Transparency for machine manufacturers, integrators and operators
A TÜV Süd certificate based on IEC 62443 gives integrators and operators transparent insight into the IT security measures and confirms the security of Siemens' process for developing automation products.
- Security through design
- Security inspection and validation test
- Security update management
Protecting machines against cyber attacks
Protection against cyber attacks is growing more and more important for industrial companies. That’s why this aspect must be considered right at the development stage for new machines, and observed throughout the entire life cycle.
It is essential in this regard to perform regular PDCA (“plan-do-check-act”) cycles, as prescribed in standard IEC 62443. During the specification, design and development stages, manufacturers concentrate on potential points of attack and draft protection mechanisms. Then, in the marketing phase (once the product is on the market), they actively maintain its protection through security information and updates.
Implementing the requirements of the IT Security Act
Since 2015, operators of critical infrastructure facilities have been required to fulfill the requirements of the new IT Security Act. The focus is on maintaining operations in the event of an attack, and the PDCA cycles are coordinated with this requirement.
On the one hand, operators must determine the requirements for laying out the automation solution, and on the other they must define the measures that they themselves will have to implement. These include limited access to critical parts of the automation solution, for example.
Existing regulations on industrial cyber security
The new IT Security Act took effect in Germany on July 25, 2015. Under the act, key operators of critical infrastructures will be required to report any IT security incidents to the German Federal Office for Information Security (BSI) and to implement minimum IT security standards. Which operators this includes was determined, among other things, by the BSI with the help of a measurement table.
German IT Security Act ("IT Sicherheitsgesetz") – are you affected?
A total of seven industries (sectors) and around 700 systems are covered by the IT Security Act.
In addition to information technology and telecommunications in the strictest sense, the energy, food, finance, insurance, healthcare and water industries are required to meet minimum IT security standards and report incidents to the BSI.
The German government applies the 500,000 rule as the basis for determining which groups are covered by the act: if 500,000 or more citizens are dependent on a service, the system providing it falls under the reporting requirement. The amount these people consume is converted into a threshold value.
Part 1 of the BSI Kritis (Critical Infrastructure Protection) Regulation took effect in May 2016.
Deadlines apply from that point on. In other words, operators of critical infrastructures in the areas of energy, water, food, information technology and telecommunications will have to meet their reporting requirements to the BSI from November 2016 and observe the new industry-specific minimum IT security standards from May 2018.
Increased security requirements – what factors should you be aware of?
Source: The German Federal Office for Information Security (BSI)
A strong partner – how can Siemens help you?
Knowing what form protection must take
System integrators are often trail-blazers when a company’s IT security has to be improved. They work closely with the operator to establish the protection strategy that will meet the specified protection goals. The focus for the integrators is on implementing the automation solution at a functional level.
That’s why the PDCA solutions are mainly built around multiple functional and organizational measures, and include effectiveness checks for the protection measures, training for employees, documentation, and maintenance of the protective measures. Security – e.g. of recipes or passwords – must still be guaranteed when an automation solution is being dismantled.
Comprehensive concept according to IEC 62443
To protect industrial plants from internal and external cyber attacks, all levels must be protected simultaneously – ranging from the plant management level to the field level and from access control to copy protection. This is why our approach to comprehensive protection offers defense throughout all levels – “defense in depth”.
As the level of digitalization increases, so too does the importance of comprehensive security concepts for automation applications.
That's why Industrial Security is an essential element of Digital Enterprise, the Siemens way to Industrie 4.0. With defense in depth, Siemens provides a multi-layer concept that gives your plant both all-round and in-depth protection. The concept is based on plant security, network security and system integrity as recommended by ISA 99/IEC 62443.
Physical protection and security management for automation systems
Plant security starts with conventional building access and extends to securing sensitive areas by means of key cards. Tailored industrial security services include processes and guidelines for comprehensive plant protection. These range from risk analysis and the implementation and monitoring of suitable measures to regular updates.
Secure communication within industrial networks
One of the key challenges for consistent communication is establishing adequate protection for easily accessible systems. With professional planning, design and implementation of available, efficient network structures, communication can be kept both continuous and secure.
The focus here is on availability and on protecting automation networks against unauthorized access. Network security management, network segmentation (e.g. a DMZ) and encrypted communication using industrial security appliances, Internet and mobile radio routers, and SIMATIC S7 security communication processors are an integral part of the planning phase, with the support of Siemens Professional Services for industrial networks.
In addition, our product portfolio has been optimized for use in automation technology and designed for the requirements of industrial networks.
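The segmentation idea above (plant level, DMZ, control level, field level, with traffic allowed only over defined conduits between neighbouring zones) can be checked mechanically before a firewall ruleset is rolled out. The following is an added example, not code from Siemens or from this page; the zone names, service names and sample rules are constructed assumptions used to illustrate the zones-and-conduits model, not a product configuration.

```python
"""Zone/conduit policy check for a defense-in-depth network layout (added example)."""
from dataclasses import dataclass

# Hypothetical zones ordered from the plant-management level down to the field level.
# The rank expresses how many "levels" apart two zones are.
ZONE_RANK = {"enterprise": 0, "dmz": 1, "control": 2, "field": 3}

# Allowed conduits: (source zone, destination zone) -> services permitted on it.
# Anything not listed is denied by default. Note that there is deliberately no
# ("enterprise", "control") entry: the DMZ mediates between the two levels.
CONDUITS = {
    ("enterprise", "dmz"): {"https", "opcua"},
    ("dmz", "control"): {"opcua"},
    ("control", "control"): {"s7comm", "profinet"},
    ("control", "field"): {"profinet"},
    ("field", "field"): {"profinet"},
}


@dataclass(frozen=True)
class Flow:
    """One proposed firewall rule: initiator zone, responder zone, service."""
    src_zone: str
    dst_zone: str
    service: str


def evaluate_flow(flow):
    """Return (decision, reason) for a single proposed flow.

    Two checks are applied in order:
    1. the flow may not skip a level (it must pass through the intermediate zone);
    2. the service must be explicitly permitted on that conduit.
    """
    if flow.src_zone not in ZONE_RANK or flow.dst_zone not in ZONE_RANK:
        return ("deny", "unknown zone")
    if abs(ZONE_RANK[flow.src_zone] - ZONE_RANK[flow.dst_zone]) > 1:
        return ("deny", "skips a level; traffic must be relayed via the intermediate zone")
    allowed = CONDUITS.get((flow.src_zone, flow.dst_zone), set())
    if flow.service in allowed:
        return ("allow", "service permitted on conduit")
    return ("deny", "service not permitted on this conduit")


def audit_ruleset(rules):
    """Evaluate a list of Flow objects; return only the rules that violate the policy."""
    findings = []
    for rule in rules:
        decision, reason = evaluate_flow(rule)
        if decision == "deny":
            findings.append((rule, reason))
    return findings


# Constructed sample ruleset, as a planner might submit it for review.
SAMPLE_RULES = [
    Flow("enterprise", "dmz", "https"),       # historian web front end in the DMZ: fine
    Flow("dmz", "control", "opcua"),          # DMZ data collector reads from the PLC zone: fine
    Flow("enterprise", "control", "s7comm"),  # office PC talking straight to a PLC: violation
    Flow("dmz", "control", "https"),          # service not on the conduit: violation
    Flow("control", "field", "profinet"),     # PLC to I/O: fine
]

if __name__ == "__main__":
    for rule, reason in audit_ruleset(SAMPLE_RULES):
        print(f"{rule.src_zone} -> {rule.dst_zone} [{rule.service}]: {reason}")
```

The model is intentionally stateful-firewall-style: only the initiating direction is listed, so a reply from the field level back to the controller is not a separate conduit. In a real review the zone assignment of each address range and the service-to-port mapping would come from the plant documentation, which is exactly the material the PDCA "check" step should keep current.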
Protection of automation systems and control components
Whether you want to protect existing know-how or rule out unauthorized access to your automation processes from the outset and thus prevent production downtime, our comprehensive Industrial Security portfolio supports the implementation of targeted measures against a variety of threats, as well as the design of complete solutions for maximum protection.
Our integrated security features provide comprehensive protection against unauthorized configuration changes at the control level as well as against unauthorized network access, preventing the copying of configuration data and making any attempts to manipulate such files easier to detect.