Digital technologies have been part of the production and automation world for several years now. In the past, automation was shaped by fieldbuses – some of which were proprietary. Typical applications were primarily isolated solutions whose communication options were limited. Achieving transparency across the overall production situation was tedious and involved considerable, sometimes manual, effort.
Today, standardized network technologies and communication standards, such as Ethernet, Profinet, and OPC-UA, are implemented in the industry, resulting in ever-increasing integration with the companies’ IT systems. For example, data from the production systems are fed back into the planning or customer systems, or the other way round, orders are digitally forwarded to the production systems. The connection to file servers, databases, email and messaging services, domain controllers, time synchronization systems, and other digital services that we know from the IT industry, are also becoming increasingly standard in production.
There is a convergence of IT technologies with production technologies, which brings many advantages: for example, more shared know-how, increased continuity and integration of technologies, a higher degree of networking, more flexibility, and less dependence on manufacturers. This convergence thus forms the basis for corporate digitization. However, the associated convenience and the increased functionality and options also bring with them the risk of cyber-attacks. Possible effects of such an attack range from production downtime, loss of production or engineering data, and the leaking of company secrets (e.g. process data), to loss of customer confidence. A possible blackmail situation – a loss of customer data – can cause lasting damage to the company’s image.
It is therefore sensible and necessary to address the topic of security in a structured manner, taking into account the special requirements of production, in order to minimize possible risks. This article will give you an insight into the world of cyber security in production and provide a starting point for approaching the subject.
KPMG study on awareness of cyber security in companies
The study on “Cyber Security in Austria” conducted by KPMG offers insights into domestic companies and the importance of cyber security in the industry across all sectors. Companies are being confronted with increasingly sophisticated technical attacks, but still have a false sense of security that these attacks can be quickly detected. Realistically speaking, the average time that attackers spend in the systems under attack has risen steadily in recent years and, according to estimates and studies, has now reached 100 to 170 days. The fact that 27% of the companies surveyed have no dedicated cybersecurity budget plays directly into the hands of the attackers. Making the case to management is difficult, since the success of security measures is hard to quantify. This could be counteracted with a suitable definition of Cyber Security KPIs.
In addition to all technical measures that can be taken to be alerted to cyber-attacks or to ward them off, and to keep the room for attacks as small as possible, employee training is still the most important factor. 79% of companies were alerted to potential cyber-attacks (such as phishing attacks, which are also a popular gateway in the industry) by trained and attentive employees. In the event of a cyber-attack, employees are the first line of defense and are crucial in preventing attackers from infiltrating a system or in identifying them early on.
Investment in cyber security is important because it helps a company maintain its ability to function when the unexpected occurs. However, it is not a guarantee for absolute security. The term ‘cyber resilience’ is often used in this context: it describes how resilient a company is to cyber-attacks and how it can compensate for them. Cyber security is part of a company’s quality commitment to its customers, and will therefore become increasingly important in the future. In Austria, a global trend is confirmed: Cyber-attacks will be ranked as the second largest risk to the economy in the next 10 years – just behind financial crises.
Threats that we are currently facing
Generally speaking, the latest findings on errors or vulnerabilities in software and hardware can be used for cyber-attacks within a very short time. Thus, it is also important to have an overview of the threat level in order to be able to react appropriately to cyber-attacks as a whole. The attack scenarios presented here are taken from the BSI Management Report 2019.
The most prominent example of identity theft is phishing, which attempts to obtain sensitive personal information through ‘social engineering’ methods. The victims are sent, for example, personalized emails and are asked to disclose passwords, access data, or account information.
The aim of an attack with ransomware is, as the name suggests, to get ransom payments from the victims. In this case, access to files or to one’s own computer is denied or restricted in order to blackmail the victim. However, in most cases it was observed that the perpetrators were either unable to restore access after the payment was made, or even made further demands, or simply did not respond anymore. A prominent agent of such ransomware was LockerGoga in 2019, which caused approximately 35 million dollars in damages to a Norwegian aluminum company. Effective measures against such attacks include, among other things, setting up an appropriate patch management and backup strategy.
The use of malware is part of almost every attack. ‘Malware’ is generally understood as software/programs that are capable of performing damaging functions. This umbrella term includes viruses, Trojans, and worms, among others. 114 million new malware programs were registered in 2019, an average of 320,000 new programs per day! No anti-virus manufacturer on earth could cover such an amount of malware in its anti-virus software. For basic protection, however, you should not forgo anti-virus software where possible. A particularly troublesome agent of the malware world is EMOTET, which behaves in a similar manner to an APT (Advanced Persistent Threat). This involves infecting the computer in an initial wave and then downloading further, more suitable software, which then carries out the final attack.
Distributed Denial of Service (DDoS)
A DDoS attack – in other words, overloading the network services with a large number of inquiries – is often the cause of network services malfunctioning, websites no longer being accessible, or critical business processes being blocked due to an overload. These attacks are usually carried out simultaneously by many computers or servers, usually with the goal of paralyzing customer-relevant Internet services or distracting victims from another attack. The total damage caused by these attacks in 2018 was approximately 4 billion euros.
Botnets enable attackers to access a large number of foreign systems (computers, smartphones, routers, IoT devices, etc.) and to misuse these for malicious purposes. Personal data can be intercepted from the systems in question and/or resources can be taken over, for example to carry out cryptomining or DDoS attacks. In 2019, botnets were primarily used to intercept personal data for online banking fraud. In general, an increase in IoT botnets based on Internet-connected home electronics was observed.
Spam (or unsolicited emails)
Traditional spam mostly carries advertising for products, securities, or services and is used at the same time for attempted fraud. Victims are encouraged to pay money in advance for a product or service which will never actually be delivered.
In the case of malware spam, the recipient is infected with malware. With phishing messages, users are asked to enter their login details (e.g. Internet banking, social networks, shopping portals, etc.) on websites that are operated by the attackers, who can use them to access data.
Industrial security concepts and solutions
The threat scenarios described above result in a number of security measures which must be defined depending on the actual level of risk. The selection, compilation, and commissioning of security solutions can be extraordinarily complex for users. That is why Siemens aims to offer customers the most automated and integrated solutions possible, and to support them at all levels.
One directive that can help to create a comprehensive security concept for industrial companies is IEC 62443, which defines security measures from the process level down to the product level. At the process level, the main focus is on organizational measures, such as awareness and setting up security processes. Siemens supports customers in this regard through training, assessments, and consulting. Moreover, Siemens offers services such as a Security Hotline or so-called Incident Response.
An important principle on the technical level is the “Defense-in-Depth” principle. This basically stipulates that the defense against threats should be built up in layers (onion layer model), each with its own defense mechanisms. If the defenses of one layer are breached, there are still other layers that can protect the important assets.
This principle (see the figure above) is also applied in security solutions from Siemens. Security is considered on the following levels:
- Plant security
- Network security
- System integrity
There are a number of security solutions for each of these levels. We would like to highlight some of these solutions in this article, in particular those that also offer the customer a special level of convenience through automation.
Monitoring is an important tool for detecting attacks on the plant level. For this purpose, the data traffic in production is analyzed and any deviations from the normal behavior are detected. The first step here is to record all the devices that are used in production in order to define this normal behavior. For example, the network traffic logged over a longer period of time in the OT can be used for this purpose. In this way, not only the devices that are currently in use can be determined, but also the communication relations between the devices and their customary communication behavior. Industrial anomaly detection software then uses device relationships and data transfers, but also in-depth protocol analyses, to determine whether devices are behaving abnormally and are thus potentially compromised. If suspicion arises, the incident is automatically assessed, and the events which have led to the current state are detected (Root Cause Analysis). Among other things, an alarm is triggered in a SIEM (Security Incident and Event Management) system. The information provided enables a team in the Security Operations Center (SOC) to react efficiently and avert possible damage. Siemens offers both active asset identification, which is specifically designed for industry requirements, and passive anomaly detection (Industrial Anomaly Detection).
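The baseline-and-deviation approach described above, as an added example that is not Siemens code and not part of the original article: a learning phase records which devices talk to which, and over which protocol and port; the detection phase then flags unknown devices, new communication relations, and known pairs using a protocol they never used during learning. All flow records, addresses, protocol names and ports are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed communication relation (constructed sample record)."""
    src: str
    dst: str
    proto: str   # e.g. "profinet", "s7comm", "smb" (labels only)
    port: int


class CommunicationBaseline:
    def __init__(self):
        self.devices = set()
        # (src, dst) -> set of (proto, port) seen during the learning phase
        self.relations = defaultdict(set)

    def learn(self, flows):
        """Learning phase: record devices and their customary relations."""
        for f in flows:
            self.devices.update((f.src, f.dst))
            self.relations[(f.src, f.dst)].add((f.proto, f.port))

    def check(self, flow):
        """Return the findings for one live flow (empty list = normal)."""
        findings = [f"unknown device {d}" for d in (flow.src, flow.dst)
                    if d not in self.devices]
        pair = (flow.src, flow.dst)
        if pair not in self.relations:
            if not findings:  # both devices known, but never talked before
                findings.append(f"new communication relation {flow.src} -> {flow.dst}")
        elif (flow.proto, flow.port) not in self.relations[pair]:
            findings.append(
                f"unexpected protocol {flow.proto}/{flow.port} on {flow.src} -> {flow.dst}")
        return findings

    def detect(self, flows):
        """Detection phase: map each anomalous flow to its findings."""
        result = {}
        for f in flows:
            findings = self.check(f)
            if findings:
                result[f] = findings
        return result


# Constructed learning traffic: engineering station (.10), PLC (.20), HMI (.30).
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", "s7comm", 102),
    Flow("10.0.1.30", "10.0.1.20", "profinet", 34964),
    Flow("10.0.1.20", "10.0.1.30", "profinet", 34964),
]

# Constructed live traffic: one normal flow and three deviations.
LIVE_FLOWS = [
    Flow("10.0.1.30", "10.0.1.20", "profinet", 34964),  # normal
    Flow("10.0.1.30", "10.0.1.20", "s7comm", 102),      # HMI suddenly programs the PLC
    Flow("10.0.1.30", "10.0.1.10", "smb", 445),         # relation never seen before
    Flow("10.0.1.99", "10.0.1.20", "s7comm", 102),      # device not in the asset list
]


def run_detection():
    baseline = CommunicationBaseline()
    baseline.learn(LEARNING_FLOWS)
    return baseline.detect(LIVE_FLOWS)


if __name__ == "__main__":
    for flow, findings in run_detection().items():
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {'; '.join(findings)}")
```

In a real deployment the learning set would come from traffic captured over weeks, and each finding would be forwarded to the SIEM as an alarm rather than printed.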
Anomaly detection is accompanied by an overview of the patching status of the individual devices. Since new vulnerabilities are constantly being discovered which could be exploited for attacks, it is essential to equip devices with the latest software, e.g. by installing updates, in order to keep the security level of the system as high as possible. While doing so, it is important to ensure that the operation of the system is not disrupted. Siemens carries out proactive Security Monitoring of its products with a team of recognized security experts at ProductCERT. Any vulnerabilities that are discovered in Siemens products are evaluated, solutions are found or proposed, and they are ultimately published as Security Advisories. Siemens customers are thus proactively informed about potential vulnerabilities in their systems. In doing so, the effects of vulnerabilities on Siemens products are evaluated using the various metrics of the CVSS standard, and these metrics are finally bundled into a score that indicates the overall severity.
Based on this, Siemens has developed the Industrial Vulnerability Manager, which makes it possible to receive automated notifications of security gaps for components in use. Notifications are not limited to Siemens components or products, but also include other Components-Off-The-Shelf (COTS). The software components to be monitored do not have to be specified manually, but can be derived automatically from the data already available in the TIA Portal or SINEC NMS. The Industrial Vulnerability Manager thus provides the overview needed for vulnerability management and also supplies more detailed information on the vulnerabilities found, as well as details on possible patches. The app to visualize the detected vulnerabilities is either operated in the cloud as a MindSphere app or directly on AWS. To meet more discerning customer requirements, an “on-premises” option is also offered.
The network is one of the main gateways for cyber-attacks. Attackers usually scan for open ports and services in the network, and try to find the associated vulnerabilities. These scans are semi-automated or fully automated, and provide a list of all vulnerabilities in the network. These vulnerabilities can then be attacked.
The goal here is to make it as difficult as possible for the attackers, meaning access to devices, networks, and network components should only be possible with appropriate authentication and authorization. Network security also includes communication paths between network participants that are secure and that ensure integrity (e.g. encrypted networks), especially in places where the network cannot be trusted.
Siemens therefore recommends the following for industrial networks:
Network separation and DMZ
Network separation involves creating separate network segments with firewalls, routers, and switches. IEC 62443 also recommends creating a physically separate network with its own hardware infrastructure for automation.
Remote maintenance access must be strictly monitored and standardized within the company. Systems that have their own remote maintenance solutions must be converted in accordance with a company-wide remote access strategy. The following are important requirements in this regard: central manageability, overview of currently active external accesses, secure communication, clear identification, authentication, authorization, and traceability of actions. Any external access to the automation network must be prevented.
Automation cells or systems should, where possible, be protected by a firewall in order to prohibit general direct communication with the system or cell.
Communication should only be permitted via clearly defined and monitored interfaces, ports, and protocols. The permitted communication must be reviewed regularly in order to revoke communication that is no longer authorized (for example, communication that was permitted temporarily for troubleshooting or maintenance work).
The innermost layer of the “Defense-in-Depth” line of defense is the protection of the devices themselves that are installed in production. There are different areas here that should be protected. One item that falls into this category is the copy and know-how protection for software and data. Siemens offers functionality in numerous devices to protect customer know-how (e.g. copy protection of memory cards, password protection for function blocks, linking function blocks to the serial number of a control system, etc.).
Access control to the devices also plays a key role in system integrity. Only authenticated users or devices should have access to essential functions (e.g. configuration, reading and writing of data) from other devices. The User Management and Access Control (UMAC) in the TIA Portal guarantees authenticated access to Siemens devices.
UMAC means “User Management and Access Control” and refers not only to the authentication of users, but also to the assignment of rights based on the identity of the user. The result is that rights can be managed very precisely. To increase the customer’s level of convenience, there is the option of combining an existing Windows Active Directory with UMAC, and thus managing users centrally.
A popular gateway for attacks is vulnerabilities in the software or the configuration. Various measures, grouped under the umbrella term ‘system hardening’, can significantly reduce the attack surface. These include, above all, restrictive rights management (least-privilege principle) and the deactivation of functionality or communication channels which are not required for the intended use of a device. So-called ‘whitelisting’ can be used, for example, to specify which applications are allowed to run on a system. The use of other applications, including potentially malicious ones, is automatically blocked.
To enable the customer to operate their devices securely, Siemens not only offers a wide range of configuration options, but also provides corresponding, detailed documentation. Moreover, many Siemens products are safely preconfigured ex works and are hardened by means of numerous methods during development. This development process is carried out in accordance with the requirements of the IEC 62443-4-1 Standard.
Secure development process
Security at Siemens is taken into account right from the get-go – Security by Design – and is already integrated in the planning phase. This is where the security requirements for the product are defined and a risk analysis is carried out continuously. As a result, a security concept is created and security measures are derived, which are then implemented during development. The development is supported by extensive security test methods, which ensure that there are no vulnerabilities in the software and firmware. Of course, this also includes third-party software, which is repeatedly checked for known vulnerabilities by means of a Monitoring Service. Any vulnerabilities must then be remedied by the manufacturer.
As previously mentioned, Siemens products are already delivered according to the “Security-by-Default” principle, i.e. there is a default configuration which is intended to offer a high level of security. To ensure that the customer actually receives the software and firmware developed in accordance with high security requirements, it is signed. This allows the origin to be verified; some Siemens devices also offer the feature of checking the firmware directly upon starting the device (“Secure Boot”).
Patching and Incident Handling
Patches and updates are rolled out centrally at Siemens via the Siemens Industry Online Support (SIOS). If vulnerabilities are detected in its own products, internally or externally, a central office takes care of further action. Any interested party can report vulnerabilities to the Siemens CERT Service, request to be notified when new vulnerabilities in Siemens products become known, and learn how to remedy them.
By already integrating security methods from the planning stage, through to development and operation of the devices at the customer, Siemens implements a comprehensive security concept that is intended to help customers secure their products in the best possible way at the device level.
Outlook and conclusions
No one, neither the manufacturer nor the customer or user, should be under the illusion of absolute security. Cyber Security is all about finding the right compromise between expenditure and benefit. Questions that need to be answered here are, e.g.: Which risks am I willing to take, and which risks am I absolutely not willing to take? What are the most important assets that I want to protect? The protection of customer data and business secrets, as well as the continuity of production capability, are usually top priorities here.
However, topics such as usability also play an important role in the implementation of security measures, as successful implementation depends strongly on the acceptance of said measures by the workforce. Employees will not support measures that hinder them in carrying out their daily work, and such measures can then prove to be useless or even counterproductive.
It is not only paramount to take measures to prevent cyber-attacks, but also to detect an attack and define a course of action on how to react accordingly. In other words, in the unpleasant event that an attacker has managed to compromise a system, processes and procedures should be in place which allow employees to act efficiently and to avoid any harm from being done.
Siemens supports its customers with a wide variety of solutions and measures to implement a “Defense-in-Depth” strategy: starting from the system level, with monitoring solutions and vulnerability scanners, to the network level, for which the company can provide devices and services to ensure secure network operation, all the way to its devices, which are developed in compliance with the criteria of the IEC 62443 Standard for industrial security.
“In addition to technical measures, we also make our expertise available to our customers and provide organizational support in the form of our training and consulting services. Furthermore, Siemens has an international team of security experts, who react to new threats quickly and inform customers immediately,” Siemens representatives say.
With the increase of networking and digitization of production facilities, security-related issues are also becoming more and more important. With its comprehensive security strategy, Siemens is a great partner.
Copyright: Siemens Austria