
Cybersecurity

The why and how

Unrestricted | © Siemens 2022 | Jürgen Büssert | DI FA S GVM INF | 2022-03-14


Industrial Security protects against threats! – Example:
A Ransomware attack against Infrastructure

Possible system downtime spans the whole attack chain:

1. Distribution of malware: deploy ransomware on a PC via mail, USB, etc.
2. Encryption of critical data: lock the system with ransomware
3. Blackmailing: claim money from the PC owner for unlocking
4. Data decryption (optional): deliver the key to unlock the system


European Parliamentary Research Service
Figures about Cybercrime dated 2020

2007: The first known cyber-attack on a country was mounted on Estonia in April 2007, affecting the online services of banks, media outlets and government bodies for weeks.
2015: Costs US$370 million
2016: A ransomware attack every 40 seconds
2017: Forecast costs US$20 billion by 2021; a ransomware attack every 11 seconds in 2021
2019: According to Verizon*, 86 % of breaches committed in 2019 were financially motivated and 10 % by espionage

* Verizon Communications Inc., a US-American telecommunications company with global activities
Cybersecurity
What is it about?
There are people out there …

• who earn their money by offering the capability to destroy critical infrastructure
• who earn their money by blackmailing the operator of critical infrastructure
• who just want to feel their power and ability to destroy critical infrastructure

All over the world people work hard to prevent such things from happening.


Cybersecurity
What about the awareness?

1 • "The" automation guy focusses on functionality

2 • Cybersecurity is strange, something from "another" universe

3 • Cybersecurity is an effort
    • in time
    • in money
    • in know-how and experience
    • in inhouse employees with know-how and experience

4 • Cybersecurity is at its best when nothing happens!

Why should one spend time and money to gain know-how and experience when everything runs fine?


Cybersecurity
Why can't I sell it like a product?

It's like a car:
• The car itself represents no harm for anybody
• One can kill people with a car
• The driving license creates awareness for the threat
The operator decides how it is used.

Observing cybersecurity requirements is as important as traffic regulations.

Cybersecurity is no product:
• Implement the possible minimum
• Implement the required things

Cybersecurity is expensive and needs experts! This can only be achieved in a dialog with the operating company.


Industrial Security – Trends and Impacts
The corporate security chain is only as strong as its weakest link

Trends impacting security:
• Horizontal and Vertical integration
• Cloud Computing approaches
• Open standards
• PC-based systems
• Increased use of Mobile Devices
• Wireless Technology
• The worldwide remote access to plants and machines
• Mobile applications
• The "Internet of Things"

Security can fail at many points:
• Automation systems/plants
• Service Laptops/Smartphones/USB Sticks
• Network infrastructure
• Remote access
• Employees
• Policies and guidelines
• Printers
• …

Impact: Automation as new "Prime target"


Industrial Security –
"Defense-in-Depth" Concept of Siemens (according to IEC 62443)

Defense in depth against security threats, layered from the outside in:

Plant security
• Physical access protection
• Processes and guidelines
• Security services protecting systems

Network security
• Cell protection
• Perimeter network
• Firewalls and VPN

System integrity
• System hardening
• Patch-Management
• Detection of attacks
• Authentication and access protection


Available Certificates … Siemens stands for cybersecurity within the PLM Process

IEC 62443/ISA99
International Standard IEC 62443/ISA99, in particular, has proven its worth in the industrial automation environment. It is aimed both at plant operators, integrators and component manufacturers, and covers all security-relevant aspects of Industrial Security.

TÜV Süd
As the first company to receive TÜV SÜD certification based on IEC 62443-4-1 for the interdisciplinary process of developing Siemens automation and drive products, including industrial software, Siemens received the certification at seven development sites in Germany.

ANSSI certification
ANSSI certifies and gives a classification to some Siemens products.

ACHILLES certification
As the first provider of automation technology, Siemens holds Level 2 certification for Communication Robustness for multiple controls, CPs and DPs.


Siemens ProductCERT and Siemens CERT

The central expert teams for immediate response to security threats and issues affecting Siemens products, solutions, services, or infrastructure.
https://new.siemens.com/global/en/products/services/cert.html

Siemens Security Advisories

Validated security vulnerabilities that directly involve Siemens products and require applying an update.
https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications


Added value overview for Water and Wastewater customers W&WW (FA)

W&WW Cyber Security Toolbox

Cyber Security Whitepapers and Reference architecture blueprints according to IEC62443-3-3
✓ Available for all WinCC Systems for typical water and waste water treatment plant sizes:
• WTP and WWTP "large": WinCC Open Architecture
• WTP and WWTP "medium": WinCC V7
• WTP and WWTP "small": WinCC RT PROF/TIA

Secure Configuration guides according to IEC62443-3-3, implementation of technical measures to fulfil Blueprint security requirements
✓ Available for all WinCC Systems for typical water and waste water treatment plant sizes (Release in June 2020)

Added values

Security in Plant design and Engineering
• Security whitepapers give guidance to achieve protection against all major security threats
• The holistic "Defense in Depth" approach is tailored to the requirements of the W&WW industry

Security implementation
• Secure reference architecture blueprints and secure configuration guides acc. IEC62443-3-3
• Checklist allows a comprehensive implementation of cyber security in W&WW

Secure operation
• IEC62443-3-3 compliance supports TÜV certification of the specific customer installation
• Siemens industrial security services ensure a secure operation over the lifecycle

Siemens has developed a consistent security concept, which is unique in the market.


Industrial Security offering from Siemens –
Consulting, Implementation and Optimization

Consulting: Identify your security position
Concepts
• Security reference architectures acc. IEC62443-3-3
Services
• Security Assessments acc. to IEC 62443 and ISO 27001
• Risk and Vulnerability Assessments
• Scanning Services
• IEC 62443, in US: NIST, NERC

Implement measures to close the gaps to increase your security
Concepts
• Secure configuration guide acc. IEC62443-3-3
Services
• Security Awareness Training
• Application Whitelisting and Antivirus protection
• Industrial Security Consulting
• Professional Services and Network Consulting
Products
• Network Components
• Remote Connectivity and Network Management Solutions
• Firewall Solutions
• Industrial Anomaly Detection

Optimization: Manage your security solution
Services
• Industrial Security Monitoring
• Industrial Vulnerability Manager
• Patch Management
• Remote Incident Handling
SIMATIC PLC S7: Encrypted Communication
Overview

The following encrypted communication is supported:

• OPC UA Server & Client, based on TLS
  (OPC UA stack diagram: Information models; Information access; Data model and base services; Transport protocol; Discovery / detection of servers; with Robustness, Security and Stability as cross-cutting properties)
• Open User Connections, based on TLS
• ES communication, based on TLS
• Webserver with https
• HMI communication, based on TLS


Industrial Security offering from Siemens –
Secure communication

S7-1500 has 64 resources for keys:
• A trusted root certificate requires one resource (public key)
• A device certificate requires 2 resources (private + public key)

For which services does S7-1500 use certificates?
• Secure Open User Connections (SOUC)
• Webserver
• OPC UA Client/Server
• Encrypted email
• ES/HMI communication based on TLS
• VPN tunnel by CP1543-1
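A worked example, added here and not part of the Siemens slides, of budgeting the 64 key resources stated above: it models the TLS-based services from the slides, charges 1 resource per trusted root certificate and 2 per device certificate, and checks the total against the budget. The service list, the CA names, and the assumption that one trusted root is stored once in the CPU's certificate store and shared by every service that needs it are constructed for this example and are not Siemens specifications.

```python
from dataclasses import dataclass

# Figures from the slides: S7-1500 key-resource budget and per-certificate cost.
KEY_RESOURCES = 64          # resources available for keys on the CPU
ROOT_CERT_COST = 1          # trusted root certificate: public key only
DEVICE_CERT_COST = 2        # device certificate: private + public key


@dataclass(frozen=True)
class ServiceCerts:
    """Certificate needs of one CPU service (constructed model, not a Siemens API)."""
    name: str
    device_cert: bool           # the CPU presents its own certificate for this service
    trusted_roots: tuple        # CA subjects the CPU must trust to verify its peers


def plan_certificate_store(services, budget=KEY_RESOURCES):
    """Count the key resources a set of services consumes and compare with the budget.

    Assumption (labelled): a trusted root is stored once and shared by all services,
    so the same CA appearing in several services is charged only once.
    """
    device_certs = sum(1 for s in services if s.device_cert)
    roots = sorted({root for s in services for root in s.trusted_roots})
    used = device_certs * DEVICE_CERT_COST + len(roots) * ROOT_CERT_COST
    return {
        "device_certs": device_certs,
        "trusted_roots": roots,
        "resources_used": used,
        "resources_free": budget - used,
        "fits": used <= budget,
    }


def resources_saved_by_shared_ca(services):
    """Resources saved by a shared plant CA compared with charging every service's roots separately.

    Shows why consolidating on one issuing CA is the cheaper design on a
    resource-constrained controller; the counts are derived from the model above.
    """
    per_service = sum(len(s.trusted_roots) for s in services) * ROOT_CERT_COST
    shared = len({r for s in services for r in s.trusted_roots}) * ROOT_CERT_COST
    return per_service - shared


# Constructed example: the certificate-using services listed on the slide,
# with CA names invented for this example.
EXAMPLE_SERVICES = (
    ServiceCerts("Secure Open User Connection", True, ("Plant-CA",)),
    ServiceCerts("Webserver (https)", True, ()),
    ServiceCerts("OPC UA server", True, ("Plant-CA", "Engineering-CA")),
    ServiceCerts("OPC UA client", True, ("Plant-CA",)),
    ServiceCerts("ES/HMI communication", True, ("Engineering-CA",)),
    ServiceCerts("Encrypted email", False, ("Mail-CA",)),
)

if __name__ == "__main__":
    plan = plan_certificate_store(EXAMPLE_SERVICES)
    print(plan)  # 5 device certs + 3 roots = 13 resources used, 51 free, fits
    print("saved by shared CA:", resources_saved_by_shared_ca(EXAMPLE_SERVICES))
    # A plan that does not fit: 40 device certificates alone need 80 resources.
    too_many = [ServiceCerts(f"connection-{i}", True, ("Plant-CA",)) for i in range(40)]
    print(plan_certificate_store(too_many)["fits"])  # False
```

The check is worth running at engineering time rather than discovering the limit on the CPU: every additional device certificate costs twice what a trusted root does, and a plant-wide CA keeps the root count constant as services are added.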


Links
Cybersecurity at Siemens
https://www.siemens.com/cybersecurity

Protected in every aspect
https://new.siemens.com/global/en/products/automation/topic-areas/industrial-security.html

Cybersecurity Services
https://new.siemens.com/global/en/products/services/cybersecurity.html

Siemens ProductCERT and Siemens CERT
https://new.siemens.com/global/en/products/services/cert.html


Contact
Published by Siemens AG
Jürgen Büssert
Technical Specialist
DI FA S GVM INF
Gleiwitzerstraße 555
90475 Nuremberg
Germany
E-mail juergen.buessert@siemens.com
