
Contents

Continuous increase of global networking


Top 10 threats to industrial control systems
Comprehensively protecting productivity
Single-layered protective measures
Multi-layered protective measures
Risk Assessment
Cyber Security
Deploying a Network Security Strategy
Securing OSI layers
Siemens Cyber Security

Industrial Networks Education Security in Industrial Networks with RUGGEDCOM


Siemens AG © 2016. All rights reserved 1-1 Protecting Industrial Networks
Know the Defense in Depth concept:
You learn about the Defense in Depth concept to effectively and flexibly protect an industrial plant
from the risks associated with Industrial Security.

Many different trends with effects on industrial security are now coming together.
Worldwide, the number of network connections is continuously increasing. This allowed
innovations such as Cloud computing and the associated applications. In connection with this, we
have the massive increase of mobile devices such as mobile telephones and tablet PCs. This trend
is bolstered by the widespread availability of mobile radio networks.

If we look at the infrastructure as a whole, we see that extensive networking is not limited to data
networks but will soon also leave its mark on our energy infrastructure. The Smart Grid will
become the "Internet of Energy", in which loads will also be energy producers that feed
power into the network and sell it. This might not sound so exciting if you only have three people in
your family, but it is very interesting for glass or steel producers, for example.

But even if you are the parent of a family of three, it would be interesting for you if your refrigerator
"knew" how to cool in low-energy mode on a hot August afternoon when the power grid is reaching
the limits of its capacity. To do this, however, the refrigerator must be able to communicate with the
network and respond to demand signals. The refrigerator only represents an example for the
"Internet of Things", i.e. the connecting of millions of electronic devices via the Internet, from the
onboard computer in your car, which sends warranty information to your dealer, to the pickups in
your water meter, which report water consumption data to your city water supplier via radio signals.
To ensure that everything runs without errors, from Cloud computing to the water meters, you need
a reliable network infrastructure which is well protected against attacks by malware and hackers.

Social Engineering is a method of gaining unauthorized access to information. This attack exploits
human traits such as curiosity, helpfulness, trust, fear or respect for authority. These methods may
involve e-mails ("phishing"), phone calls or other types of personal interaction in which malicious
individuals attempt to lure employees into providing sensitive personal or corporate information,
such as account passwords. Certain attachments may contain malicious code that runs when opened.
Removable media such as USB flash drives are often used by employees to transfer
information in both the office network and the Industrial Control System (ICS) network. Contractors or external
personnel may also carry their own removable media. The use of laptops with external software,
as these contractors may do, also constitutes a threat.
External access may be required during troubleshooting or simply for maintenance. These entry
points into the ICS network, if not properly safeguarded, are taken advantage of by hackers to
break in. Lack of authentication/authorization and the absence of restrictions on who may try to connect,
among other things, make ICSs easy targets.
Human error and sabotage: wrong configuration of elements, intentional or unintentional, for
example of firewalls or other network and ICS components; security patches not applied to the OS;
compromise of systems by unauthorized software or hardware.
Control components left with weak security/passwords can be accessed easily. These types of
devices often do not have enough, or any, security features. Implementing additional security
mechanisms around them is paramount.
Technical malfunctions and force majeure (unforeseeable circumstances). This has to do with
software and hardware errors/failures in security-specific components and ICS components that
may lead to unexpected malfunction.
Denial of Service attacks. When communications are interrupted, business continuity is
impaired. Measuring and control data, for example, cannot be transmitted anymore; overloading a
device will lead to higher than usual response times. Distributed DoS is a form of deliberately
causing a malfunction.

US Industrial control systems reported 295 incidents during 2015, compared to 245 in the previous
year, as per the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Remaining secure means you have to stay alert – at all times
There is no such thing as 100% security. And the security that does exist never lasts forever.
Internalizing this fact is an essential step toward creating the best-possible industrial security
solution and continuously adapting it to new threats.

Ensuring productivity with security


Constantly monitored and integrated security is essential for industrial networks.
Ethernet connections increasingly extend all the way to the field level. Only an approach that
combines security mechanisms with a comprehensive understanding of industrial networks can
provide reliable protection. Siemens supports you in implementing the necessary measures – as
part of our integrated range of products and services for industrial security.

Wall
Looking back in history, a wall was a proven protective measure for fortifying a city. Equipped with
battlements and towers, it was used both to defend the city and to control who was allowed in.

Today, a wall no longer represents an overwhelming obstacle. An attacker only has to think about
how to overcome this one obstacle. It is then a matter of time before the attacker figures out their
way in. The intruder also has to put forth time and effort just once to achieve their goal. Thus, a
wall by itself is not an effective protective measure.

A single protective measure is never sufficient to effectively put a stop to a threat.

Defense in Depth
This principle is not new. Castles and fortresses were always equipped with more than one
defensive or protective system, with each measure supporting the other in order to make the
attacker's attempt as difficult as possible. After the moats to hinder the approach and the outer wall
with defensive towers, an additional protective wall was also erected, for example, to secure the
main castle complex.
Thus, Defense in Depth is the principle of setting up successive, but independent protective
measures. An attacker must repeatedly invest time and effort into overcoming each protective
measure. The failure of a single protective measure, however, must not automatically cause the
failure of the following measure.

There is no such thing as 100% security of a system, but a Defense in Depth approach can
reduce the risks involved.

"Defense in Depth" means setting up as many protective measures as possible between the
"outside world" and the devices or systems to be protected.

Today's industrial Ethernet networks, found in plants, substations and traffic control sites, contain
equipment that can be accessed remotely through the network infrastructure.

Electric Power Systems (EPSs) have emerged as one of the most critical infrastructures, in the sense
that all other critical and vital infrastructures depend on a reliable electricity supply. At the same time
they are considered the most vulnerable to physical and cyber attack.

What could happen if the EPS security is breached?

"Entry into the substation via telephone lines or other electronic-based media for the manipulation
or disturbance of electronic devices. These devices include digital relays, fault recorders,
diagnostic packages, automation equipment, computers, programmable logic controllers, and
communication interfaces." (IEEE 1402, IEEE Guide for Electric Power Substation Physical and
Electronic Security)

The main vulnerabilities in EPSs are connected with the ability to remotely access protection, control,
automation and SCADA equipment. By exploiting a vulnerability in a power substation's communications, an
electronic intruder could, for example, access the substation SCADA system and operate circuit
breakers in the substation, which could affect the reliability of the electricity supply or even cause a
large-scale EPS failure.

Is there any legislation or general guidelines to follow to ensure critical assets are
'secured'?

Utilities
- The United States and some provinces in Canada are to enforce NERC-CIP version 5 (North
American Electric Reliability Corporation Critical Infrastructure Protection) guidelines or
standards on power systems. Failure to comply may result in financial penalties.
- Most European countries follow best practices from the industry.

NERC is a non-profit organization whose mission is to ensure the reliability of the North American
bulk power system.

The NIST (National Institute of Standards and Technology) Cybersecurity Framework provides a policy
of computer security guidance for how private sector organizations can assess and improve their
ability to prevent, detect, and respond to cyber attacks.

Industrial Automation
- ISA99 / IEC 62443, the leading standard for security in industrial automation

ISA: International Society of Automation, Committee on Security for Industrial Automation and
Control Systems (ISA99)

The purpose of a risk assessment is to help an organization identify, quantify
and prioritize the potential risks related to one or more recognized threats.
Not only do networks provide big opportunities with regard to communication,
but they also involve many risks with regard to confidentiality and availability.
These risks must be discovered and understood in your networks so that your system
can stand a chance of defending against them.

Performing a risk assessment allows the business to proactively implement
protective measures against potential attacks. As a result, potential threats,
and the current vulnerabilities that those threats could exploit, can be
identified.

This exercise should involve all the stakeholders in an organization and
should happen periodically. In this manner, proper mitigation can be deployed
to address the inherent risks.
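The identify, quantify and prioritize steps described above, as an added example that is not part of the Siemens training material: a minimal risk register in Python. The assets, threats, scores and existing controls are constructed sample data, and the scoring model (likelihood x impact, reduced by the effectiveness of the existing control) is one common simple model, not one the slides or any standard prescribe.

```python
"""Added example, not code from the Siemens training material: a minimal risk
register that scores and prioritizes potential risks to ICS assets.

Assumptions (constructed for this example, not taken from the page): the assets,
threats, scores and existing controls are sample data; the scoring model
(likelihood x impact, reduced by the effectiveness of the existing control) is
one common simple model, not one the slides or any standard prescribe."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (loss of plant or EPS)
    control: str = "none"                # existing protective measure, if any
    control_effectiveness: float = 0.0   # 0.0 (no control) .. 0.9 (strong control)

    def inherent(self) -> int:
        """Risk before any control is credited: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk that remains after the existing control is credited."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def validate(risk: Risk) -> None:
    """Reject scores outside the agreed scales before they skew the ranking."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset}: likelihood and impact must be 1..5")
    if not 0.0 <= risk.control_effectiveness <= 0.9:
        raise ValueError(f"{risk.asset}: no control is credited above 0.9")


def prioritize(risks):
    """Highest residual risk first; ties go to the higher impact (safety first)."""
    for risk in risks:
        validate(risk)
    return sorted(risks, key=lambda r: (r.residual(), r.impact), reverse=True)


def treatment_needed(risks, tolerance: float = 7.5):
    """Risks above the organization's tolerance need a mitigation plan and an owner."""
    return [r for r in prioritize(risks) if r.residual() > tolerance]


# Constructed sample register; the threats follow the top-10 list in the text.
SAMPLE_RISKS = [
    Risk("substation SCADA gateway", "remote access without authentication", 4, 5),
    Risk("plant-floor PLC", "default vendor password", 5, 4,
         "password changed at commissioning", 0.6),
    Risk("engineering workstation", "phishing e-mail with malicious attachment", 4, 3,
         "e-mail attachment filtering", 0.5),
    Risk("HMI", "malware via USB removable media", 3, 4, "USB ports disabled", 0.8),
    Risk("core switch", "MAC address table overflow", 2, 2),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.residual():5.1f}  {r.asset:26s} {r.threat}  [control: {r.control}]")
```

Running the block prints the register ranked by residual risk; the two entries above the tolerance of 7.5 are the ones that need a treatment plan in the next assessment cycle. The validation step matters in practice because a single out-of-scale score silently reorders the whole list.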

What are we trying to protect?
Answers may range anywhere from workstations, HMIs (Human Machine Interfaces), SCADA (Supervisory
Control and Data Acquisition) systems, PLCs (Programmable Logic Controllers), IEDs (Intelligent Electronic Devices),
air/ground traffic controllers, switches, routers, and so forth.

Where do networks become insecure? Where are they secure in the first place?
- When you get back to your office, pull a drawing and documentation of your existing network.
See if it looks up-to-date.
- Pinpoint what applications run on it (both ICS (Industrial Control Systems) and non-ICS) and
determine the traffic flow direction.
- Establish which devices need to communicate with which devices. Is it an open policy, meaning
everybody can talk to everybody? Should that even be allowed?
- Highlight interconnections to other networks such as Corporate IT, business partners,
Inter-Control Center Communications Protocol (ICCP) links and Internet Service Providers (ISPs).
- In addition to identifying vulnerabilities on the network, one must perform a similar assessment
on the end devices that connect to the network infrastructure.
NOTE: Having up-to-date documentation/drawings is key to knowing, understanding and
implementing changes in a network. Running packet analyzers will also help you discover what
protocols are using network resources.

How or where do I implement security policies?
Depending on your specific industry, there are several ground rules to follow, as highlighted in the
previous slide.

Physical security means, on the one hand, restricting the physical access of personnel to certain
areas of the company. This starts with conventional building access at the gatekeeper and extends to
securing sensitive areas by means of key cards. The goal is to keep unauthorized persons out, to
make it difficult for someone to intentionally introduce malware, and to prevent industrial espionage.

Default passwords are very easy to obtain from the vendor's user guides. NERC-CIP proposes the use
of the following criteria: at least 8 characters long, containing at least one uppercase and one lowercase
letter, at least one number, and at least one non-alphanumeric character (e.g. @, %, &, *,
etc.).

Stay away from clear-text protocols, which, if intercepted, pose significant security
problems, such as revealing what passwords are being used. Your equipment should support
protocols that are capable of encrypting the session between the field device and the managing end
user.

Layer 2 may be subject to attacks such as:
- MAC address table overflow. This is when crafted traffic with bogus MAC addresses starts maxing out
the switch's MAC table. This may result in legitimate traffic being treated as if it were broadcast traffic. To
counter this attack, you can limit the number of MAC addresses learned on a switch port.
- ARP-based attacks: ARP spoofing and ARP flooding. Malicious ARP packets are injected and can thus
spoof legitimate hosts in the network. The result is that traffic gets detoured towards the attacker.
- VLAN hopping. An attacker may send frames destined for another host (the victim) on a different VLAN
that otherwise could not be reached by the attacker. Double-tagging is one way of achieving this.
- Spanning Tree. If a rogue switch with a lower bridge priority than the current Root Bridge is connected,
this rogue switch will be elected as the new Root Bridge. This may lead to network disruptions.
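The NERC-CIP password criteria quoted above, turned into a check, as an added example that is not part of the Siemens material: the function lists which criteria a candidate password fails, and the audit additionally flags passwords that match a list of vendor defaults. The default-password list is constructed for the example; in practice it is built from the vendor user guides the text mentions.

```python
"""Added example, not code from the Siemens material: checks device passwords
against the NERC-CIP criteria quoted in the text (at least 8 characters, at
least one uppercase and one lowercase letter, at least one number, at least
one non-alphanumeric character) and against a list of vendor default passwords.

The default-password list below is constructed for this example."""

CONSTRUCTED_DEFAULTS = {"admin", "password", "1234", "operator", "guest"}


def policy_failures(password: str) -> list:
    """Return the NERC-CIP criteria the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def is_default(password: str, defaults=CONSTRUCTED_DEFAULTS) -> bool:
    """Case-insensitive match against the known vendor defaults."""
    return password.lower() in defaults


def audit(credentials: dict, defaults=CONSTRUCTED_DEFAULTS) -> dict:
    """Map each account to its problems; an empty list means the password is acceptable."""
    report = {}
    for account, password in credentials.items():
        problems = policy_failures(password)
        if is_default(password, defaults):
            problems.append("matches a known vendor default")
        report[account] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts as found on a freshly commissioned device.
    for account, problems in audit({"admin": "admin", "ops": "Sub5tation!Key"}).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

The policy check and the default-list check are kept separate on purpose: a password can satisfy every complexity rule and still be the one printed in the manual, so a commissioning checklist needs both.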
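The two Layer 2 mitigations named above, as an added example that is not part of the Siemens material: a simulated switch MAC table that learns at most N source addresses per port (port security, the countermeasure given for MAC table overflow), and an ARP reply check against a static IP-to-MAC binding table (the usual countermeasure for ARP spoofing). All ports, MAC addresses, frames and bindings are constructed.

```python
"""Added example, not code from the Siemens material: simulates the Layer 2
mitigations the text names. (1) Port security: the switch learns at most N
source MAC addresses per port, so a burst of bogus addresses cannot fill the
MAC table and make the switch flood legitimate traffic. (2) ARP inspection: an
ARP reply is accepted only if its sender IP/MAC pair matches a static binding
table, which stops a spoofed reply from redirecting traffic.

All ports, MAC addresses, frames and bindings are constructed for the example."""
from collections import defaultdict


class PortSecurityTable:
    """A switch MAC table with a per-port limit on learned addresses."""

    def __init__(self, max_per_port: int):
        self.max_per_port = max_per_port
        self.learned = defaultdict(dict)   # port -> {mac: True}
        self.violations = []               # (port, mac) pairs that were refused

    def learn(self, port: str, mac: str) -> bool:
        """Learn a source MAC on a port; refuse once the port's limit is reached."""
        macs = self.learned[port]
        if mac in macs:
            return True
        if len(macs) >= self.max_per_port:
            self.violations.append((port, mac))   # a real switch would also log/alarm here
            return False
        macs[mac] = True
        return True

    def size(self) -> int:
        """Total number of learned entries across all ports."""
        return sum(len(m) for m in self.learned.values())


def constructed_frames(flood_port: str, count: int):
    """One legitimate frame on each normal port plus `count` frames with distinct
    bogus source MACs on `flood_port` (constructed test traffic)."""
    frames = [("p1", "00:11:22:33:44:01"), ("p2", "00:11:22:33:44:02")]
    frames += [(flood_port, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(count)]
    return frames


def run_flood(limit: int, flood_count: int = 1000) -> PortSecurityTable:
    """Feed the constructed frames through a table with the given per-port limit."""
    table = PortSecurityTable(limit)
    for port, mac in constructed_frames("p3", flood_count):
        table.learn(port, mac)
    return table


# Constructed static IP -> MAC bindings for the hosts on this segment.
STATIC_BINDINGS = {
    "10.0.0.10": "00:11:22:33:44:01",
    "10.0.0.11": "00:11:22:33:44:02",
}


def inspect_arp(reply: dict, bindings=STATIC_BINDINGS):
    """Return None if the ARP reply matches the bindings, else the reason to drop it."""
    ip, mac = reply["sender_ip"], reply["sender_mac"].lower()
    expected = bindings.get(ip)
    if expected is None:
        return f"drop: no static binding for {ip}"
    if expected.lower() != mac:
        return f"drop: {ip} claimed by {mac}, bound to {expected}"
    return None


if __name__ == "__main__":
    with_limit = run_flood(limit=2)
    print("entries with limit 2:", with_limit.size(), "refused:", len(with_limit.violations))
    print(inspect_arp({"sender_ip": "10.0.0.10", "sender_mac": "de:ad:be:ef:00:01"}))
```

With a limit of two addresses per port the table holds four entries no matter how many bogus frames arrive on the flooding port, and every refused address is recorded, which is the event a monitoring system should alarm on. Without a limit the same traffic fills the table, which is the condition the text describes.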

Allow only authorized devices and users to connect to the network by enforcing authentication. If the
authentication fails, those devices or users will be unable to send or receive traffic at all.

Most routing protocols support some level of authentication. A rogue router could simply learn your
network topology by exchanging routing messages with your routers, only to then advertise better
metrics to networks that exchange critical data. This data could then be collected.
- RIP: timed keys
- OSPF: message digest keys
- BGP: passwords on a per-neighbor basis
- IS-IS: area authentication

The network layer may be subject to other forms of attack, for example, but not limited to:
- IP spoofing. An attacker may source packets as if they were coming from a trusted host.
- ICMP attacks such as ICMP Denial of Service, ICMP flood, IP directed broadcast, ICMP
tunnel (any UDP/TCP traffic can piggyback on echo requests/replies), etc.
- Packet sniffing.

Protect insecure communications to other networks you don't have control over, for example an
interconnection between a control network and the corporate IT network.
Other layers to protect include the transport layer (Layer 4), where attackers may run port scanners to
discover what services your devices have open. Also, if traffic gets intercepted, a TCP session could
potentially be hijacked and taken over by an attacker.
Elements that help you protect these communications range anywhere from firewalls and Intrusion
Detection Systems/Intrusion Prevention Systems to VPN (Virtual Private Network) capable devices.
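Two of the network-layer defences described above, as an added example that is not part of the Siemens material: ingress filtering against IP spoofing (a packet arriving on an interface must carry a source address from a prefix legitimately reachable through that interface), and keyed-digest authentication of routing updates so that a router without the shared key cannot inject or alter routes. The digest used is HMAC-SHA256 over the serialized update, a simplification of the keyed digests the text lists for RIP and OSPF, not their wire format. Interfaces, prefixes, keys and packets are all constructed.

```python
"""Added example, not code from the Siemens material: two network-layer
defences the text calls for. (1) Ingress filtering against IP spoofing. (2)
Keyed-digest authentication of routing updates. The digest is HMAC-SHA256 over
the serialized update, a simplification of the keyed digests the text
mentions; it is not the OSPF or RIP wire format.

All interfaces, prefixes, keys and packets are constructed for the example."""
import hashlib
import hmac
import ipaddress
import json

# Constructed: the source prefixes legitimately seen on each interface.
EXPECTED_SOURCES = {
    "control_lan": [ipaddress.ip_network("10.10.0.0/16")],
    "corporate_link": [ipaddress.ip_network("172.16.0.0/12")],
}


def spoofed(interface: str, src_ip: str, table=EXPECTED_SOURCES) -> bool:
    """True when src_ip does not belong to any prefix expected on this interface."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in table.get(interface, []))


def filter_packets(packets):
    """Split (interface, src, dst) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if spoofed(pkt[0], pkt[1]) else accepted).append(pkt)
    return accepted, dropped


def sign_update(update: dict, key: bytes) -> dict:
    """Sender side: serialize a routing update and attach a keyed digest."""
    body = json.dumps(update, sort_keys=True)
    digest = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "digest": digest}


def verify_update(message: dict, key: bytes):
    """Receiver side: return the routes if the digest checks out, else None."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["digest"]):
        return None          # discard: wrong key or tampered body
    return json.loads(message["body"])["routes"]


# Constructed traffic: the second packet claims a control-LAN source address
# but arrives on the corporate link, which is what a spoofed packet looks like.
SAMPLE_PACKETS = [
    ("control_lan", "10.10.1.5", "172.16.0.9"),
    ("corporate_link", "10.10.1.6", "10.10.0.1"),
    ("corporate_link", "172.20.3.4", "10.10.0.1"),
]
SHARED_KEY = b"constructed-routing-key"   # in practice taken from device configuration


if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    print("accepted:", accepted)
    print("dropped as spoofed:", dropped)
    update = sign_update({"router": "r1", "routes": ["10.10.0.0/16"]}, SHARED_KEY)
    print("routes from authenticated update:", verify_update(update, SHARED_KEY))
    print("same update with a wrong key:", verify_update(update, b"wrong-key"))
```

Both checks are cheap and stateless, which is why they belong on the interconnection to a network you do not control: the ingress filter discards packets whose claimed origin is impossible for the interface they arrived on, and the digest check discards any routing update whose body was altered in transit or signed with a key the sender does not hold.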

Siemens has been monitoring the development of the various industry-specific security standards,
including NERC CIP, ISA S99, AGA 12, IEC 62443, ISO 17799:2005 and PCSRF SPP-ICS, to ensure
that all Siemens RUGGEDCOM products contain the features necessary to comply with the identified
requirements. Siemens is committed to providing a complete cyber security solution. By combining the
security features of the RUGGEDCOM switches with those of the Multi Service Platform cyber security
appliance, Siemens customers are able to establish an electronic security perimeter around their critical
infrastructure in order to prevent the disruption of mission-critical applications by accidental or malicious
acts.

Multi Service Platform

The Multi Service Platform has been specifically developed to provide an Electronic Security Perimeter
for the protection of critical cyber assets. The RUGGEDCOM Multi Service Platform is the main point of
entry between the local area network (plant floor or substation) and the outside world. The Multi Service
Platform combines a layer 3 router, a firewall and a VPN in one device.

Key RUGGEDCOM Multi Service Platform cyber security features include:
- Firewall: stateful firewall to control traffic between different security zones of trust within a network.
Includes Network Address Translation (NAT) to prevent unauthorized or malicious activity, initiated by
outside hosts, from reaching the internal LAN.
- Virtual Private Networking (VPN): provides secure communication links over networks. Ensures
confidentiality, sender authentication and message integrity, and uses IPsec (IP Security) for encryption
and authentication of all IP packets at the network layer.
- Strong Encryption: utilizes various encryption algorithms (DES, 3DES, AES) to obscure information
and make it unreadable without special knowledge.
- (Optional): Check Point (firewall/IDS/IPS/anti-virus), SecureNOK (IDS) and Snort (IDS/IPS) can be run
on the ROXII APE module.

RUGGEDCOM Switches

The RUGGEDCOM Ethernet switches provide security at the local area network level. The key
cyber security features of these switches include:
- Passwords: multi-level user passwords secure the switch against unauthorized configuration
- SSH / SSL: extends password protection by encrypting passwords and data as they cross the
network
- Enable / Disable ports: capability to disable ports so that traffic cannot pass
- 802.1Q VLAN: provides the ability to logically segregate traffic between predefined ports on
switches
- MAC-based port security: the ability to secure ports on a switch so that only specific devices / MAC
addresses can communicate via that port
- 802.1X Port-Based Network Access Control: the ability to lock down ports on a switch so that
only authorized clients can communicate via this port
- RADIUS protocol: switches act as authenticators and interact with an authentication server in order to
validate user or field device credentials
- SNMPv3: encrypted authentication and access security

SSL:
Secure Sockets Layer (SSL) provides endpoint authentication and communications privacy over the
Internet using cryptography. It is widely used for web browsing, e-mail and other data transmission. In
typical use, only the server is authenticated while the client remains unauthenticated.

SSH:
The Secure Shell protocol is an encryption protocol. It allows two machines to
communicate with each other using authentication. SSH also supports tunneling, port
forwarding and file transfer.

HTTPS:
Data transported via plain Hypertext Transfer Protocol (HTTP) is readable as plain text. It is
important that the transmission of confidential and personal data is secure and protected against
unauthorized access. HTTPS is the secure version of HTTP, the protocol over which data is sent
between your browser and the website you are connected to.
When you request an HTTPS connection to a web page, the website will initially send its SSL
certificate to your browser. This certificate contains the public key needed to set up the secure
session. Based on this initial exchange, your browser and the website then initiate the 'SSL
handshake'. This SSL handshake involves the generation of shared secrets to establish a uniquely
secure connection between you and the website.

RUGGEDCOM CROSSBOW

A proven Secure Access Management solution designed to provide NERC CIP compliant access
to Intelligent Electronic Devices. The CROSSBOW solution focuses on delivering productivity gains
for administrators and users while achieving full NERC compliance in managing, securing and
reporting on remote access.
