
Primer for Cybersecurity in Industrial Automation

PREFACE

concepts for installations in operation. It is intended to be useful for decision makers, managers, technical leaders, engineers, and technicians as well as for students.

Special thanks to Frank Garrabrant and Lesley Morgan for their corrections which improved substantially the readability of the text.
CONTENTS

Protection Levels: A Holistic Approach Based on ISA/IEC 62443 - Page 5
  By Dr. Pierre Kobes

Interview Dr. Henning Rudolf - Page 13
  Head of Global Cybersecurity Offering at Siemens AG

Interview Dr. Pierre Kobes - Page 20
  Siemens Product and Solution Security Officer

Interview Dr. Norbert Gaus - Page 26
  Head of Research in Digitalization and Automation at Siemens AG

How Siemens is Addressing Security as an Automation Vendor

Security Concept for Process and Discrete Industries: Industrial Security - Page 33
  Siemens White Paper

Process Automation: PCS7 and Security - Page 49
  Protecting your production systems

Charter of Trust: For a Secure Digital World - Page 52
  Key principles essential for establishing a new charter of trust between society, politics, business partners, and customers

Primer for Cybersecurity in Industrial Automation 3


CERT Info: Siemens Cybersecurity Emergency Response Team - Page 54
  by M. Spreitzenbarth

Industrial Security Provided by Siemens and McAfee - Page 55
  Siemens and McAfee collaboration to help protect industrial automation systems from increased cyber threats

Industrial Cybersecurity for Small- and Medium-Sized Businesses - Page 58
  ISA White Paper

Industrial Automation and Control System Culture versus IT Paradigms - Page 74
  ISA Publication: Chapter 3 of Industrial Automation and Control System Security Principles: Protecting Critical Infrastructure, Second Edition
  By Ronald L. Krutz, PhD, PE

Ukrainian Power Grids cyberattack - Page 89
  ISA forensic analysis based on ISA/IEC 62443

Building a Business Case for Operational Technology Cybersecurity - Page 98
  Management buy-in begins with establishing a business rationale for security

What Executives Need to Know About Industrial Control Systems Cybersecurity - Page 105
  By Joseph Weiss



Protection Levels
a holistic approach based on ISA/IEC 62443

By: Dr. Pierre Kobes

Abstract

The concept of protection level is based on the consideration that a holistic protection concept based on a defense in depth strategy always has to include three dimensions: technology, processes, and people. The scope of the protection levels is the onsite environment, e.g. installations in operation. The concept of protection levels recognizes the fact that organizational and technical measures have to be related and that the evaluation of the protection against cyber threats has to include in an integrated way the related technical and organizational measures. Protection levels provide an integrated evaluation of the fulfilment of technical measures using the framework of the requirements of ISA/IEC 62443-3-3 and their mapping to security levels SL 1 to SL 4 and related organizational measures using the framework of the requirements of ISA/IEC 62443-2-1 for the operational policies and procedures as well as the framework of the requirements of ISA/IEC 62443-2-4 for the integration and maintenance activities. The maturity of the organization to document and implement the organizational requirements will be evaluated and rated from ML 1 to ML 4. The abstract gives an overview of the methodology as well as the usage and benefits for the stakeholders involved in the protection of plants in operation.

1 ISA/IEC 62443 is about technology, process, and people

The technology dimension covers the functional measures involved in the protection strategy, the process dimension includes the policies and procedures involved in the defense in depth approach and the people dimension addresses the ability and competence of the involved humans to implement the policies and procedures.

It has to be noted that the three mentioned dimensions differ heavily if the considered environment is project specific (onsite) and refers to a given IACS or is independent of a given project (offsite) or the ac-



tivities of the product suppliers are mostly independent of a specific project. The technology dimension concerns the functional capabilities of the products. The process dimension addresses the development process of the product supplier. Finally, the people dimension is the ability and competence of developers to apply the development process from specification through design, implementation and testing as well as ensuring the vulnerability management and incident handling.

In the environment of a specific project (onsite) the scope of the consideration is an IACS, e.g. an installation in operation. The process dimension is about the operational policies and procedures as well as the processes which have to be applied in the integration and the maintenance phase of the IACS. People are the personnel involved in all activities to operate the automation solution, the persons who have designed and deployed the automation solution (integration activities) as well as the personnel responsible for maintenance of the IACS. The technology dimension is about the functional capabilities provided by the project specific automation solution.

2 Protection Levels address installations in operation

The scope of the protection levels is the onsite environment, e.g. installations in operation. They provide a combined evaluation of the technology, process, and people dimensions to give an indication on how a plant or production is protected during the operational phase.

The technology dimension is covering the functional security capabilities realized in the automation solution based on the requirements of ISA/IEC 62443-3-3. The organizational measures include the evaluation of the processes implemented by the integrator when designing and deploying the automation solution (integration policies and procedures) as well as the processes used to operate and maintain the automation solution. ISA/IEC 62443-2-1 and ISA/IEC 62443-2-4 provide the framework for the evaluation of the organizational measures. The competency of the involved personnel (people dimension) should be included in the evaluation of the organizational measures

Figure 1 The scope of protection levels are installations in operation.



and is part of the evaluation of the maturity of the organization to document the processes and act according to the policies and procedures.

3 PLs combine Maturity Levels and Security Levels

Evaluating technical measures is fundamentally different from evaluating processes and people. The realized capabilities of the automation solution are evaluated by using the framework of the requirements of part 3-3 which are mapped to Security Levels according to the definitions:

• SL 1: Capability to protect against casual or coincidental violation
• SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills, and low motivation
• SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills, and moderate motivation
• SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills, and high motivation

On the other side, the evaluation of organizational measures is about the assessment of processes. This is done by evaluating how an organization defines and describes its processes and how the involved persons act according to the processes. This is generally defined as the maturity of the organization to implement and act according to processes. ISA/IEC 62443 differentiates the maturity in four levels, ML 1 to ML 4.

• ML 1: Initial - Process unpredictable, poorly controlled, and reactive
• ML 2: Managed - Process characterized, reactive
• ML 3: Defined - Process characterized, proactive deployment

Figure 2 PL provides an integrated evaluation of technical and organizational measures.



Figure 3 PL provides an integrated evaluation of technical and organizational measures.

• ML 4: Improved - Process measured, controlled, and continuously improved

The result will be a value of ML between one and four and will be the entry of the vertical axis of a 4 by 4 matrix. A protection level value between one and four is assigned to each field of the matrix so that each combination of SL and ML will result in a value of PL.

Considering the maturity level of the organization it should be noted that for ML equal to one or two there is no assurance that the personnel is acting according to the policies and procedures or even that the processes are defined. Due to the lack of documented processes or educated personnel the protection concept can have heavy weaknesses independently of the level of security capabilities in the automation solution. Considering that the processes have to be matched to the security level of the automation solution, the PL will be at least equal to SL. The matrix can be described by the following rules:

• If ML is equal or above three, then the protection level equals the achieved security level of the automation solution
• If the ML is below three, then a value of the protection level cannot be clearly defined

4 PLs are clustered in Security control classes (SCC) and Views

Protection levels will be reflected in values combining the evaluation of the technical measures based on the requirements of part 3-3 with the evaluation of the organizational measures based on the requirements of part 2-1 and 2-4. It could be possible to include all requirements in one protection level. As security includes many - often independent - dimensions, the significance of that value could be questionable. A better approach is to group related requirements into slices. A slice includes related requirements of part 2-1, 2-4, and 3-3 and addresses one security dimension. The protection value of a given slice reflects how well the IACS is protected regarding the security dimension of the slice. Considering the complexity of security and the many dimensions to be addressed, the number of possible slices, e.g. the number of PL values might be fairly



high. Having many slices with homogeneous requirements makes sense for security experts who are involved in the detailed evaluation of a protection concept. This approach is addressed by specifying so called security control classes (SCCs). On the other hand, the number of SCCs will be relatively high. It is a common understanding that around fifteen to twenty SCCs would be necessary to cover the security dimensions. This makes the handling difficult. Many stakeholders need to have an overview of the security status expressed in a small set of values. This is the main reason why we will specify another category of slices called views. As for SCCs, views include related requirements of part 2-1, 2-4, and 3-3. The number of requirements included in a view is much higher but the number of views is much lower which makes the handling of the PL values associated to the views much easier.

Security control classes provide a framework for a structured evaluation of countermeasures. Protection levels reflect the fulfillment of the requirements (technical and organizational) within given security control classes by the countermeasures. A higher protection level within a SCC reflects a higher risk reduction provided by countermeasures within the given SCC. On the other hand, the views provide asset owners with a dashboard showing the levels of the protection concept of their IACS in operation. It can be used by the business responsible to define target protection levels based on the business impact of the plant. On the other hand, the comparison of the achieved levels and the target levels indicates where the enhancements should be focused to fill the eventual gaps.

5 Protection Levels support in every phase of the IACS lifecycle

Protection levels provide a consistent and repeatable way to evaluate the current security posture of a given IACS by assessing the achievement of protection levels. Asset owners will mainly use the views to better understand the security posture of their individual IACS. The asset owner can also use protection levels in a consistent and repeatable way to evaluate capabilities of a subcontracted operator.

In the specification phase, protection levels will be used by asset owners to provide a consistent and

Figure 4 Views and SCCs have different use cases.



Figure 5 Use of protection levels in the specification phase.

repeatable way to define security targets for solution providers, e.g. in request for quotation document. On the other side, asset owners will use protection levels to evaluate capabilities of solution providers (process capabilities and technical capabilities) during procurement.

During the integration / commissioning phase of the IACS lifecycle, protection levels will be used by asset owners to provide a consistent and repeatable way to define security targets for solution providers preferably by using the views. Solution providers will use these targets as the basis to specify a protection concept. They will use the protection levels in security control classes as a methodology to differentiate the level of risk reduction provided by a security control class, e.g. how effective are the measures in a given security control class in the specific application? Asset owners and solution providers will use the views to provide a consistent and repeatable way to evaluate the achieved security posture (i.e. the achievement of PLs). As depicted previously this will be an iterative process till one of the following is reached:

• the achieved protection levels match the target levels
• the achieved protection levels don't match the target levels and the asset owner accepts the residual risk

Figure 6 Use of protection levels in the integration / commissioning phase.
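The SL x ML matrix of section 3, the grouping of requirements into slices (SCCs and views) of section 4, and the target-versus-achieved comparison of section 5, as a small worked implementation. This is an added example, not code from the article, from Siemens, or from any ISA/IEC 62443 tooling. It assumes three things the article does not state: a slice's SL is the lowest SL achieved among its part 3-3 requirements, its ML is the lowest ML among its part 2-1/2-4 requirements, and a view's PL is the lowest PL of the SCCs it bundles. The requirement identifiers and ratings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


def protection_level(sl: int, ml: int) -> Optional[int]:
    """Map one (SL, ML) combination to a PL using the two rules of section 3:
    ML >= 3 -> PL equals the achieved SL; ML < 3 -> PL cannot be clearly
    defined, returned here as None."""
    if sl not in (1, 2, 3, 4) or ml not in (1, 2, 3, 4):
        raise ValueError("SL and ML are rated 1..4")
    return sl if ml >= 3 else None


def pl_matrix() -> dict:
    """The full 4 by 4 matrix, keyed by (sl, ml); ML is the vertical axis."""
    return {(sl, ml): protection_level(sl, ml)
            for sl in range(1, 5) for ml in range(1, 5)}


@dataclass(frozen=True)
class TechnicalResult:
    """A part 3-3 requirement rated by the SL the automation solution achieves."""
    requirement: str
    achieved_sl: int


@dataclass(frozen=True)
class ProcessResult:
    """A part 2-1 or 2-4 requirement rated by the organisation's maturity level."""
    requirement: str
    ml: int


@dataclass
class Slice:
    """A slice (SCC or view): related 2-1, 2-4 and 3-3 requirements addressing
    one security dimension. Aggregating with min() is this example's assumption."""
    name: str
    technical: list
    organisational: list

    def sl(self) -> int:
        return min(r.achieved_sl for r in self.technical)

    def ml(self) -> int:
        return min(r.ml for r in self.organisational)

    def pl(self) -> Optional[int]:
        return protection_level(self.sl(), self.ml())


def view_pl(slices) -> Optional[int]:
    """A view bundles several SCCs into one dashboard value: the weakest SCC,
    undefined as soon as one SCC is undefined (example's assumption)."""
    pls = [s.pl() for s in slices]
    return None if any(p is None for p in pls) else min(pls)


def gap_report(targets: dict, slices) -> dict:
    """Compare the achieved PL of each slice with the asset owner's target PL,
    which is how section 5 locates where enhancements should be focused."""
    report = {}
    for s in slices:
        achieved, target = s.pl(), targets[s.name]
        if achieved is None:
            report[s.name] = f"undefined: ML {s.ml()} < 3, establish processes first"
        elif achieved >= target:
            report[s.name] = f"meets target (PL {achieved} >= PL {target})"
        else:
            report[s.name] = f"gap: PL {achieved} achieved, PL {target} targeted"
    return report


# Constructed sample assessment; the requirement labels are placeholders,
# not real ISA/IEC 62443 clause numbers.
SAMPLE_SLICES = [
    Slice("Network segmentation",
          [TechnicalResult("3-3 req A", 3), TechnicalResult("3-3 req B", 2)],
          [ProcessResult("2-1 req C", 3), ProcessResult("2-4 req D", 4)]),
    Slice("User access control",
          [TechnicalResult("3-3 req E", 3)],
          [ProcessResult("2-1 req F", 2)]),
]
SAMPLE_TARGETS = {"Network segmentation": 3, "User access control": 2}

if __name__ == "__main__":
    for s in SAMPLE_SLICES:
        print(f"{s.name}: SL {s.sl()}, ML {s.ml()}, PL {s.pl()}")
    print("view PL:", view_pl(SAMPLE_SLICES))
    for name, verdict in gap_report(SAMPLE_TARGETS, SAMPLE_SLICES).items():
        print(f"{name}: {verdict}")
```

The second sample slice shows the point of the matrix rules: a solution that technically reaches SL 3 still yields no defined PL while the related processes sit at ML 2, so the report points at the organisational side rather than at more security features.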



Figure 7 Use of protection levels in the operation / maintenance phase.

During the operation and maintenance phase of the IACS lifecycle, protection levels will be used by asset owners to provide a consistent and repeatable way to evaluate the current security posture (i.e. the achievement of PLs). As the security environment may change over time, asset owners will use protection levels to reassess the current security posture either periodically, after a modification of the automation solution, after a maintenance phase, or after a change of the threat situation. Asset owners will also use protection levels to provide a consistent and repeatable way to demonstrate security posture to governments, regulators, insurance companies, and other authorities. Finally, experts will use protection levels as a methodology to evaluate the level of risk reduction provided by the measures in the security control classes to verify that the protection concept still matches the agreed levels.

Regulators (governments, insurance companies, or other interested authorities) will use protection levels as a consistent and repeatable way to define target levels for various industries and installations, e.g. for critical infrastructures. Regulators as well as certification bodies and auditors will use protection levels to provide a verdict for rating the protection of an IACS in support of business processes.

6 Product suppliers use PLs in a Holistic Security Concept (HSC)

Product suppliers primarily focus with the first four levers - Security features, Improve process, Handle incident, Enhance Awareness - on the enhancement of the quality of their products. On one side, they aim to offer cutting-edge security features in the products to support integrators in the development of technical measures in automation solutions as part of a holistic defense-in-depth strategy. On the other hand, the development process has to integrate security in all phases from specification, design, implementation, and testing. Security also requires providing integration and hardening guidelines. An important aspect is that product suppliers have a process for managing vulnerabilities and handling incidents. Finally, awareness is, like for any stakeholder in the game, an important lever for improving the security maturity in the organization.



Figure 8 ISA/IEC 62443 is the basis for a holistic security concept.

In addition, a fifth lever – IT infrastructure - will complete the overall strategy with the objective that the software that is in the products is exactly the one which has been developed. The focus here is on the integrity of the products. The IT infrastructure in the development areas and in the production sites must be protected against manipulation of the software along the whole chain from the developer's workstations to the production machines. And here the product supplier is in the role of the asset owner of its production lines and will use protection levels as described above.

Asset owners and system integrators can trust in products from product suppliers which have implemented a Holistic Security Concept.

Figure 9 Holistic Security Concept enhances trust in products



INTERVIEW

DR. HENNING RUDOLF

INDUSTRIAL MANUFACTURING THREAT LANDSCAPE & STRATEGIES

Cybersecurity threats are increasingly impacting a wide range of people and industries including manufacturing and processing plants. Understanding the options for cybersecurity protection, mitigation, and recovery, in advance of problems, would seem to be an important management function when analyzing strategic investments. I had the opportunity to discuss cybersecurity topics with Dr. Henning Rudolf, Head of Global Cybersecurity Offering at Siemens AG. He has a passion for the software business at the intersection of industrial machines and IT systems.

Dr. Henning Rudolf is an experienced Industrial Engineering and Management professional with special focus on production technology. His responsibilities at Siemens included the technical integration of UGS into Siemens PLM and various positions in product management and industrial automation and software business development. Dr. Rudolf studied Industrial Engineering and Management with special focus on production technology at the Technical University of Darmstadt and Berlin. Parts of this curriculum, he completed at the University of California Berkeley and the Massachusetts Institute of Technology. Afterwards Dr. Rudolf received his PhD at the Technical University of Munich where he led a research group on Digital Tools in production environments.

"If you go out and look on the shop floor at what has been implemented, sometimes the lack of preparedness and protection is really shocking."

The discussion began with an observation I made that many companies appear to take the position that they have not been impacted by cyber threats in the past and, because of this, have a difficulty justifying the investment of time and money for cybersecurity now. Dr. Henning responded, "Everyone is talking at a company board level about the importance of cybersecurity protection, but if you go out in the field and look on the shop floor and what has been implemented sometimes the lack of protection and preparedness is really shocking." Dr. Rudolf went on to talk about his personal experience with cybersecurity attacks, "I have spoken to a couple of customers that have been affected by ransomware attacks like WannaCry and they told me a couple of thousand devices were affected almost instantly,"



explained Dr. Rudolf, "There was basically nothing in place to protect these systems from attacks."

Dr. Rudolf's Cyber Landscape View of the world has changed since the year 2000. One main driver there is more standard IT found in the production facility, both on the endpoint - using standard operating systems (i.e. Windows, Linux) - and in the networks using TCP/IP. A second driver is the dramatically increasing number of exploits open in the field, including WannaCry [https://en.wikipedia.org/wiki/WannaCry_ransomware_attack], Not Petya [https://en.wikipedia.org/wiki/Petya_(malware)] and Bad Rabbit. Attacks and cyberattack methods are continuing to evolve in sophistication. The third driver of the cybersecurity threat is functional networks are becoming more interconnected in ICS (Industrial Control System) environments. This connectivity increases the attack surface and likelihood for cyber incidents. In addition to external threats, there are cases of incidents that are not necessarily an evil attack, but the collateral/accidental use of infected USB sticks or service technicians connecting to industrial networks with cyber-infected computers. These threats are real, and these are seen impacting Siemens as a global manufacturing company as well as impacting our customers.

Question: Why not let the IT people deploy and manage manufacturing cybersecurity?

Dr. Rudolf:
IT environments and OT environments are significantly different from each other in many ways. IT software and hardware are typically more up-to-date since they have shorter technology replenishment lifecycles than OT. For example, the product lifecycles of employee personal computers is typically 3-5 years.

Industrial automation customers demand 20-year support, obviously far longer than the 3-5 year lifespan of typical IT systems. This creates an OT environment, with equipment and firmware that cannot be supported using standard IT practices such as patching. Outdated operating systems simply cannot be patched anymore, because no patches exist for Windows XP and Windows NT. The decision to keep supporting these older systems is the responsibility of the customer's operations people, and we will help them deal with the risk based on their decisions. There are a number of strategies to lower the risk of successful cyber-attacks on older equipment that we can recommend.

It is important for users to understand their present situation, and our experts perform vulnerability assessments as a service that provides customers with information about risks to make informed investment decisions. This process provides an understanding of how much cybersecurity risk they have, based on their current systems and configurations. The assessment includes quantifying known vulnerabilities, and a Common Vulnerability Scoring System (CVSS) risk score. This leads to an understanding of how to protect and mitigate.

Another crucial concern is that OT systems have a really high demand for availability for all types of equipment – this means in many cases, a simple solution from IT like patching is just not working in OT environments. You cannot push the patches down to the machine level because the machine is not available for shutdown until a planned outage.

As you see, it is not straightforward to take standard



IT practices and personnel and apply them directly in an OT environment.

Question: Is cybersecurity protection of Industrial Control Systems different than other systems in the company?

Dr. Rudolf:
Here, the answer is a clear 'Yes!'. We, ourselves, are working closely with IT providers that are responsible for protection of the office environment. In an office environment, the solution is simple, and there is often one or several software agents installed, monitoring and protecting the computers.

This kind of protection system is not feasible in most ICS environments, because in many industrial facilities, the machines have outdated operating systems where these agents are not available at all, or they might run on older hardware with limited performance. Using such agents will negatively affect the stability, availability, and real-time behavior of the machines.

Another difference to note is that, in office environments, there is typically plenty of bandwidth in the network – so if there is heavy scanning and load on the network, it is not a problem. If an email has a millisecond or several second delay, this does not endanger the operation of the office environment. In the ICS environment, even a small additional load might affect the real-time behavior and break the overall system.

So far, I have talked about where it is more difficult in ICS environments, but there are other areas where it is easier. The main reason is the stability of these systems over time. This can be used to have better protection systems in place that may not be possible in office environments.

One example is the stability of the software on machines. Often the software on the machine does not change, and you do not want the operator to be able to change the software that is in place. One thing you can do here is to solidify, or whitelist, the software on the machines and allow updates or changes only sporadically with maintenance engineer log-in on the machines. Normally the systems will run in a defined state. This defined state creates communication on the network in a defined manner. Typically, only certain machines and human-machine interfaces are talking with each other, and the communication between machines is very stable and defined. Therefore, if you see new communications or machines popping up on the network, this deviation from the norm is easily detected and flagged, in contrast to the office environment where there is a new device every day.

Question: When should a manufacturing company consider cybersecurity in automation planning, operating, or maintaining a factory?

Dr. Rudolf:
The answer is clear. Cybersecurity needs to be considered in all three phases. As recommended in ISA/IEC 62443, in order to make security work, you need to ensure - in the planning phase – that you have the right concept and the right partners providing components that have security built-in, with security by design, and the suppliers have followed best security practices, both in the development and in the feature set of the devices. This is important to consider in the planning phase to ensure you have as much security built into the factory as possible. In the operating phase and maintenance of the factory, neither of them can really be separated from the other, because they are executed in the same time frame. Here, it's important to follow practices (described in ISA/IEC 62443),



i.e. there are guidelines on how to use patching, password and security measures on end devices, etc. These practices must be followed by the asset owner/operator of the factory.

So, it is not enough to just buy equipment from leading vendors, with security built into their products. It must be installed and configured properly by solution partners and then maintained by the asset owner/operator to reach the maximum protection.

Question: What are the different cybersecurity stages and topics to consider?

Dr. Rudolf:
The question I am most often asked is, "How to setup security in an end customer environment?"

The first step is approval: get this topic approved, typically at the board level of the end-customer's company. This is about having responsibilities defined, having people assigned the task, and having the budgets in place to really drive the program. Justification is based on many factors including:
• Production downtime
• Financial loss potential
• Employee safety
• Product quality
• Integrity

Companies are also becoming more concerned about avoiding the negative publicity of the cyber attack.

The second step is the Processes: Targets of the security program must be defined – again here the IEC62443 can help to clarify what are the protection targets of the end customer – as well as what is the risk profile. Using this, the target protection level can be defined and mapped against the current situation on the shop floor. For that, assessments can be used and, out of these assessments, certain findings are derived. Here, it is important to note that an assessment is only one part of a security management system. The findings need to be tracked, by people responsible for the implementation, and regularly reviewed on a higher management level to really see and track the progress of the security implementation, both within a factory and across multiple factories.

After this stage, the implementation is complete - and here it is clear that the decision does not come to implement "protection concepts" or "detection concepts" – these tools need to be in sync. Some basic hygiene protection concepts like patching policy, hardening of devices and network segmentation from office and production network must always be in place.

This must be managed over time - it is important to see if any new risks are coming up. This can be seen by monitoring behavior of the network or of the endpoints or by monitoring vulnerabilities of SW versions out in the field.

One major topic to consider is always: How you do the assessments, the implementation, or the management? This comes down to a make-or-buy decision. For certain steps, customers are doing it themselves and for more specialized or advanced topics, customers are turning to service providers that help them outsource certain security practices.

In the area of automation systems, one topic that Siemens, for example, offers is: How to optimally protect your automation system in a way that the availability is maintained. You have the tradeoff decision to make - if you install certain security software on your devices, this might impact the performance of these devices. Here it is crucial to either have this know-how in-house, or to have a trusted partner who knows both cybersecurity, and also your automation systems. Otherwise, you could easily break things and affect the availability of the production systems. When making these kinds of make-or-buy decisions, staffing is also a topic - how to find and retain the right people. In these sectors, it is difficult to find people that are skilled in both security and automation, and further to keep them trained on the sufficient level of know-how, while developing them within the organization.
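Two points from Dr. Rudolf's answers above, that machine-to-machine traffic in a plant is stable enough that a new device or a new conversation stands out, and that new risks are found by monitoring the behavior of the network, as an added example that is not Siemens code and not code from the interview. It learns a baseline of hosts and conversations from a flow log taken while the plant is in its defined state, then checks later records against it. The CSV field layout, the IP addresses and the ports (102 and 502 are the well-known ISO-TSAP and Modbus/TCP ports, 445 is SMB) are constructed for the example; a real deployment would feed it from a passive sensor or switch flow export.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)
    conversations: set = field(default_factory=set)  # (src, dst, port, proto)


def parse_flows(text: str) -> list:
    """Parse CSV flow records, one row per observed connection."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["ts"], r["src"], r["dst"], int(r["port"]), r["proto"]) for r in rows]


def learn_baseline(flows: Iterable[Flow]) -> Baseline:
    """Record every host and every conversation seen during a learning window
    in which the plant is known to be running in its defined state."""
    b = Baseline()
    for f in flows:
        b.hosts.update((f.src, f.dst))
        b.conversations.add((f.src, f.dst, f.port, f.proto))
    return b


def detect_deviations(baseline: Baseline, flows: Iterable[Flow]) -> list:
    """Flag flows that break the learned pattern. A host never seen before is
    reported once, on its first flow; a known host opening a conversation that
    was never seen is reported as a new conversation. Flows matching the
    baseline produce nothing, which is what keeps the alert volume low on a
    stable OT network."""
    findings, reported_hosts = [], set()
    for f in flows:
        unknown = {h for h in (f.src, f.dst) if h not in baseline.hosts}
        if unknown:
            for h in sorted(unknown - reported_hosts):
                findings.append({"kind": "new_host", "host": h, "flow": f})
                reported_hosts.add(h)
        elif (f.src, f.dst, f.port, f.proto) not in baseline.conversations:
            findings.append({"kind": "new_conversation", "flow": f})
    return findings


# Constructed learning window: an HMI (10.0.1.10) polling two PLCs over
# ISO-TSAP and a SCADA server (10.0.1.30) reading one PLC over Modbus/TCP.
LEARNING_LOG = """\
ts,src,dst,port,proto
2024-01-08T06:00:01,10.0.1.10,10.0.1.20,102,tcp
2024-01-08T06:00:02,10.0.1.10,10.0.1.21,102,tcp
2024-01-08T06:00:05,10.0.1.30,10.0.1.20,502,tcp
2024-01-08T06:00:09,10.0.1.10,10.0.1.20,102,tcp
"""

# Constructed monitoring window: one normal poll, a known server reaching a
# PLC it never talked to, and an unknown device (a service laptop, say)
# touching both PLCs on SMB.
MONITORING_LOG = """\
ts,src,dst,port,proto
2024-01-09T03:12:00,10.0.1.10,10.0.1.20,102,tcp
2024-01-09T03:12:04,10.0.1.30,10.0.1.21,502,tcp
2024-01-09T03:12:07,10.0.1.99,10.0.1.20,445,tcp
2024-01-09T03:12:08,10.0.1.99,10.0.1.21,445,tcp
"""


def run_sample() -> list:
    baseline = learn_baseline(parse_flows(LEARNING_LOG))
    return detect_deviations(baseline, parse_flows(MONITORING_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        f = finding["flow"]
        print(f"{f.ts} {finding['kind']}: {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

The same two rules would drown an office network in alerts, since a new laptop or a new cloud endpoint appears every day; the reason they work on the cell network is exactly the stability the interview describes, and the baseline has to be re-learned after a planned modification of the automation solution.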



Many customers might have small/limited access to these kinds of experts, and then have the risk that, over time, these experts are looking for other opportunities on the competitive job market. In this case, it is best to leverage a service partner that is large enough to train, retain, and further develop these experts.

Who should be in charge, should the company have a cybersecurity manager similar to other functions including the equivalent of a quality manager, safety manager, and energy manager?

Dr. Rudolf:
Yes, many have an IT CISO [Chief Information Security Officer] who reports to the board level, but they don't have OT knowledge. The interesting question is: Should this person be given responsibility for cyber production environments or is this role so important that someone should be dedicated to this role independent of IT security? This depends on the size of the customer, and how important cybersecurity is for his production environment. If it is a large manufacturer, individual roles will be defined for OT security. Cybersecurity responsibility in smaller-part manufacturers will typically fall under IT.

What are the cybersecurity investment alternatives a manufacturer should evaluate to protect their business?

Dr. Rudolf:
This is an important question. On a high level, there is protection, detection, and remediation that a company can invest in. The answer is not an either-or...only detection does not make sense without protection measures in place. Only protection, and assuming that it handles every problem, is also not the correct answer.

Going one lever deeper into the options a manufacturer has, it is really about the business value received from the investment alternatives. The question is: How much value is a company getting from the measure and what is the associated cost?

The value depends to a large extent on the associated risk: What is the company defending against?

Primer for Cybersecurity in Industrial Automation 17


Is it a ransomware attack they are receiving as a 1-2 years longer. If these machines will be running
collateral damage, or are they defending against longer than the lifetime of the OS, then there needs
a sophisticated attacker? to be a migration, from a machine protected by AV, to
other security measures such as hardening, WL, or a
A point example here is whitelisting. Whitelisting has thorough segmentation of the machines.
a very low cost point, with very high effectiveness
against ransomware. If it is clear from the beginning that such concepts
need to be put in place, over the lifecycle of the ma-
If a customer is defending against high-end attacks, chine, then the question would be this: Should the
either from a nation-state or other well-funded/ end customer rely on these other measures from the
coordinated attackers, these attackers will probably beginning, because AV will not be sufficient over the
find ways around a whitelisting solution. In this case, long lifecycle of the asset?
whitelisting is not sufficient protection against these
kinds of attackers. Question: Industry 4.0, Industry for Process,
Industrial Internet of Things, Cloud Analytics,
So again, what is the target/intent of the attacker and and a range of smart devices would appear
what are his skill-sets, compared to the price point of to create significantly greater cybersecurity
the security measures. Endpoint protection costs are risks for manufacturing plants. Is there recom-
in the range of 50-100 euros ($60-$120) per endpoint mended process to deal with this new level of
+ firewall solutions (5-10k euros or $6-$12k at complexity?
perimeter, depending on traffic). High end
monitoring systems are higher priced - in the range Dr. Rudolf:
of 50-100k euros ($60-$118k). As mentioned earlier, the more devices that are
connected, the higher the exposure of these devices
What are the lifecycle cost considerations a to attackers, and the higher the risk the infection will
manufacturer should consider when defining spread to other devices. The recommendation here
manufacturing plant cybersecurity strategy? is to rely on manufacturers that build security by
design into their products. This could be something
Dr. Rudolf: like the identification of devices and the encryption
These are important questions to consider over time. of communication between devices - this is helping a
For example, if the manufacturer is adding additional lot to increase cybersecurity in the end-customer
security equipment to the plant for monitoring, then environment. If this is only implemented for new
he could have a risk this equipment will break in the products, then there needs to be additional security
lifecycle. So how will he react if the firewall breaks? measures in place in order to help protect the legacy
What is the recovery strategy? The equipment might systems that remain in place for decades. So, in ad-
entail that maintenance contracts are taken. (i.e. FW dition to the new devices with security built-in, there
must be continuously patched, and rules updated) so need to be additional protection measures, coming
investing in a firewall does not make much sense, if it out of a defense-in-depth concept, as discussed ear-
is not kept up to date to, nor reflective of, current lier, such as endpoint protection, network segmen-
plant conditions. tation, or the monitoring.

In addition, antivirus solutions must be updated with Another thing with industry 4.0 – a lot of people be-
signatures to stay current, these signatures are only lieve that everything needs to talk to everything. This
available during the lifecycle of the OS - maybe may be true in an academic concept, but we believe
that the communication should still be configured

Primer for Cybersecurity in Industrial Automation 18


very orderly, and that certain layer concepts should The user organization should have at least one
not be abolished to control the exposure and poten- person, who understands the fundamentals of OT
tial risks within the factory environment. Therefore, cybersecurity, to evaluate service providers. They
a device directly communicating to an SAP database also will work with the service providers and eval-
might be good in theory, but this is not the best practice uate their performance. This is similar to using
in general, and use of hierarchical concepts are advised. a systems integrator for automation projects and
ongoing services.
Question: How does a manufacturer assess
the risk of using an outside company for
cybersecurity services rather than internal
resources? RESOURCES
Dr. Rudolf:
Back again to the make-or-buy decision: Should a
Siemens Industrial Threat Landscape report
company do it themselves or use an external pro-
vider and what are the risks associated with each
pathway?

For smaller companies, the largest risk for doing the


work in-house is that the company is not of a suffi-
cient size to handle the complexity of cybersecurity
in the production environment and keep the talent
for a long enough time.

The risk in using a cybersecurity service provider is


two-fold:
1. If the wrong partner is selected, and this first
partner does not have sufficient knowledge,
know-how, or size to provide these services.
That is something that can be handled by asking
for references.
2. The company is losing, over time, the competency
to evaluate what the service provider is doing for
him/her. They might not have sufficient know-
how anymore to evaluate if the service provider
is making effective activities. For example,
either by implementing too much security,
costing unnecessary amount of money to the
end-customer, or the service provider might do
too little to reduce their costs, which leaves the
customer exposed to unnecessary security risk.

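Dr. Rudolf cites application whitelisting above as a low-cost measure with high effectiveness against ransomware, and also as one that well-funded attackers will work around. The Go program below is an added example written for this edition, not code from the interview or from Siemens. It shows the mechanism in its simplest form, a content-based allowlist keyed on SHA-256 digests, and plays it against constructed sample files in a scratch directory; the file names and contents are invented stand-ins for real executables.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Allowlist maps the SHA-256 digest of an approved executable to a label.
// Decisions are made on file content, never on file name or location.
type Allowlist map[string]string

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Approve records the digest of a file that is permitted to execute: the
// "golden image" step, done once when the machine is commissioned.
func (a Allowlist) Approve(path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	a[digest(data)] = filepath.Base(path)
	return nil
}

// Check is the enforcement step: it returns whether the file at path may run
// and a short reason. An unreadable file is denied (fail closed).
func (a Allowlist) Check(path string) (bool, string) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, "denied: " + err.Error()
	}
	if label, ok := a[digest(data)]; ok {
		return true, "allowed (matches " + label + ")"
	}
	return false, "denied: digest not in allowlist"
}

// DemoAllowlist writes constructed sample "binaries" to a scratch directory,
// approves one of them and returns the decision for each file by name.
func DemoAllowlist() (map[string]bool, error) {
	dir, err := os.MkdirTemp("", "allowlist-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)

	hmi := []byte("HMI runtime v2.1 (constructed stand-in for a real executable)")
	files := map[string][]byte{
		"hmi.exe":          hmi,                                       // the approved binary
		"hmi_renamed.exe":  hmi,                                       // same bytes under a new name
		"hmi_tampered.exe": append(append([]byte{}, hmi...), 0x90),    // one byte appended
		"cryptor.exe":      []byte("ransomware dropper (constructed)"), // never approved
	}
	for name, content := range files {
		if err := os.WriteFile(filepath.Join(dir, name), content, 0o755); err != nil {
			return nil, err
		}
	}

	allow := Allowlist{}
	if err := allow.Approve(filepath.Join(dir, "hmi.exe")); err != nil {
		return nil, err
	}
	decisions := make(map[string]bool, len(files))
	for name := range files {
		decisions[name], _ = allow.Check(filepath.Join(dir, name))
	}
	return decisions, nil
}

func main() {
	decisions, err := DemoAllowlist()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for name, ok := range decisions {
		fmt.Printf("%-17s allowed=%v\n", name, ok)
	}
}
```

Because the decision is made on the digest rather than the path, renaming an approved binary changes nothing and a single appended byte is enough to block it, which is exactly why commodity ransomware droppers fail against such a list. The same property explains the limit Dr. Rudolf mentions: an approved interpreter or scripting host stays approved, so an attacker who can feed it a script runs without ever touching the list. Whitelisting is therefore one layer in the defense-in-depth concept discussed in the interview, not a complete answer.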


INTERVIEW

DR. PIERRE KOBES


EXPLORING HOLISTIC SECURITY
COMPREHENSIVE PLANT PROTECTION BASED ON ISA/IEC 62443

"Holistic Security is not only about controllers, network devices, and other technical solutions, it is also about processes."

I had a discussion with Dr. Pierre Kobes about Holistic Security, which is an all-inclusive protection concept for industry.

Dr. Pierre Kobes is an experienced industrial automation professional with many years of experience at Siemens, including positions in development, marketing, strategic planning as well as general management. For the past 8 years he has been focused on Holistic Security and currently is Siemens Product and Solution Security Officer, responsible for Standards, Regulations, and Certifications for the Operating Company "Digital Industries." Dr. Pierre Kobes, as a member of ISA-99 and IEC, actively participated in the development of the ISA/IEC 62443 standard, which is gaining wide acceptance throughout industry worldwide. He developed the concept of "Protection Levels" and "Security Program Rating", which is focused on the evaluation of the protection of installations in operation, and is chairman of the working group generating the ISA/IEC 62443 part addressing this concept.

Dr. Pierre Kobes describes the overall concept of holistic protection as being based on a defense in depth strategy that must include three dimensions: technology, processes, and people. The scope of the protection levels is the onsite environment, i.e. installations in operation. The concept of protection levels recognizes the fact that organizational and technical measures have to be related, and that the evaluation of the protection against cyber threats has to integrate technical and organizational measures. Protection levels provide an integrated evaluation of the fulfillment of technical and organizational measures. They use the framework of the technical requirements of ISA/IEC 62443-3-3 and their mapping to security levels SL 1 to SL 4, as well as related organizational measures using the framework of the requirements of ISA/IEC 62443-2-1 for the operational policies and procedures. In addition, the framework of the requirements of ISA/IEC 62443-2-4 is used for the integration and maintenance activities. The maturity of the organization to document and implement the organizational requirements is evaluated and rated from ML 1 to ML 4.



What is the Siemens Holistic Security Concept?

The Siemens Holistic Security Concept is a set of internal measures implemented to improve the security posture of our products. The HSC follows the ISA/IEC 62443 and ISO 27001 standards. In detail, the HSC has 5 levers – the first 4 address quality and the 5th is about integrity.

Lever 1 - is process oriented, and addresses security from the beginning stages of product development and throughout the whole product lifecycle. At first step, for example - there is a threat and risk analysis: what could happen, which threats apply, and what countermeasures must be implemented to mitigate the risks in the intended use environment of the product.

Lever 2 - is regarding vulnerability management and incident handling. The threat landscape in industrial security is always changing. This lever ensures there exists a useful process for handling in a professional way vulnerabilities and incidents that are discovered within our products.

Lever 3 - awareness: raising awareness of employees within their various functions and duties, e.g. developers of a product would need higher awareness than a general employee.

Lever 4 - security features: implement cutting-edge features within the products against cyber attacks.

Lever 5 - addresses the surrounding IT infrastructure protecting the physical and digital environment against any manipulation of software that is within the product throughout the lifecycle.

The Holistic Security Concept is proof that as a product manufacturer Siemens is following its own recommendations for security best practices to be applied to protect installations in operation. The same principles we suggest to our customer to apply, that are outlined in the ISA/IEC 62443 standard, are implemented at our own production sites.

How does the Siemens Holistic Security Concept leverage the ISA/IEC 62443 standard?

First, we have to explain that a comprehensive cybersecurity program is all about technology, processes, and people. The ISA/IEC 62443 standard addresses the three legs of the triangle for all stakeholders involved in the protection against cyber threats: the product suppliers, the system integrators as well as the asset owners.

For the product supplier, the "Technology" part is about providing cutting-edge security capabilities. ISA/IEC 62443-3-3 and ISA/IEC 62443-4-2 provide a useful framework to select the appropriate security capabilities to reach the required security level SL in project specific applications. The "Process" leg is addressing the product development process, which is the scope of ISA/IEC 62443-4-1. Security must be involved in all phases of the process including the support of the customer with integration and hardening guidelines as well as vulnerability management and incident handling. The "People" leg of the triangle refers to the maturity of the product supplier to act according to the defined process. Referring to HSC, Siemens is following these principles with the levers 1 to 4.

With lever 5 of HSC, Siemens is in the role of an asset owner of its own production sites and is applying the principles we recommend to our customers. The main stakeholders involved in the integration of the products for the automation of a given plant are system integrators and asset owners. The security triangle is about protecting plants in operation. The "Technology" leg is reflecting the security capabilities of the automation solution. Here again the framework of ISA/IEC 62443-3-3 can be applied to map these to security levels SL 1 to SL 4. The "Process" leg of the triangle is representing the policies and procedures applied for the development of the automation solution as well as during operation and maintenance. These are addressed by ISA/IEC 62443-2-4 and ISA/IEC 62443-2-1 combined with the general Information Security Management System (ISMS) of the organization, e.g. based on ISO 27000. The "People" leg represents the maturity of the asset owner and its service providers to act according to the processes.

Can you provide more description of Maturity level (processes)?

First of all, the operational and maintenance policies and procedures have to be matched to the Security Level provided by the capabilities of the automation solution.

For example, let's look at the implemented capabilities of the automation solution regarding identification and authentication of human users.

Security Level   Requirement
Level 1          differentiate user accounts by groups
Level 2          differentiate unique user accounts
Level 3          multifactor identification for unique accounts
Level 4          dual approval (2nd approval required for the action/access)

If you target a level 3 and have implemented in the automation solution the related capabilities – for example using smart cards to provide multifactor identification – then the operational and maintenance policies and procedures (processes and people) must describe how you take care of your smart card. If it is lost, it must be reported and disabled immediately. You must have responsible management of the keys and certificates on the cards. If you would target a level 1 or 2 (single factor authentication), the policies would be about password policy and confidential handling of passwords. But this is not enough. If this organization with a security level 3 technology has a low maturity, people might not know how to handle the card because it has not been described yet. Or maybe you have described smart card handling in a policy, but employees do not know where to find it. This might create a huge weakness which could be used by a potential attacker. If the processes exist, the people are aware and educated on the processes and act accordingly, then you have a high maturity level (ML 3 or above). A successful security program must have both – Security and Maturity.

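The smart-card example in Dr. Kobes's answer above has a technology side (a certificate and a key on the card, checked by the operator station) and a process side (a lost card is reported and disabled at once). The Go program below is an added example written for this edition, not code from the interview or from Siemens. It models both sides with the standard library's x509 package: a self-signed plant CA, cards personalised to one user each, a station that verifies the chain, the revocation list and a signature over a fresh nonce, and a Revoke step that stands in for the lost-card procedure. The CA name, user names, serial numbers and nonces are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card is what a personalised smart card carries: a certificate naming one
// user (the unique account of SL 2 and above) and a key that never leaves it.
type Card struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// Sign is the possession factor: the card signs a nonce chosen by the station.
func (c *Card) Sign(nonce []byte) []byte { return ed25519.Sign(c.key, nonce) }

// mint creates an Ed25519 key pair and its certificate: a self-signed CA when
// parent is nil, otherwise a leaf signed with the parent's key.
func mint(name string, serial int64, parent *Card) (*Card, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &Card{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, pub, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Card{cert, key}, err
}

// Station is the operator-station side: it trusts one plant card CA (assumed
// here to be run by the asset owner) and records the cards reported lost.
type Station struct {
	ca      *Card
	roots   *x509.CertPool
	revoked map[string]bool // keyed by certificate serial number
}

func NewStation() (*Station, error) {
	ca, err := mint("Plant Smart Card CA", 1, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return &Station{ca, roots, map[string]bool{}}, nil
}

// IssueCard personalises a card for one named user.
func (s *Station) IssueCard(serial int64, user string) (*Card, error) { return mint(user, serial, s.ca) }

// Revoke is the procedure "if the card is lost, it must be reported and
// disabled immediately": the technology alone cannot tell finder from owner.
func (s *Station) Revoke(c *Card) { s.revoked[c.Cert.SerialNumber.String()] = true }

// Authenticate checks the chain to the plant CA, the revocation list and the
// signature over the station's nonce; it returns the user name or an error.
func (s *Station) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: s.roots}); err != nil {
		return "", fmt.Errorf("card not issued by plant CA: %w", err)
	}
	if s.revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("card %s reported lost and disabled", cert.SerialNumber)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("possession proof failed")
	}
	return cert.Subject.CommonName, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DemoSmartCard plays four logins through and reports which of them succeeded.
func DemoSmartCard() map[string]bool {
	plant := must(NewStation())
	foreign := must(NewStation()) // a second CA that the plant station does not trust
	alice := must(plant.IssueCard(1001, "alice.operator"))
	mallory := must(foreign.IssueCard(1001, "alice.operator")) // same name, wrong CA
	nonce := []byte("constructed-nonce-0001")                   // a real station draws this at random per login
	login := func(c *Card, n, sig []byte) bool { _, e := plant.Authenticate(c.Cert, n, sig); return e == nil }
	r := map[string]bool{
		"valid card":         login(alice, nonce, alice.Sign(nonce)),
		"replayed signature": login(alice, []byte("constructed-nonce-0002"), alice.Sign(nonce)),
		"foreign CA":         login(mallory, nonce, mallory.Sign(nonce)),
	}
	plant.Revoke(alice) // Alice reports her card lost
	r["revoked card"] = login(alice, nonce, alice.Sign(nonce))
	return r
}

func main() { fmt.Println(DemoSmartCard()) }
```

Run stand-alone it reports that only the valid card logs in: a signature replayed against a different nonce fails, a card that says "alice.operator" but chains to a CA the station does not trust fails, and the genuine card fails once it has been revoked. That last case is where the maturity level enters. Authenticate cannot distinguish the finder of a lost card from its owner; the rejection depends entirely on the organization having, and following, a procedure that gets the serial onto the list quickly. In a production PKI that list is a CRL or an OCSP responder rather than an in-memory map, and the PIN that unlocks the key on the physical card supplies the knowledge factor that this model leaves to the card itself.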


The HSC concept relies on the Protection Level Concept. In the security triangle the Technology leg is rated in security levels SL 1 to 4 according to the implemented capabilities in the automation solution. The Process and People legs are rated in maturity levels ML 1 to 4 reflecting the maturity of the organization to act according to well described processes. The Protection level combines the maturity levels as described in part 2-1 and 2-4 of the ISA/IEC 62443 standard and the security levels from part 3-3.

Dr. Kobes described the development of the Protection Levels rating matrix that will be used to measure the security of an organization.

The concept of Protection levels is described in ISA/IEC 62443-1-5, which is currently a draft developed within ISA-99. The security level values SL 1 to 4 and maturity level values ML 1 to 4 are combined in a matrix to lead to PL A (highest) to PL D (lowest) protection level. A minus (-) sign reflects that the protection level value can be potentially reached but the maturity of the organization doesn't reach the required level. A plus (+) sign gives credit to organizations which continuously measure and improve the quality of their processes and the competence of their personnel to act according to the processes.



The term holistic implies a very broad and deep approach. Does the Siemens Holistic Security go beyond software, computers, networks, and controllers?

Holistic Security is not only about controllers, network devices, and other technical solutions, it is also about processes. In our HSC we use as a basis the IEC 62443 part 3-3, which is addressing all security dimensions which are necessary for the protection of a plant. There are multiple dimensions in security. For example, let's consider the important concepts of access control and network segmentation. You might ask, what has access control in common with segmentation for networks? These are independent principles. You also have to handle malware protection, back-up and restore functions, and so on and so on. Security is complex, with multiple dimensions. When you use holistic security – you are addressing ALL the dimensions, trying to avoid having a weak link in your protection concept.

And why do we do this? Defense in Depth concept is about covering every part, so you do not have a weak link. A security concept is only as strong as the weakest link. For example, if you have a very robust program regarding access control, with unique user accounts, using multi factor identification, differentiated and restricted by function, etc., but your network is poor (i.e. a flat network), then you have here a weak link. A potential attacker is first searching the weakest link of your protection concept as the most appropriate attack surface.

What impact do you think Industry 4.0, Industry 4.0 for Process, Industrial Internet of Things, Cloud Analytics, and a range of smart devices will have on cybersecurity?

The basic concepts as described in Defense-in-depth – integrating technology and process into the protection concept - will remain in Industry 4.0. It is more or less a kind of movement. Right now, we speak about factories/plants/installations in defined sites and organizations operating them. With Industry 4.0 these Defense-in-depth principles will move into the cyber-physical systems themselves. The networking and cooperation of the cyber-physical systems will be accessible over a distributed area (i.e. internet) and the components or "things" will need to be more autonomous, and adaptable to a changing environment. The concepts will then need to go more into cyber-physical products and systems as we have described here.

What are your final thoughts on security?

First, be aware about security, act and organize according to common sense. For example, consider a night shift operator that installs a USB stick with malware in the operator station to see a movie or hear music. You can imagine what would happen. It is common sense to set operational policies and procedures forbidding the connection of devices which are not necessary for the intended functionality. The end user should be aware that they are a potential target for cyber-attack or problems created by employees that have not been taught the rules.

Second, be aware that Security cannot be achieved by a single measure; it is commonly accepted that a defense in depth strategy is the best approach, implementing a number of defense layers including physical security, policies and procedures, proper network configuration, and computer protection.

And finally, always have in mind that the threats are coming from humans. And humans are creative. You have to accept that 100 % security is not achievable and that you have to continuously review your protection concepts in order to adapt to the evolution of the threat situation.

RESOURCES

Links to the book:

https://www.vde-verlag.de/books/604338/guideline-industrial-security.html

https://www.amazon.com/Guideline-Industrial-Security-Pierre-Kobes/dp/3800743388/ref=sr_1_2?s=books&ie=UTF8&qid=1512055949&sr=1-2&keywords=Pierre+Kobes



INTERVIEW

DR. NORBERT GAUS


SIEMENS HOLISTIC SECURITY CONCEPT (HSC) EXPLORED

I had the opportunity to explore how Siemens protects its own


infrastructure as well as its products and solutions from cyber-
security issues with Norbert Gaus, Executive Vice President at
Siemens Corporate Technology. He is responsible for Research
and Development in Digitalization and Automation. After earn-
ing a degree in electrical engineering from Technical University
Munich, he worked initially as a research assistant at the Ger-
man Aerospace Center. During that time, he earned a Ph.D. in
engineering from Ruhr University Bochum. He joined Corporate
Technology in 1991. Between 1994 and 2001, Gaus held various
positions in the Information and Communication Networks
Group with the rank of Vice President. In the following four
years, he served as President and CEO of Siemens Corporate Re-
search Inc., Princeton, NJ, USA. From 2005 to when he assumed
his current position, he held various executive positions in Sie-
mens Healthcare, ultimately as CEO of the Customer Solutions
Division. Since May 2015 he is in his current position.

" Cybersecurity Question: Cybersecurity is counterpart. Within Future of


one of Siemens Company Automation, Additive Manufac-

is about more Core Technologies, what are


the others?
turing and Autonomous Robotics
we are researching how we can

than just Cybersecurity is only one of


further advance the manufac-
turing lifecycle. Data Analytics/

technology; many important topics. For


Siemens, Digitalization is a key
Artificial Intelligence plays the
key role in automating decisions,

to me it is the driver for all businesses and


therefore most Company Core
optimizing the whole product
life-cycle from design to service
key enabler for Technologies are addressing it. and maintenance. Software

"
In Connectivity & Edge Devices Systems and Processes bring the
Digitalization. we define how all products and
solutions will become intelligent
latest IT technology into the OT
domain. Another very important
and connected, in Simulation research area is mobility, where
and Digital Twin we ensure full research is focused on the topic
and consistent alignment of the of Connected (e)Mobility. And
physical world with its digital we also explore the potential of

Primer for Cybersecurity in Industrial Automation 26


Blockchain for industrial applications. Even in ener- In this broad understanding, technology plays an
gy topics digitalization is becoming more and more important role, of course. The protection of a field
important. Therefore, we have two technology fields, device over a life span of several decades or the
namely, Distributed Energy Systems and Power automated detection and handling of intrusions in
Electronics, where we develop new concepts for the massively distributed systems are just a few examples
decentralization of the energy sector and innovations illustrating the technological challenges.
in controlling and converting electric power. Materi-
als and Energy Storage are the remaining Company For Siemens, cybersecurity presents a two-fold
Core Technologies. opportunity. On the one hand, the ability to supply
customers with secure products and systems is a
Question: Why is Cybersecurity considered a competitive advantage of growing importance. In a
Company Core Technology? survey of more than 300 oil and gas companies, 60
percent of C-level managers expected cybersecurity
Siemens is the leading player in the digital transfor- to be a competitive advantage by 2020; today only 25
mation of our industries as well as markets. Cyber- percent have this opinion (from Ponemon [https://
security is a key element. The growing exchange of www.ponemon.org/ ], US independent research
data and connectivity of devices in all industries and institute on cybersecurity).
infrastructure domains continuously increases the
target space for cyber-attacks. At the same time, the Cybersecurity is therefore a growing source of com-
threat landscape is expanding not only from the in- petitive advantage. Suppliers’ ability to assure the
ternet to infrastructures, but also from hobby hackers security of industrial systems and infrastructures
to criminal organizations. along their entire lifecycle increasingly influences
the buying decision of industrial customers. For this
Cybersecurity is about more than just technology; to reason, Siemens drives cybersecurity along three
me it is the key enabler for Digitalization. Any com- dimensions: (i) organizational readiness, (ii) tech-
pany that wishes not only to supply secure products nologies, and (iii) development of services for our
and systems to the market, but also to maintain customers.
cybersecurity along their entire life cycle, needs a
strategy that is clearly formulated and consistently Within Corporate Technology, the Technology Field
implemented across the entire organization. Cyber- IT Security is working on innovative new technolo-
security needs to be reflected in all product life cycle gies to further advance the competitive advantage of
management processes, from early threat & risk anal- Siemens. One important technology is our Identity
ysis, requirements engineering, development and and Access Management, which we are integrating
implementation assurance testing and certification into the Siemens products and solutions in order to
to service and support (e.g. fixing security vulnerabil- provide best-in-class security products to our cus-
ities emerging after product delivery). Cybersecurity tomers. In the recent years, we built a Product Public
depends on several things. It depends on engineers’ Key Infrastructure (Product PKI) and integrated it
ability to write secure software code. It depends on with Siemens factories. The Product PKI enables
development teams that understand the importance factories to manufacture products with integrated
of security testing and the danger of taking shortcuts keys and certificates. Based on these keys and certif-
on product success. It depends on product owners’ icates security services like secure SW update, secure
ability to deal with security issues in operations in a communication, or anti-counterfeiting features are
professional manner. Cybersecurity needs a dedicat- enabled. In addition, the product PKI is used to en-
ed organization of specialists, but it ultimately relies sure a secure access of service personnel to devices
on a culture adopted by managers and employees in the field.
alike, much like quality or product safety.



Security in brown field environments is important, when our products and solutions are operated, we
and therefore we developed a Data Diode, which need an adequate response when vulnerability must
prohibits that an insecure network is able to infiltrate be addressed. The Research Group ProductCERT is
a critical network. However, it allows that critical responsible for that process. [https://www.siemens.
systems can initiate a communication with other com/cert]
networks. This technology allows us to digitalize
legacy networks but still have a strong security in How does Siemens protect its own infrastruc-
such environments. Mobility launched the device ture from cybersecurity attacks?
recently as Data Capture Unit. It is a passive network
gateway that allows “live” data transmission, but only Cybersecurity is a top priority for Siemens. We hold
in one direction, i.e. from the hardware to the cloud. ourselves accountable to the highest standards and
As of 2018, all interlocking installations that German want to lead by example. This is why we have devel-
customers order from Siemens will already be “ready oped a Charter of Trust that outlines our core com-
to connect,” i.e. the hardware will be equipped for mitments. We protect our assets with a maximum
secure and controlled connection to the IoT. of security and we offer products and solutions with
Another important field is the area of security testing, highest security standards. We do this by maintaining
where one of our Research Groups developed the test information security and protection against indus-
system SiESTA. Using that technology, we are able to trial espionage, denial of service, as well as against
standardize the testing of our products and solu- attacks via malicious software. In addition, we are
tions in an efficient and very responsive way. Lastly, ensuring the availability of (critical) infrastructures.

Primer for Cybersecurity in Industrial Automation 28


We have therefore developed a holistic and compre- measures as it uses high-performing analysis meth-
hensive approach to secure our own IT infrastruc- ods in all kinds of application areas from detecting
ture, products, and solutions. We are also working attacks to damage assessment. At Corporate Technol-
closely with the most relevant players in the cyberse- ogy, IT security experts and data analytics experts are
curity community. joining forces to work on such cases. These teams are
generating usable information and security intelli-
The topic is not new for us. The first IT Security team gence from data enabling Siemens Business Units to
at Siemens was set up in 1986 – about 30 years ago pursue new and improved services and solutions.
– at the research department Corporate Technology
(CT). Since then, this team has grown into a highly regarded R&D and competence center of about 200 specialists guiding and supporting our businesses to further enhance their cybersecurity readiness. Siemens in total has about 570 cybersecurity experts worldwide. This includes about 25 white hat hackers who continuously challenge the security of both internal IT systems and products to be shipped to customers. Siemens operates three global Cybersecurity Operation Centers in Lisbon, Portugal; in Milford (Ohio), USA; and in Suzhou, China. Here, we monitor our own infrastructure and production plants and facilities around the world for cyber threats, warn them in the event of a security incident, and coordinate proactive countermeasures. Siemens is a member of FIRST [www.first.org], a global organization of all CERTs (Cyber Emergency Response Teams). Additionally, we have a very good relationship with national CERTs (e.g. US-CERT, CERT-EU, ICS-CERT) and law enforcement agencies (e.g. FBI, BKA, Europol). Via these alliances, we gather and share cyber threat intelligence.

Some of the key initiatives and organization units for managing cybersecurity at Siemens holistically and comprehensively include:

Technical Research & Consulting

Siemens continuously drives research and development to deliver the optimum customer solution and apply the latest insights to its customer offerings. Siemens partners with top universities and research institutions and registers around 70 new patents per year in the area of cybersecurity.

Data analytics plays an essential role in cybersecurity

Siemens Cybersecurity Emergency Response Team

Computer Emergency Response Teams (CERT) are expert groups that handle computer security incidents. Siemens formed the Siemens CERT team to provide consulting and support for network and system operators, information security organizations, and information security service providers of all Siemens companies worldwide to prevent cyber incidents like internal and external hacking and denial of service attacks, and to limit their impact. Siemens CERT also provides information on vulnerabilities and appropriate countermeasures, support on incident handling, and many others. Siemens was one of the first major corporations to set up a CERT team, and it has supported many other companies to establish CERTs.

Awareness and Training as well as Rules and Policies for Siemens employees

Siemens is not only continuously investing in technology developments for IT protection and product security, but also in training to raise employees' information security awareness. For example, a yearly mandatory InfoSec web-based training for employees regularly reaches participation rates of over 95 percent. We also publish so-called ISEC Cards that give practical advice to employees about security rules and regulations.

How does Siemens protect its products?

We use a risk-based approach for managing cybersecurity. This means that we choose the level of security according to the value / relevance of data
or systems, as determined by our assessment for the customer. To ensure the best possible defense against cyberattacks, the Product & Solution Security (PSS) Initiative was launched in 2012. The PSS Initiative is managed by representatives from all business divisions and CT. As a company-wide initiative, PSS actively drives security for Siemens products, solutions, and services. It identifies best practices and derives company-wide technical standards, processes, and policies. The PSS team has two overarching goals: early identification and proactive prevention of security issues, and efficient post-incident management. The team uses threat-and-risk analysis in projects during the development or engineering stage and in the integration of IT security in the product lifecycle management. The PSS activities target people, communications, processes, and technology.

The IT Security Technology Field at CT offers a full range of cybersecurity methods, tools, and technologies in order to enable Siemens organizations to adequately address IT security, to design, select and implement security building blocks, and to integrate IT security in products and solutions. Siemens is constantly working on new ways to counteract cyber risks. For example, a team of internal ethical hackers at CT searches for vulnerabilities in standard software by performing cyber-attacks. They set up honeypots – a simulated piece of software, a network, or a server – that leads a hacker to believe he is attacking the actual system. By carefully analyzing hackers' methods, the team can improve their threat intelligence and their ability to defend against attacks. Siemens' business divisions work closely with their suppliers to ensure a high standard of security across the entire supply chain, and also check software components from third-party suppliers for possible weaknesses.

Specifically, Siemens offers Plant Security Services, which include the assessment of security risks in factories and production plants as well as the implementation of security measures for our customers. These may include the implementation of antivirus software, security trainings, firewall management, anti-virus management, or incident handling. We offer our customers broad support when it comes to cybersecurity. Our in-depth knowledge of the installed systems allows us to assess the threats and risks and propose appropriate solutions, including for securing existing systems. Based on our clients' different needs, we analyze the security situation at a customer's site and make specific proposals on how to improve its security in all operational areas. In doing so, we take a holistic approach covering the entire system with all its components (security by design and defense in depth). We also support our customers in putting the resulting security concept into practice.

Industry 4.0, Industry 4.0 for Process, Industrial Internet of Things, and a range of smart devices essentially have single chip computers embedded in them. What is Siemens' cybersecurity protection strategy for these devices?

In order to achieve comprehensive protection of any industrial plant from internal and external attacks, all security levels at such a site must be protected simultaneously, ranging from the plant management level to the field level and from access control to copy protection. Siemens has therefore developed the so-called Siemens Industrial Security Concept that provides comprehensive protection of plants and automation systems against cyber threats for industrial facilities. A key part of Industrial Security is our 'Defense in Depth' concept, which is a multiple-layer protection approach for industrial plants providing all-round and in-depth protection for automation systems on all three levels: plant security, network security, and system integrity. In addition, Siemens works closely with suppliers to ensure a high standard of security across the entire supply chain, and also checks software components from third-party suppliers for possible weaknesses.

Siemens also developed and applies the Industrial Holistic Security Concept to itself, which covers the following major processes: Product Lifecycle Management (PLM), Supply Chain Management (SCM), and Customer Relationship
Management (CRM). This concept gives comprehensive protection of plants and automation systems against cyber threats through plant security, network security, and system integrity protection layers. Integrated into the TIA Portal (Totally Integrated Automation), these security layers enable efficient protection of industrial communication.

Plant Security – prevents unauthorized persons from gaining physical access to critical components using a number of different methods like conventional building access, securing critical areas with key cards, or through processes and guidelines for comprehensive plant protection. Building Technologies offers an extensive portfolio of products, solutions, and services for the protection of critical infrastructure ranging from video monitoring systems to command and control platforms.

Network Security – protecting production networks against unauthorized access, particularly at interfaces to other networks like office networks or the Internet, reducing risks via network segmentation, and protecting the industrial communications against espionage and manipulation. Siemens offers a range of solutions for network security and segmentation, from the SCALANCE S for lighter applications to the Next Generation Firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and encrypted traffic inspection, which has been optimized through a partnership with Palo Alto Networks for the latest evolution of protection in industrial control systems.

System Integrity – includes protecting automation systems and controllers such as SIMATIC S7, SCADA and HMI systems against unauthorized access or protecting the intellectual property embedded in them. Furthermore, integrity also involves authenticating users and their access rights as well as hardening the system against attacks. Industrial Security also requires continued development and consistent monitoring of security measures in order to deliver the highest level of security of Siemens' products and services.

Our unique and diverse industry expertise combined with our technological know-how makes Siemens a reliable and preferred partner for customers to reach an adequate level of cybersecurity for their industrial systems – from factories to power grids. As the leading provider of industry-hardened automation and networking equipment in the world, we work across many industries. This allows us to transfer knowledge between domains, identify best practices that are applicable to any industry, and build solutions that are best in class. Since we are very much accustomed to selling and servicing equipment with very long lifecycles, we are acutely aware of the need for long-term cybersecurity in the field and determined to meet this challenge together with our customers.
How Siemens is addressing Security as an Automation Vendor

Security concept for process and discrete industries
1. Introduction

Hand in hand with the increasing digitalization of industrial automation systems go ever-deeper integration, vast volumes of data and the adoption of open standards to provide the necessary direct access across all levels. The enormity of the opportunities and benefits – in both discrete manufacturing and the process industries – promised by these changes has led commentators to speak of a new industrial revolution and the dawn of what they call "Industry 4.0".

However, this trend has a significant dark side in the form of increasing vulnerability to cyber-attack. Far-reaching integration, mushrooming data volumes and universal standards make it much easier for attackers and malware to access systems. Studies and incidents show not only that OT networks and production areas are recognized as lucrative targets for attacks, but that the people behind these attacks are becoming more aggressive in their tactics, using more effective tools, and applying more resources to the attacks.

The reality today is that industrial systems also face professionally implemented attacks. The "cyber war" is already upon us. The changed threat situation demands a fundamental rethink of information security, access protection and the whole process of establishing industrial security concepts. The attackers are upgrading their arsenal; never has it been
more important for automation and production system vendors and operators to take on the threat they pose.

Fortunately, it is entirely possible to mount an effective defense. While 100 % security is out of the question, there are certainly ways and means of reducing the risk to an acceptable level. Bringing risk under control in this way requires a comprehensive security concept that takes account of the different features and the professional nature of attacks and promotes strong cooperation between the various parties involved (that is to say automation system operators, integrators, machine builders and vendors).

Organizational and technical measures must be carefully coordinated: a holistic security concept relies on people, processes and technology in unison to achieve the necessary level of protection.

This White Paper describes such a comprehensive security concept for the protection of industrial plants.

Security disclaimer

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens' products and solutions constitute one element of such a concept.

Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.

For additional information on industrial security measures that may be implemented, please visit https://www.siemens.com/industrialsecurity.

Siemens' products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customer's exposure to cyber threats.

To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under https://www.siemens.com/industrialsecurity.

2. Overview of the Siemens industrial security concept

All aspects, from the operating level to the field level and from physical access control to network and terminal protection, have to be tackled simultaneously in order to protect industrial systems against internal and external cyber-attacks. The most suitable approach for this is a defense in depth concept in accordance with the recommendations set out in ISA/IEC 62443, the leading standard for security in industrial automation.

The plant security, network security and system integrity elements form the foundation for the industrial security concept at Siemens. All of the key factors are considered in this approach, including physical access protection and organizational measures such as guidelines and processes as
Figure 1: Defense in depth concept for industrial plants

well as technical measures to protect networks and systems against unauthorized access, espionage and manipulation. Protection at multiple levels and the combined effect of different protective measures provide a high degree of security, reducing the risk of successful attacks and ultimately improving plant availability and productivity (Figure 1).

3. Plant security

Plant security puts in place the conditions necessary to ensure that the technical IT security measures implemented cannot be circumvented by other means. Plant security measures include physical access protection infrastructure, such as barriers, turnstiles, cameras and card readers. Organizational measures include most notably a security management process to ensure the security of a plant.

3.1 Physical access protection

The following points can be covered here:

• Measures and processes that prevent unauthorized persons from entering the vicinity of the plant.

• Physical separation of different production areas with differentiated access authorizations.

• Physical access protection for critical automation components (for example, securely locked control cabinets).

The guidelines pertaining to physical access protection measures also have an impact on which IT security measures are required and how strong they need to be. If, for example, access to a particular area is already strictly limited to selected authorized persons, the network access interfaces or automation systems do not need to be secured as robustly as would be the case in generally accessible areas (Figure 2).

Figure 2: Physical protection against unauthorized access to production areas

3.2 Security management

Appropriate organizational measures and the introduction of effective security processes are vital for plant security. Organizational measures must be tightly coordinated with technical measures, as the effectiveness of each depends to a significant degree on the effectiveness of the other; indeed, most security objectives can only be achieved through a combination of organizational and technical measures.

Figure 3: Risk assessment decision table for use in conjunction with a prior plant-specific risk analysis. The risks involved are reviewed regularly.

Organizational measures include the establishment of a security management process. The first step in determining which measures are likely to be required in a given situation is to analyze the specific risks that exist and identify which cannot be tolerated. The significance of an identified risk in this connection depends on the damage associated with its materialization as well as its probability of occurrence (Figure 3). Failure to conduct a proper risk analysis and ascertain security objectives is more than likely
to result in both the measures implemented being ineffective or unnecessarily expensive and some weaknesses not being identified or addressed.

The risk analysis yields security objectives that form the basis of specific organizational and technical measures. The measures must be reviewed after implementation. The risk must be assessed again from time to time or after material changes, in case the threat situation or underlying factors have altered. The risk analysis provides the foundation for the procedure to implement protective and, where applicable, monitoring measures.

3.3 Plant security services

Special security services can assist operators in many respects with the design of secure production environments. This assisted process extends from an analysis of the risk (assess security) and the design and realization of a secure production operation (implement security) to the continuous monitoring of the plant security status (manage security) (Figure 4).

The risk analysis brings transparency as to the security status of a plant and identifies weaknesses, thus providing a basis on which the corresponding risk can be derived. The measures required are then compiled in an action plan (roadmap) showing how the security status of a plant can be raised to a new, higher level. One example is the ISA/IEC 62443 Assessment, which establishes the actions necessary to bring a specific plant into compliance with the ISA/IEC 62443 standard. Scanning Services can be used as an alternative or in combination to achieve transparency on the existing computing devices in the asset as well as their vulnerabilities, including checks against pre-defined security levels.

The next step is to implement the measures proposed to close the gaps identified. Resources encompassing both hardware (such as firewalls) and software (such as antivirus, whitelisting and anomaly detection) are available for this purpose. Also included are clear instructions and guidelines on IT security. Ultimately, security solutions can only work properly if employees have been

Figure 4: Siemens Plant Security Services provide assistance with risk analysis, the implementation of measures, and the continuous management of the plant
Figure 5: The Plant Security Services portfolio built around industrial standard ISA/IEC 62443

educated and trained accordingly. Employee awareness and understanding should be promoted continuously through workshops, web-based training or equivalent measures.

Another key aspect of the Siemens service in this area is support for customers with the ongoing continuous monitoring of industrial plants and production machines as well as the management of vulnerabilities and patches, thus reaching transparency on increasing cyber threats.

The defense in depth strategy creates a suitable basis for enhancing security in industrial plants. Siemens Plant Security Services provide assistance for companies with the implementation of corresponding measures. The comprehensive range of services offered, from security assessments to firewall installation and training to continuous monitoring and attack detection, helps customers in industry to reduce the security risk associated with their plants (Figure 5).

4. Network security

A central element of the industrial security concept is network security. It comprises mainly the protection of automation networks against unauthorized access as well as the control of all interfaces to other networks, such as the conduit to the office network. In particular, the remote maintenance gateways to the internet need to be protected in this context. Protecting communications against interception and manipulation by means of encrypted data transmission and communication node authentication is also in the scope of network security.

4.1 Securing interfaces to other networks

Interfaces to other networks can be monitored and protected using firewalls and, where appropriate, by setting up a demilitarized zone (DMZ). A DMZ is a network in which technical security mechanisms protect access to data, devices, servers, and services
Figure 6: Using a demilitarized zone to transfer data between the company network and a plant network

within this area. The systems installed within the DMZ are shielded from other networks by firewalls that control access. This separation makes it possible to provide data from internal networks (for example the automation network) on external networks without having to admit direct access to the automation network. A DMZ is typically designed so that it also does not permit access from the DMZ into the automation network (no connection may be initiated from a DMZ system towards the automation network), which means that the automation network remains protected even if a hacker gains control of a system inside the DMZ (Figure 6).

4.2 Network segmentation and cell protection concept

The segmentation of the plant network to create separated automation cells protected by technical security mechanisms helps to minimize risk further and to increase security. Network segmentation involves protecting elements of a network, such as an IP subnet, with a security appliance that separates them from the rest of the network for technical security purposes. The devices within a segmented cell are protected against unauthorized access from outside without any compromise in terms of real-time capability, performance or other functions.

The firewall is able to control access attempts to and from the cell. It is even possible to stipulate which network nodes are permitted to communicate with each other and, where appropriate, which protocols they are allowed to use. This means that unauthorized access attempts can be blocked, first and foremost, and also makes it possible to reduce the load on the network, as only those communications that are explicitly desired and permitted are able to proceed.

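The DMZ rule of section 4.1 and the cell protection concept of section 4.2 reduce to a single policy model: zones (cells, DMZ, office network) joined only by explicitly permitted conduits, with everything else denied. The following is an added example of that model written for this page; it is not Siemens code and does not model a SCALANCE product. The zone addresses, the conduit list, the trust ranking and the sample connection attempts are all constructed for illustration. It goes slightly beyond the text by adding an audit function that lists which conduits let a less-trusted zone initiate connections into a given zone, which is the check a reviewer runs to confirm that nothing in the DMZ can reach the automation network.

```python
"""Zone-and-conduit policy check for a segmented plant network.

Added example for sections 4.1 and 4.2; this is not Siemens code and does not
model a SCALANCE product. The zones, addresses, conduit rules and sample
connection attempts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed zones: every segment (cell) is an IP subnet behind a security appliance.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),
    "automation": ipaddress.ip_network("192.168.10.0/24"),
    "cell_press": ipaddress.ip_network("192.168.20.0/24"),
}
# Trust ranking used by the audit below; a higher index is more protected.
TRUST_ORDER = ["enterprise", "dmz", "automation", "cell_press"]


@dataclass(frozen=True)
class Conduit:
    """One explicitly permitted flow between two zones (initiator -> responder)."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    src_hosts: FrozenSet[str] = frozenset()   # empty = any host in src_zone


# Everything not listed here is denied (default deny).
CONDUITS: List[Conduit] = [
    # Office clients read historian data that is published in the DMZ.
    Conduit("enterprise", "dmz", "tcp", 443),
    # One designated automation server pushes data out to the DMZ historian.
    # There is deliberately no dmz -> automation conduit (Figure 6).
    Conduit("automation", "dmz", "tcp", 443, frozenset({"192.168.10.5"})),
    # Only the engineering station may open S7 connections into the press cell.
    Conduit("automation", "cell_press", "tcp", 102, frozenset({"192.168.10.20"})),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Decide whether a NEW connection (the initiating packet) may pass.

    Reply packets of an accepted connection are assumed to be matched by the
    appliance's state table, as with any stateful inspection firewall, so only
    the initiator direction needs a conduit.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "DENY", "address outside every configured zone"
    if src_zone == dst_zone:
        return "ALLOW", "intra-cell traffic does not cross the appliance"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dst_port) != (src_zone, dst_zone, proto, dst_port):
            continue
        if c.src_hosts and src_ip not in c.src_hosts:
            continue
        return "ALLOW", f"conduit {src_zone}->{dst_zone} {proto}/{dst_port}"
    return "DENY", f"no conduit {src_zone}->{dst_zone} on {proto}/{dst_port}"


def inbound_exposure(zone: str) -> List[Conduit]:
    """Audit: conduits that let a less-trusted zone initiate into `zone`.

    For the automation zone this should be empty when data is meant to flow
    outward to the DMZ only; for a cell it lists the engineering access that
    has to be justified and monitored.
    """
    rank = {z: i for i, z in enumerate(TRUST_ORDER)}
    return [c for c in CONDUITS if c.dst_zone == zone and rank[c.src_zone] < rank[zone]]


if __name__ == "__main__":
    # Constructed connection attempts, including one from a compromised DMZ host.
    attempts = [
        ("10.0.5.7", "10.1.0.10", "tcp", 443),           # office -> DMZ historian
        ("10.0.5.7", "192.168.10.5", "tcp", 443),        # office -> automation server
        ("10.1.0.10", "192.168.10.5", "tcp", 443),       # DMZ host -> automation
        ("192.168.10.5", "10.1.0.10", "tcp", 443),       # automation server -> DMZ
        ("192.168.10.99", "10.1.0.10", "tcp", 443),      # unlisted automation host
        ("192.168.10.20", "192.168.20.10", "tcp", 102),  # engineering -> press PLC
        ("192.168.10.20", "192.168.20.10", "tcp", 502),  # wrong protocol
    ]
    for a in attempts:
        print(a, *evaluate(*a))
    print("conduits into automation:", inbound_exposure("automation"))
```

The decisive property is the one the text attributes to a well-designed DMZ: a host that an attacker controls inside the DMZ (10.1.0.10 above) still gets DENY towards the automation zone, because the only automation-to-DMZ conduit is initiated from the automation side and the state table, not a rule, carries the replies.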

Figure 7: Network segmentation and cell protection with Security Integrated products (see red padlock symbol)

The division of the cells and the allocation of the devices reflect the communication and protection requirements of the network stations. Data transmission to and from the cells can, in addition, be encrypted by the security appliances using a VPN to protect against data espionage and manipulation. This comprises the authentication of communication participants and, where applicable, authorization of access attempts. The cell protection concept can be implemented and the communication between the cells can be protected by using components such as the Industrial Security Appliances SCALANCE S or the security communications processors for the SIMATIC S7 automation system (Figure 7). The Industrial Security Appliances SCALANCE S also make it possible to define and protect network cells flexibly on the basis of VLANs.

4.3 Secure remote access

It is becoming increasingly common to connect plants directly to the internet and to link up remote plants via mobile networks (GPRS, UMTS, LTE). This is done to enable remote maintenance, use remote applications, and also to facilitate monitoring of machines installed all over the world.

Securing access is particularly important in this context. Attackers can find unsecured access points easily and inexpensively using search engines, port scanners, or automated scripts. It is therefore very important to ensure that communication nodes are authenticated, data transmission is encrypted, and data integrity is protected, especially in the case of critical infrastructure plants. Incidents such as intrusion by unauthorized persons, the escape of confidential data and the manipulation of parameters or control commands can result in enormous damage, including to the environment, and can even endanger personnel.

VPN mechanisms, which provide the very functions (authentication, encryption, and integrity protection) required, have proven to be particularly effective in
securing communications in this context. Siemens industrial internet and mobile communication routers support VPN, allowing data to be sent securely over these networks with protection against unauthorized access.

Typically, devices for use in secure communication are authenticated as trustworthy communication nodes using, for instance, certificates, and the relevant IP addresses or DNS names are applied in the firewall rules to permit or block access. The SCALANCE M industrial router and the SCALANCE S Industrial Security Appliances also support user-specific firewall rules, creating the additional possibility of linking access rights to specific users. A user must then log on to a web interface using his or her login credentials to temporarily unlock a specific set of firewall rules matched to his or her personal access rights. One particular advantage of this time-limited and user-specific activation is that there is always a clear record of exactly who has gained access when, which can be very important for maintenance and services.

The SCALANCE S variants with more than two ports also provide a way around a dilemma all too familiar to many system integrators, OEMs and end users: machine builders need to be able to access their machines on the end user's premises for maintenance purposes, but end-user IT departments are most reluctant to allow outsiders into the network to which the machine is connected. With these variants of the Industrial Security Appliances it is possible to connect the machine both to the plant network and, using the additional firewall-protected port, to the internet. This means that the machine can be accessed from the internet without allowing direct access to the plant network from the internet (Figure 8).

Figure 8: Secure remote access to plant units without direct access to the plant network with three-port firewall.

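The user-specific firewall rules described above combine three things a practitioner wants to see together: credentials are checked, the rule set a user may unlock is derived from a role rather than granted per user (the roles and rights concept of section 6), and every activation is recorded and lapses by itself after a fixed time. The following is an added example written for this page; it is not Siemens code and does not reproduce the SCALANCE S or SCALANCE M web interface. Users, roles, rule-set names, passwords, the salted-hash credential store and the integer timestamps are constructed for illustration.

```python
"""User-specific, time-limited firewall rule activation with an audit trail.

Added example for the user-specific firewall rules in section 4.3 and the roles
and rights concept of section 6. It is not Siemens code and does not reproduce
the SCALANCE S or SCALANCE M web interface; users, roles, rule sets, passwords
and timestamps are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Roles confer rights; users get rights only through the roles assigned to them.
ROLE_RULESETS: Dict[str, Set[str]] = {
    "oem_service": {"vpn_to_press_cell"},
    "plant_maint": {"vpn_to_press_cell", "hmi_access"},
    "operator":    set(),
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"plant_maint"},
    "bob":   {"oem_service"},
    "carol": {"operator"},
}
# Constructed passwords for the demo; the store below keeps only salted hashes.
_DEMO_PASSWORDS = {"alice": "alice-Pw!7", "bob": "bob-Pw!3", "carol": "carol-Pw!9"}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALTS = {u: os.urandom(16) for u in USER_ROLES}
_CREDS = {u: _hash_pw(pw, _SALTS[u]) for u, pw in _DEMO_PASSWORDS.items()}


class UserFirewall:
    """Rule sets are closed by default and opened per user for a limited time."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.active: Dict[Tuple[str, str], int] = {}     # (user, ruleset) -> expiry
        self.audit: List[Tuple[int, str, str, str]] = []  # the record of who, what, when

    def rights_of(self, user: str) -> Set[str]:
        """Union of the rule sets granted by all of the user's roles."""
        return set().union(*(ROLE_RULESETS[r] for r in USER_ROLES.get(user, set())))

    def login(self, user: str, password: str, ruleset: str, now: int) -> bool:
        """Web-interface logon: verify credentials, then check a role grants the rule set."""
        if user not in _CREDS or not hmac.compare_digest(
                _hash_pw(password, _SALTS[user]), _CREDS[user]):
            self.audit.append((now, user, ruleset, "login-failed"))
            return False
        if ruleset not in self.rights_of(user):
            self.audit.append((now, user, ruleset, "not-authorised"))
            return False
        self.active[(user, ruleset)] = now + self.ttl
        self.audit.append((now, user, ruleset, "activated"))
        return True

    def is_open(self, user: str, ruleset: str, now: int) -> bool:
        """Consulted for each new connection; an expired activation lapses on its own."""
        expiry = self.active.get((user, ruleset))
        if expiry is None:
            return False
        if now >= expiry:
            del self.active[(user, ruleset)]
            self.audit.append((now, user, ruleset, "expired"))
            return False
        return True

    def logout(self, user: str, ruleset: str, now: int) -> None:
        if self.active.pop((user, ruleset), None) is not None:
            self.audit.append((now, user, ruleset, "closed"))


if __name__ == "__main__":
    fw = UserFirewall(ttl_seconds=600)
    print(fw.login("bob", "bob-Pw!3", "hmi_access", now=1000))          # False: role lacks it
    print(fw.login("bob", "bob-Pw!3", "vpn_to_press_cell", now=1000))   # True
    print(fw.is_open("bob", "vpn_to_press_cell", now=1300))             # True
    print(fw.is_open("bob", "vpn_to_press_cell", now=1700))             # False: expired
    for entry in fw.audit:
        print(entry)
```

Two details carry the security value: the credential comparison uses a constant-time compare on a salted PBKDF2 hash, and the expiry is enforced where connections are decided (`is_open`), not only at logon, so a forgotten session cannot keep a maintenance path open indefinitely.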

Facilitation of secured remote access using management platforms

Industrial plants are often widely distributed, sometimes even spread across different countries. In these cases, public infrastructure is often used to access plants and machines in discrete manufacturing and process industries. In other instances, particularly complex connections are involved. One valuable option for secured and efficient remote access is to deploy a management platform to manage these connections and to secure, authenticate and authorize all communications.

Management platforms are particularly suitable for use in connection with series and special-purpose machine manufacturing. This enables OEMs, for example, to definitively identify a large number of similar machines in use with different customers and address them for remote maintenance.

The SINEMA Remote Connect management platform is a server application that provides secure management of VPN tunnels between HQ, the service engineers and the installed plants. The identity of the nodes is determined by an exchange of certificates before access to the machines can proceed. Unauthorized attempts to access the company network to which the plant or machine is connected can thus be prevented. The allocation of rights for access to machines can be controlled centrally via the management platform's user management facility. The fact that the connection is only ever set up from the plant to the server and only when actually required further enhances security, as there is no need to permit incoming connections to the plant (Figures 9 and 10).

Figure 9: SINEMA Remote Connect is a management platform for efficient and secured remote access to globally distributed plants and machines.

Figure 10: Secured remote access to distributed plants using SINEMA Remote Connect.

5. System integrity

The third pillar of a balanced security concept is system integrity. The systems whose integrity is to be protected in this context comprise control components and automation, SCADA and HMI systems. These require protection against unauthorized access and malware or have to meet special requirements in areas such as the protection of expertise.

5.1 Protection of PC-based systems in the plant network

PC systems used in the office set
ting are typically protected against malicious software and have any weaknesses detected in their operating system or application software rectified by the installation of updates or patches. Equivalent protective measures can also be required for industrial PCs and PC-based control systems, depending on how they are used. Protective mechanisms familiar from the office environment, such as anti-virus software, can also be used in industrial settings in principle, although it is essential to ensure that they have no adverse impact on the automation task.

Whitelisting solutions can be used in addition to antivirus software. Whitelisting involves the creation of approved lists in which the user explicitly specifies
those processes and programs that are permitted to run on the computer. Any attempt by a user or malware package to install a new program is then denied, preventing the associated damage.

Siemens supports the protection of industrial PCs and PC-based systems in its capacity as an industrial software vendor by testing its software for compatibility with virus scanners and whitelisting software.

The numerous integrated security mechanisms provided in the Windows operating systems are of course also available for use in hardening systems to the extent required. These include not just user management and the management of rights, but also options such as finely differentiated settings using security policies. Siemens provides support here too in the form of thorough guidelines.

5.2 Protection of the control level

Efforts to protect the control level are concerned primarily with ensuring the availability of the automation solution. The security mechanisms integrated into the standard automation components provide the starting point for protecting the control level. These mechanisms are enabled and configured in line with the level of protection required for the machine or plant concerned. Configuration of the security mechanisms of the automation components as well as development of the engineering programs for the automation solution are conveniently and efficiently accomplished using TIA Portal. Ever-increasing interconnection and the integration of IT mechanisms into automation technology are, however, changing the requirements for production plants in terms of access protection and protection against manipulation, which are absolutely essential for modern control systems. These features are already integrated into the SIMATIC S7-1200 and S7-1500 controller families – including the software controller.

The protection afforded consists in part of multi-access protection with differentiated access rights and in part of communication protocols for controller configuration or HMI connection. These include integrated security mechanisms for significantly enhanced detection of manipulation attempts.

Safeguarding intellectual property is another matter of growing concern: machine builders invest heavily in the development of their products and they cannot afford to see their proprietary expertise compromised. The know-how protection and copy protection functions provided by the Siemens controllers give users convenient and straightforward support in this area as well.

The know-how protection function enables highly specific protection of program modules to prevent access to their content and the copying and modification of algorithms.

The copy protection function links program components to the serial number of the memory card or CPU. This helps to prevent copying of the machines, as protected programs can only be used in the machines for which they are intended. These functions assist machine builders to safeguard their investment and maintain their technological edge.

Further security features like Stateful Inspection Firewall and VPN are integrated into the security communications processors for S7 controllers. Amongst others, this makes the CP343-1 Advanced communications processor for the SIMATIC S7-300 controller, the CP443-1 Advanced communications processor for the SIMATIC S7-400 controller, the CP1543-1 communications processor for the S7-1500 controller and others the secure interfaces to the entire plant network. The protection they provide extends to the respective controllers connected, to the underlying networks and, where necessary, to communication between them and thus supplements and enhances the cell protection concept in a plant (see Figure 7).

Used with PCs is the CP1628 Ethernet card, which can also protect communication with industrial PCs by means of VPN and firewall. All of these Security
Integrated products are compatible with one another and can establish secure VPN connections with one another, making them suitable to protect just about any plant unit and all kinds of automation components.

6. Roles and rights concepts

Defending against the various threats posed and realizing an appropriate level of protection demands a defense-in-depth concept that sets up multiple obstacles for would-be attackers to overcome. These obstacles, of course, cannot be allowed to hinder authorized users. It is common in practice to establish a system of graduated access rights or categories of rights under which some users are only able to access specific plant units, devices, or applications; for example, some have administrator rights and some have only read or write access rights.

The implementation of a security concept therefore helps not only to defend against direct attacks, but also to institute an authorization concept. Authorization concepts are intended to ensure that access is restricted to authorized persons based on the specific rights assigned to them. Usually this involves defining roles, each of which confers a specified set of rights, rather than creating a separate rights profile for every user. Users or user groups are then assigned these roles and thereby receive the corresponding access rights. Proper management of users and rights is therefore very important for Industrial Security.

A universal configuration for all of the automation components facilitates user management in this case, because the roles and rights of the different people involved can be defined and maintained centrally. Figure 11 shows a screenshot of user and rights management in the TIA Portal.

Figure 11: User management in the TIA Portal with assignment of roles and rights
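The following is an added example, not Siemens or TIA Portal code, of the roles-and-rights concept described above: rights are attached to roles, roles are scoped to plant units, users only ever receive roles, and any access not explicitly granted is denied. The role names, user names and plant units are hypothetical sample data.

```python
# Added example (not Siemens or TIA Portal code): a role-based authorization
# check of the kind the roles-and-rights concept above describes. Role names,
# user names and plant units are hypothetical.
from dataclasses import dataclass
from enum import Enum


class Right(Enum):
    READ = "read"
    WRITE = "write"
    ADMIN = "admin"


# A stronger right implies the weaker ones: admin covers write and read,
# write covers read. Evaluated per plant unit.
IMPLIED = {
    Right.READ: {Right.READ},
    Right.WRITE: {Right.WRITE, Right.READ},
    Right.ADMIN: {Right.ADMIN, Right.WRITE, Right.READ},
}

ALL_UNITS = "*"  # wildcard scope: the grant covers every plant unit


@dataclass(frozen=True)
class Grant:
    right: Right
    units: frozenset  # plant units the right applies to, or {ALL_UNITS}


# Roles confer a fixed set of grants; users never receive rights directly.
ROLES = {
    "operator": frozenset({
        Grant(Right.READ, frozenset({ALL_UNITS})),
        Grant(Right.WRITE, frozenset({"filling_line"})),
    }),
    "maintenance": frozenset({
        Grant(Right.READ, frozenset({ALL_UNITS})),
        Grant(Right.WRITE, frozenset({"filling_line", "packaging"})),
    }),
    "plant_admin": frozenset({
        Grant(Right.ADMIN, frozenset({ALL_UNITS})),
    }),
}

# User-to-role assignment (constructed sample data).
USERS = {
    "alice": {"operator"},
    "bob": {"maintenance"},
    "carol": {"plant_admin"},
}


def assign_role(user, role):
    """Assign a role; refuse unknown roles so a typo cannot be 'fixed' later by
    creating a role whose rights nobody reviewed."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    USERS.setdefault(user, set()).add(role)


def effective_rights(user, unit):
    """Union of the rights the user's roles confer on one plant unit."""
    rights = set()
    for role in USERS.get(user, ()):
        for grant in ROLES[role]:
            if ALL_UNITS in grant.units or unit in grant.units:
                rights |= IMPLIED[grant.right]
    return rights


def is_allowed(user, right, unit):
    """Deny by default: unknown users, unassigned roles or unlisted units get nothing."""
    return right in effective_rights(user, unit)


def who_can(right, unit):
    """Review helper: which users hold a given right on a unit. Use it to check
    that write and admin rights stay limited to the intended people."""
    return sorted(u for u in USERS if is_allowed(u, right, unit))
```

The review helper is the part worth keeping in practice: a periodic listing of who can write to or administer each unit is how you notice that a role has accumulated rights it was never meant to have.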



Figure 12: Holistic Security Concept takes security to the next level, a holistic approach for IT and OT

7. Consideration of attack scenarios in product development and production

A security by design approach is increasingly being required of product manufacturers. This means considering security aspects as part of product development and production (see the security standard ISA/IEC 62443). An automation product shall be tracked and embedded in a holistic security concept (HSC) from creation to production to use. Assets in this context can include source code, IT processes and production machines. The security requirements pertaining to assets and organization, with respect to processes and methods, grow progressively more demanding as the desired security level increases. The product owner is responsible for specifying the security level to be applied to the product and associated assets (Figure 12).

Security requirements are particularly high when developing and manufacturing automation products that have security functions. The security keys used must be reliably protected against unauthorized access in storage. In the event of a security breach, for example, generating and distributing new keys would be a very laborious operation. Delays in detecting the breach – or a breach that passes completely undetected – would carry high security risks.

The benefits of a holistic security concept extend to the portfolios of both security products and standard products. Security products such as the Industrial Security Appliances SCALANCE S, the Industrial Router SCALANCE M, or the communications processors for SIMATIC with integrated firewall and VPN, and others address specific security requirements. Standard products contain several integrated security functions available in the TIA Portal Engineering tool, SIMATIC S7-1200, and SIMATIC S7-1500 controllers. These standard products can reduce risk for the end user thanks to the vulnerability testing, risk analyses and associated design optimization work carried out in the course of development.

8. Summary: Industrial security for production plants

Even just a few years ago, security for production plants was very much a peripheral issue. The threats seemed rather abstract and theoretical and few manufacturers and operators had much of an interest in the issues involved.



Figure 13: Industrial security portfolio: concept, products, and services

A series of security incidents reported prominently in the media changed everything. Suddenly it was clear to all that automation systems and production plants were also on the target list for cyber-attacks, that they were vulnerable and that the potential consequences could be severe. A combination of the sheer number of cases recorded and investigations carried out using honeypots – traps set up to trick hackers into exposing their methods and to generate attack statistics – revealed the true extent of the threats posed.

The path to the digital factory is associated with numerous trends, such as increasing interconnection, ever-greater volumes of data for transmission and storage and the continuing spread of the open standards used, that increase the risk of cyber-attacks. Shying away from these developments on security grounds alone is no solution, as this course would result in steadily decreasing competitiveness and a contraction in sales revenue. Defending against threats and attacks is consequently a fundamental prerequisite for the digital transformation. Companies would be well advised to conduct a careful review of their data security situation even without motivation from the EU General Data Protection Regulation that recently came into force.

Siemens is well placed to help integrators and operators meet these increasingly demanding challenges



Figure 14: Industrial Security for comprehensively protected production plants

in its capacity as a vendor and single-source supplier of industrial automation and communication systems. Risks can be successfully minimized by taking security factors into account during the design, development and production phases by implementing a holistic security concept to create correspondingly robust components equipped with effective security functions.

But engineering and technology alone can never suffice. Processes and organizational measures must be implemented and the relevant specific requirements adapted. Siemens can assist here if necessary, with its security services.

Armed with expertise in both automation and security, Siemens is a strong partner for machine builders, integrators and operators of production plants and offers a capable portfolio of security products and services as well as an effective industrial security concept (Figure 13).

RESOURCES

Download Siemens White Paper

Siemens Industrial Security:
https://www.siemens.com/industrialsecurity

Siemens Industrial Security Services:
https://www.siemens.com/iss



Process Automation:
PCS7 and Security
Introduction of SIMATIC PCS 7

Interruption-free operation, consistent product quality, and reduction of plant costs are just some of the challenges faced by the process industry. The control system plays a decisive role in solving these many tasks. SIMATIC PCS 7 from Siemens is a process control system for process and manufacturing plants, e.g., in the field of chemistry, pharmaceuticals, water & wastewater, cement, glass, etc.

The SIMATIC PCS 7 system components form a homogeneous automation landscape. The operator system is your window onto the process and your point of access to it: from here, you can monitor and control all process operations. The operator system enables convenient and safe guidance of the process. The plant operator can observe the process flow via different views and, if necessary, intervene in a controlled manner. The architecture is highly variable and can be flexibly adapted to different plant sizes and customer requirements. The bases for this are perfectly matched operator stations for single-user and multi-user systems.

With the engineering system, data entered once is available system-wide – duplicate entries are avoided. Hardware and software engineering the smart way: SIMATIC PCS 7 utilizes a central engineering system, offers optimally coordinated tools, and allows for user-friendly, graphically guided operation. The powerful engineering tools for the application software, the hardware components, and the communication are called up from a central project manager (SIMATIC Manager).



For special tasks, SIMATIC PCS 7 provides a wide range of options, for example:

• BATCH – handling of complex batch processes
• Route Control – automatic management of materials transport
• Safety Integrated – homogeneous integration of safety technology
• Archiving and reporting – powerful archive system, customized reports
• PCS 7 Maintenance Station – value-adding and value-preserving maintenance concepts
• SIMATIC PDM – management of intelligent field devices
• PCS 7 TeleControl – efficient remote access for central and distant plant sections
• PCS 7 PowerControl – integrated process and energy automation
• Management Console – plant-wide, central, standardized software administration and overview of the PCS 7 software and hardware components

Industrial security with SIMATIC PCS 7

The process control system is based on a comprehensive SIMATIC PCS 7 security concept for the efficient protection of the network and plant data. From the segmentation into zones and security cells to the securing of access points and user authentication to secure communication, patch management, system hardening, virus scanners, and whitelisting – the comprehensive security measures and functions of SIMATIC PCS 7 help to safeguard plant operation and thus avoid plant stoppages and expensive downtimes.

The developers and product managers of SIMATIC PCS 7 are continuously working on comprehensive security measures, functions, and improvements to ensure secure plant operations:

• Protection against network overload/failure
• User management and access protection
• License management
• Safeguarding of intellectual property
• Increase of the plant availability

The new version V9.0 of the SIMATIC PCS 7 process control system makes it possible: end-to-end networking with PROFINET down to the field level opens up new perspectives for demanding applications in the process industry, and further pushes digitalization in the industrial environment. Data from the entire production facility can be easily and economically captured and then evaluated and utilized by management or cloud systems. Intelligent plants in a production environment collaborate with other plants through the exchange of information.

The strengths of PROFINET – such as openness, standardization, compatibility with standard Ethernet IT services (e.g., TCP/IP), or the communication between production networks and the office IT – require particular attention in order to make the whole process environment secure, and SIMATIC PCS 7 plays a significant role here.



TÜV certification for SIMATIC PCS 7

Siemens was the first company to receive a security certification by TÜV SÜD (technical inspectorate) for an automation system based on ISA/IEC 62443-4-1 and ISA/IEC 62443-3-3. Already in August 2016, Siemens was first to receive the TÜV SÜD security certification according to ISA/IEC 62443-4-1 for the all-encompassing development process of automation and drive technology products – including the industrial software – at seven German development sites. This is now followed by the first product certification according to ISA/IEC 62443-4-1 and 62443-3-3. In certifying the product according to ISA/IEC 62443-4-1 and 62443-3-3, TÜV SÜD has checked and verified the security functions implemented in the SIMATIC PCS 7 process control system.

SIMATIC PCS 7 V9.0

In the new version of SIMATIC PCS 7, the customer benefits from further improvements with regard to industrial security. For instance, the new version runs on Windows 10 and not on proprietary Siemens operating systems. Windows 10 comes with the comprehensive Windows security concept consisting of user account control, firewalls, and secure web client.

SIMATIC Logon introduces two-factor authentication

With user authentication, specific roles are assigned to each plant operator, e.g., read or write access to specific applications. Two-factor authentication allows the user to log into the system via identification card and PIN. The new method combines the two factors “possession of card” and “knowledge of PIN,” and thus greatly increases the security.

CPU 410 supports security events

Security events in the network are generated by a wide range of communication partners, e.g., firewalls, operator stations, web servers, web clients, and routers. These are messages triggered by various events, such as unauthorized access to the communication network from the outside or an access attempt blocked by a firewall. Until now, corresponding events were mainly generated at the management level. In the new version of SIMATIC PCS 7, the AS 410 controller can now trigger security events at the control level. The new function helps protect the plant against cybercrime and thus increases the system availability. Uniform log files make data more transparent and more usable.
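What uniform security events from firewalls and controllers buy you is correlation. The following added example, which is not PCS 7 or CPU 410 code and does not use any Siemens log format, shows the two checks a practitioner would run first over such events: a burst of blocked connection attempts from one source within a short window, and a controller-originated event whose source is not a known engineering or operator station. The "key=value" line layout, host names, addresses, the S7 port 102 in the sample and the engineering-station allow-list are all constructed for this example.

```python
# Added example (not a PCS 7 or CPU 410 log format): correlating uniform
# security events from a cell firewall and a controller. The "key=value" event
# layout, host names, addresses and the engineering-station allow-list are
# constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: the firewall in front of a cell drops repeated
# connection attempts to the controllers' S7 port, then the controller itself
# (host as410-1) reports a denied access from the same source.
SAMPLE_EVENTS = """\
2018-05-03T10:00:01Z host=fw-cell1 src=192.168.10.50 dst=192.168.10.7 dport=102 action=allow
2018-05-03T10:00:05Z host=fw-cell1 src=10.20.5.44 dst=192.168.10.7 dport=102 action=drop
2018-05-03T10:00:09Z host=fw-cell1 src=10.20.5.44 dst=192.168.10.7 dport=102 action=drop
2018-05-03T10:00:14Z host=fw-cell1 src=10.20.5.44 dst=192.168.10.8 dport=102 action=drop
2018-05-03T10:00:40Z host=as410-1 src=10.20.5.44 dst=192.168.10.7 dport=102 action=deny
2018-05-03T10:03:00Z host=fw-cell1 src=10.20.5.44 dst=192.168.10.7 dport=102 action=drop
2018-05-03T10:05:00Z host=as410-1 src=192.168.10.50 dst=192.168.10.7 dport=102 action=allow
"""

ENGINEERING_STATIONS = {"192.168.10.50"}   # assumed allow-list of legitimate ES/OS hosts
CONTROLLER_HOST_PREFIX = "as410"             # assumed naming of controller-originated events
BLOCKED_ACTIONS = {"drop", "deny"}
WINDOW = timedelta(seconds=60)
THRESHOLD = 3                                # blocked attempts per source within WINDOW

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse one event line into a dict; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            ev[key] = value
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(text):
    """Return (rule, source, timestamp) alerts for two patterns:
    - repeated_blocked: THRESHOLD or more blocked attempts from one source within WINDOW
    - controller_event_unknown_source: the controller saw traffic from a host that is
      not an engineering or operator station, i.e. the cell boundary did not hold."""
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of recent blocked attempts
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or "src" not in ev:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev.get("action") in BLOCKED_ACTIONS:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= THRESHOLD:
                alerts.append(("repeated_blocked", src, ts))
                q.clear()                       # one alert per burst, not one per packet
        if ev.get("host", "").startswith(CONTROLLER_HOST_PREFIX) and src not in ENGINEERING_STATIONS:
            alerts.append(("controller_event_unknown_source", src, ts))
    return alerts


if __name__ == "__main__":
    for rule, src, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {rule} src={src}")
```

The second rule is the more valuable one: a firewall drop is expected noise, but the controller itself reporting a foreign source means the traffic reached the cell, and that is the event worth paging on.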



Charter of Trust
For a secure digital world
The digital world is changing everything. Artificial intelligence and big data analytics are revolutionizing our decision-making; billions of devices are being connected by the Internet of Things and interacting on an entirely new level and scale.

As much as these advances are improving our lives and economies, the risk of exposure to malicious cyber-attacks is also growing dramatically. Failure to protect the systems that control our homes, hospitals, factories, grids, and virtually all of our infrastructure could have devastating consequences. Democratic and economic values need to be protected from cyber and hybrid threats.

Cybersecurity is and has to be more than a seatbelt or an airbag here; it’s a factor that’s crucial to the success of the digital economy. People and organizations need to trust that their digital technologies are safe and secure; otherwise they won’t embrace the digital transformation. Digitalization and cybersecurity must evolve hand in hand.

In order to keep pace with continuous advances in the market as well as threats from the criminal world, companies and governments must join forces and take decisive action. This means making every effort to protect the data and assets of individuals and businesses; prevent damage from people, businesses, and infrastructures; and build a reliable basis for trust in a connected and digital world.

Hedging the all-encompassing impact of digitalization and cybersecurity and creating a holistic basis of trust can’t be achieved by a single company or entity; it must be the result of close collaborations on all levels. In this charter, the signing partners outline the key principles we consider essential for establishing a new charter of trust between society, politics, business partners, and customers.



Our principles

1 Ownership of cyber and IT security

Anchor the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and CISOs. Establish clear measures and targets as well as the right mindset throughout organizations – “It is everyone’s task.”

2 Responsibility throughout the digital supply chain

Companies – and if necessary – governments must establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity, and availability by setting baseline standards, such as

• Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them.
• Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes wherever appropriate.
• Continuous protection: Companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism.

3 Security by default

Adopt the highest appropriate level of security and data protection and ensure that it is preconfigured into the design of products, functionalities, processes, technologies, operations, architectures, and business models.

4 User-centricity

Serve as a trusted partner throughout a reasonable lifecycle, providing products, systems, and services as well as guidance based on the customer’s cybersecurity needs, impacts, and risks.

5 Innovation and co-creation

Combine domain know-how and deepen a joint understanding between firms and policymakers of cybersecurity requirements and rules in order to continuously innovate and adapt cybersecurity measures to new threats; drive and encourage i.a. contractual Public Private Partnerships.

6 Education

Include dedicated cybersecurity courses in school curricula – as degree courses in universities, professional education, and trainings – in order to lead the transformation of skills and job profiles needed for the future.

7 Certification for critical infrastructure and solutions

Companies – and if necessary – governments establish mandatory independent third-party certifications (based on future-proof definitions, where life and limb is at risk in particular) for critical infrastructure as well as critical IoT solutions.

8 Transparency and response

Participate in an industrial cybersecurity network in order to share new insights, information on incidents et al.; report incidents beyond today’s practice which is focusing on critical infrastructure.

9 Regulatory framework

Promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the WTO; inclusion of rules for cybersecurity into Free Trade Agreements (FTAs).

10 Joint initiatives

Drive joint initiatives, including all relevant stakeholders, in order to implement the above principles in the various parts of the digital world without undue delay.



CERT
info
Siemens was the first automation vendor to run a CERT (Computer Emergency Response Team) specifically for products so that security is addressed in every phase of the SDLC (Secure Development Life Cycle). For more than six years Siemens ProductCERT has been part of Siemens’ Corporate Technology department, supplying product security with research-driven innovations. Siemens ProductCERT is a dedicated team of seasoned security experts that provides a holistic view on the current threat landscape for products and solutions to Siemens and its customers. Furthermore, it manages the receipt, investigation, internal coordination, and public reporting of security issues related to Siemens products, solutions, or services. ProductCERT cultivates strong and credible relationships with partners and security researchers around the globe to advance Siemens product security, to enable and support development of industry best practices, and most importantly to help Siemens customers manage security risks.

The team acts as the central contact point for security researchers, industry groups, government organizations, and vendors to report potential Siemens product security vulnerabilities. This team will coordinate and maintain communication with all involved parties, internal and external, in order to appropriately respond to identified security issues. Security Advisories are released in order to inform customers about necessary steps to securely operate Siemens products and solutions.

Rupert Wimmer, Oliver Hambörger and Klaus Lukas (from left to right) are responsible for cybersecurity worldwide.

ProductCERT’s three-step approach consists of prevention, early identification, and professional treatment of security vulnerabilities.



Industrial Security
provided by Siemens and McAfee

Industrial infrastructures are increasingly connected to the internet and to each other. This development means that the control and surveillance of production facilities is much easier than before.

However, every connected device can pose a risk to the whole company: if it is unprotected, it can be leveraged by hackers to infiltrate IT systems. Consequences range from theft of intellectual property to cutting off the supply of vital goods such as water and electricity. It is absolutely essential that companies start prioritizing the protection of their industrial facilities.

That’s why Siemens and the leading cybersecurity company McAfee have teamed up to develop automated security solutions for effective protection and to combat the effects of a growing cyber skills gap.

Billions of devices, technical equipment, and machines are now connected in the growing “Internet of Things.” Departments such as product development, production, and logistics have become united under the banner “Industry 4.0.” Permanent and quick availability of data is essential for companies to keep their business running and maintain profitable productivity levels.

However, the more we rely on data and connectivity, the more attractive cybercrime becomes for criminals. With the potential for a successful cyber attack to result in serious rewards, cyber criminals are using more and more sophisticated measures to exploit any possible vulnerability.



The dangers of the connected world

The risk of cybercrime has been steadily increasing over the past few years. As the number of connected devices continues to increase, companies are struggling to ensure security across a mass of increasingly complex IT systems.

Problems are arising as many devices were developed before infrastructures moved beyond the firewall and into the cloud, leaving them vulnerable to attack. While connection to other devices offers greater efficiency, control, and convenience, these vulnerabilities pose a grave risk to many businesses. With an ever-growing amount of data stored online, cybercriminals have increasingly developed sophisticated methods of exploiting vulnerabilities for their benefit. Ransomware is one of the most popular ways to extort money and has become a serious threat for companies. Ransomware has the potential to turn the nightmare of whole production lines being remotely shut down by criminals into a reality. And there is no sign of the trend slowing down: the latest McAfee Threats Report in September revealed a 47 percent increase in ransomware samples over the last year.

This growth signifies another great danger for industrial companies: cyber threats are evolving at such a large scale that companies are falling behind in keeping their security measures up to date. The Dark Web unites hackers and enables the exchange of knowledge and experiences about specific attack vectors, giving hackers the ability to constantly refine their method of attack. Adding to the dangers, even amateurs are able to buy malware kits online, which they can often use without having any previous knowledge.

Companies, on the other side, are often left isolated. They are overwhelmed with the current threat landscape and struggle to keep up with the quickly evolving complexity of risks. This situation is exacerbated by a growing cyber skills gap, making it hard to modernize traditional cybersecurity methods.



Cooperation across experts

Siemens and McAfee teamed up in 2011 to provide security solutions and services for industrial customers to protect against rapidly evolving global cyber threats. Companies lack the resources necessary to respond efficiently to security incidents and do not have access to the global threat intelligence that would allow proactive defensive measures. This critical information is needed in order to keep up with evolving government regulations, industry standards, sector-specific best practices, and the other information necessary for making informed business decisions. The partnership with McAfee will complement Siemens’ service offerings by leveraging security solutions such as next generation firewall, security information and event management (SIEM), endpoint security, and global threat intelligence as part of its Managed Security Service as well as offering professional services. These offerings provide greater visibility and control at a factory level while reducing the risk of IP theft. In addition, the companies will continue to cooperate on the development of security products and solutions, specifically based on industrial protocols, that will enhance managed security service offerings for the process and factory automation industry. This partnership will enable our industrial customers to confidently benefit from the unique advantages that connected and managed systems bring to the factory floor.

This collaboration is part of McAfee’s “Together is Power” strategy, and the core belief that isolated actors stand no chance against the growing risk of cybercrime. The cybersecurity industry has to work together in order to keep up with a rapidly evolving threat landscape. By combining the knowledge and experience of industry experts, McAfee can provide better security to customers and has built its solutions and strategy to support security professionals with automated processes. McAfee’s Data Exchange Layer (DXL) is an open communication platform where different security providers can share information among each other. Customers therefore have access to a great variety of data about attack vectors and solutions from previous incidents. As more and more information is shared on this open platform, a more comprehensive security solution can be given to customers. For example, when a client of security provider X detects suspicious data, it can retrieve information from security provider Y, determine what the data indicates, whether it is a threat, and how to deal with it.

Germany heavily relies on its manufacturing industry and, therefore, a partnership between McAfee and Siemens is a huge boon to the country.

This partnership brings together the expertise of leading companies in IT security and manufacturing, and by working together, McAfee and Siemens can drive the adoption of connected, managed, and secured solutions at a plant level in order to help industrial customers improve the uptime and reliability of the plant operations. This collaboration enables both parties to address the unique requirements of an Industrial Control System, giving customers a complete view of security across the entire company.



Industrial Cybersecurity for
Small- and Medium-Sized Businesses
A Practical Guide

Executive Summary

Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.

This document is intended to provide a starting point for small- and medium-sized businesses (SMBs), particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical and water and wastewater treatment sectors.

While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.

Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual’s responsibilities. Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.



SMBs need to understand their cybersecurity risk and to take action to reduce this risk, just as they do with other business risks. The absence of previous incidents, or the belief that the organization is not a likely target, is not sufficient justification for ignoring this issue. SMBs can be at risk from a wide variety of threats, including amateur and professional hackers, environmental activists, disgruntled employees or contractors, and even nation states or terrorists. In addition, many cybersecurity incidents are a result of accidents or unintentional actions. A company does not have to be a specific target to be affected.

The consequence to an SMB can vary tremendously based on the nature of operations and the vulnerabilities of each. It is essential that the underlying vulnerabilities are recognized and that these vulnerabilities be mitigated to minimize the likelihood of potentially dire events.

This document provides guidance based on well-established frameworks and standards. Further reference should be made to these frameworks and standards, focusing on the recommendations in this document.

Cybersecurity management is not a one-time activity. Like quality and safety management, cybersecurity management is an ongoing activity where continuous improvement must be made in order to manage the risks.



Why Cybersecurity Management is Important
Protecting businesses from the impact of a cybersecurity incident
Very few, if any, businesses today operate without some dependence on systems and equipment that are vulner-
able to a cybersecurity incident. The impact to the business of such an incident will vary. However, this impact
needs to be understood and managed accordingly if businesses are to be able to operate as expected.

There are two broad categories of systems and equipment: Information Technology (IT) and Operational Technology (OT), each with its own characteristics, as shown in the table below.



Risk Assessment

Cybersecurity-related risks are evaluated using a process that: systematically identifies potential vulnerabilities to
valuable system resources and threats to those resources; quantifies loss exposures and consequences based on
probability of occurrence; and (optionally) recommends how to allocate resources to countermeasures to mini-
mize total exposure. In simple terms, risk can be defined as a function of threat, vulnerability, and consequence.
Each of these elements must be assessed in order to gain a full understanding of the situation.

Common threats

When considering cybersecurity threats, many consider only deliberate, targeted attacks from professional hack-
ers. As a result, some dismiss the risk to their facilities.

The table below shows that SMBs are subject to numerous types of threats, both deliberate and otherwise. Cyber-
security incidents can arise as a result of accidents or unintentional actions by authorized individuals (employees,
vendors, or contractors). Many threats are often non-targeted and SMBs can be impacted as collateral damage.

In all of the examples below, SMBs could be impacted indirectly, simply because they have equipment similar to
the primary target.

Table 1 – Threat Examples



Common vulnerabilities and key mitigations

A vulnerability is a deficiency that can be exploited by a threat to create an incident. The deficiency can arise from
technical (such as a software error), procedural (a lack of policy or standard), or people (lack of training) issues.

A mitigation is an action or solution that is implemented to: reduce the likelihood of a vulnerability being exploit-
ed or offset the adverse effects of an incident should that vulnerability be exploited.

There are many cybersecurity vulnerabilities, and each organization possesses different ones depending on the
equipment they use and the policies and procedures they have in place. As noted previously in this white paper,
SMBs can be impacted by a non-targeted attack, simply because they utilize equipment similar to that used by
the primary target. The table below provides a list of common vulnerabilities found in all organizations to some
degree, along with key mitigations that should be implemented to control these vulnerabilities.

These key mitigations are essential for all SMBs to provide a basic level of cybersecurity management. It is highly
recommended for SMBs to consider additional mitigations. Further guidance is available from several sources,
including:

• International Society of Automation (ISA). The ISA/IEC 62443 standards (Security for Industrial Automation and Control Systems) provide detailed guidance on how to create a cybersecurity management system for OT environments. These standards are also available internationally as IEC 62443.

• The US Chamber of Commerce [6], Department of Homeland Security (DHS) [7], US Small Business Administration (SBA) [9], National Institute of Standards and Technology (NIST) [10], as well as many business and technology websites [5], [8].

• The Center for Internet Security (CIS). CIS produces the Critical Security Controls [2], which identify the top 20 mitigations that reduce the likelihood and/or consequence of a cybersecurity incident. These controls are referenced in the Key Mitigations table below as CSC "xx", where "xx" is 1 to 20 (for example, CSC17).



Potential consequences of inadequate cybersecurity management

The potential consequences of a cyber incident will depend on the organization, but the following table outlines
the most common consequences for IT and OT equipment and systems.

Table 3 – Potential Consequences



Essential cybersecurity activities

Numerous standards and guidance documents are available to help SMBs implement proper cybersecurity man-
agement.

The US Cybersecurity Framework, produced by the National Institute of Standards and Technology (NIST) [1], is
an excellent starting point for SMBs. The Framework identifies five core functions that encapsulate cybersecurity
management. The Framework then further defines all the activities that may need to be undertaken for each func-
tion and identifies relevant standards to help identify how to implement these activities.

The table below identifies the essential cybersecurity activities that should be undertaken by all SMBs. These are
described in more detail below the table.

Table 4 – Essential Cybersecurity Activities



Identify
The identify function focuses on understanding the nature of the systems inventory owned by the SMB and what
risks are associated with this inventory.

Create an inventory of all IT and OT assets

This step is essential for all SMBs. Proper cybersecurity management is impossible without a definitive under-
standing of the assets involved. Organizations that fail to identify equipment or systems leave themselves vulner-
able to cyber incidents due to a lack of protection or monitoring.

The inventory of assets should include, as a minimum:

• Make and model of hardware

• Version number of all operating system and application software

Additionally, some organizations identify equipment location, owner, and other useful information.

Assess the risk of a cyber incident

Once an SMB understands what it is protecting from a cyber incident, it must conduct a risk assessment to identi-
fy what risks exist.

Risk assessments require the involvement of all key stakeholders (to ensure accuracy) and should identify the like-
ly threats and the vulnerabilities in the asset base. From this, the organization should identify the potential conse-
quences, e.g. loss of confidential information, loss of revenue, environmental impact, injury or death, and so on.

SMBs should rank their risks using a common methodology to allow the identification of risks in priority order.

Define a cybersecurity management policy

Every SMB should have a cybersecurity management policy to define:

• Those responsible for cybersecurity management activities

• The processes and procedures required for operational activities and to reduce cybersecurity risks

• The expectations of employees (e.g. appropriate use of IT equipment, use of personal devices, etc.)
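The Identify steps above (an inventory carrying make/model and version numbers, then a ranked risk assessment) and the earlier definition of risk as a function of threat, vulnerability, and consequence can be carried out in a few dozen lines. The following is an added example, not part of the ISA white paper: it assumes a 1-5 ordinal rating for each of the three factors, scores risk as their product, and uses constructed, fictional assets.

```python
# Added example (not from the ISA white paper): a small asset inventory and
# risk-ranking helper for the Identify function. The 1-5 scales, the product
# formula and the sample assets are assumptions constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for each risk factor


@dataclass
class Asset:
    """Minimum inventory record from the paper: make/model and software versions.
    Location and owner are the optional extras the paper mentions."""
    name: str
    make_model: str
    versions: Dict[str, str] = field(default_factory=dict)  # component -> version
    domain: str = "IT"  # "IT" or "OT"
    location: str = ""
    owner: str = ""


@dataclass
class Risk:
    """One row of the risk register: a threat exploiting a vulnerability on an
    asset to cause a consequence, each rated on the assumed 1-5 scale."""
    asset: str
    threat: str
    vulnerability: str
    consequence: str
    threat_level: int
    vuln_level: int
    consequence_level: int

    def score(self) -> int:
        # Risk as a function of threat, vulnerability and consequence: here the
        # product, so a high rating on any single factor dominates the ranking.
        return self.threat_level * self.vuln_level * self.consequence_level


def is_valid_rating(value: int) -> bool:
    """True when a rating lies on the assumed ordinal scale."""
    return isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX


def inventory_gaps(assets: List[Asset]) -> List[str]:
    """Names of assets whose record lacks a make/model or any version number.
    Such assets cannot be patched or monitored properly, which is the paper's
    reason for demanding a definitive inventory before any risk assessment."""
    return sorted(a.name for a in assets if not a.make_model or not a.versions)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order the register highest risk first. Ties fall to the larger consequence
    (injury, environmental impact) and then to the asset name for stable output."""
    for r in risks:
        for v in (r.threat_level, r.vuln_level, r.consequence_level):
            if not is_valid_rating(v):
                raise ValueError(f"{r.asset}: rating {v} outside {SCALE_MIN}-{SCALE_MAX}")
    return sorted(risks, key=lambda r: (-r.score(), -r.consequence_level, r.asset))


# Constructed sample inventory (fictional makes, models and versions).
SAMPLE_ASSETS = [
    Asset("PLC-01", "ExampleCo PLC-X (fictional)", {"firmware": "2.4.1"},
          "OT", "Line 1", "Production"),
    Asset("HMI-01", "ExampleCo HMI panel (fictional)",
          {"os": "Windows 7 Embedded", "runtime": "8.1"}, "OT", "Line 1", "Production"),
    Asset("FILESRV", "ExampleCo server (fictional)", {"os": "Windows Server 2016"},
          "IT", "Office", "IT"),
    Asset("LAPTOP-ENG", "ExampleCo laptop (fictional)", {},  # versions never recorded
          "IT", "", "Engineering"),
]

# Constructed risk register built from the sample inventory.
SAMPLE_RISKS = [
    Risk("PLC-01", "malware spreading from the office network",
         "no segmentation between IT and OT", "production stop", 3, 4, 5),
    Risk("HMI-01", "malware on a removable drive",
         "unpatched operating system, no scan before use", "loss of operator view", 4, 4, 3),
    Risk("FILESRV", "phishing email",
         "staff click links from unknown senders", "loss of confidential information", 4, 3, 3),
    Risk("LAPTOP-ENG", "theft of the device",
         "no disk encryption", "loss of confidential information", 2, 4, 3),
]


def risk_register_report(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Plain-text lines for the risk register, highest priority first, followed by
    the inventory gaps that must be closed before the assessment can be trusted."""
    lines = [f"{r.score():3d}  {r.asset:<10} {r.threat} -> {r.consequence}"
             for r in rank_risks(risks)]
    lines += [f"INCOMPLETE INVENTORY: {name}" for name in inventory_gaps(assets)]
    return lines


if __name__ == "__main__":
    print("\n".join(risk_register_report(SAMPLE_ASSETS, SAMPLE_RISKS)))
```

With the constructed ratings the flat IT/OT network on PLC-01 ranks first (score 60) and the unrecorded laptop is flagged as an inventory gap rather than silently scored.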



Protect
The protect function is a core cybersecurity management activity that an organization must undertake on
an ongoing basis.

Secure network and equipment

Securing a network and equipment involves such actions as:

• Physically locking or disabling all equipment inputs to prevent unauthorized use, including smart device
charging

• Using only dedicated devices that are kept secure, with anti-virus software scanning before and after use

• Using a quarantine area to check incoming removable devices of unknown provenance and transfer files
to dedicated, known devices

• Only allowing a transfer of files from removable devices under strict supervision and in compliance with
anti-virus checks

• Applying recommended patches to operating system and application software in a timely manner

• Testing patches before applying to live equipment

• Keeping anti-virus software up to date

• Performing an anti-virus scan regularly and frequently (e.g. monthly)

• Maintaining a record of all updates applied to allow for identification of issues

• Limiting external access to equipment and networks to only those authorized to access them

Protect sensitive information

Protecting sensitive information involves such actions as:

• Keeping confidential information secure (e.g. in a locked cabinet or safe) and disposing of confidential information in a secure manner (e.g. shredding)

• Being aware of who is around you and taking care to avoid disclosing sensitive information

• Being suspicious of emails if you do not recognize the sender

• Making sure you don’t click on links or open attachments unless you are certain the sender is trustworthy

• Making sure you do not download or install anything after following a link in a suspicious email



• Making sure you do not provide confidential information via email unless you are certain the recipient is
appropriate/authorized

• Making sure a supervisor or trained expert is available for advice before individuals take any action

Manage access to systems and equipment

Managing access to systems and equipment involves such actions as:

• Maintaining physical and electronic security to ensure that only authorized persons have access to the equipment they require in performing their role

• Securing equipment in locked rooms or cabinets and monitoring access

• Performing background checks on all users before approving access

• Maintaining a register of approved users

• Preventing sharing of login credentials between users

• Removing or changing credentials when a user moves to a new role or leaves

• Removing or changing default accounts

• Enforcing strong passwords and changing them regularly

• Providing temporary external access as required, supervising it during use, and removing it once complete

Detect
Having established an understanding of its asset base and the risks to it, the SMB must then have methods to
monitor for incidents, so that it is able to respond promptly and effectively to minimize the impact.

Define methods for monitoring


Monitoring methods will vary from organization to organization, based on the particular asset base and risk
assessment. In some cases, manual methods, such as checking log and system files, will suffice. For larger organi-
zations with more electronic activity, this may be impractical and automated tools may be needed.

Define responsibilities for monitoring


Having defined the methods for monitoring, the SMB must assign responsibilities for these activities.

In addition, all employees should receive awareness training, be instructed to be vigilant for signs of a cyber inci-
dent, and be trained to report any type of cyber incident.

Identify improvements
Cybersecurity is an ever-changing situation. Threats, vulnerabilities, and risks change and SMBs need to be able
to adapt. In the detect function, SMBs must regularly review their monitoring methods and adjust them to suit
changing circumstances and according to incident experiences.



Respond

The respond function comes into effect when an incident occurs. However, preparation is essential to a successful
response, and so an organization must take actions well in advance of any incident.

Maintain incident response plan


Key to a successful response, with minimal impact, is an effective cybersecurity incident management plan. The
plan needs to identify the possible cybersecurity incidents that may occur within the organization and document
the step-by-step procedures that should be followed in the event of each one. All employees should be aware of
the risks of cybersecurity incidents and their role in avoiding them.

Practice response processes


SMBs must test their cybersecurity incident management plan on a periodic basis. The test must be realistic
and exercise as many of the elements as possible, so as to be certain that established procedures will work when
required.

Identify improvements
SMBs will need to update their incident management plans in response to changes in the cybersecurity land-
scape, and also as a result of their incident response tests.

Recover
While the respond function comes into effect when an incident occurs, the recover function comes into effect
once the respond function is completed. As with the respond function, preparation is essential to a successful
recovery, and so an SMB must take actions well in advance of any incident.

Maintain backups of all systems and equipment

Key to a successful recovery from a cybersecurity incident is having the right backups in place. Having the right
backups in place requires an SMB to:

• Identify what needs to be backed up

• Determine back-up frequency based on operational requirements (How long can you operate without a working
system? How much data can you afford to lose?)

• Store clearly labeled backups securely on-site and off-site, preferably in a fireproof safe

Practice recovery processes


SMBs must test their cybersecurity incident recovery processes on a periodic basis. The test must be realistic
and exercise as many of the elements as possible, so as to be certain that established procedures will work when
required.



Identify improvements
SMBs will need to update their recovery processes in response to changes in the cybersecurity landscape and also
as a result of their incident recovery tests.

Awareness and training


The importance of awareness and training for employees cannot be overstated. No amount of technical and procedural mitigations will help if an employee takes an insecure action (e.g. inserting a removable drive without performing an anti-virus scan) due to lack of training or awareness.

External classroom and online training courses are recommended for SMBs to give their employees a clear un-
derstanding. Internal resources, such as assessment (surveys, tests) and awareness (videos, posters, emails) tools,
should be used to complement external courses and provide a constant reminder to employees.

Effective cybersecurity management should be a high-profile business objective that is reported on by manage-
ment so that employees are constantly reminded of its importance.

The International Society of Automation (ISA) provides training courses and certificate programs based on the
ISA/IEC 62443 (Security of Industrial Automation and Control Systems) standard [4].

Assessment and continuous improvement


Self-assessment

The International Society of Automation (ISA) has produced a survey that SMBs can take to self-assess their cur-
rent cybersecurity posture (as well as re-assess it after making changes).

To obtain a copy of the survey, contact ISA at info@isa.org.

Third-party assessment

For a nominal fee, ISA can review an SMB’s survey responses. ISA utilizes a pool of international cybersecurity
Subject Matter Experts (SMEs) to provide this service. This third-party assessment will provide a more compre-
hensive, and independent, review of the SMB’s cybersecurity posture, with advice on how to proceed.

Continuous improvement

Effective cybersecurity management requires continuous improvement. The essential activities outlined above
are only the beginning.



For each of the five core functions of the Cybersecurity Framework, there are many degrees to which SMBs can go. For example:

• Network and equipment monitoring can be a manual activity in its simplest form, but SMBs can purchase specialty software to assist

• Third-party organizations can provide assessment services, including penetration testing, to validate the effectiveness of cybersecurity mitigations

The degree to which SMBs should go will depend on the level of risk they perceive, and this may vary with time.

In addition, cybersecurity is continuously evolving, with new vulnerabilities, exploits, and threats arising all the time. SMBs must continuously review their risk and adapt their mitigations to suit this changing landscape.

REFERENCES FOR FURTHER READING

[1] The Cybersecurity Framework, National Institute of Standards and Technology (NIST)

[2] Critical Security Controls, Center for Internet Security (CIS)

[3] IEC62443 Security For Industrial Automation and Control Systems, International Society of Automation (ISA)

[4] IEC62443 Training Courses and Certificates, International Society of Automation (ISA)

[5] 5 Reasons Why Small Businesses Need Cybersecurity, Tech.Co

[6] Ten Cybersecurity Strategies for Small Businesses, US Chamber of Commerce

[7] Cybersecurity Resources for Small Businesses, Department of Homeland Security (DHS)

[8] Cybersecurity: A Small Business Guide, Business News Daily

[9] Cybersecurity For Small Businesses Course, US Small Business Administration (SBA)

[10] Small Business Information Security: The Fundamentals, National Institute of Standards and Technology (NIST)

[11] Top Ten Cybersecurity Tips, US Small Business Administration (SBA)

[12] Cybersecurity for Small Business, Federal Communications Commission (FCC)



Industrial Automation and
Control System Culture
vs
IT Paradigms
By Ronald L. Krutz, PhD, PE

Some of the basic principles of information system security were presented in Chapter 2 as a prelude to selectively and properly applying them to securing industrial automation and control systems. As a prerequisite to this adaptation, it is important to examine the differences in culture, requirements, and operational issues between automation and control systems and IT systems. Critical areas that have to be addressed include safety, real-time demands, maintenance, productivity, training, and personnel mindsets. These topics and related subject areas are discussed in this chapter to help the reader better understand how to apply security principles to automation and control systems without negatively impacting their primary mission and in full acknowledgement of their special requirements.

Differences in Culture, Philosophy, and Requirements

The major advances in securing computer systems and networks have come through the information system technology route, with origins in computer science and software engineering. The principal players are IT system administrators, systems analysts, database administrators, software engineers, network administrators, chief information officers (CIOs), and so on. On the other hand, a large number of the personnel populating the industrial automation and control system field come from engineering backgrounds, with training in such areas as electrical



engineering, chemical engineering, mechanical engineering, systems engineering, and control engineering.

The motivation, requirements, and focus of each of the groups are, in many instances, largely divergent, with some overlapping common areas. For example, software quality and process improvement methods widely used in the IT environment are often foreign to control engineers and in fact may be viewed as cumbersome in implementing SCADA and process control algorithms. In addition, the performance of a process in a plant is critical, and inadequate performance in production areas can result in huge financial losses, equipment damage, and personnel injuries. These severe consequences of operational errors are not usually a common occurrence in IT facilities. Similarly, safety is a critical concern in a production environment, and control system malfunctions can result in fires or explosions in some instances. Thus, in a production environment, safety and performance usually take precedence over information security, which is not the case in an IT system.

Some of the major differences between IT and industrial automation and control system requirements are listed in Table 3-1.

Table 3-1. Comparison between IT and Industrial Control and Automation Systems Issues







Figure 3-1 summarizes the important issues listed in Table 3-1 and emphasizes some of the common areas between IT and automation and control systems.

The lesson to be learned from these comparisons is that traditional information system security knowledge and methods provide a solid basis for addressing industrial automation and control system security, albeit with deliberate, appropriate, and intelligent modifications required to address the unique characteristics of automation and control systems.

One important starting point in incorporating these modifications is education. In general, most universities and certification programs addressing computer and network security have been heavily focused on IT security. Automation and control systems, which are typically sitting on isolated networks and are relatively few in number compared to IT systems, have not been considered to be interesting targets. With the advent of the terrorism threat, this situation is no longer the case. In addition, SCADA and plant process control systems are now being connected to large networks and the Internet.



Figure 3-1. IT and Automation and Control System Issue Comparisons



The Certified Information System Security Professional (CISSP) and related certifications do not address the security of industrial automation and control systems. Organizations, such as ISA, have addressed this problem and are filling a critical need. NIST has generated special publications that directly address industrial automation and control systems. However, it is important that security training related to the control of production lines, industrial processes, electrical transmission and distribution, pipelines, chemical plants, and so on moves to the fore in universities, technical institutes, and certification organizations.

To understand how to adapt IT security methods to industrial automation and control system security, threats to the latter have to be identified and understood. One impediment to full disclosure of threats realized is the fact that a majority of affected facilities are privately owned, and these organizations are reluctant to publicize security breaches that could negatively affect their reputation and value.

Organizations also need incentives to invest in upgrading their automation and control infrastructure. Many existing installations have been in place for 10 or 20 years, and investments in security have to compete with other compelling initiatives in an organization.

Considerations in Adapting IT Security Methods to Industrial Automation and Control Systems

In order to secure an IACS, there are specific issues that have to be addressed that take into account the differences between IT systems and IACSs. These issues include the following:

• Accountability, authorization, and computer forensics have not matured and have not been implemented widely in IACSs as compared to IT systems.

• Ethernet to serial line paths provide a means of injecting malicious commands into a control network.

• Excessive checking, encryption, monitoring, and so on can interfere with the deterministic nature of process control systems.

• In many IACS environments, control engineers have multiple responsibilities that, in many instances, violate the security principle of separation of duties.

• Installing patches and upgrades in process control systems can lead to serious and sometimes dangerous situations in production facilities.

• Life-cycle design disciplines common in the IT field are not widely used in industrial automation and control systems.

• Maintenance hooks and trap doors installed in automation and control systems for remote maintenance can be easy entry points to modify critical software and firmware with negative consequences.

• Many IACS vendors combine safety mechanisms with security mechanisms, leading to single points of failure and less resiliency than separating these two functions logically and physically.

• Many manufacturing facilities and SCADA installations house legacy systems with outdated technology, minimal memory and computing power, and little thought to security.

• Port scanning of automation and control systems can result in blockages and lack of system availability.

• Remote access into automation and control systems via older modems or newer wireless devices poses a serious threat to security.

• There is a trend to apply protocols used for IT systems to industrial control and automation systems because of their wide availability, their lower cost, and the existence of trained personnel. However, in most instances, these protocols were not designed for deterministic process control systems, and they are vulnerable to many existing attacks.



• There is heavy reliance on suppliers who provide modified software and hardware for IACSs, resulting in nonstandard implementations that are difficult to maintain without support from these suppliers.

• Weak authentication mechanisms in many SCADA systems and networked plant control systems leave them vulnerable to attack.

A variety of additional items must be considered when discussing comparisons between IT and industrial automation and control systems. The concepts related to risk management and the means to protect industrial automation and control systems will be discussed in detail in Chapters 5 and 6, respectively. However, it is important to now examine some related critical subject areas to provide a basis for developing more specific security solutions.

Threats

Threats to IT and industrial automation and control systems come from different sources with different motivations. It is important to understand these threat sources and their characteristics in order to counter any malicious activities on their part. NIST SP 800-30¹ summarizes the various types of threat sources and some of their driving factors, as shown in Table 3-2. Table 3-3, also from NIST SP 800-30, provides a listing of some general threat sources, including environmental ones, which can also cause disruptions to industrial automation and control systems.

The categories of terrorists, industrial espionage, and insiders are of particular interest in connection with industrial automation and control systems. Traditionally, insider threats have been considered one of the most dangerous because they give insiders the ability to bypass protective measures. However, external threats are increasing and are also of grave concern, particularly relating to our nation’s critical infrastructure and resource processing plants. In addition, threats to automation systems can materialize from environmental and structural sources, as illustrated in the next section.

Sensitivity of Industrial Automation and Control Systems to Upgrades and Modifications

One area that is not usually considered when discussing the relative sensitivities of IT systems and industrial automation and control systems is the effects of equipment upgrades and modifications. A particularly relevant example concerns the consequences of converting analog controls to digital controls. Digital systems transfer information via pulses, which inherently generate high frequency electromagnetic radiation that can interfere with control system operations. An article in the journal Interference Technology² describes the electromagnetic radiation emission environment in a nuclear plant that was being changed from analog to digital controls. The authors obtained measurement data in the range of 100 Hz to 6 GHz in instances before and after the conversion.



Table 3-2. Threats and Motivations for Attackers
Source: NIST SP 800-30 (2012)



The testing followed guidelines in U.S. Nuclear Regulatory Commission Regulatory Guide NUREG 1.180³ and Electric Power Research Institute (EPRI) document TR-102023-2004.⁴ In the tests, antennas were installed next to three cabinets housing control electronics, and radiation emission measurements were taken from the analog and digital control installations. Some of the results obtained are summarized in Table 3-4, showing frequencies at which peak amplitudes occur at antennas 1 and 2.

Table 3-3. Listing of General Threat Sources
Source: NIST SP 800-30 (2012)






Table 3-4. Listing of General Threat Sources
Source: Keebler and Berger (2011)

This data is plotted in Figures 3-2 and 3-3 for antennas 1 and 2, respectively. Note that the digital electronics generate more peak radiation generally and more at high frequencies compared to the analog equipment. These peak emissions have the potential to interfere with control system signals and cause malfunctions if proper shielding and isolation are not applied.

The sample electromagnetic emanations collected illustrate the necessity to ensure electromagnetic compliance (EMC) when equipment upgrades are made to plant control systems. These actions will serve to protect against interruptions of control systems’ operation due to electromagnetic emissions from digital systems.



Figure 3-2. Analog and Digital Radiation Emissions Received at Antenna 1

IT and Industrial Automation and Control Systems Comparisons from a Standards Perspective

Valuable insight into the contrasts and similarities between IT systems security focus areas and those of industrial automation and control systems can be obtained from an example using standards that represent each of the areas. In this example, ISO/IEC 27002, Code of Practice for Information Security Management,⁵ will be used to represent IT systems security areas of emphasis while ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems



Figure 3-3. Analog and Digital Radiation Emissions Received at Antenna 2

Security Program,⁶ will be used to illustrate the major concerns of automation and control system security.

In each document, there are common areas addressed by both standards and other areas addressed by one standard and not the other. Figure 3-4 summarizes the main characteristics of each standard and identifies common areas addressed by both, as well as topics that are addressed mainly by one document and not the other.

Figure 3-4 shows that topics, such as change management, email security, access control policies, digital signatures, compliance, and business continuity planning are among the areas considered critical for IT systems that are not emphasized in automation and control system standards. Conversely, for automation and control systems, the significant domains not covered include security architecture analysis, quantitative and qualitative analysis, information security management, and information security testing. Areas of common emphasis include information security policy, risk assessment, training, media physical security, remote access, event logging, and protection against malware.



Figure 3-4. Standards Comparison Example of IT versus IACSs Important Security



Summary

Understanding the requirements of industrial automation and control systems security and how they relate to IT systems requires a mapping of these requirements onto the emerging technologies being employed in the control of production processes, as well as the critical infrastructure (represented primarily by the electrical generation and distribution grid). The advances in capability and sophistication of industrial automation and control systems require a tailored approach to security. Some of the factors pushing the industrial automation and control systems security envelope include:

• The Smart Grid
• Advanced cryptography and key management applications
• Advanced PLCs and PACs
• Advanced protective relaying
• Advanced wireless networks
• Alarm processing
• Availability of real-time energy information
• Multisphere security among IT, transportation, and power systems
• Redundancy in networks, equipment, and sensors
• Fiber communication
• Use of GPS tracking
• Industry 4.0
• Digitalization
• Internet of Things

REFERENCES FOR FURTHER READING

NIST SP 800-30. Guide for Conducting Risk Assessments. Revision 1. Washington, DC: NIST (National Institute of Standards and Technology), 2012.

Keebler, P., and S. Berger. “Going from Analog to Digital.” Interference Technology, 2011 EMC Directory and Design Guide, 2011.

U.S. Nuclear Regulatory Commission (NRC) Regulatory Guide NUREG 1.180. Guidelines for Evaluating Electronic and Radio Frequency Interference in Safety-Related Instrumentation and Control Systems. Revision 1. Washington, DC: U.S. Nuclear Regulatory Commission, 2003.

EPRI TR-102323-2004. Guidelines for Electromagnetic Interference Testing in Power Plants. Revision 3. Palo Alto, CA: EPRI (Electric Power Research Institute), 2004.

ISO/IEC Standard 27002-2005. Information Technology – Security Techniques – Code of Practices for Information Security Management. Geneva 20 – Switzerland: IEC (International Electrotechnical Commission) and ISO (International Organization for Standardization).

ANSI/ISA-62443-2-1 (99.02.01)-2009. Security for Industrial Automation and Control Systems – Part 2-1: Establishing an Industrial Automation and Control Systems Security Program. Research Triangle Park, NC: ISA (International Society of Automation).


Ukrainian power grids cyberattack
A forensic analysis based on ISA/IEC 62443

By Patrice Bock, with the participation of Jean-Pierre Hauet, Romain Françoise, and Robert Foley

Three power distribution companies sustained a cyberattack in western Ukraine on 23 December 2015. As the forensic information is extensive from a technical point of view, it is an opportunity to put ISA/IEC 62443-3-3, Security for industrial automation and control systems Part 3-3: System security requirements and security levels, to the test with a real-life example. Several sources were used for this purpose that, overall, provide unusually detailed information. This article:

• reviews the kinematics of the attack using the available reports and reasonable assumptions based on our experience of cyberattack scenarios and of typical operational technology (OT) systems and vulnerabilities
• introduces a methodology for assessing the Security Level - Achieved (SL-A) by one of the Ukrainian distributors (corresponding to the best documented case)
• applies this methodology; presents and discusses the estimated SL-A; reviews this SL-A per the foundational requirement (FR); and derives conclusions and takeaways
• evaluates the security level (SL-T) that should be targeted to detect and prevent similar attacks

Kinematics of the cyberattack

Although the attack itself was triggered on 23 December 2015, it was carefully planned. Networks and systems were compromised as early as eight months before. Keeping this time frame in mind is essential for a proper understanding of the ways and means that should be used to detect, and eventually prevent, a similar attack.

Our analysis of the cyberattack is threefold:


1. Initial intrusion of the information technology (IT) network using spear phishing
2. Intelligence gathering on the IT and OT networks and systems using the flexible BlackEnergy malware: network scans, hopping from one system to another, identification of device vulnerabilities, design of the attack, and installation of further malware and backdoors
3. Attack itself that lasted 10 minutes on 23 December

Step 1: Malware in the mail!

In spring 2015, a variant of the BlackEnergy malware was triggered as an employee of Prykarpattya Oblenergo opened the Excel attachment of an email. BlackEnergy is a malware “suite” that first hit the news in 2014, when it was used extensively to infiltrate energy utilities. Its aim was to gather intelligence about the infrastructure and networks and to help prepare for future cyberattacks.

“The seeds for the attack were planted in the spring of 2015 with a variant of the BlackEnergy malware triggered when an employee opened the Excel attachment of an email.”

The diagram in figure 1 is a simplified view of the network architectures (i.e., Internet, IT, OT) and will help depict each step of the cyberattack. The hacker is shown as the “black hat guy” at the top right side. The hacker used the utility’s IT connection to the Internet as the channel to prepare and eventually trigger the cyberattack.

We can see that the company had proper firewalls set up, one between the IT network and the Internet, and the second between the IT and OT (industrial) network. The OT network included a distribution management system (DMS) supervisory control and data acquisition with servers and workstations and a set of gateways used to send orders from the DMS to remote terminal units that controlled the breakers and other equipment in the electrical substations. Additional devices were connected to the network too (e.g., engineering workstations and historian servers) but are not relevant for the attack kinematics.

At this step, the hacker managed to compromise one office laptop thanks to the BlackEnergy email attachment. This is difficult to prevent as long as people open attachments of legitimate-looking emails.

Figure 1. Simplified diagram of the control system architecture


Figure 2. Step two of the attack

Step 2: Attack preparation, network scans, and advanced persistent threat (APT)

During several months in the summer of 2015, the BlackEnergy malware was remotely controlled to collect data, hop from one host to another, detect vulnerabilities, and even make its way onto the OT network and perform similar “reconnaissance” activities.

Forensic data analysis about this phase is incomplete, because the hacker did some cleaning up and wiped out several disks during the actual attack. Nevertheless, prior analysis of BlackEnergy, as well as reasonable considerations about the standard process used for cyberattacks, makes the following reconstitution probable with reasonable confidence.

As displayed in figure 2, during step two, a large amount of network activity took place. The remote-controlled malware scanned the IT network, detected an open connection from an IT system to an OT supervision platform, performed OT network scans, collected OT component information, and eventually installed ready-to-trigger malware components on both the IT and OT systems.

This phase lasted weeks, maybe months, and allowed for a custom exploit development. An exploit is a bit of software designed and developed to exploit a specific vulnerability. It is embedded as a payload on malware that is configured to deliver the payload for execution on a target. Actually, this effort was somewhat limited. The only original piece of malware code developed was the one needed to cancel out the gateways as part of step three. And this really was not a significant “effort,” as gateways have for a long time been pointed out as vulnerable devices.

Step 3: Triggering the cyberattack

“The attacker remotely took control of the operator’s HMI mouse to switch off breakers”

In the afternoon two days before Christmas, as stated by an operator, the mouse moved on the human-machine interface (HMI) and started switching off breakers remotely.

When the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again, because the password had been changed (figure 3).


The whole attack only lasted for a couple of minutes. The hacker used the preinstalled malware to remotely take control of the HMI and switch off most of the switchgears of the grids. Additional malware, in particular the custom-developed exploit, was used to prevent the operator from regaining control of the network by wiping out many disks (using KillDisk) and overwriting the Ethernet-to-serial gateway firmware with random code, thus turning the devices into unrecoverable pieces of scrap.

“As the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again because the password had been changed.”

Additional “bonus” activities included performing a distributed denial-of-service attack on the call center, preventing customers from contacting the distributor, and switching off the uninterruptible power supply to shut down the power on the control center itself (figure 4).

This step was obviously aimed at switching off the power for hundreds of thousands of western Ukrainian subscribers connected to the grid. However, most of the effort was spent making sure that the power would not be switched on again: all specific malwares were developed with that objective. Once triggered, the only way for the operator to prevent that issue was to stop the attack as it was performed.

But the attack was too fast to allow any reaction; indeed, in a critical infrastructure environment, operator actions may cause safety issues. Therefore, only predefined actions are allowed, and operators have to follow guidelines for taking any action. In the event of an unforecasted operational situation, they are not trained to make decisions on the spot. This was exactly the situation in the Ukrainian case. “Obvious” actions could have stopped the attack (like pulling the cable connecting the OT to the IT network), but untrained operators cannot be expected to take such disruptive steps on their own initiative in a stressful situation where mistakes are quite possible.

Figure 3. Step three of the attack (1)


Figure 4. Step three of the attack (2)

Takeaways

In retrospect, once we know all the details about the cyberattack, it looks easy to detect, given quite significant network activities and the levels of activity taking place on numerous systems.

But it is actually a challenge to figure out exactly what is happening on a network, especially if you do not have a clue about what is “normal” network activity. Once connections to both the Internet and to the OT network are allowed, detecting signs of cyberattacks is difficult because of the volume of traffic. Continuous monitoring with the capability to identify the few suspect packets in the midst of all of the “good” packets is needed. Multiple proofs of concept of such detection using correlated IT and OT detection have been performed and were presented at the conferences GovWare 2016 in Singapore, Exera Cybersecurity days 2016 in Paris, and SEE Cybersecurity week 2016 in Rennes (France).

Yet other means exist, and using ISA/IEC 62443-3-3 to scrutinize the Ukrainian distributor security helps to identify all the controls that were missing and that could have prevented the cyberattack.

Methodology to estimate the SL-A

ISA/IEC 62443-3-3 lists 51 system requirements (SRs) structured in seven foundational requirements (FRs). Each SR may be reinforced by one or more requirement enhancements (REs) that are selected based on the targeted security levels (SL-Ts). Evaluating the achieved security levels (SL-As) can therefore be performed:

• for each SR, checking whether the basic requirement and possible enhancements are met
• for each FR, the SL-A being the maximum level achieved on all SRs
• with the overall SL-A evaluation being the maximum level achieved on all FRs

Table 1 summarizes the result of the evaluation on an FR that has few SRs for the sake of illustration.

The table 1 matrix is directly extracted from the ISA/IEC 62443-3-3 appendix that summarizes the requirements. As for the Prykarpattya Oblenergo case and for each requirement (basic or RE), we have identified three possible cases:


• the available information is sufficient to consider the requirement met
• the available information is enough to figure out that the requirement was missed
• it is not possible to evaluate whether or not the requirement was met: ?

Table 1. Result of the evaluation of the SL-A for FR5

Once filled, table 1 corresponds to the actual evaluation of the FR5 for the case at hand (Ukraine), leading to an SL-A of 2. This means that network segmentation (“restrict data flow”) was implemented for at least the basic requirements and for a few requirement enhancements.

Application to the Ukrainian case

This analysis was performed on all SRs, and two situations were identified:

• The SR may not be applicable (e.g., requirements about wireless communication in the absence of such media).
• We may not have direct evidence that the SR was met or missed, but deduction based on typical similar installations and other inputs allows a reasonable speculation about whether the requirement was met or missed.

Table 2. Estimation of the SL-A (FR5)

For instance, we can consider “backup” missing, because disks could not be restored several weeks after the attack. Considering SR 5.2 RE(1), it is reasonable to consider that the secure shell (SSH) connection through the firewall was an exception and that all the other traffic was denied. The hacker


would not have gone through the burden of capturing the password if more direct ways to reach the OT network existed.

Out of the 51 SRs, four were deemed “not applicable” (1.6, 1.8, 1.9, and 2.2), and 25 could not be determined (“?”). This is a large quantity, which means that only half of the SRs could actually be evaluated. This actually favors a higher SL-A, because only evaluated SRs are taken into account, and because by default we consider that the SR is potentially met.

Table 3. Overall estimation of the seven FRs

Another decision was made in terms of data presentation. Instead of presenting the information with one


requirement (basic and RE) per line, as in table 1, we decided to have one line per SR and list the increasing REs in the various columns. Table 2 illustrates the same FR5 evaluation using this mode of presentation.

Eventually, a more synthesized view was used without the RE text in order to present the overall picture for all FRs, which would span several pages otherwise. The overall estimated SLs are regrouped in table 3.

The results depicted in table 3 are rather bad. Furthermore, half of the requirements could not be evaluated, and, therefore, this view is probably optimistic.

On the right side, the estimated SL-As are listed for the seven FRs. We can see that the SL-As are zero except for:

• FR5 (restricted data flow): mainly due to the IT-IACS firewall and strict flow control. To comply with this requirement means that traffic between zones on the OT network should be filtered. The Ukrainian attack example demonstrates that this requirement could be reviewed in future updates of the standard:
  • Complying with SR 5.2 does not require one to define zones. As in the Ukrainian case, all OT systems could interact with each other. Note that recommendations about zone definitions are available in ISA/IEC 62443-3-2 that should be used before applying ISA/IEC 62443-3-3.
  • The requirement about traffic filtering between zones is set for SL=1. The return on investment is questionable, as the cost and risk of traffic filtering are high, and the effectiveness is questionable, as demonstrated by the Ukrainian case. It may make more sense to require detection as soon as SL-T=1 is targeted, and require active filtering/preventing for higher SLs.
• FR6 (timely response to events): The very existence of detailed forensic information is the result of minimal logging being in place.

Table 4 shows a detailed analysis for some of the most significant SRs.

Table 4. Specific analysis for some of the most significant SRs

Takeaways

At first, looking at the reports about the various Ukrainian operator security controls, it looked like they had paid significant attention to cybersecurity issues. Indeed:

• nonobvious passwords were used
• a firewall with strict data flow restriction was in place
• significant logging was performed

But, as demonstrated in the SL-A evaluation, most FR security levels were null, because at least one of the SRs was not addressed at all. There is no point in setting up advanced security controls when some basic ones are missing. The weakest link drives the overall security effectiveness down. The fact that advanced


security controls are useless if other basic security controls are missing is best illustrated by the configuration of the firewall with a single SSH link requiring a nonobvious password authentication. This is typically a painful operational constraint, as allowing direct remote desktop protocol (RDP) access for several systems, or virtual network connections (VNCs), would have been easier to use. Unfortunately, these additional constraints did not lead to increased security, because:

• The lack of IT network supervision did allow extensive network scans, vulnerability searches, and discovery of the allowed SSH link.
• The lack of strong authentication (two-factor) or local (OT) approval of remote connections made it possible to frequently connect from the IT to the OT network without detection over several months.
• The lack of OT network intrusion detection allowed extensive OT network scans, vulnerability detection, and mobile code (malware, exploits) transfer.

When deploying security controls, it is essential to apply requirements in a consistent way across all aspects of security: detection, prevention, and reaction. It is best to use a well-designed standard such as ISA/IEC 62443-3-3. Do not aim for SL-T=2 or 3 on some FRs if the SL-A is still zero on other FRs, as this would likely be useless.

Which SL would have been required to prevent the attack?

Looking at the issues listed previously, it appears that raising the SL-A to level 2 would have allowed detection of the activity during step two, thus preventing the cyberattack. Plenty of time was available for the post-detection reaction. Additional controls, such as strong/local authentication, anti-malware, and SL 2 requirements would actually have prevented the specific attack kinematics.

The fact that setting the SL-T at level 2 would have been enough to detect and prevent the attack with several layers of defense may sound surprising to the reader, as this was (quite certainly) a state-sponsored cyberattack, which normally calls for SL-T=3 or even 4 to prevent.

Actually, it is likely that the hacker could have matched SL-A=2 by developing more advanced exploits and using attack vectors other than the Internet, such as mobile media or mobile equipment introduced by rogue employees or third parties. Nevertheless, those additional steps are more complex and expensive, and, because they were not needed, less advanced means were used.

To summarize the takeaways of this cyberattack using ISA/IEC 62443-3-3 guidance:

As a mandatory first step, power distribution utilities should aim for SL-T=2, ensuring at least minimal requirements about detection (SR 6.2) are met.

To have several layers of defense, prevention, detection, and time for reactions in anticipation of the most sophisticated attacks, it is best to aim for SL-T=3.

In any case, it is essential to set up security controls in a consistent way to ensure that all FRs have achieved the same SL-A before aiming for a higher SL-T. Otherwise the efforts are useless, as demonstrated by the example at hand.

RESOURCES

Analysis of the Cyberattack on the Ukrainian Power Grid
“Utilities look back to the future”
BlackEnergy and Quedagh
“Hackers attacked the U.S. energy grid 79 times this year”
Cybersécurité des installations industrielles
“Basecamp for serial converters”
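The SL-A evaluation rules described in the methodology section (check the base requirement and each RE per SR, then roll up per FR and overall on a weakest-link basis) and the closing question of which SL-T would have been needed, as an added Python example that is not part of the article: it evaluates constructed verdicts for FR5, FR6 and FR7 and lists the missed items standing between the achieved level and a targeted SL-T. The SR names and the SL at which each RE first applies are taken from ISA/IEC 62443-3-3 as recalled here, and every verdict is constructed to mirror the article's FR5 outcome rather than copied from its tables.

```python
# Added example, not the article's own code: estimate SL-A per FR with the
# evaluation rules the article describes. Assumptions (all constructed here):
#  * an SR is its base requirement plus REs, each tagged with the SL from which
#    ISA/IEC 62443-3-3 first requires it (thresholds as recalled from the
#    standard's FR5/FR6/FR7 mapping; check them against your copy);
#  * verdicts are MET, MISSED or UNKNOWN ("?"); UNKNOWN counts as potentially
#    met and an SR with nothing evaluated is left out, as the article does;
#  * an FR's SL-A is the level every evaluated SR reaches (the weakest link);
#    the overall SL-A is the lowest FR value. Sample verdicts are constructed
#    to mirror the article's FR5 outcome (SL-A 2), not its actual table entries.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MET, MISSED, UNKNOWN = "met", "missed", "?"
LEVELS = (1, 2, 3, 4)

@dataclass(frozen=True)
class Item:
    name: str            # "base" or "RE(n)"
    required_from: int   # first SL at which the item is required
    verdict: str         # MET, MISSED or UNKNOWN

@dataclass(frozen=True)
class SystemRequirement:
    sr_id: str
    items: Tuple[Item, ...]
    applicable: bool = True

def sr_level(sr: SystemRequirement) -> Optional[int]:
    """Highest SL (0..4) with no missed item required at or below it; None if not evaluable."""
    if not sr.applicable or all(i.verdict == UNKNOWN for i in sr.items):
        return None
    achieved = 0
    for sl in LEVELS:
        needed = [i for i in sr.items if i.required_from <= sl]
        if any(i.verdict == MISSED for i in needed):
            break                      # one missed item caps the level here
        achieved = sl
    return achieved

def fr_level(srs: List[SystemRequirement]) -> int:
    """SL-A of one FR: the level that all of its evaluated SRs achieve."""
    levels = [lvl for lvl in map(sr_level, srs) if lvl is not None]
    return min(levels) if levels else 0

def overall_level(frs: Dict[str, List[SystemRequirement]]) -> int:
    """Overall SL-A: the FR that lags behind drives the whole result down."""
    return min(fr_level(srs) for srs in frs.values())

def gap_to_target(srs: List[SystemRequirement], sl_t: int) -> List[Tuple[str, str]]:
    """Known-missed items that block a targeted SL-T, i.e. the work list."""
    return [(sr.sr_id, i.name) for sr in srs if sr.applicable
            for i in sr.items if i.verdict == MISSED and i.required_from <= sl_t]

# Constructed sample: FR5 "restricted data flow" for the Prykarpattya case.
FR5_SAMPLE = [
    SystemRequirement("SR 5.1 Network segmentation", (
        Item("base", 1, MET),       # IT/OT firewall in place
        Item("RE(1)", 2, MET),      # physically separate networks
        Item("RE(2)", 3, MISSED),   # OT still reachable from the IT network
        Item("RE(3)", 4, UNKNOWN),
    )),
    SystemRequirement("SR 5.2 Zone boundary protection", (
        Item("base", 1, MET),
        Item("RE(1)", 2, MET),      # deny by default; the SSH link is the exception
        Item("RE(2)", 3, UNKNOWN),
        Item("RE(3)", 4, UNKNOWN),
    )),
    SystemRequirement("SR 5.3 Person-to-person communication restrictions", (
        Item("base", 1, UNKNOWN),   # nothing evaluated: SR left out of FR5
        Item("RE(1)", 3, UNKNOWN),
    )),
    SystemRequirement("SR 5.4 Application partitioning", (Item("base", 1, MET),)),
]

# Constructed sample: FR6. SR 6.2 first applies at SL 2, so missing it caps FR6 at 1.
FR6_SAMPLE = [
    SystemRequirement("SR 6.1 Audit log accessibility", (
        Item("base", 1, MET),       # the forensic material came from these logs
        Item("RE(1)", 3, UNKNOWN),
    )),
    SystemRequirement("SR 6.2 Continuous monitoring", (
        Item("base", 2, MISSED),    # no IT or OT network supervision
    )),
]

# Constructed sample: a missed base requirement drops an FR straight to 0.
FR7_SAMPLE = [
    SystemRequirement("SR 7.3 Control system backup", (
        Item("base", 1, MISSED),    # disks could not be restored weeks later
        Item("RE(1)", 2, UNKNOWN),
    )),
]

if __name__ == "__main__":
    frs = {"FR5": FR5_SAMPLE, "FR6": FR6_SAMPLE, "FR7": FR7_SAMPLE}
    for name, srs in frs.items():
        print(f"{name}: SL-A {fr_level(srs)}, blocking SL-T 3: {gap_to_target(srs, 3)}")
    print("overall SL-A:", overall_level(frs))
```

Running it shows FR5 at 2, FR6 at 1 and FR7 at 0, so the overall SL-A is 0 and the work list for an SL-T of 3 starts with the missed base requirements, which is the article's point about fixing the weakest FR before raising targets elsewhere.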


Building a business case for
operational technology cybersecurity
Management buy-in begins with establishing a business rationale for security

By Don Dickinson

With the increasing prevalence of high-profile cyberattacks and security breaches, these events may seem unavoidable. The consequences, however, come at a tremendous cost to businesses and consumers. More alarming is that the intent of cyberattacks has gone beyond stealing personal and financial data and now includes extortion, destruction of intellectual property, and damage to critical infrastructure.

Cybercriminals are becoming more aggressive and sophisticated in their attacks. As noted in the 2016 Dell Security Annual Threat Report, a review of breaches in 2015 revealed that “exploit kits evolved to stay one step ahead of security systems, with greater speed, heightened stealth, and novel, shape-shifting abilities.”

Protecting critical infrastructure

In the U.S., the potential for a cyberattack on critical infrastructure is a growing concern. In February 2013, the White House issued Presidential Policy Directive (PPD)-21 – Critical Infrastructure Security and Resilience. The directive states, “The nation’s critical


infrastructure provides the essential services that underpin American society. Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards.” Those hazards include cyberthreats. Presidential Executive Order 13636 – Improving Critical Infrastructure Cybersecurity was released in conjunction with PPD-21 to specifically deal with the cyberthreat to critical infrastructure. Per the executive order, “The cyberthreat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

OT security

A key component in protecting critical infrastructure from cyberattack is protecting the automated systems used to monitor and control critical processes. Systems that control water and wastewater processes are known by many names. Industrial control systems, supervisory control and data acquisition, distributed control systems, and industrial automation and control systems (IACSs) are just a few of the terms that fall under the general category of operational technology (OT).

“High-profile cyberattacks and security breaches are reminders that a comprehensive security plan is needed to protect industrial control systems and the critical infrastructure they control.”

Attacks on OT systems and networks are becoming more common. Although some high-profile attacks on critical infrastructure have been reported, we do not know the full extent, because cyberattacks do not have to be reported unless there is a breach of personal information or financial data.

Because we do not hear of many attacks on critical infrastructure, some people assume the cyberthreat to OT is not a great concern. We might not know the actual number of attacks, but we do know that malware has been developed specifically to attack critical infrastructure (e.g., Stuxnet and BlackEnergy). In December 2015, for example, an attack on the Ukrainian power grid left hundreds of thousands without power. These attacks are a powerful reminder that the threat to critical infrastructure cannot be ignored.

NIST cybersecurity framework

Executive order 13636 directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework to reduce risk to critical infrastructure. The intent of the framework was to provide critical infrastructure owners and operators a flexible and repeatable approach to meeting baseline cybersecurity measures and controls. In February 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity Version 1.0. The framework is available at www.nist.gov/cyberframework.

The cybersecurity framework (CSF) is a voluntary, risk-based approach for managing cybersecurity risks for critical infrastructure. It references industry standards, guidelines, and best practices known as informative references to help organizations manage cybersecurity risks.

The water sector does not currently have specific directives for securing OT, so the CSF is a useful resource for identifying relevant resources. The CSF is not meant to replace an existing program, but can be used as the foundation for a new cybersecurity program or to improve an existing program. The framework consists of three parts: the implementation tiers, the framework profile, and the framework core (figure 1).

Figure 1. NIST Cybersecurity Framework


Framework implementation tiers define the organization’s risk management practices by one of four tiers. Tier 1 represents the least amount of risk management, and tier 4 the most. Each organization must determine which tier is appropriate for it, given the organization’s unique goals, feasibility of implementation, and acceptable level of cybersecurity risk.

The framework profile helps an organization define a road map for moving from a “current” profile that defines current risk management practices to a “desired” profile that defines the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing the current profile to the desired profile produces a gap analysis that can be used to establish a plan defining actions required to meet organizational goals and to prioritize activities for cost-effective allocation of resources.

The framework core is a set of cybersecurity activities, desired outcomes, and applicable references common across all critical infrastructure sectors. They are segmented into five functions (figure 2). These functions organize basic cybersecurity activities at their highest level. The five functions are identify, protect, detect, respond, and recover.

Figure 2. The framework core

Figure 3. Linking cybersecurity function to informative references

Figure 3 shows how a function (identify) is broken down into various categories (asset management for this example). Categories are broken down into subcategories (physical devices and systems inventoried), leading to specific informative references, such as the ISA-62443 standard. Additionally, the specific section of the informative reference associated with the subcategory is provided to clearly identify the content most relevant to that subcategory.

The informative references listed by the CSF are not mutually exclusive, but complement one another. One resource is likely to provide more detailed guidance than another on a particular aspect of cybersecurity. As a result, all relevant resources should be considered when developing or updating a security plan.

ISA-62443 is one of the key standards referenced in the CSF. ISA developed this multipart standard for OT security. The standard provides a flexible framework for developing a comprehensive security plan for critical infrastructure entities such as water and wastewater utilities.

One particularly important section is ANSI/ISA-62443-2-1, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program, which is aimed at asset owners and operators responsible for establishing and managing a utility’s cybersecurity program. Unlike other security standards that cover only technical considerations for cybersecurity, ISA-62443-2-1 focuses on the critical elements of a security plan relating to policies, procedures, practices, and personnel. It is a valuable resource to management for establishing, implementing, and maintaining a utility-wide security plan.


The first step in developing an OT security program as defined by ISA-62443-2-1 is risk analysis, starting with the business rationale for cybersecurity. As noted in the standard, “Establishing a business rationale is essential for an organization to maintain management buy-in to an appropriate level of investment for the IACS cybersecurity program.”

Why a business case?

A well-defined business case for automation cybersecurity is essential for management buy-in to ensure the long-term allocation of resources needed to develop, implement, and maintain a utility-wide cybersecurity program for the OT controlling critical infrastructure. Without a strong commitment by senior management, utility personnel will find it difficult to prioritize the allocation of resources—especially when faced with resource-intensive challenges such as aging infrastructure.

“A well-defined business case for automation cybersecurity is necessary for management buy-in to ensure long-term allocation of resources.”

The business rationale for cybersecurity is based on the potential impact that a cybersecurity event can have on public health and safety, the environment, business continuity, emergency preparedness, regulatory compliance, and the public’s confidence in the utility. Developing a business rationale for cybersecurity identifies the business reasons for investing in cybersecurity to lower risk and protect the utility’s ability to perform its mission.

Cybersecurity is not an absolute, but a matter of degree. Because most water/wastewater systems have limited funding and personnel, mitigating all threats is not feasible or practical. By defining a business rationale for OT cybersecurity, executive management can define acceptable levels of risk for the utility, so that utility personnel can better understand the priorities to address in the security plan. By determining the cost-benefit aspects of security measures, the utility will get the maximum results from the money spent. Not having a well-defined security plan results in inefficient use of limited resources and can create a false sense of security.

When analyzing the business rationale, executives may find economic benefits similar to those of worker safety and health programs. Each year, workplace deaths and injuries cost U.S. businesses tens of billions of dollars. The Occupational Safety and Health Administration reports that employers save $4 to $6 for every $1 invested in an effective safety and health program.


Similarly, each year security breaches cost businesses billions of dollars in fines, litigation, and lost customers. According to the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost of a data breach is $4 million, a 29 percent increase since 2013. However, an attack on a critical water or wastewater system could have significant consequences that far exceed the monetary costs. A cybersecurity event that negatively impacts operations could expose a utility to litigation affecting business continuity and its ability to carry out its mission.

OT security is also fundamental to the creation of a culture of security within the utility, as noted in the American Water Works Association (AWWA) standard ANSI/AWWA G430-14 – Security Practices for Operation and Management. A key directive of the standard is an “explicit and visible commitment of senior leadership to security.” The AWWA G430-14 standard addresses the broad issues of security, and protecting operational technology is a key facet of security. An established business rationale for OT cybersecurity shows that management takes its commitment to security seriously. Cybersecurity must become a fundamental component of the utility’s culture, just like safety.

Should I worry about a cyberattack?

The probability of a state-sponsored cyberattack on a utility is most likely extremely low. However, water and wastewater utilities might be viewed as easy targets by radicalized, lone-wolf threat actors. “Security by obscurity” is no longer an option for small and medium utilities that have not considered external threats a concern in the past.

However, attacks make up only a small part of cyberthreats, as most originate internally. Whether malicious or accidental, the utility’s goal should be to prevent or minimize any type of cybersecurity event that will affect the availability and reliability of a critical system. A comprehensive security plan recognizes and prepares for both intended and unintended cybersecurity events. This will ultimately enhance the utility’s overall security and minimize any negative consequences on business continuity.

IT’s job?

Many in the OT world assume that their information technology (IT) department is handling the cybersecurity plan. IT professionals, who are responsible for ensuring the availability, integrity, and confidentiality of business and enterprise networks, are important members of a cross-functional team that develops and implements a utility-wide cybersecurity plan. However, the responsibility for protecting OT systems and networks—and the critical infrastructure they control—from a cybersecurity event lies with those who operate and maintain those networks.

An established cybersecurity business case will clearly define security roles and responsibilities for all utility personnel, including those involved with emergency preparedness and business continuity.

Figure 4. High-profile cyberattacks and security breaches are reminders that a comprehensive security plan is needed to protect industrial control systems and the critical infrastructure they control. A well-defined business case for automation cybersecurity will ensure management buy-in and long-term allocation of resources.



Guidance for developing a business case

A useful feature of ISA-62443-2-1 is annex A, which provides guidance on developing all elements of the cybersecurity management system as defined in the standard. Annex A includes helpful information for applying the standard and tailoring it to the organization’s specific needs. Although it is not a step-by-step process, it does offer useful guidance in developing each element, including the requirement for a business rationale.

Per annex A, there are four key components of a business rationale: prioritized business consequences, prioritized threats, estimated annual business impact, and cost of countermeasures.

Prioritized business consequences: For a water or wastewater utility, there are numerous areas where a cybersecurity event could cause significant negative consequences for operations. Those areas include public health and safety, the environment, business continuity, emergency preparedness, regulatory compliance, and public confidence in the utility to fulfill its mission. It is likely there will be compelling business reasons for ensuring that the consequences of a cybersecurity event—intended or otherwise—are not realized.

“ISA-62443-2-1 gives guidance on developing all elements of the cybersecurity management system.”

Prioritized threats: As stated previously, it is neither practical nor feasible to fully mitigate all risks. Limited resources demand that the most credible threats be given priority for developing mitigation strategies and allocating resources effectively. Unfortunately, there are many events that can negatively affect operations, from disgruntled employees to radicalized, lone-wolf threat actors, to common technical defects. By prioritizing threats in the business rationale, it will be clear which ones are considered most credible by management and which have the greatest potential impact on business.

Estimated annual business impact: The list of prioritized business consequences should be evaluated to determine an estimate of the annual business impact, ideally in financial terms. There are costs associated with implementing countermeasures to prevent or minimize a cybersecurity event. Unless there is a much larger cost to the business than the cost of countermeasures, it will be difficult to justify the cost of the countermeasures.

Cost: The purpose of the business rationale is to justify the anticipated cost of the human effort and technical countermeasures required to manage cyberrisks. The larger the difference between that cost and the estimated annual business impact, the easier it will be to justify allocation of resources. Estimating the cost of technical countermeasures should be straightforward. Estimating the cost of the human effort will be more challenging. Fortunately, ISA-62443-2-1 addresses all aspects of managing cyberrisks, including the most important one: people. The standard defines how to organize for security and provides guidance to help estimate the human effort required to manage cyberrisks.

First step

The cyberthreat scenario for critical infrastructure, including water and wastewater systems, is increasing and will become only more challenging in the future. The first step to creating a security plan is to define a business case for OT cybersecurity. By justifying the business rationale, a utility can reduce its cyberrisks, increase its resiliency, and ensure the availability and reliability of water and wastewater systems. ISA-62443-2-1 is a valuable resource for developing a cybersecurity management system that is essential for protecting critical infrastructure.



ABOUT THE AUTHOR

Don Dickinson has more than 32 years of sales, marketing, and product application experience in industrial automation and control systems, involving a wide range of products and technologies in various industry segments. Dickinson is the senior business development manager for Water Management, Phoenix Contact USA. He is a member of the ISA Water/Wastewater Industry Division and served on the AWWA project advisory committee for development of process control system security guidance for the water sector.

RESOURCES

2016 Dell Security Annual Threat Report
“Critical Infrastructure Security and Resilience”
“Improving Critical Infrastructure Cybersecurity”
Analysis of the cyberattack on the Ukrainian power grid
Framework for Improving Critical Infrastructure Cybersecurity
ANSI/ISA-62443-2-1 (99.02.01)-2009: Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
OSHA Q&A for employers
2016 Cost of Data Breach Study
ANSI/AWWA G430-14: Security Practices for Operation and Management
Industrial Automation and Control System Security Principles: Protecting the Critical Infrastructure, Second Edition



What Executives Need to Know About Industrial Control Systems Cybersecurity

By Joseph Weiss, PE, CISM, CRISC

Executive Summary

As more and more significant security breaches are discovered, the protection of information and control systems is becoming an important executive management and insurance issue. A company’s Board of Directors and executive management must continuously and meticulously identify, categorize, and mitigate risks to the organization’s success resulting from cyberattacks. In many cases the largest risk to the well-being of your company, your people, your processes, and your profits may be the compromise of your Industrial Control System—not a data breach.

Ask yourself the following questions about your company’s exposure to Industrial Control Systems Cybersecurity vulnerabilities:

• What opportunities exist for breach?
• What risk exposure does my company have and what are the consequences of that exposure?
• What is the maximum damage that might be done if one of these breaches occurs?
• What specific security deployments protect each of our assets?
• If our systems have cybersecurity vulnerabilities, how do those vulnerabilities impact our safety-related goals and initiatives?
• Who in our organization is responsible for these security measures? Are our IT and Operations teams coordinated and working together to secure our systems?



• Have we allocated the right resources, implemented the right standards, and sourced the right equipment to give us the best possible outcome?

This white paper addresses these and other questions in the context of the following objectives:

• Introduce the unique characteristics and vulnerabilities of Industrial Control Systems;
• Explore the key differences between an IT and an operations perspective on cybersecurity;
• Detail potential impacts of attack on critical infrastructure and manufacturing processes;
• Identify standards, training, and compliance programs to aid companies in their approach to these challenges;
• And offer some additional information on incidents that have already taken place.

In order to create and maintain secure systems, we have to first ensure that our processes and the communication between them are secure; Industrial Control Systems need to be targeted for more detailed review on a consistent basis. Second, we need to make sure that our operations staff have expertise in Industrial Control Systems Cybersecurity and are closely coordinating with our IT staff to protect our systems and processes. Third, we need to make sure our equipment is inherently secure and addresses known vulnerabilities by leveraging industry standards and conformance programs.

Introduction

Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production. Several of these terms are often used interchangeably, or generalized as SCADA:

• Distributed Control Systems (DCS) that monitor and control large centralized facilities such as power plants and refineries
• Supervisory Control and Data Acquisition (SCADA) systems that monitor and control dispersed assets such as electric grids, pipelines, and water systems
• Programmable Logic Controllers (PLCs) that control individual processes
• Remote Terminal Units (RTUs) that act as data concentrators
• Field devices—such as sensors that measure the process (pressure, temperature, flow, etc.); analyzers that monitor chemical constituents; drives that open and close valves; etc.

Essentially, an Industrial Control System is a system made up of other systems, designed to monitor and control physical processes and ensure safe operations within specific known engineered states. It carefully manages transitions to control risk between operational states. These controlled states and transitions are defined to protect against randomly occurring failures of a component or a few components. However, focused logical attacks to push a system into known dangerous states are not commonly expected or compensated for in the normal operational parameters of Industrial Control Systems.

“Focused logical attacks to push a system into known dangerous states are not commonly expected or compensated for in the normal operational parameters of Industrial Control Systems.”

Differentiating between IT Cybersecurity and ICS Cybersecurity

Malicious cyber-related incidents are occurring, or being identified, on what seems like a weekly basis. Almost all of these are data breaches, compromising the confidentiality of supposedly private information. However, the consequences are not confined to data breaches and compromises of personal data.

Industrial Control Systems that are used in the critical



infrastructures of electric power, nuclear plants, chemical plants, oil/gas, manufacturing, pipelines, transportation, and building controls also use computer controls. Often referred to as the “SCADA” systems, many are attached to very critical processes that modern society depends on and cannot continue to function without. They typically don’t look or act like those used in the conventional business IT environment and are not being monitored for cyber threats like those in the business IT environment.

It’s important to recognize and understand the differences between IT cybersecurity and ICS cybersecurity, and the table below highlights some of the most significant factors to consider.

| Attribute | IT | ICS |
| --- | --- | --- |
| Confidentiality (Privacy) | High | Low |
| Message Integrity | Low-Medium | Very High |
| System Availability | Low-Medium | Very High |
| Authentication | Medium-High | High |
| Non-Repudiation (Proof of the integrity and origin date) | High | Low-Medium |
| Time Criticality | Days Tolerated | Critical |
| System Downtime | Tolerated | Not Acceptable |
| Security Skills/Awareness | Usually Good | Usually Poor |
| System Life Cycle | 3-5 Years | 15-25 Years |
| Inoperability | Not Critical | Critical |
| Computing Resources | “Unlimited” | Very Limited with Older Processors |
| Software Changes | Frequent | Rare |
| Worst Case Impacts | Frequent Loss of Data | Equipment Destruction, Injuries |

Focusing on the Challenge

Cyber incidents have been defined by the US National Institute of Standards and Technology (NIST) as occurrences that jeopardize the confidentiality, integrity, or availability (CIA) of an information system. The NIST definition is a conservative approach to judging cybersecurity effectiveness. According to NIST, an incident doesn’t need to be malicious to be significant and to carry risk to the process and the people involved in the process.

However, because IT is so prevalent in the cybersecurity field, cybersecurity is effectively being viewed as a malicious attack via the Internet against a Windows-based system with the intent of stealing information. Unfortunately, this paradigm does not apply to ICSs and does not address the most important aspect of ICSs—safety. Generally, IT approaches cybersecurity as an end to itself—IT works to identify cyber vulnerabilities without evaluating the consequences.

“If malicious code can affect a Programmable Logic Controller the way that it did in the Stuxnet incident, that same process can be used to attack a PLC that operates a pipeline, a power plant, a water/wastewater treatment facility, a building’s security system, and more.”

It is the consequences that are of the most interest when considering the security of critical control systems. Many of these are installed in facilities with an expected life expectancy of 10–25 years. The nature of their design and the close connection to the underlying process means that they often cannot be upgraded to the latest cyber technologies easily, or even patched on an expedited basis.

Many professionals working in industry report a lack of senior management attention and consequent funding to address control system cybersecurity.

Why aren’t we paying closer attention and working to solve this imminent challenge facing our infrastructure? One of the biggest reasons given for this lack of attention on arguably the most critical system in a modern economy is that there have been few reported control system cyber incidents affecting these systems.



One exception to this was the Stuxnet in Iran. Unfortunately, a common response to this incident has been “Stuxnet doesn’t affect us—we don’t have uranium centrifuges.” Nothing could be further from the truth—if malicious code can affect a Programmable Logic Controller the way that it did in the Stuxnet incident, that same process can be used to attack a PLC that operates a pipeline, a power plant, a water or wastewater treatment facility, a building’s security system, and more.

The most important aspects of Industrial Control Systems are reliability and safety. Consequently, ICS personnel have different concerns; they are focused on cyber threats (malicious or unintentional) only if they affect reliability or safety. This means that the issues involved with ICS cybersecurity are not denial of service issues, but rather:

• Loss of process visibility—if I’m driving a car, are all of my displays working, and can I trust the information they’re conveying?
• Loss of control—as I’m driving, do I have control of the gas pedal, the brake pedal, and the steering wheel?

Both of these issues were key factors in Stuxnet—the centrifuges were spinning out of control, and the displays told the operator there were no problems.

ICS Vulnerabilities: An Attacker’s Dream and Our Worst Nightmare

Some attackers view exploits where you can damage physical processes as the holy grail of cyber attacks—imagine the devastation, and the resulting terror, that would be caused by the damage or compromise of the power grid or the water supply. Devices that can cause catastrophic damage through remote operation of cyber components are an ideal target for compromise.

Consequently, we should make these devices a “target” of more detailed review to a) protect them from malicious attack and b) ensure that non-malicious actions by an insider (facility staff or contractors) do not cause unintentional cyber incidents.

“The more components that can be compromised in an ICS, the greater the risk to the operator and value to the attacker. Industrial Control Systems are not designed to ensure resilience against concerted attacks that intend to place components in dangerous operating states.”

The more components that can be compromised in an ICS, the greater the risk to the operator and value to the attacker. Industrial Control Systems are not designed to ensure resilience against concerted attacks that intend to place components in dangerous operating states. This is expected to be a growing area of cyber-attack and engineering research.

An Industrial Control Systems Cybersecurity Expert looks at a facility and its systems in a holistic way, identifying physical vulnerabilities of the controllers and the process and discovering ways to exploit vulnerabilities by cyber manipulations. There are very few people with the expertise to understand the physical process being controlled; the control system domain with its unique design features; and the exploitation of IT vulnerabilities. ICS Cybersecurity Experts bridge the gaps between these traditional areas of expertise.

ICS Cybersecurity Experts bridge the gap between IT Security expertise and Industrial Control Systems expertise—a rare combination of skills in high demand today.



A basic diagram showing various components of Industrial Control Systems used in many different applications across different industries

Developing the Industrial Control Systems Cybersecurity Expert: Why it Matters

IT personnel generally have Computer Science backgrounds with minimal engineering backgrounds, whereas Operations personnel come from engineering backgrounds with minimal security training. There is a gulf between the IT and Operations organizations—and it is the responsibility of senior executives and boards to break down these organizational divides.

An Industrial Control System includes a Human-Machine Interface (HMI), a software application that presents information to an operator or user about the state of a process, and allows the system to accept and implement the operator’s control instructions. HMIs are generally designed to operate on common commercial operating systems (e.g., Windows) that are understood by IT. However, the proper support of these devices also requires Operations expertise.

Traditional cyber attacks often focus on the general purpose information systems—using zero-day vulnerabilities, buffer overflows, cross-site scripting, or other vulnerabilities. These attacks generally pursue the capture of valuable data or aim to create denial-of-service incidents. Attacks targeting Industrial Control Systems can be built on top of these—but take aim at the physical process, exploiting legitimate product or system design features.

“There is a gulf between the IT and Operations organizations—and it is the responsibility of senior executives and boards to break down these organizational divides.”

The typical IT security function is focused on Advanced Persistent Threats (APT) and traditional



insider threats, while threats such as Stuxnet and Aurora are Persistent Design Vulnerabilities (PDV) that exploit features inherent in the systems’ design. We use the term “infinite day vulnerabilities” instead of “zero day vulnerabilities” when referring to ICS systems, because the vulnerabilities are a combination of new and inherent vulnerabilities of the systems.

IT security experts understand Windows and Internet Protocol (IP) communications and have numerous types of technologies to look for cyber threats at the Windows and IP layers, but very little understanding and very few tools “below the IP layer.” Control systems personnel are typically focused on operational reliability and safety—not cybersecurity. Consequently, there are few computer forensics and minimal training to identify ICS cyber incidents. Organizations such as Computer Emergency Response Teams (CERT) have databases of hundreds of thousands of cyber probes and attacks, but very few, if any, recorded ICS incidents. This is partially due to the lack of training and education about Industrial Control Systems; and conversely, the lack of training of Operations personnel regarding security considerations. Moreover, there are few, if any, regulations to ensure ICS cyber incidents are forensically examined to identify possible pathways to failure. The lack of appropriate forensics can call official findings on verification and attribution into question; these factors are important details for insurance and compliance purposes and critical information as cyber technologies evolve into cyber weapons.

“Stuxnet was successful, in large part, because it was arguably the only instance where IT, Operations, and Physical Security teams tightly coordinated to plan and implement the attack. It is an unfortunate fact that this coordination does not happen (with very rare exceptions) when trying to protect Industrial Control Systems.”

In the IT environment, technology is available to monitor and identify cyber attacks, although there have been many cases where IT cyber compromised systems have gone unseen for months. With critical infrastructure, it is very different. When an event occurs in critical infrastructure such as an electric blackout or a pipe break, the results are immediate and the impact can’t be hidden. Without the perspective of an Industrial Control Systems cybersecurity expert, it can be difficult to determine if a cyber breach is the cause of a failure incident.

Industrial Control Systems Cybersecurity Experts meet the following criteria:

• They understand the physical process being controlled
• They understand the control system domain with its unique design features
• They understand the risks and mitigations of exploitable IT vulnerabilities
• They are well versed in industry standards and understand how they apply to people, processes, and products
• They can bridge the gap between the IT organization and the Operations organization

The culture gap that exists between the IT organization and the Operations organizations exacerbates the physical threats and makes it very difficult to secure Industrial Control Systems. Stuxnet was successful, in large part, because it was arguably the only instance where IT, Operations, and Physical Security teams tightly coordinated to plan and implement the attack. It is an unfortunate fact that this coordination does not happen (with very rare exceptions) when trying to protect Industrial Control Systems.

Industry Standards and Compliance Programs: A Solid Foundation to Build a Secure Future

ICS cybersecurity is a global issue—and the challenge spans across processes, people, and equipment. In order to create and maintain secure sys-



tems, we have to ensure that our processes and the communication between them are secure; we have to make sure our people are trained and we have expertise in Industrial Control Systems Cybersecurity; and we have to make sure our equipment is inherently secure and addresses known vulnerabilities. That’s a tall order, and when you multiply those challenges with the number of industries and world regions impacted, it can be overwhelming to consider how we will coordinate our response.

For hundreds of years, industries have relied on global standards to help solve difficult technical problems and ensure harmonization and consistency in process and product design. Standards Developing Organizations (SDOs) have led the charge in the consensus development of industry standards in areas like alarm management, safety, batch processing, wireless communication, and others. The International Society of Automation (ISA) is the SDO for automation and control professionals in many different industries, including oil and gas, petrochemicals, utilities, food and beverage, pharmaceutical, and many more.

ISA is the developer and applications-focused thought leader behind the world’s only consensus-based industrial cybersecurity standard. The ISA99 standards development committee brings together worldwide Industrial Control Systems Cybersecurity Experts from industry, governments, and academia to develop the ISA/IEC 62443 series of standards on industrial automation and control systems security, guided by the accredited processes of the American National Standards Institute. The committee addresses industrial automation and control systems whose compromise could result in endangerment of the public or a company’s employees, violation of regulatory requirements, loss of proprietary or confidential information, economic loss, or adverse impacts on national security.

The ISA/IEC 62443 standards define requirements and procedures for implementing electronically secure automation and Industrial Control Systems and security practices, and assessing electronic security performance. The ISA/IEC 62443 standards approach the cybersecurity challenge in a holistic way, bridging the gap between operations and information technology; and between process safety and cybersecurity. Given the interconnectivity of today’s advanced computer and control networks—where vulnerabilities exploited in one sector can impact and damage multiple sectors—it’s essential that cybersecurity standards be broadly applicable across industries or sectors. The ISA/IEC 62443 Industrial Automation and Control Systems Security series of standards is a multi-industry initiative applicable to all key industry sectors and critical infrastructure.

In order to help industry solve the “people” part of the challenge, ISA has also developed a series of courses and certificate programs based on the standards, culminating in the Industrial Control Systems Cybersecurity Expert designation for professionals who can successfully complete the courses and exams.

The final piece of the industrial cybersecurity puzzle involves the actual equipment that makes up the Industrial Control System—after all, a secure control system requires that each system, communication protocol, and communication media be secure. Unfortunately, many ICS devices, including new devices, are still insecure by design and many legacy Industrial Control Systems cannot implement IT security technologies yet won’t be replaced because they still work.



In response, the Automation Standards Compliance Institute created the ISASecure® ISA/IEC 62443 conformity assessment program for commercial-off-the-shelf (COTS) Industrial Control System products. The certification program evaluates the product development practices of the supplier, along with detailed product security characteristics, with the ultimate objective of securing the Industrial Control Systems supply chain. The ISASecure® certification program is an ISO/IEC 17065 conformity assessment scheme that ensures that control systems conform to relevant ISA/IEC 62443 cybersecurity standards and it is applied using the security lifecycle concept that forms the basis of the standards. Asset owners and integrators who include the ISASecure® designation as a procurement requirement for control systems projects have confidence that the selected products are robust against network attacks and free from known vulnerabilities.

Viewpoint: An Industrial Control Systems Cybersecurity Expert Explores ICS Cybersecurity Incidents

There have been nearly 750 actual Industrial Control Systems cyber incidents, with impacts ranging from trivial to significant equipment damage; significant environmental damage; non-compliance with regulatory requirements; and deaths of people involved in the affected processes. Remember, an ICS cyber incident does not need to be malicious to create a risk to the organization with potentially catastrophic consequences. The information from the incidents is not classified, but neither is it public. I have been studying these incidents for years, and I’ve created a database covering control system cyber incidents in Asia, Europe, North America, South America, and the Middle East. Following 9/11, there was supposed to be a focus on “connecting the dots,” but that certainly has not happened with ICS cybersecurity. ICS incidents keep occurring, many with common threads, across multiple industries with little guidance or training.

The incident case histories that I’ve compiled provide an understanding of:

• What can actually happen during an incident
• The difficulty in recognizing an incident as cyber-related
• The need for appropriate policies and/or technologies to effectively mitigate the incidents
• The lack of existing regulations and appropriate guidance to prevent or mitigate the incidents
• The lack of design resiliency for systems that cannot be protected from cyber threats
• How companies have recovered and can recover from breaches

The data could also help to provide an understanding of a breadth of human factors, nation state actions, and processes being used in hostile acts against critical infrastructure such as:

• Reconnaissance and testing
• Experimental use of destructive tools to test generic attacks
• Failures from design faults of control systems at different stages of the life cycle of industrial equipment
• Combined factors, based on analysis of how different factors interact and lead to incidents initiated by failures in control systems

My goal in the analysis of the data is to identify previously unrecognizable single factor risks, unusual and previously unpredicted failures, or the as-yet-unsimulated combinations of factors causing unusual perturbations. The database identifies:

• More than 50 cases that resulted in more than 1,000 deaths combined
• More than 10 major cyber-related electric outages
• More than 60 nuclear plant cyber incidents with more than 15 resulting in reactor shutdowns
• More than 50 cases involving significant environmental releases
• More than 100 cases involving physical equipment damage (not servers or other IT equipment)
• Impacts conservatively totaling more than $30 Billion (this comes from economic estimates from major cyber-related events such as electric outages, pipeline failures, dam failures, plane crashes, and train crashes) and bankruptcy of several companies as a result of these failures

Three incidents in particular come to mind when considering the potential risk to the financial well-being of organizations whose systems are compromised:

• The 2010 non-malicious natural gas pipeline rupture of a major Investor Owned Utility resulting in more than a $1.5 Billion fine and possible criminal violations
• The 2014 sophisticated malicious “spear-phishing” cyberattack at a German steel mill that caused physical damage to the furnace
• The on-going Volkswagen emissions scandal demonstrating that ICS cyber-issues can come from within an organization and target business considerations with billion dollar ramifications.

These incidents showcase ICS cybersecurity vulnerabilities; in some cases, incidents led to the resignation of the CEO and several billion dollars of damage; many times, incidents are caused by intentional activities but not often considered malicious in the traditional sense; and in both cases, IT has no knowledge of the relevant issues. In the case of the gas and electric company, the public utility commission is now investigating a potential splitting up of the company’s assets because of the systemic safety issues stemming from the rupture. In Volkswagen’s case, the company may have lost their entire diesel car market, as well as taken a serious hit to their reputation as a manufacturer of well-designed vehicles.

Recommendations and Conclusions

Industrial Control Systems cybersecurity is an issue with multiple facets, spanning technology, processes, equipment, and people—and it crosses traditional barriers of geography, industry, and application. Vulnerabilities and associated attacks, whether malicious or unintentional, can bring devastating financial, safety, and brand reputation consequences—and executive management should be carefully considering their exposure to these risks.

Culture, knowledge, and experience gaps exist between IT and Operations personnel in most companies, and the coordination of these functions with guidance from a team of Industrial Control Systems Cybersecurity Experts is critical to the success of a comprehensive cybersecurity program. Global, consensus standards focused on Industrial Control Systems cybersecurity can help to bridge the gaps between IT and Operations and between safety and cybersecurity. These standards can be applied to processes; the associated training and certificate programs can be leveraged to train people; and the associated compliance programs can be utilized to test and certify equipment.

By using data from known incidents and vulnerabilities and leveraging standards, training, and compliance programs, systems engineers and Industrial Control Systems Cybersecurity Experts can reduce the risks to critical infrastructure from hostile actors, human mistakes, and design flaws. We can make our systems more reliable, less sensitive to malicious or unintentional breaches, and secure the safety of our people and processes in industry and critical infrastructure.

RESOURCES

Download a brochure detailing ISA’s resources for Control Systems Cybersecurity, including the ISA/IEC 62443 standards and associated training, certificate programs, books, technical papers, and more: www.isa.org/cybersecurityresources

Visit Applied Control Solutions at http://realtimeacs.com/ to learn more about Joe Weiss, the author of this white paper.