
Cybersecurity in Industrial Automation

The document discusses the intersection of cybersecurity and industrial automation, highlighting the increasing reliance on IT and OT systems in manufacturing. It outlines the differences in security requirements between office IT and industrial IT, as well as the risks associated with Industry 4.0 and the importance of adhering to standards like IEC 62443 for security management. The document emphasizes the need for risk assessment and the implementation of security measures to protect critical infrastructures from cyber threats.

Cybersecurity in Industrial Automation

- Standards & Pragmatic Approaches

Florian Spiteller
March 2019
IT security vs. Functional safety
Manufacturing

[Diagram: a controller (PLC) connected to a machine; labels: "OT?", "no IT", "IT?", "no OT"]

Discrete connection between machines
• Point to point, analogue

3/27/2019 © DKE German Commission for Electrical, Electronic & Information Technologies of DIN and VDE 4
Changes in Manufacturing 1/2

[Diagram: controller (PLC) and machine on the OT side, office on the IT side]

1. Fieldbus connection between machines
   • IT and OT with different physical mediums
2. Ethernet-based fieldbus (IT and OT, but different networks) + remote services

Changes in Manufacturing 2/2

[Diagram: Factory A, Factory B and a supplier connected via the Internet]

3. IoT
   • From machine in country A to machine in country B within the cloud
   • Networks with security enabled

Implement Cybersecurity

Industrial systems rely more and more on the use of IT and OT:

• Increasing implementation of IT in OT
• Increased need for information
• Increasing degree of automation
• Increasing internal and external networking
• Prerequisite for Industry 4.0

A mixture of IT and OT results in a completely new starting point for the assessment of security risks.
Differences in requirements for Office and Industrial IT

| Requirement | Office IT | Industrial IT | Note |
|---|---|---|---|
| Service life | 3-5 years | 5-20 years | IEC 62443 uses the term service life in Part 1-1 with regard to key management but does not specify a time frame |
| Patch management | Often, daily | Seldom, requires release from system manufacturer | IEC 62443 explicitly regulates the topic in Part 2-3 |
| Time dependency | Delays accepted | Critical | IEC 62443 defines security objectives in Part 1-1; the real-time capability is indicated in the millisecond range |
| Availability | Short down-times tolerated | 24/7 | IEC 62443 defines security objectives in Part 1-1, where availability is defined as the highest security goal |

source: https://www.zvei.org/fileadmin/user_upload/Presse_und_Medien/Publikationen/2017/April/Orientierungsleitfaden_fuer_Hersteller_IEC_62443/Orientierungsleitfaden_fuer_Hersteller_IEC_62443.pdf

Industry 4.0 – Networking poses hidden risks

• Infection with malicious software
• Human error
• Blackmail, ransomware
• Burglary via remote maintenance access
• Attack on network components
• Attacks on internet-connected control components
• Attacks on enterprise networks
• (D)DoS attacks

source: VDE Member Survey 2018

IT security is complex

source: IEC Draft Guide 120

Cyber crime

“Crimes committed by exploiting modern information and communications technologies, or committed against them.”*

Criminal intentions in five core points:
1. Siphoning off financially useful information (e.g. for misuse)
2. Redirecting financial transactions
3. Blackmail via sabotage
4. Sabotage by modifying or manipulating data (with the objective of damaging an image)
5. Identity theft

source: *As defined by the Bundeskriminalamt (German Federal Criminal Police Office)

IT security in critical infrastructures…

[Diagram: KRITIS* at the centre of complex frame conditions: regulation, security management, insurance, technology, networking, organisation, human, risk management, attacks, market]

*KRITIS - IT security for critical infrastructures

ISO/IEC 27001 Information Security
Definition of critical infrastructure according to BMI
Transport and road traffic
• Aviation
• Maritime transport
• Railways & local transportation
• Roads
• Postal services

Energy
• Electricity
• Nuclear power plants
• Gas
• Mineral oil

Hazardous substances
• Chemicals and biological substances
• Hazardous goods transport
• Defence industry

Information technology / Telecommunications
• Telecommunications
• Information technology

Financial, monetary and insurance systems
• Banks
• Insurance companies
• Financial services providers
• Stock exchanges

Supply
• Health, emergency and rescue services
• Disaster response
• Food supply
• Water supply

Administration and justice authorities
• Government bodies

Miscellaneous
• Media
• Major research institutes
• Prominent or highly symbolic structures, cultural assets

source: Bundesministerium des Innern (German Federal Ministry of the Interior)

Series of standards ISO/IEC 27000
Sector/branch-specific standards
Sector and branch-specific standards

| Standard | Subject |
|---|---|
| ISO 27010 | Information exchange in critical infrastructures |
| ISO 27011 | Information security, telecommunications providers |
| ISO 27015 | Information security in the financial sector |
| ISO 27017/27018 | Cloud services |
| ISO 27019 | Process control systems, energy sector |
| ISO 27799 | Health sector security |

Topic-specific standards

| Standard | Subject |
|---|---|
| ISO 27031 | Business continuity |
| ISO 27032 | Cyber security |
| ISO 27033 | Network security |
| ISO 27034 | Application security |
| ISO 27035 | Incident management |
| ISO 27036 | Supplier security |
| ISO 27037 | Securing and preserving digital evidence |
| ISO 27038 | Digital redaction |
| ISO 27039 | Intrusion detection system |
| ISO 27040 | Storage security |
| ISO 27041 | Incident investigation methods |
| ISO 27042 | Analysis and interpretation of digital evidence |
| ISO 27043 | Investigation of incidents |

ISO/IEC 27001 Information Security
Structure of the ISO 27000 standards series based on ISO 27000
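| Category | Standard | Subject |
|---|---|---|
| Terminology | 27000 | Overview and terminology |
| General requirements | 27001 | Requirements |
| General requirements | 27006 | Requirements for bodies providing audit and certification |
| General guidelines | 27002 | Code of practice for information security controls |
| General guidelines | 27003 | Implementation guidance |
| General guidelines | 27004 | Analysis |
| General guidelines | 27005 | Risk management |
| General guidelines | 27007 | Guidelines for auditing |
| Branch-specific guidelines | 27011 | Requirements for telecommunications organisations |
| Branch-specific guidelines | 27019 | Requirements for the control systems in the energy utility industry |
| Branch-specific guidelines | 27709 | Requirements for the health sector |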

Characterisation of safety vs. IT security

| | Machine safety | IT security/Cyber security |
|---|---|---|
| Objectives | Hazard avoidance, prevention, health & safety | Availability, integrity, confidentiality |
| Conditions (risks, methods, measures) | Transparent | Non-transparent/confidential |
| Activities | More static field (intended purpose, foreseeable misuse) | Highly dynamic field; adjustable goal (intentional manipulation, criminal intent) |
| Risk minimisation (reduction), measures | Primarily mechanical production at a dedicated time (when making the machine available for initial use) | From a variety of actors (machine manufacturers, system integrators, machine users, service providers) at any time along the entire life cycle |

[Figure: risk graph with parameters S, F and P, ranging from slight risk to severe risk]
Classification of information
security for functional safety

[Diagram: two overlapping areas, "Safety" (functional safety, IEC 61508) and "Information security" (industrial information security, IEC 62443); the overlap is "Information security for functional safety"]

The relationship between the requirements of functional security and information security is described in such a manner that makes it possible to efficiently combine the measures.
Interconnection safety and security risk assessment

source: IEC DTR 63069

Series of standards 62443 - Security for industrial automation and control systems

General (general description)
• 1-1 Terminology
• 1-2 Glossary with abbreviations
• 1-3 Benchmark for determining compliance
• 1-4 IT security life cycles and use cases for an automation system

Guidelines and procedures (security requirements for operators and service providers)
• 2-1 Security program requirements for IACS asset owners
• 2-2 Implementation guidelines for an IT security program for automation systems
• 2-3 Patch management for industrial automation systems (TR)
• 2-4 Requirements for the IT security program in engineering firms and maintenance service providers for industrial automation systems

System (security requirements for automation systems)
• 3-1 IT security technologies for industrial automation systems (TR)
• 3-2 Security risk assessment and system design (CDV)
• 3-3 System requirements for IT security and security level

Component (security requirements for automation components)
• 4-1 Requirements for product development
• 4-2 Technical security requirements for IACS components (CDV)

[Legend: process requirement; functional requirements; most important parts for machines and system construction; VDE publishing – Library of Standards]

Cybersecurity: Attack vectors and Certification tests

[Diagram: numbered points 1 to 7 along the path from the communication device to the Cloud/Backend]

| No. | Attack vector | Certification test |
|---|---|---|
| 1 | Attack on the communication device | Secure access, secure updates |
| 2 | Attack on the local wired connection | Secure installation, secure communication |
| 3 | Attack on the local radio connection | Encryption of the radio protocol |
| 4 | Attack on the connection to the Internet | Encryption to the Internet |
| 5 | Attack on the backend-server | Pen-testing application-server, secure data centers, audit of security processes |
| 6 | Attack on the web-application | Pen-testing web-application |
| 7 | Attack on the apps | Testing of the apps |

Draft IEC 62443-4-2 Security for industrial automation and control
systems – Part 4-2: Security requirements for IACS components

source: Copyright and all right reserved © VDE Prüf- und Zertifizierungsinstitut GmbH 2018.

Risk assessment according to IEC 62443

IEC 62443-3-2: "Security Risk Assessment and System Design" (draft status)

• Identify assets
• Identify threats
• Identify vulnerabilities
• Calculate occurrence probability
• Identify possible impact
• Calculate risk
IEC 62443 - Protection against violations

| Level | Protection against… |
|---|---|
| 1 | incidental incorrect use |
| 2 | intentional attempts using simple means |
| 3 | SL2, but with extended knowledge and expanded means |
| 4 | SL3, but with specific knowledge and considerable means |

| Short form | Long form | Meaning |
|---|---|---|
| SL-C | Security-Level – Capability | Security level the device or system can reach if it is correctly used and configured |
| SL-T | Security-Level – Target | This target security level is a result of the threat/risk analysis |
| SL-A | Security-Level – Achieved | The achieved and measurable security level achieved in the overall system |

source: IEC 2033/13


source: Security Level during the life cycle IEC 62443 source: Security Level (SL) in accordance with IEC 62443

Standards in Industry 4.0
Concept of protection levels as per IEC 62443

Security process
• Based on IEC 62443-2-2 and ISO 27001
• Degree of development 1 to 4

Security functions
• Based on IEC 62443-3-3
• Security level 1 to 4

source: Pierre Kobes: Protection Levels, ISA-99 Meetings, Frankfurt, June 2015

Example of typical vulnerabilities

• Limited security awareness
• Flaws in asset management
• Updates or patches add vulnerabilities
• Deficiencies of products/solutions
• Design limitations with respect to performance
• Misuse of functions/features built in on purpose
• Real usage differs from the intended use
• Threat evolution: existing solutions are also vulnerable

Important: Vulnerabilities should not be considered as a fault, failure or error as defined in IEC 61508, as their origin and nature are different.
IT security in trades

Basic rules: “Bring your own device” (BYOD)

• Important: activation of password query & automatic locking when mobile device not in use
• Understandable security guidelines for device allocations
• Company data: save internally and transmit via encrypted connections, e.g. WPA2 or VPN
• Sensitive data: on encrypted private mobile devices
• Draw attention to possible risks, e.g. from apps
• Mobile device management: only if mobile devices are centrally managed
• Bluetooth and WiFi: only if wireless connection necessary
A need to adapt to the new IT security threats

Industry 4.0

• Expansion of existing technical protection measures
• Integration of IT security functions:
  • On-top measures
  • Secure communication required
  • Applicability of cryptography in production
• Secure storage of key information and unequivocal authentication
• Continuous adaptation of IT security infrastructure
Security concepts for machine and system constructors

• IT Security Act requires a security management system in the critical infrastructures sector since 2018.
• Operators require a continuous security concept
• IEC standard 62443
• Role specification within IEC standard 62443
• Goals as a result of networking:
  • Availability and integrity
  • Confidentiality and authenticity
Source: Hacker attack on Deutsche Telekom devices: Security researchers at the Freie Universität Berlin create a detailed picture of the situation
Reachable TR069 devices in Europe (23/11/2016)

IT security via norms and standards
Functional safety vs. IT security
Thank you
for your attention!
We are building the e-dialistic future.
Please join us.

Your contact:

Florian Spiteller
Head of External Relations & Support
Member of the DKE Executive Board
Phone +49 69 6308-380