SPPA-T3000 Section 12
Course: K-T3ADM1 Web Security

Section 12: Web Security

Restricted / © Siemens AG 2013 All Rights Reserved. E F IE 28 Training Center
R 7.0 POWER ACADEMY

Contents

12 Web Security (12-0)
12.1 Introduction (12-1)
12.2 Access Protection (12-2)
12.2.1 Why does access to the T3000 system have to be safeguarded? (12-2)
12.2.2 What risk is posed by such access and what consequences could it have? (12-3)
12.3 Security Requirements regarding SPPA-T3000 (12-4)
12.3.1 Generally (12-4)
12.3.2 Security Requirements regarding Thin Client (12-6)
12.3.3 Highest Commandment: Secrecy (12-8)
12.4 Security Concept (12-9)
12.4.1 Security Cell (12-10)
12.4.2 Communication Principle (12-14)
12.5 Access from "Inside" or from "Outside" (12-15)
12.6 Examples of Access Scenarios (12-16)
12.6.1 Inside the "Control System" (12-17)
12.6.2 Principle of Access from Outside the "Control System" (12-18)
12.7 Methods of Access from Outside the "Control System" (12-21)
12.7.1 Access from an Office PC by Terminal Server Within a DMZ Network (12-22)
12.7.2 Access from a Hotline PC using a VPN Tunnel (12-24)
12.8 Terms and Definitions (12-26)
12.8.1 Router (12-26)
12.8.2 Firewall (12-27)
12.8.3 DMZ Net (12-28)
12.8.4 Terminal Server (12-29)
12.8.5 VPN Tunnel (12-30)
12.1 Introduction

This section covers:

- Why access to SPPA-T3000 must be safeguarded and what risks the power station is exposed to through unauthorized access
- Which security requirements can be derived from these risks and which security concept has been developed on the basis of them
- What is meant by access from "inside" or from "outside"
- The principles of "access from the outside", explained using the example scenarios "Access from an office PC by terminal server within a DMZ network" and "Access from a hotline PC using a VPN tunnel"

Fig. 12_1 SPPA-T3000 – Web Security (slide: Access and Security Concept, Access Scenario)


1
t_
en
ud

Restricted / © Siemens AG 2013 All Rights Reserved. E F IE 28 Training Center


R 7.0 12 - 1 POWER ACADEMY
st
SPPA-T3000 Section 12

1
Course : K-T3ADM1 Web Security

t_
en
12.2 Access Protection
12.2.1 Why does access to the T3000 system have to be safeguarded?

Why does access to the T3000 system have to be safeguarded?

- To rule out unintentional and forbidden access, caused, for example, by improper or defective use of thin clients, or perpetrated by unauthorized persons (e.g. access from an outside PC in the corporate Intranet)
- To rule out retroactive effects of hardware and software components on system operation, i.e. the installation or operation of unapproved hardware and software is to be suppressed
- To ensure the operator control functionality, e.g. through compliance with response and operating times

Fig. 12_2 Access Protection


12.2.2 What risk is posed by such access and what consequences could it have?

What risk is posed by such access and what consequences could it have?

- A loss of production, e.g. due to a smuggled-in computer virus or a provoked turbine trip
- The destruction of system components, e.g. by unprofessional handling of the system
- The loss of company know-how, e.g. due to targeted industrial espionage (direct penetration into the company network or by means of a "Trojan horse")

Fig. 12_3 Risk/Consequences due to Unintentional or Forbidden Access
12.3 Security Requirements regarding SPPA-T3000

12.3.1 Generally

Security requirements can be derived on the basis of what has been said above:

- Access to SPPA-T3000 may only take place after authorization of the personnel, e.g. with a login and password (BIOS, Windows and Workbench)
- Access may only take place from authorized computers; for this purpose it is necessary to determine which PCs will be authorized to access SPPA-T3000 (e.g. separate thin clients in the office network or hotline PCs)
- Access from the outside may only take place via defined connections or access points, e.g. via defined routers and defined dial-in points (applicable to the hotline and to the customer's standby service)

Fig. 12_4 Security Requirements 1


- Undesirable applications or network protocols must be blocked, e.g. by configuring one or more firewalls
- Access from the outside may only take place through "secure" connections; these suppress or reduce the possibility of eavesdropping during data transfer
- The installation of software and hardware on standard thin clients operating in a control room must be prevented, e.g. by using a Windows user login without administrative rights (a "normal" user account) and by deactivating DVD drives and USB interfaces

Fig. 12_5 Security Requirements 2


12.3.2 Security Requirements regarding Thin Client

"Hardening" (locking down) the thin client means reducing Windows functionality to the minimum needed for control room operation. The essential aspects of hardening a thin client are:

- automatic start of the Web browser with login prompt
- no opening of other Web sites
- no starting of other applications (such as Nero)
- no logging into Windows with a different user login
- no starting of the Task Manager or Windows Explorer
- no icons on the desktop
- no complete start menu
- no access to external drives

Fig. 12_6 Security Requirements regarding TC 1


Additional requirements apply to a thin client that is not connected directly to the Application Highway (e.g. in the office network):

- a recognized anti-virus program with up-to-date signatures must be installed
- all the manufacturer's relevant security updates must have been installed
- only "trustworthy" software may be installed besides the T3000 software (no freeware or shareware from the Internet)

Fig. 12_7 Security Requirements regarding TC 2


12.3.3 Highest Commandment: Secrecy

The overriding rule is secrecy:

- regarding the existence of the dial-in point and its parameters (e.g. telephone number, login and password for establishing a connection)
- regarding the network structure and its configuration data (e.g. IP addresses and subnet masks)
- regarding all login data (logins and passwords) on the thin clients; login data may only be communicated to and accessible by authorized persons, throughout the company

Fig. 12_8 Security Requirements - Secrecy


12.4 Security Concept

On the basis of what has just been discussed, a security concept has been developed for SPPA-T3000. This security concept is based on the following elements:

- hardware in compliance with the security requirements
- security cells and access points
- secured network access to the security cells
- computer, user and access right management

Fig. 12_9 Security Concept


12.4.1 Security Cell

What is a security cell?

General definition: A security cell is an isolated zone that offers the best possible protection against negative influences.

Applied to the SPPA-T3000 security concept: A security cell offers the best possible protection against undesirable or forbidden access to the complete control system.

Fig. 12_10 Security Concept – Security Cell


Figure: The security cell "Control System" encloses all three layers of SPPA-T3000: the Presentation Layer (User Interface, Thin Clients), the Processing Layer (Application Server, Power Server, Automation Server) and the Process Data Interfaces Layer.

Fig. 12_11 Security Concept – Security Cell "Control System"


Figure: The Internet/Intranet (corporate network) forms an insecure cell adjoining the security cell "Control System" (Presentation Layer with User Interface and Thin Clients; Processing Layer with Application Server, Power Server and Automation Server; Process Data Interfaces Layer).

Fig. 12_12 Security Concept – Insecure Cell Internet/Intranet


Figure: A DMZ net (Demilitarized Zone) is inserted as a further security cell between the Internet/Intranet (corporate network) and the security cell "Control System" (Presentation Layer; Processing Layer with Application Server, Power Server and Automation Server; Process Data Interfaces Layer).

Fig. 12_13 Security Concept – Security Cell DMZ-Net


12.4.2 Communication Principle

A restrictive basic attitude is applied to data communication with the security cell "control system" or the DMZ net:

Everything is prohibited unless expressly permitted!

This restrictive basic attitude is implemented by appropriate configuration of the relevant access point (the firewall to the "control system" or to the DMZ net). In practice, this means:

- only the data packets of those computers are forwarded whose source and target IP addresses are expressly allowed, e.g. the desired communication between a Thin Client in the Intranet and the Application Server
- only permitted network protocols are passed on, e.g. https (hypertext transfer protocol secure) for operation of the Workbench

Fig. 12_14 Security Concept – Communication Principle
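The communication principle above, as an added worked example that is not code from the course or from Siemens: a stateless packet filter in Python that implements default deny with an explicit allow list keyed on source address, destination address, protocol and destination port, run over a few constructed packets. The addresses, the single rule and the sample traffic are assumptions made for the example; a real access point is a firewall appliance configured in its own rule language, but the decision logic is the same.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (assumptions, not taken from the course):
APP_SERVER = "10.1.0.10"       # Application Server inside the security cell "control system"
OFFICE_TC = "192.168.50.20"    # the one thin client in the corporate Intranet that is authorized
OTHER_PC = "192.168.50.99"     # some other office PC, not authorized


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One explicit permission: which computer may talk to which, with which protocol."""
    src: str      # network in CIDR notation, e.g. "192.168.50.20/32" for a single host
    dst: str
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.proto == self.proto
                and pkt.dport == self.dport)


# The complete allow list of the access point. Anything not listed here is dropped.
ALLOW = [
    Rule(OFFICE_TC + "/32", APP_SERVER + "/32", "tcp", 443),   # Workbench over https
]


def filter_packet(pkt: Packet, allow=ALLOW) -> str:
    """Default deny: a packet is forwarded only if some rule expressly permits it."""
    for rule in allow:
        if rule.matches(pkt):
            return "ACCEPT"
    return "DROP"   # no matching permission: prohibited


def overly_broad(allow=ALLOW, max_hosts: int = 256):
    """Configuration check: return rules whose source or destination covers more than
    max_hosts addresses (wider than a /24). One 'any' rule turns default deny into
    default allow, which is exactly the 'minor mistake' a firewall review must catch."""
    return [r for r in allow
            if ip_network(r.src).num_addresses > max_hosts
            or ip_network(r.dst).num_addresses > max_hosts]


SAMPLE_PACKETS = [   # constructed traffic arriving at the access point
    Packet(OFFICE_TC, APP_SERVER, "tcp", 443),    # authorized thin client opens the Workbench
    Packet(OFFICE_TC, APP_SERVER, "tcp", 22),     # same client tries ssh: protocol not permitted
    Packet(OTHER_PC, APP_SERVER, "tcp", 443),     # unknown PC, right protocol: computer not permitted
    Packet(OFFICE_TC, "10.1.0.11", "tcp", 443),   # authorized client, but a different target host
]


def verdicts(packets=SAMPLE_PACKETS, allow=ALLOW):
    """Apply the allow list to a list of packets and return one verdict per packet."""
    return [filter_packet(p, allow) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts()):
        print(f"{verdict:6} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}")
    careless = [Rule("0.0.0.0/0", APP_SERVER + "/32", "tcp", 443)]   # 'any source' by mistake
    print("overly broad rules:", overly_broad(careless))
```

The filter is stateless, so only the client-to-server direction is modelled; a real firewall tracks the TCP connection state so that the Application Server's replies pass without a second rule. The overly_broad() check is the kind of sanity test worth running on every rule change, because a single "any" rule quietly removes the protection the rest of the list provides.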


12.5 Access from "Inside" or from "Outside"

All access to the SPPA-T3000 system gained from within the security cell "control system" is referred to as "access from the inside".

All access to the SPPA-T3000 system gained from outside the security cell "control system" is referred to as "access from outside"; in other words, the "outside world" includes all systems which are not part of the security cell "control system" but should or could have access to it.

Access by external systems can take place via the following connection media:

- an optional DMZ network (demilitarized zone)
- the corporate Intranet (office network)
- the Internet, e.g. a DSL connection
- a dial-in connection, e.g. via ISDN

Fig. 12_15 Access from "Inside" or from "Outside"


12.6 Examples of Access Scenarios

To illustrate what has just been said, the following pages discuss what we call "access scenarios".

- By way of introduction, "Access by a thin client from inside the security cell control system" to the Application Server is discussed, with a focus on the network structure and the risk.
- In the next step, the "Principle of access from outside the security cell control system" is explained. The emphasis in this case is on the specific risks and how to reduce them.
- Finally, the example scenarios "Access via an office PC (DMZ net)" and "Access via a hotline PC (VPN tunnel)" are presented along with the necessary terms and definitions.

Fig. 12_16 Examples of Access Scenarios


12.6.1 Inside the "Control System"

How is access to SPPA-T3000 gained from inside the "control system"?

As a rule, access is gained by means of a Thin Client that is operated directly on the Application Highway. An external risk is irrelevant in this case because an autonomous network is involved. The risk posed by the human-machine interface is countered mainly by "hardening" (locking down) the thin client.

Figure: Security cell "Control System": thin clients (TC) on the Application Highway (Appl. HW), Application Server (Appl. Sv), Automation Highway (Auto HW).

Fig. 12_17 Inside the "Control System" – Access and Risk


12.6.2 Principle of Access from Outside the "Control System"

How is access to SPPA-T3000 gained from outside the "control system" in principle?

Here again, access is gained by means of a Thin Client. However, as it is located outside the "control system", this kind of access is referred to as access from an "insecure zone".

This case involves a high risk because this kind of network is usually very large and has a large number of users. This means there is an increased risk of computer viruses, for example.

Figure: The security cell "Control System" (TC, Appl. HW, Appl. Sv, Auto HW) is connected via a router to the Intranet (corporate network), where a further TC sits in the office network.

Fig. 12_18 Principle of Access from Outside the "Control System"


How can the risk be reduced?

- by installing a recognized virus protection program with up-to-date signatures
- by installing all the manufacturer's relevant security updates
- by installing exclusively trustworthy software, i.e. no freeware or shareware from the Internet
- by observing secrecy regarding access information

Fig. 12_19 Reducing the Risk of Access from Outside the "Control System" 1
The risk can be reduced further by installing a firewall between the networks of the "control system" and the Intranet. The requirements concerning authorized computers and undesirable applications or protocols can be met through appropriate configuration of the router and the firewall.

Figure: As in Fig. 12_18, but the router between the "Control System" and the Intranet (corporate network, office network) is now a router with firewall.

Fig. 12_20 Reducing the Risk of Access from Outside the "Control System" 2
12.7 Methods of Access from Outside the "Control System"

In connection with the security concept, the principles of gaining access from the outside world to SPPA-T3000 are explained on the basis of two methods:

- access from an office PC by means of a terminal server within a DMZ net
- access from a hotline PC using a VPN tunnel

Fig. 12_21 Methods of Access from Outside the "Control System"


12.7.1 Access from an Office PC by Terminal Server Within a DMZ Network

Why does access take place via a terminal server in the DMZ net?

- To reduce the risks of access to the Application Server, an intermediate stage is incorporated in the access chain. This intermediate stage is a terminal server in a DMZ net.
- Access from the office PC initiates a terminal server session. The actual Workbench is then operated in this session.
- The data transfer path itself is not safeguarded. This means there is no guarantee that communication takes place exclusively between the Application Server and the office PC (e.g. spoofing: an attempt at deception in computer networks by disguising one's own identity).

Fig. 12_22 Scenario: Terminal Server in the DMZ-Net 1


Operation of an office PC on the Intranet with access via a terminal server located within a DMZ net.

Figure: The "Control System" (TC, Appl. HW, Appl. Sv, Auto HW) is connected via a router with "inside" firewall to the DMZ net containing the Terminal Server; a router with "outside" firewall connects the DMZ net to the Intranet (corporate network, office network with the office TC), which in turn is separated from the Internet by the customer firewall.

Fig. 12_23 Scenario: Terminal Server in the DMZ-Net 2


12.7.2 Access from a Hotline PC using a VPN Tunnel

Why does access take place by means of a VPN tunnel?

- To eliminate the risk of unprotected data transfer through the Internet, a point-to-point connection (VPN tunnel) is established between the exit of the Siemens network (cRSP) and the entry to the customer network.
- Due to the characteristics of the VPN tunnel (identification, integrity and encryption), the otherwise unsecured data transfer path becomes a secure data transfer path.

Fig. 12_24 Scenario: VPN Tunnel 1


Operation of a hotline PC on the Siemens Intranet (cRSP) with access by means of a VPN tunnel.

Figure: As in Fig. 12_23 (control system, router with "inside" firewall, DMZ net with Terminal Server, router with "outside" firewall, customer Intranet with customer firewall), with the VPN tunnel running from the customer firewall across the Internet to the Siemens cRSP Intranet, where the hotline PC is located. cRSP = common Remote Service Platform.

Fig. 12_25 Scenario: VPN Tunnel 2


12.8 Terms and Definitions

12.8.1 Router

What is a router?

A router is a network component that couples several networks to one another. To do this, the router requires one separate interface for each self-contained network.

Arriving data packets are forwarded, i.e. routed, to the intended target network. When data arrives, the router must determine the right path to the destination and thus the suitable interface through which the data must be forwarded.

To this end, the router uses a locally held table, the routing table. It specifies which network can be reached through which interface and, for networks that are not directly connected, via which next hop (the IP address of the neighbouring router).

Fig. 12_26 Router
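The routing table lookup described above, as an added example in Python that is not from the course material: a longest-prefix match over a constructed routing table for a router that couples the control system, the DMZ net, the corporate Intranet and the Internet. The networks, interface names and next-hop addresses are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (assumptions, not from the course). Each entry is
# (destination network, outgoing interface, next hop or None if directly connected).
ROUTES = [
    ("10.1.0.0/24", "eth0", None),                # security cell "control system", directly connected
    ("172.16.5.0/24", "eth1", None),              # DMZ net, directly connected
    ("192.168.0.0/16", "eth2", "192.168.0.1"),    # corporate Intranet, via the customer's core router
    ("192.168.50.0/24", "eth2", "192.168.0.2"),   # office network: a more specific route inside the Intranet
    ("0.0.0.0/0", "eth3", "203.0.113.1"),         # default route towards the Internet
]


def lookup(dst: str, routes=ROUTES):
    """Longest-prefix match: of all routes whose network contains dst, take the most
    specific one (largest prefix length). Returns (interface, next hop); a directly
    connected destination is delivered to itself. Returns None if no route covers dst."""
    addr = ip_address(dst)
    best = None
    for net_str, iface, next_hop in routes:
        net = ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return None   # no route: the router discards the packet
    return best[1], (best[2] or dst)


if __name__ == "__main__":
    for dst in ("10.1.0.10", "172.16.5.5", "192.168.50.20", "192.168.7.7", "8.8.8.8"):
        print(f"{dst:15} -> {lookup(dst)}")
    print("without default route:", lookup("8.8.8.8", ROUTES[:-1]))
```

Two points worth noticing: the office-network packet is sent to 192.168.0.2 because the /24 route beats the /16 route even though both match, and without the default route a packet for an unknown destination is discarded rather than forwarded. A router forwards every packet for which it holds a route; whether a packet should pass from one cell to another is not a routing decision but a firewall decision (see 12.8.2).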


12.8.2 Firewall

What is a firewall?

A firewall is a network security component that allows or forbids network traffic depending on a defined set of rules.

A firewall is functionality that is installed on a hardware component (e.g. a router).

The firewall is aimed at safeguarding data traffic between network segments with different levels of trust. A typical application is to check the transition between a local area network (LAN) (highly trusted) and the Internet (no trust).

To configure a firewall, the network administrator must have a sound knowledge of network protocols, routing, and network and information security. Even minor mistakes can negate the protective effect of a firewall!

Fig. 12_27 Firewall


12.8.3 DMZ Net

What is a DMZ or a DMZ net?

A DMZ net (demilitarized zone) is a network in which access to the servers connected to it is checked in terms of security.

The systems set up in the DMZ are screened off from other networks (e.g. the Internet) by means of firewalls. Thanks to this separation, access to individual services can be permitted and, at the same time, the internal network can be protected against unauthorized access.

The purpose of a DMZ network is to provide services of the computer network, on as secure a basis as possible, to both the WAN (e.g. the insecure cell) and the LAN (e.g. the security cell "control system"). A DMZ develops its protective effect by isolating a system from two or more networks.

Fig. 12_28 DMZ Net


12.8.4 Terminal Server

What is a terminal server?

A terminal server is a computer that emulates several terminals (e.g. PCs or desktops), or the software that provides this emulation. As on any normal PC, several different programs can run on each emulated terminal. These emulated terminals are displayed on the screens of mostly remote PCs.

Fig. 12_29 Terminal Server


12.8.5 VPN Tunnel

What is a VPN tunnel?

A VPN tunnel (Virtual Private Network) is a technology for operating an encrypted point-to-point connection between two network stations through a public network (e.g. the Internet).

The tunnel ensures that data traffic between a source and a destination is isolated from the general data traffic of the transit network and is kept private. We speak of a secure connection in this context.

The features of a secure connection are mutual, unambiguous identification of the communication partners (authentication) and protection of data against loss and modification (integrity).

Fig. 12_30 VPN Tunnel
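The three properties of the tunnel named in 12.7.2 and above (identification, integrity, encryption), as an added example that is not part of the course material and is not how cRSP or any real VPN product is implemented: an illustrative encrypt-then-MAC datagram format in Python with a pre-shared key, which shows why the spoofed or modified traffic that 12.7.1 warns about on an unprotected path is rejected at the tunnel end. The pre-shared key, the session format and the payload are constructed for the example. A production tunnel uses IPsec or TLS with a vetted AEAD cipher rather than this HMAC-based keystream.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 12   # 8-byte session id + 4-byte sequence number
TAG_LEN = 32      # HMAC-SHA256 output


class TunnelError(Exception):
    """Raised by the receiving tunnel end when a datagram fails a check."""


def derive_keys(psk):
    """Two independent keys from the one pre-shared secret: one for encryption, one for the MAC."""
    enc_key = hmac.new(psk, b"tunnel-example|enc", hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"tunnel-example|mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from a PRF (HMAC-SHA256). Illustrative only; a real tunnel uses a vetted AEAD."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """One tunnel end point, e.g. the hotline PC side."""

    def __init__(self, psk):
        self.enc_key, self.mac_key = derive_keys(psk)
        self.session_id = os.urandom(8)
        self.seq = 0

    def seal(self, plaintext):
        self.seq += 1
        header = self.session_id + struct.pack(">I", self.seq)   # also the nonce: unique per datagram
        ciphertext = _xor(plaintext, _keystream(self.enc_key, header, len(plaintext)))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + ciphertext + tag


class Receiver:
    """The other end point, e.g. the customer's VPN gateway."""

    def __init__(self, psk):
        self.enc_key, self.mac_key = derive_keys(psk)
        self.highest_seq = {}   # highest sequence number accepted per session id, for replay detection

    def open(self, datagram):
        if len(datagram) < HEADER_LEN + TAG_LEN:
            raise TunnelError("truncated datagram")
        header = datagram[:HEADER_LEN]
        ciphertext = datagram[HEADER_LEN:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise TunnelError("authentication failed")   # wrong key (spoofed sender) or modified data
        session_id, seq = header[:8], struct.unpack(">I", header[8:])[0]
        if seq <= self.highest_seq.get(session_id, 0):
            raise TunnelError("replayed datagram")
        self.highest_seq[session_id] = seq
        return _xor(ciphertext, _keystream(self.enc_key, header, len(ciphertext)))


def demo(psk=b"constructed pre-shared secret"):
    """Hotline PC -> customer gateway exchange, followed by the attacks the tunnel must resist."""
    hotline, gateway = Sender(psk), Receiver(psk)
    message = b"GET /workbench HTTP/1.1"   # constructed payload
    datagram = hotline.seal(message)

    def rejected(d):
        try:
            gateway.open(d)
        except TunnelError:
            return True
        return False

    results = {"delivered": gateway.open(datagram) == message,       # legitimate partner, decrypts
               "plaintext_hidden": message not in datagram}           # nothing readable on the wire
    results["replay_rejected"] = rejected(datagram)                   # the same datagram a second time
    flipped = bytes([datagram[HEADER_LEN] ^ 0x01])                    # one bit of ciphertext changed
    results["tampered_rejected"] = rejected(datagram[:HEADER_LEN] + flipped + datagram[HEADER_LEN + 1:])
    results["forged_rejected"] = rejected(Sender(b"attacker without the secret").seal(message))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'ok' if ok else 'FAILED'}")
```

The point of the four checks is the mapping to the course's three properties: the shared key identifies the partner (a sender without it cannot produce a valid tag, however well it spoofs addresses), the tag over header and ciphertext gives integrity (a single flipped bit is detected), the keystream gives confidentiality, and the sequence number in the authenticated header additionally stops replays of an otherwise valid datagram.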

