Banished from Digital Paradise - IT Security in Industrial Networks

Introduction

The appearance of the Stuxnet trojan in the summer of 2010 marked something of a turning point in terms of the protection of industrial systems and critical infrastructure: Suddenly the vulnerability of systems had become more than simply a hypothetical issue which concerned IT departments – it had been exposed as a practical reality. Nobody had previously conceived of the possibility that anyone would have either the inclination or the technical means to infiltrate industrial systems and to selectively influence targeted processes. Stuxnet highlighted the need for everyone involved in the life cycle of industrial systems to adopt a whole new approach and to reassess existing security concepts.

A study conducted by the ARC Advisory Group in May 2011 revealed that companies currently allocate more than two percent of their control system budget to IT security, not including the associated internal personnel costs. This represents a 1.5% lower budget allocation than is expended on office IT security. The ARC analysts estimate that expenditures on IT security is set to rise still further in the future. Every individual corporation has to measure the probability of attack and the extent of any resulting damage with the associated costs of adopting security measures to ward off possible attack and reduce the residual risk to an acceptable minimum. These are the basic considerations which determine which protection concept a company should adopt.

Tino Hildebrand

“The problem is that security is not a product you can pick off a shelf, security is something you have to create”,
explains Siemens Manager Marketing Industrial Security Tino Hildebrand. Security begins on the management level and ends with each and every employee. When staff members write their PC access codes in the telephone directory or even attach them to the monitor in full view scribbled on a memo note, then there is a lack of understanding about security awareness.

These bad habits are widespread and offer a simple route into the network for would-be perpetrators. Only when every individual understands the risks involved and when a security policy is firmly rooted into all their actions, will hackers, saboteurs or spies be deterred.

Security is afforded by such simple measures as locking doors to server cabinets and distribution boards, providing access control systems to restrict entry to rooms and computers, installing locks for USB ports and setting up extensive security checks before allowing access to programs. “Security is a process. Once it has been introduced it has to go on being tested, updated and maintained over the entire life cycle of a plant or system,” emphasizes Hildebrand. In the face of ever more specialized attacks on individual complex systems, new and different defense strategies are called for.

Security concepts borrowed from classical office IT systems cannot be directly transposed for use in automation technology. Quite distinct protection needs and requirements in fields such as real time behavior call for a different approach and a different type of security solution. Another factor is that universal IT security product suppliers such as McAfee, Symantec, Trend Micro, Cisco and others have only recently turned their attention to developing components specifically for industrial controls. Standard IT software products currently offered are not well-suited for use in production. To be truly effective, virus databases have to be updated on a daily basis. In a production environment, scope for these regular updates is restricted: Regular virus checks would increase the system load to such an extent that it would compromise real-time capability. Importantly too, many systems operate around the clock, allowing maintenance teams only limited scope for keeping operating systems abreast of the latest developments.


Access protection is more efficient than most people think

Security needs to be reassessed

“These are all reasons why we should be taking a broader view of the whole IT security issue,” according to Rainer Glatz of the Electrical Automation Association, part of the German Engineering Federation (VDMA). “Presently, the industrial sector is concentrating too much of its energy on finding a technical solution to the problem, and is neglecting the necessary organizational measures and the need to engender awareness among employees.” In a bid to remedy this situation, the security guideline VDI 2182 was developed in Germany on the basis of the ISO 27001 concept for automation technology. The fundamental concept behind this series of guidelines is to set out a procedural model agreed between product manufacturers, automation software and end users which guarantees an optimum level of IT security. In an independent move, the ISA also drew up a series of technical reports on security technologies for industrial automation and control systems (ISA TR99).

Responsibility for adherence to these security regulations within companies lies not only with the system integrators but primarily with the system users themselves. The importance of the security issue is highlighted by a VDMA survey set up to analyze corporate IT security policy. Of those companies questioned, only 44% stated that they operated a classical IT security policy which exists not just on paper but is also subjected to regular checks. The degree to which the automation environment comes into this equation remains an open question. The advent of Stuxnet was to bring a long-overdue awakening to the sleeping dog that was the “automation level.”

“We have been endeavoring for years to prevent hackers from infiltrating our customers’ systems,” explains Hildebrand. However, as most systems are not operated by Siemens and frequently contain components from other manufacturers, owners and operators have to take responsibility for protecting themselves from IT attack. “As manufacturers, we do everything in our power to support them.” Valuable information is available to interested readers in a white paper published on the subject entitled “Security Concept PCS 7 & SIMATIC WinCC.”

PCS 7 Security Lab

Siemens runs a Security Lab dedicated to improving security for SIMATIC PCS 7 and WinCC. Founded in 2004, the lab works independently of conventional facilities used for product and system testing. Alongside continuous testing, the Security Lab is also responsible for the development of new industrial security architecture and security concepts. Different architecture models are regularly subjected to penetration tests by the Siemens Corporate Technology Computer Emergency Response Team (CERT).

Siemens CERT has been responsible for protecting Siemens’ own internal IT infrastructure and for secure product development since 1998. The team enjoys widespread recognition as an independent test body and trustworthy partner in dealing with security problems, developing preventive measures and assessing IT security. Head of Siemens CERT, Johann Fichtner, is well aware that Stuxnet is not the last instance in which a computer virus is likely to succeed in penetrating high-level industrial systems in a targeted attack. The worm was, to all intents and purposes, ordinary malware which capitalized very effectively on Microsoft weak spots. However, what Stuxnet demonstrated was that even proprietary systems present no obstacle where perpetrators have sufficient motivation and adequate resources to throw at them. The Stuxnet episode also clearly highlighted that separating automation and control systems from other networks offers no guarantee of security. Fichtner considers the most important approach to prevention to be in driving forward secure encryption and in subjecting not only processes but also products to security checks. On the corporate security level, he also considers it vital that the same level of importance be attached to setting up minimum requirements for IT security as for protecting infrastructures and safeguarding life and property.

Secure Hardware

Secure networking

Alongside changing codes of conduct, the automation components used naturally also have to comply with the same enhanced requirements in terms of IT security. A first line of defense for individual automation components entails restricting network and internet communication to an essential minimum. Making use of what is known as the cell protection concept, automation components can be grouped on a logical or communication-specific basis and separated from the rest of the network by means of firewalls and other security components.

This is something we are all familiar with from our own home office environment: Printers are hardly ever password-protected, theoretically allowing anyone gaining access to the printer to print out documents. Generally speaking this situation does not arise, as we lock the front door when no-one is home. Once we are working ourselves in the home office, the PC, notebook, DSL router and firewall protect the printer from outside access over the Internet. In this way, the printer is integrated into a “secure” cell. The same thing applies to the production environment: System components in secure automation cells are internally exposed. Although internal communication is permitted, the link between individual cells and the overall network is VPN and firewall protected. For servicing purposes, security modules open separate network access channels, restricted if required, in a similar way to systems used for instance for remote maintenance over the Internet.


Das Security Cell Konzept kapselt wirkungsvoll Kommunikationsteilnehmer

Right from the outset, all the automation components of the SIMATIC family were designed to be so robust and equipped with such defined communication mechanisms that they enable a control system to continue processing its program as usual even in extreme situations such as Denial-of-Service attacks or targeted violation of individual communication services. This affects both the lower communication layers (2 to 4) with their Ethernet and IP protocols and also the higher-level application protocols (layers 5 to 7) of the OSI model. In addition, for years now Siemens has been performing regular tests to ascertain the network robustness of its components, using load scenarios and protocol attacks which are continuously adjusted in line with the current threat situation. The experience gained through the performance of these tests has allowed the network robustness of these devices to be increased across the board. A cooperative arrangement of many years’ standing with CERN openlab (Conseil Européen pour la Recherche Nucléaire) has also made a major contribution towards enhancing the security of SIMATIC controls.

Secure software

Protection mechanisms such as access safeguards and firewalls need to be additionally configured. While this does involve a certain amount of initial outlay, it helps to prevent problems and costly troubleshooting processes later on when security-relevant incidents occur. Siemens provides support for these essential precautionary measures in the form of special security services. To prevent unauthorized persons from making changes to PLC programs or project engineering through the engineering software, the automation components have been fitted with access protection mechanisms.

Different protection stages are applied here: New functions or defects can be quickly integrated using firmware updates. To detect manipulated or falsified updates, every firmware file comes complete with checksums such as CRC (Cyclic Redundancy Check). To detect firmware manipulation or sabotage, Siemens supports digital signatures. These allow a target device to check the firmware file about to be installed and to accept only authentic updates.

“Today, Siemens automation products combine a far larger number of IT data security-related features than the models sold just a few years ago, and they are several generations removed from those sold a decade ago” Says Hildebrand. The Siemens security portfolio reflects the growing demand which has emerged on the back of the latest developments in industry. Alongside completely new solutions, improvements are being developed to many existing security functions such as user management, role-based access rights, encryption, attack detection, application whitelisting and other familiar technologies such as firewalls, all of which leave viruses and trojans such as Stuxnet largely powerless to cause damage in the industrial environment.