Post on 16-Oct-2021
transcript
Secure Operations: Ensuring Cybersecurity to enable Industrial IoT
siemens.com/dcu
Unrestricted © Siemens Mobility GmbH
1 Protecting the data of individuals and companies
2 Preventing damage to people, companies and infrastructures
3 Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow
Leading global companies joined forces to encourage security in a networked world.
Evolving Landscape
Eras: Automation | Information Processing | Digital Connectivity and Intelligence
1950s – 1960s: Military, governments and other organizations implement computer systems
1970s: Home computer is introduced
1980s: Computers make their way into schools, homes, business and industry
1990s: Digital enhancement of electrification and automation
1991: The World Wide Web becomes publicly accessible
1999: The globe is connected by the internet
2000s: Mobile flexibility
2010s: Cloud computing enters the mainstream
2015: Industry 4.0, Internet of Things & Big Data
2020s: Smart and autonomous systems, Artificial Intelligence
▪ Blue Boxing
▪ Cryptovirology
▪ AOHell
▪ Level Seven Crew hack
▪ Denial-of-service attacks
▪ Cloudbleed
▪ sl1nk SCADA hacks
▪ Meltdown/Spectre
▪ Infineon/TPM
▪ AT&T Hack
▪ Morris Worm
▪ Melissa Worm
▪ ILOVEYOU
▪ WannaCry
▪ NotPetya
▪ Heartbleed
▪ Industroyer/Crashoverride
▪ Stuxnet
Cybersecurity solutions focused on (OT) Security
IT Security vs OT Security
Asset lifecycle: IT 3-5 years | OT 20-40 years
Software lifecycle: IT Forced migration (e.g. PCs, smart phones) | OT Usage as long as spare parts available
Options to add security SW: IT High (> 10 "agents" on office PCs) | OT Low (old systems w/o "free" performance)
Heterogeneity: IT Low (~2 generations, Windows 7 and 10) | OT High (from Windows 95 up to 10)
Main protection concept: IT Standards based (agents & forced patching) | OT Case and risk based
Primary protection goal: IT Confidentiality | OT Availability
Risk vs Budget
Your Risk: Ever growing risk landscape
Your Budget: Wait or use your creativity
[Chart: risk and budget plotted over Yesterday, Today and Tomorrow; the budget curve is marked "?" and "After a major incident"]
…costly impacts on operations
$38-88M: Average annual spend on unplanned downtime (2)
$1-2M / day: Economic impact of buying energy to replace energy production capabilities (1)
225,000: Customers without power due to the BlackEnergy attack, 2015 (3)
$300M: Cost of the NotPetya ransom ICS attack to a single industrial company in 2017 (4)
Sources: 1) Richmond Times, 2) GE Oil and Gas, 3) E-ISAC, 4) CNBC
Structure by IEC 62443
IEC 62443 - Roles and Scope
Cybersecurity Concepts for Mobility
Perimeter protection & IDS: for the "installed base (legacy) and automation products without built-in cybersecurity"
Defense in Depth - IEC 62443: "for future deployments, with products with built-in cybersecurity features"
IEC 62443 Security Levels
SL 1: Cybersecurity goal: Protection against unintentional or accidental attacks
SL 2: Cybersecurity goal: Protection against deliberate attacks with simple means; Attacker type: Script Kiddie
SL 3: Cybersecurity goal: Protection against intentional attacks with advanced means; Attacker type: Criminal organization
SL 4: Cybersecurity goal: Protection against intentional attacks with advanced resources; Attacker type: Nations / Agencies
Cybersecurity Pillars
IDS | JRS / SPX | DCU
DCU: Data Capture Unit (Data Diode)
CONFIDENTIAL
© Siemens Mobility GmbH 2020
Enabling connectivity while keeping networks physically isolated? …Data Diode technology
▪ Guarantees protection and network isolation via hardware design that lacks the vulnerability of firewalls
▪ Reliable: MTBF +16 yrs
▪ Galvanic isolation & physical separation ensure only one-way communication
[Diagram: Critical network | DCU | Open network. Rx/Tx PHY pairs on each side; the coupling across the DCU is by electromagnetic induction.]
Connectivity Concept
[Diagram: three layers, 1. OT Network (SIG), 2. IT Network and 3. Cloud, joined by Router + FW. Components shown: IXL, TVD, OCC, DCU, OWG (sender and receiver), Industrial Edge Runtime, Cloud Connector, Connectors, Storage, App, VPN, Rail Operator Cloud App, Device Management, Vendor.]
– OWG sender: real-time data collection
– Worldwide: deploy security patches
– DCU: 0% risk of customer operation disruption
– OWG receiver: diagnostics and local data storage
– Worldwide: rollout of applications and updates
Designed to be modular
[Diagram: the same three layers (1. OT Network (SIG), 2. IT Network, 3. Cloud) and Router + FW, with SCADA / Interlocking, DCU, OWG - Sender, OWG - Receiver, VPN, Rail Operator Cloud App, Asset Management and Vendor.]
USPs
▪ Safety assessment: SL3 - IEC 62443 4-2
▪ Vendor neutral: Standard protocols
▪ 0% risk: operation disruption
IDS: Intrusion Detection System
[Diagram: Topology with DCU. An IT/Enterprise network and an OT / Signaling (safety) network, each with Industrial Switches, Endpoints and an IDS Sensor fed by a port mirror; Security logs (Syslog) from endpoints and sensors flow to the IDS Server.]
JRS: Juridical Recording System & Encryption
What & Why
What
JRS collects, stores and validates all critical SIG system data.
JRS provides "Proof" that the stored data is unaltered and complete (integrity intact).
JRS prevents the alteration and/or deletion of data acc. to the IEC 62443 security concept:
• Components
• Communication
Why
Data from juridical recorders is needed for all legal or formal investigations of accidents or "near-miss" situations.
CENELEC 50701 will require data integrity tools for new railway systems.
Main features
1. Modular juridical recorder - Based on X.509 Certificates (PKI)
2. RAID 6 - High-performance and reliable data storage
3. Secure OS – S2L2 with Certificates, Secure Boot and Whitelisting.
4. IEC 62443 4-2 SL3 - Compliant
5. Interference Free – Compatible with DCU
Functionality
1 | Data collection: DCU / Diagnostic PCs
2 | Data Storage: RAID 6
3 | Evaluation & Validation: JRS software
4 | Data Extraction: Customer or Siemens
Components: IXL
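The integrity "proof" the JRS slides describe (stored data shown to be unaltered and complete), as an added example that is not Siemens code: each record carries the hash of its predecessor, so altering or deleting a record breaks the chain, and a keyed MAC over the chain head stands in for the X.509/PKI signature (an assumption made to keep the example standard-library only) so that truncation at the end is detected too.

```python
import hashlib
import hmac
import json

# Added example, not the JRS implementation. A record chain in the spirit of a
# juridical recorder: alteration or deletion inside the chain breaks a hash
# link; a keyed MAC over (record count, head hash) is a stand-in for the PKI
# signature and catches truncation. Sample payloads below are constructed.

GENESIS = "0" * 64


def _record_hash(seq: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append_record(chain: list, payload: dict) -> dict:
    # Link the new record to the current head of the chain.
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    rec = {"seq": seq, "prev": prev, "payload": payload}
    rec["hash"] = _record_hash(seq, prev, payload)
    chain.append(rec)
    return rec


def seal(chain: list, key: bytes) -> str:
    # "Proof" covering the whole chain: MAC over record count and head hash.
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, f"{len(chain)}:{head}".encode(), "sha256").hexdigest()


def validate(chain: list, seal_value: str, key: bytes) -> str:
    # Returns "ok", or a description of the first problem found.
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return f"chain break before record {i}"   # deletion or insertion
        if _record_hash(rec["seq"], rec["prev"], rec["payload"]) != rec["hash"]:
            return f"record {i} altered"
        prev = rec["hash"]
    if not hmac.compare_digest(seal(chain, key), seal_value):
        return "seal mismatch: records truncated or seal forged"
    return "ok"
```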
WORKING FOR A POLLUTION-FREE TOMORROW
…ONE JOURNEY AT A TIME
SIEMENS Mobility
Disclaimer
© Siemens AG 2020
Subject to changes and errors. The information given in this document
only contains general descriptions and/or performance features which
may not always specifically reflect those described, or which may
undergo modification in the course of further development of the
products. The requested performance features are binding only when
they are expressly agreed upon in the concluded contract.
All product designations may be trademarks or other rights of
Siemens AG, its affiliated companies or other companies whose use by
third parties for their own purposes could violate the rights of the
respective owner.
Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02 | Page 26
Contact
Published by Siemens Mobility GmbH
Andres G. Guilarte
Global Product Manager
SMO RI PR SD
Germany
E-mail andres.guilarte@siemens.com