Protect every drop of water from cyberattacksPlant availability and security of supply are top priorities in the water industry. In a digital world where IT and OT are merging more and more, both of these areas deserve special, around-the-clock protection from external attacks as well as negligent behavior on the part of employees. What they require is a comprehensive security concept that provides reliable protection from cyberattacks.
The digital transformation needs cybersecurity
As the potential threat of cyberattacks continually grows, water utilities are also becoming increasingly aware of suitable protective measures: They know that potential security vulnerabilities must be detected and eliminated. This change in thinking is mainly happening in industrial nations where plant security is also subject to ever stricter statutory regulations: for example, the IT Security Act 2.0 in Germany.
Many of the increasingly frequent cyberattacks on critical infrastructure are targeted ransomware attacks. Criminals use this type of malware to encrypt data and prevent it from being accessed. There’s usually a demand for ransom before the data is decrypted. But operators have more to fear than just the financial fallout: Control of their plants also falls into the hands of hackers.
Siemens helps the water industry protect its critical infrastructure from cyber threats by drawing on more than 30 years of experience in the field and a portfolio that’s unique throughout the world.
Defense-in-Depth Concept for the Water Industry
This whitepaper describes the threats and risks to which industrial automation and control systems in water and waste water treatment plants and networks are exposed, and introduces best practice concepts to minimize these risks and to achieve a level of protection to be implemented that is acceptable with regards to both the economic boundary conditions and the desired security level.
Ignoring cyber risks can kill the businessNatalia Oropeza, Chief Cybersecurity Officer of Siemens
Multilayer protection for water plantsWhat’s the best protection from intruders? In medieval times, people relied on multilayer protection concepts. They constructed a series of barriers that had to be overcome one by one. This concept is still being used today to provide security against cyberattacks: It’s called “Defense in Depth.”
Defense-in-Depth concept according to the recommendations of IEC 62443
Cybersecurity in the water industry should always be understood as a comprehensive process. To defend plants from internal and external threats, all levels have to be protected simultaneously – from the operation control level to the field level and from access control to copy protection.
This all-inclusive protection is provided by our Defense-in-Depth concept, a holistic approach based on plant security, network security, and system integrity as recommended by IEC 62443.
Security according to IEC 62443
Siemens has made it its business to guarantee plant security in the water industry in accordance with certifications and standards like IEC 62443, which is internationally recognized as the most comprehensive industrial security standard. IEC 62443 mainly covers national standards or is referred to by national standards. Generally speaking, requirements from local standards – for example, in calls for bids – can easily be aligned with security measures from IEC62443.
As a company, Siemens is a top promoter of cybersecurity – as also evidenced by its certification through external agencies like TÜV. Siemens is the first company to gain TÜV SÜD certification based on IEC 62443-4-1 for the PLM process at all of its Digital Industries product production and development locations. Security is already integrated based on multiple standards.
Furthermore Siemens – as one of the first system and solution providers – has been providing reference architectures (blueprints), which are tailored specifically to the needs of this industry. These blueprints and the corresponding documentation for the secure configuration of process control system and communication were certified to IEC 62443-3-3 for the first time in April 2020 by TÜV-Süd. In order to provide system integrators with a basis for a cyber security concept as well as low-effort and low-risk adaptation to customer-specific requirements, the corresponding documents are available at any time. Siemens therefore helps the operators of critical infrastructures to reach appropriate security levels for their plants that meet national standards – e.g. B3S WA and BSI Manual for Basic IT Security, which takes into account international standard IEC 6244.
Our Industrial Security Services are divided into three phases. In the first phase, our experts identify actual potential risks and help you develop a plant-specific security strategy. This strategy is then implemented and the identified security gaps are closed. In the third phase, we help you maintain the security status achieved by your plants over the long term.
The increased networking and digitalization of automation and IT systems as well as the growing threat of cyber attacks, is forcing plant operators to invest heavily in appropriate protection for their systems and plants in order to ensure security of supply. Siemens offers proven and certified security concepts for cyber security, for example the Defense-in-Depth concept, special reference solutions, and associated services as an integral part of plant design, engineering and operation. Users benefit from seamless concepts and solutions – with Siemens as their reliable partner.
Protection of machines and plants from unauthorized access
Consistent, logged access control is an essential protection mechanism for automation components. That’s exactly what the SIMATIC RF1000 access control reader provides. The RFID-based solution allows the simple and flexible implementation of electronic access management, making it possible to reliably identify personnel operating machines and plants and assign them appropriate access rights.
An especially practical and economical feature is the ability to use existing employee IDs as the basis for identification. SIMATIC RF1000 readers let you implement finely graduated access concepts as well as document procedures and save user-specific notes and instructions.
Whether it’s via dedicated line, telephone, mobile communication, or the internet, our portfolio includes everything you need for efficient and secure remote communication via remote networks – regardless of whether the communication is wired or wireless, IP-based or analog. You can implement communication connections via private and public networks that can be used for both telecontrol and teleservice.
The SINEC NMS Network Management System supports your plants’ network security with a series of functions, including central, rule-based firewall management. SINEC NMS enables the central configuration and management of SCALANCE S Industrial Security Appliances and offers numerous security-related features:
- central firmware updates
- comprehensive system backup and restore
- expanded certificate management
- central, rule-based management of firewalls and network address translation (NAT)
- local documentation feature via audit trails
- central forwarding of information via Syslog
Security guidelines for SIMATIC HMI operator devices and SIMATIC WinCC Unified
In automation, maintaining control of production and processes is a top priority. Even measures that prevent the spread of a security threat can’t interfere with it. We provide you with the right strategies to help you to realize more security when configuring and operating SIMATIC HMI operator devices and SIMATIC WinCC Unified projects. Specifically, we address the following areas:
- How can manipulations during configuration be minimized or totally prevented?
- How can device settings and access restrictions be used to reduce risks?
- How can external construction measures and device-specific settings be used to minimize risks?
- How can appropriate protection measures be used to prevent an unwanted remote access?
New security features in TIA Portal V17
Several security improvements have been introduced in TIA Portal V17 for communication between engineering stations, CPUs, and HMI panels. Users are guided through the process by a wizard. Basically:
- Encryption of communication using the transport layer security protocol or TLS by applying individual certificates for each partner. The certificates can be imported or created in the TIA Portal using the certificate manager
- Protection of confidential CPU configuration data using a user-defined password (optional)
- “Security by Default” concept: A number of options have been preconfigured and are set by default to ensure a higher security level for machines and plants
Secure control system architectures according to IEC 62443Whether your next project is a freshwater, wastewater, or desalination plant, we provide you with blueprints of system architectures that offer optimal protection from cyberattacks in plants of all sizes. Our sample architectures cover a range of typical applications and also include detailed guidelines for secure configuration.
Blueprints for control system architectures - available in our Water Portal for SIMATIC PCS 7 and WinCC
With our blueprints for diverse system architectures, you also get detailed guides for safe configuration – for freshwater, wastewater and (reverse osmosis) desalination plants.