Security for Process Automation with SIMATIC PCS 7

Today, process plants are either directly or indirectly connected to the Internet which puts their operations, product quality, and profits at risk. SIMATIC PCS 7 offers a security concept for reliable defense against this potential danger and comprehensive protection of production systems.

Application

The SIMATIC PCS 7 security concept offers comprehensive solutions for the protection of process plants. The concept is based on nested security architecture (defense-in-depth) and represents an integrated approach. It is not limited to the use of individual security procedures (such as hierarchical authority distribution, authentication and encryption) or devices (such as firewalls). Its strength instead lies in the combination of a variety of security measures working together in the plant network. Segmentation of the plant into individual security cells ultimately results in a closed system in line with the definition of ISA 99 - Security for Industrial Automation and Control Systems.


Benefits

  • Siemens offers an integrated, comprehensive security solution, tailored to the specific requirements of process plants.

  • Defense-in-depth security concept increases protection & reduces risk, thereby increasing plant availability.

  • Complete Security Life-Cycle Support helps to protect your plant.

Virus protection and firewalls

Firewalls and virus scanners at dedicated access points protect individual computers or networks within the security cells against unauthorized access and infiltration.

The SIMATIC PCS 7 Security Concept supports the use of the Microsoft® Forefront Threat Management Gateway, the Windows firewall as well as Scalance S security modules and VPN connections to IPSec. These modules differ from office equipment due to their industrial capability and optimized communication of process information. In addition to firewalls, virus scanners are the most well-known security precautions. SIMATIC PCS 7 supports the three most commonly used virus scanners for production and control systems.

  • Trendmicro™ Office Scan Corporate Edition.

  • Symantec™ Antivirus Corporate Edition.

  • McAfee™ VirusScan Enterprise.

A. Automation firewall

The automation firewall is based on the Microsoft ®Forefront Threat Management Gateway 2010, and it is provided with stateful inspection packet filters, application layer firewall, VPN gateway functionality, URL filtering, Web proxy, virus scan, and intrusion prevention. It thus protects the access point to the production environment e.g. from the office or intranet/Internet networks. It can be used as follows, depending on plant size:

  • Access point firewall for secure remote access in process plants and IT networks.

  • Three-homed firewall for plants with complex perimeter networks.

  • Front and back firewall for maximum protection in larger plants with extensive perimeter networks.

  • The automation firewall is supplied preinstalled. A user-friendly configuration wizard is provided for setup.

B. Application whitelisting

Application whitelisting protection mechanisms guarantee that only trustworthy applications and programs are executed on a station of the SIMATIC PCS 7 process control system. They prevent both the execution of illegal software and the modification of installed applications, thus adding to the existing protection against malware (malicious software)

1. Benefits of Whitelisting

  • Based on a positive list, so it does not require continuous updates to combat new malware threat.

  • Additional "layer of defense"

  • Effective protection against "zero-day exploits"

  • Logging of attacks on the system (local / central)

2. PCS 7-specific support

  • McAfee Application Control has been compatibility-tested with the following PCS 7 versions:     V6.1.4, V7.0.3, V7.1.2, V7.1.3 and V8.0

C. User and rights management

  • Consistent user and rights management with precise access control is another key element of the security concept. The Least Privilege Principle applies here. This means that the individual user or the individual application receives only those rights required for the actual task at hand. This is the best way to avoid intentional or unintentional operation errors.

  • SIMATIC PCS 7 supports central user management with the SIMATIC Logon software package, which enables the assignment of permissions for SIMATIC applications and plant areas.

  •  Logon uses the Windows user management tools for functions such as automatic logoff and automatic expiration of passwords.

Key points for efficient industrial security solutions when planning and implementing efficient industrial security solutions, the following five starting points must be taken into account :

  • Implementation of an appropriate system-wide security management system with regard to the technology and the engineering and production processes.

  • The interfaces to office IT and the Internet/Intranet are subject to clear regulations – and are monitored accordingly.

  • Protection of PC-based systems (HMI, engineering and PC-based controllers) by means of antivirus software, whitelists, and integral security mechanisms.

  • Protection of the control level.

A. with automatically active security functions already integrated into the automation and drive components –

    e.g. IP      hardening.

B. with security functions that have to be activated by the programmer – e.g. setup of access password.

  •  Monitoring of all communication with systems for the purpose of detecting intruders, and intelligent segmentation of the network with the help of firewalls.

Please click on Ask To Expert to write your Query.