Siemens AG PowerPoint Presentation - ITEA 3

Post on 16-Oct-2021


Secure Operations: Ensuring Cybersecurity to enable Industrial IoT

siemens.com/dcu

Unrestricted © Siemens Mobility GmbH

1 Protecting the data of individuals and companies

2 Preventing damage to people, companies and infrastructures

3 Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow

Leading global companies joined forces to encourage security in a networked world.

Evolving Landscape

Automation | Information Processing | Digital Connectivity and Intelligence

1950s – 1960s: Military, governments and other organizations implement computer systems

1970s: Home computer is introduced

1980s: Computers make their way into schools, homes, business and industry

1990s: Digital enhancement of electrification and automation

1991: The World Wide Web becomes publicly accessible

1999: The globe is connected by the internet

2000s: Mobile flexibility

2010s: Cloud computing enters the mainstream

2015: Industry 4.0, Internet of Things & Big Data

2020s: Smart and autonomous systems, Artificial Intelligence

Blue Boxing

Cryptovirology

AOHell

Level Seven Crew hack

Denial-of-service attacks

Cloudbleed

sl1nk SCADA hacks

Meltdown/Spectre

Infineon/TPM

AT&T Hack

Morris Worm

Melissa Worm

ILOVEYOU

WannaCry

NotPetya

Heartbleed

Industroyer/Crashoverride

Stuxnet

Cybersecurity solutions focused on (OT) Security

                            IT Security                                  OT Security
Asset lifecycle             3-5 years                                    20-40 years
Software lifecycle          Forced migration (e.g. PCs, smart phone)     Usage as long as spare parts available
Options to add security SW  High (> 10 “agents” on office PCs)           Low (old systems w/o “free” performance)
Heterogeneity               Low (~2 generations, Windows 7 and 10)       High (from Windows 95 up to 10)
Main protection concept     Standards based (agents & forced patching)   Case and risk based
                            Confidentiality                              Availability

Risk vs Budget

Your Risk: Ever growing risk landscape

Your Budget: Wait or use your creativity

[Chart: risk and budget plotted over Yesterday / Today / Tomorrow; the budget curve is marked "?" and "After a major incident"]

…costly impacts on operations

$38-88M: Average annual spend on unplanned downtime [2]

$1-2M / day: Economic impact of buying energy to replace energy production capabilities [1]

225,000: Customers without power due to BlackEnergy attack, 2015 [3]

$300M: Cost of NotPetya ransom ICS attack to single industrial company in 2017 [4]

Sources: 1) Richmond Times, 2) GE Oil and Gas, 3) E-ISAC, 4) CNBC

Structure by IEC 62443

IEC 62443 - Roles and Scope

Cybersecurity Concepts for Mobility

Perimeter protection & IDS: …”installed base (legacy) and automation products without built-in cybersecurity”

Defense in Depth - IEC 62443: …”for future deployments, with products with built-in cybersecurity features”

IEC 62443 Security Levels

SL 1 - Cybersecurity goal: protection against unintentional or accidental attacks

SL 2 - Cybersecurity goal: protection against deliberate attacks with simple means; attacker type: Script Kiddie

SL 3 - Cybersecurity goal: protection against intentional attacks with advanced means; attacker type: Criminal organization

SL 4 - Cybersecurity goal: protection against intentional attacks with advanced resources; attacker type: Nations / Agencies

Cybersecurity Pillars

IDS | JRS / SPX | DCU

DCU: Data Capture Unit (Data Diode)

CONFIDENTIAL

© Siemens Mobility GmbH 2020

Enabling connectivity while keeping networks physically isolated? …Data Diode technology

▪ Guarantees protection and network isolation via a hardware design that lacks the vulnerability of firewalls

▪ Reliable - MTBF of 16+ years

▪ Galvanic isolation & physical separation ensure only one-way communication

[Diagram: Critical network on the left, Open network on the right, joined by the Siemens DCU; the critical side's Tx PHY is coupled to the open side's Rx PHY by electromagnetic induction, giving a single Tx -> Rx path]
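The one-way link described on this slide has a protocol consequence worth seeing in code: with no return path, the receiving side can never acknowledge a frame or ask for a retransmission, so it must detect lost and corrupted frames on its own and report them locally. The following is an added example, not Siemens DCU or OWG code; the frame layout (an `OWG1` marker, 64-bit sequence number, payload length and SHA-256 of the payload), the `OneWayReceiver` class and the `simulate` channel are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed frame format (assumption for this example, not the DCU/OWG wire format):
# 4-byte marker, 64-bit sequence number, 32-bit payload length, SHA-256 of the payload.
MAGIC = b"OWG1"
HEADER = struct.Struct(">4sQI32s")


def frame(seq, payload):
    """Sender side: wrap one payload so the receiver can check it without a back-channel."""
    return HEADER.pack(MAGIC, seq, len(payload), hashlib.sha256(payload).digest()) + payload


class OneWayReceiver:
    """Receiver side of the diode: classifies incoming frames and never sends anything back."""

    def __init__(self):
        self.received = {}   # seq -> payload delivered intact
        self.rejected = []   # (seq or None, reason) kept for local diagnostics

    def accept(self, data):
        """Return 'ok', 'duplicate', or the reason a frame was rejected."""
        if len(data) < HEADER.size or data[:4] != MAGIC:
            self.rejected.append((None, "bad header"))
            return "bad header"
        _, seq, length, digest = HEADER.unpack_from(data)
        payload = data[HEADER.size:]
        if len(payload) != length:
            self.rejected.append((seq, "truncated"))
            return "truncated"
        if hashlib.sha256(payload).digest() != digest:
            self.rejected.append((seq, "corrupt"))
            return "corrupt"
        if seq in self.received:
            return "duplicate"
        self.received[seq] = payload
        return "ok"

    def missing(self):
        """Sequence numbers below the highest seen that never arrived intact.
        Without a return path these cannot be re-requested; they can only be reported."""
        if not self.received:
            return []
        return [s for s in range(max(self.received) + 1) if s not in self.received]


def simulate(payloads, drop=(), corrupt=()):
    """Push payloads through a simulated diode that silently loses or damages some frames.
    Returns (sequence numbers delivered intact, sequence numbers the receiver flags as missing)."""
    rx = OneWayReceiver()
    for seq, payload in enumerate(payloads):
        if seq in drop:
            continue                                     # lost in transit; the sender never learns
        data = frame(seq, payload)
        if seq in corrupt:
            data = data[:-1] + bytes([data[-1] ^ 0xFF])   # flip the last payload byte
        rx.accept(data)
    return sorted(rx.received), rx.missing()


if __name__ == "__main__":
    # Constructed sample: five diagnostic records, frame 2 lost, frame 3 damaged in transit.
    records = [b"rec0", b"rec1", b"rec2", b"rec3", b"rec4"]
    print(simulate(records, drop={2}, corrupt={3}))   # ([0, 1, 4], [2, 3])
```

The point of `missing()` is that the gap list is the only evidence the open side will ever have: on a real deployment the sender would have to repeat or forward-error-correct frames up front, since nothing the receiver does can reach back across the diode.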

Connectivity Concept

Designed to be modular

[Diagram: zones 1. OT Network (SIG) with TVD, IXL and OCC, 2. IT Network, 3. Cloud; components Industrial Edge Runtime (OWG, Cloud Connector, Connectors, Storage App), VPN, Rail Operator Cloud App, Vendor Device Management, DCU, OWG, Router + FW]

Real-time data collection – OWG sender

Deploy Security Patches – Worldwide

0% risk of customer operation disruption – DCU

Diagnostics and Local data storage – OWG receiver

Rollout Applications and Updates – Worldwide

[Diagram: zones 1. OT Network (SIG), 2. IT Network, 3. Cloud; components OWG - Sender, SCADA / Interlocking, DCU, OWG - Receiver, Router + FW, VPN, Rail Operator Cloud App, Vendor Asset Management]

USPs

Safety assessment: SL3 - IEC 62443-4-2

Vendor neutral: Standard protocols

0% risk of operation disruption

IDS: Intrusion Detection System

[Diagram: Topology with DCU. The IT/Enterprise network and the OT / Signaling (safety) network each contain Endpoints and Industrial Switches; a port mirror on the switches feeds one IDS Sensor per network; the sensors forward security logs via Syslog to the IDS Server]

JRS: Juridical Recording System & Encryption

What & Why

What

JRS collects, stores and validates all critical SIG system data.

JRS provides “Proof” that the stored data is unaltered and complete (integrity intact).

JRS prevents the alteration and/or deletion of data according to the IEC 62443 security concept:

• Components

• Communication

Why

Data from juridical recorders is needed for all legal or formal investigations of accidents or “near-miss” situations.

CENELEC 50701 will require data integrity tools for new railway systems.

Main features

1. Modular juridical recorder - based on X.509 certificates (PKI)

2. RAID 6 - high-performance and reliable data storage

3. Secure OS – S2L2 with certificates, Secure Boot and whitelisting

4. IEC 62443-4-2 SL3 compliant

5. Interference free – compatible with DCU

Functionality

1 | Data collection: DCU / Diagnostic PCs

2 | Data Storage: RAID 6

3 | Evaluation & Validation: JRS software

4 | Data Extraction: Customer or Siemens

Components: IXL
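The “Proof” that stored data is unaltered and complete, and the Evaluation & Validation step above, can be illustrated with a hash chain whose head is recorded in an authenticated checkpoint. This is an added example, not Siemens JRS software: each record commits to the SHA-256 of its predecessor, so editing or deleting any record breaks every later link, and truncation is caught by comparing the record count against the checkpoint. The checkpoint is authenticated with an HMAC under a constructed key as a stand-in for the X.509/PKI signature a deployed recorder would apply (an assumption); `Recorder`, `validate` and the record layout are illustrative names.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32                    # predecessor hash of the first record
CHECKPOINT_KEY = b"constructed-demo-key"  # stand-in for the recorder's private key (assumption)


def record_hash(seq, prev, payload):
    """SHA-256 over sequence number, predecessor hash and payload: one chain link."""
    h = hashlib.sha256()
    h.update(seq.to_bytes(8, "big"))
    h.update(prev)
    h.update(payload)
    return h.digest()


class Recorder:
    """Append-only store: every record commits to the one before it."""

    def __init__(self):
        self.records = []   # each: {"seq", "prev" (hex), "payload" (str), "hash" (hex)}

    def append(self, payload):
        seq = len(self.records)
        prev = bytes.fromhex(self.records[-1]["hash"]) if self.records else GENESIS
        rec = {"seq": seq, "prev": prev.hex(), "payload": payload.decode(),
               "hash": record_hash(seq, prev, payload).hex()}
        self.records.append(rec)
        return rec

    def checkpoint(self):
        """Authenticated statement of how many records exist and what the chain head is.
        HMAC stands in for a certificate-based signature in this example."""
        head = self.records[-1]["hash"] if self.records else GENESIS.hex()
        count = len(self.records)
        tag = hmac.new(CHECKPOINT_KEY, f"{count}:{head}".encode(), "sha256").hexdigest()
        return {"count": count, "head": head, "tag": tag}


def validate(records, checkpoint):
    """Evaluation & validation: walk the chain, then compare it with the checkpoint.
    Returns (ok, reason); alteration, deletion and truncation each yield a distinct reason."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"sequence gap at index {i}"          # a record was removed
        if rec["prev"] != prev.hex():
            return False, f"chain broken at seq {i}"            # predecessor was rewritten
        expected = record_hash(i, prev, rec["payload"].encode())
        if rec["hash"] != expected.hex():
            return False, f"record {i} altered"                 # payload changed in place
        prev = expected
    msg = f"{checkpoint['count']}:{checkpoint['head']}".encode()
    if not hmac.compare_digest(hmac.new(CHECKPOINT_KEY, msg, "sha256").hexdigest(),
                               checkpoint["tag"]):
        return False, "checkpoint authentication failed"       # checkpoint itself forged
    if checkpoint["count"] != len(records):
        return False, "record count differs from checkpoint"   # store truncated or padded
    if checkpoint["head"] != prev.hex():
        return False, "chain head differs from checkpoint"     # whole chain re-hashed
    return True, "integrity intact"


if __name__ == "__main__":
    # Constructed sample of signalling events, not real recorder output.
    rec = Recorder()
    for event in [b"signal A12 cleared", b"point 7 moved to reverse", b"train 4711 passed A12"]:
        rec.append(event)
    cp = rec.checkpoint()
    print(validate(rec.records, cp))   # (True, 'integrity intact')
```

The checkpoint is what turns a hash chain into evidence: without it, an attacker with write access could rewrite a record and recompute every following hash. Whoever holds the checkpoint (in a PKI deployment, the party that verifies the signature against the recorder's certificate) can detect that rewrite because the head no longer matches.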

WORKING FOR A POLLUTION-FREE TOMORROW …ONE JOURNEY AT A TIME

SIEMENS Mobility

Disclaimer

© Siemens AG 2020

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

All product designations may be trademarks or other rights of Siemens AG, its affiliated companies or other companies whose use by third parties for their own purposes could violate the rights of the respective owner.

Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02 | Page 26

Contact

Published by Siemens Mobility GmbH

Andres G. Guilarte

Global Product Manager

SMO RI PR SD

Germany

E-mail andres.guilarte@siemens.com
