnerability of firewalls
▪ Reliable - MTBF +16yrs
▪ Galvanic isolation & physical separation ensures only one-way communication

Connectivity Concept
3. Cloud Vendor: Cloud App; VPN – Worldwide Device Management; Deploy Security Patches; Rollout Applications and Updates
2. IT Network – Worldwide (Rail Operator): Router + FW; Cloud Connector; OWG App; Storage; Industrial Edge Runtime; Diagnostics and Connectors; Local data storage - OWG receiver
1. OT Network (SIG): DCU; OWG – DCU; Real-time data collection; OCC – OWG sender; TVD; IXL; 0% risk of customer operation disruption

Designed to be modular
3. Cloud Vendor: Cloud App; Asset Management; VPN
2. IT Network (Rail Operator): Router + FW; OWG - Receiver
1. OT Network (SIG): DCU; OWG - Sender; SCADA / Interlocking
USPs: Safety assessment; 0% risk of operation disruption; Vendor neutral; SL3 - IEC 62443 4-2; Standard protocols

IDS – Intrusion Detection System
CONFIDENTIAL © Siemens Mobility GmbH 2020
Topology with DCU
▪ IT/Enterprise network: IDS Server receiving security logs via Syslog from the IDS Sensors
▪ IDS Sensors attached to port mirrors on the Industrial Switches
▪ OT / Signaling (safety) network: Industrial Switches and Endpoints

JRS – Juridical Recording System & Encryption
© Siemens Mobility GmbH 2020
What & Why
What:
▪ JRS collects, stores and validates all critical SIG system data.
▪ JRS provides "Proof" that the stored data is unaltered and complete (integrity intact).
▪ JRS prevents the alteration and/or deletion of data acc. to the IEC 62443 security concept: Components; Communication
Why:
▪ Data from juridical recorders is needed for all legal or formal investigations of accidents or "near-miss" situations.
▪ CENELEC 50701 will require data integrity tools for new railway systems.
Main features
1. Modular juridical recorder - Based on X.509 Certificates (PKI)
2. RAID 6 - High performance and reliable data storage
3. Secure OS – S2L2 with Certificates, Secure Boot and Whitelisting
4. IEC 62443 4-2 SL3 - Compliant
5. Interference Free – Compatible with DCU
Functionality
1 | Data collection: IXL Components, DCU / Diagnostic PCs
2 | Data Storage: RAID 6
3 | Evaluation & Validation: JRS software
4 | Data Extraction: Customer or Siemens

WORKING FOR A POLLUTION-FREE TOMORROW ...ONE JOURNEY AT A TIME
SIEMENS Mobility

Disclaimer
© Siemens AG 2020. Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract. All product designations may be trademarks or other rights of Siemens AG, its affiliated companies or other companies whose use by third parties for their own purposes could violate the rights of the respective owner.
Page 26 Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02

Contact
Published by Siemens Mobility GmbH
Andres G. Guilarte, Global Product Manager, SMO RI PR SD, Germany
E-mail: [email protected]
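The DCU / OWG connectivity concept above rests on a property that is easy to state and easy to get wrong in software: the OT side can only transmit, so the IT side can never acknowledge a frame or ask for one again. The following Python simulation, added here and not Siemens DCU or OWG code, shows what an OWG-style sender and receiver have to do on their own to keep a one-way feed both checkable and complete. It assumes each frame carries a sequence number and a SHA-256 digest, that the sender pushes each frame twice (REPEAT) because it will never learn about a loss, and that the diode is a lossy list that only the sender side can write; the sample telemetry is constructed.

```python
"""One-way (data diode) transfer, modelled after the DCU / OWG connectivity
concept: the OT side can only send, so nothing the IT side sees can ever be
acknowledged or re-requested.

Added illustration, not Siemens DCU or OWG code. Assumptions: each frame
carries a sequence number and a SHA-256 digest, the sender repeats every
frame REPEAT times to tolerate single losses, and the diode is modelled as
a lossy list that can only be written from the sender side.
"""
import hashlib
import json

REPEAT = 2  # assumption: number of copies of each frame pushed through the diode


def encode_frame(seq: int, payload: dict) -> bytes:
    """Serialise one message and append its digest so corruption is detectable."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    digest = hashlib.sha256(body).hexdigest().encode()
    return body + b"|" + digest


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the digest does not match the body."""
    body, sep, digest = frame.rpartition(b"|")
    if not sep or hashlib.sha256(body).hexdigest().encode() != digest:
        return None
    obj = json.loads(body)
    return obj["seq"], obj["payload"]


class Diode:
    """Unidirectional lossy channel. `drop` holds transmission indices (0-based,
    counted over every copy sent) that are silently lost; the receiver side
    has no way to signal the loss back."""

    def __init__(self, drop=frozenset()):
        self.drop = set(drop)
        self.count = 0
        self.delivered = []

    def transmit(self, frame: bytes) -> None:
        if self.count not in self.drop:
            self.delivered.append(frame)
        self.count += 1


class Sender:
    """OT-side sender: numbers messages and pushes REPEAT copies of each."""

    def __init__(self, diode: Diode):
        self.diode = diode
        self.next_seq = 0

    def send(self, payload: dict) -> int:
        frame = encode_frame(self.next_seq, payload)
        for _ in range(REPEAT):
            self.diode.transmit(frame)
        self.next_seq += 1
        return self.next_seq


class Receiver:
    """IT-side receiver: discards corrupt frames, de-duplicates repeats and
    reports which sequence numbers never arrived."""

    def __init__(self):
        self.records = {}
        self.corrupt = 0

    def ingest(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        self.records.setdefault(seq, payload)  # second copy of a frame is ignored

    def missing(self, expected: int) -> list:
        return sorted(set(range(expected)) - set(self.records))


def run_transfer(n_messages: int, drop=frozenset()) -> dict:
    """Push n constructed telemetry messages through a diode that loses the
    given transmission indices; return what the receiver can establish."""
    diode = Diode(drop)
    sender = Sender(diode)
    for i in range(n_messages):
        sender.send({"signal": f"S{i}", "state": "clear"})  # constructed sample data
    receiver = Receiver()
    for frame in diode.delivered:
        receiver.ingest(frame)
    return {
        "received": sorted(receiver.records),
        "missing": receiver.missing(n_messages),
        "corrupt": receiver.corrupt,
    }


if __name__ == "__main__":
    # Drop both copies of message 1 (transmissions 2 and 3) and one copy of message 2.
    print(run_transfer(5, drop={2, 3, 4}))
```

The point of the gap report is that on a diode the receiver is the only party that can ever notice a loss, so it must record the missing sequence numbers itself (and raise them through monitoring) rather than rely on a retransmission that can never come; the repeat count is the sender-side knob that trades bandwidth for loss tolerance.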
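The JRS slide above claims proof that stored data is both unaltered and complete, which are two different properties: a per-record signature catches alteration, but only linking each record to its predecessor and publishing the latest chain hash catches deletion and truncation. The Python example below, added here and not Siemens JRS code, demonstrates that distinction. The slide names X.509 certificates (PKI); as an assumption this example stands in an HMAC over each record hash for the recorder's signature, chains records by SHA-256, and uses constructed interlocking events as sample data.

```python
"""Tamper-evident juridical record chain, illustrating the JRS "unaltered and
complete" integrity proof.

Added illustration, not Siemens JRS code. The slide names X.509 certificates
(PKI); this example substitutes an HMAC over each record hash as a stand-in
for the recorder's signature (assumption) and links records by hash so that
alteration, in-chain deletion and tail truncation are each detectable.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # stand-in for the recorder's private key


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(seq: int, prev: str, record: dict) -> str:
    return hashlib.sha256(_canonical({"seq": seq, "prev": prev, "record": record})).hexdigest()


class JuridicalRecorder:
    """Append-only store: each entry commits to its predecessor's hash."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.entries = []

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _record_hash(seq, prev, record)
        sig = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {"seq": seq, "prev": prev, "record": record, "hash": digest, "sig": sig}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest chain hash; publishing it out-of-band is what makes tail
        truncation detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list, key: bytes = DEMO_KEY, expected_head: str = None) -> str:
    """Walk the chain; return "ok" or a string naming the first defect found."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return f"sequence gap at index {i} (found seq {e['seq']})"
        if e["prev"] != prev:
            return f"chain link broken at seq {i}"
        if _record_hash(e["seq"], e["prev"], e["record"]) != e["hash"]:
            return f"record {i} altered"
        expected_sig = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, e["sig"]):
            return f"signature invalid on record {i}"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return "chain truncated: last hash differs from published head"
    return "ok"


def build_demo_chain() -> JuridicalRecorder:
    """Three constructed interlocking events (sample data, not real telemetry)."""
    rec = JuridicalRecorder()
    rec.append({"t": "12:00:01", "src": "IXL-1", "event": "route_set", "route": "R12"})
    rec.append({"t": "12:00:04", "src": "IXL-1", "event": "signal_clear", "signal": "S4"})
    rec.append({"t": "12:00:09", "src": "IXL-1", "event": "track_occupied", "track": "T7"})
    return rec


def demo_results() -> dict:
    """Run the verifier against the intact chain and three manipulated copies."""
    rec = build_demo_chain()
    head = rec.head()
    altered = copy.deepcopy(rec.entries)
    altered[1]["record"]["signal"] = "S5"          # edit one stored field
    deleted = copy.deepcopy(rec.entries[:1] + rec.entries[2:])  # remove the middle record
    truncated = copy.deepcopy(rec.entries[:-1])    # drop the newest record
    return {
        "intact": verify_chain(rec.entries, expected_head=head),
        "altered": verify_chain(altered, expected_head=head),
        "deleted": verify_chain(deleted, expected_head=head),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

The "truncated_without_head" case is the caveat worth remembering: a chain with the newest records cut off still verifies cleanly on its own, so a recorder that wants to prove completeness has to publish or escrow its current head hash somewhere the storage operator cannot rewrite, which is the role a PKI-backed signature over the head plays in the product described on the slide.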