Proactive, Not Reactive!

Protection of data and programs in automation solutions starts back at the device development stage

  • Industrial Security Process Improvement: Siemens is actively improving its products with regard to industrial security and it has successfully introduced the appropriate measures following assessment.
    Industrial Security Process Improvement: Siemens is actively improving its products with regard to industrial security and it has successfully introduced the appropriate measures following assessment.
  • Networks in the industrial environment can be protected with switches of the Scalance S type from Siemens thanks to an integrated firewall.
    Networks in the industrial environment can be protected with switches of the Scalance S type from Siemens thanks to an integrated firewall.
  • Unused interfaces must be deactivated for protection reasons. For interfaces in use, appropriate protective measures against malware must be taken.
    Unused interfaces must be deactivated for protection reasons. For interfaces in use, appropriate protective measures against malware must be taken.
  • The electronics and software development of suppliers must be deeply integrated into the protective measures to avoid unwelcome surprises at a later stage. It is crucial to be always at least one step ahead of hackers.
    The electronics and software development of suppliers must be deeply integrated into the protective measures to avoid unwelcome surprises at a later stage. It is crucial to be always at least one step ahead of hackers.

The significance of IT security threats is increasing for industrial companies. Plant operators, machine manufacturers and the manufacturers of automation products are therefore well advised to do more for industrial security. Device developers can, for example, enhance the security of industrial information and data in their systems by adopting proactive measures.

 

To counteract the growing threats from malware and hackers, attack scenarios that could pose a hazard to the information and data security of a production company must be considered back at the development stage of automation solutions and programmable electronic devices: Such measures are proactive, or preventive, in nature.

Standardization efforts for protection against manipulation
The philosophy of proactive maintenance of machinery and plants is familiar to almost all plant builders today. Long confirmed in the case of hardware, this is now finding its way into the software and firmware of industrial automation products. Here too, the goal is to protect machinery and plants - not against wear and tear, but against manipulation via data networks. This protection of automation solutions - industrial security, for short - must be achieved with the appropriate precautions, tools, and programs. New directions are required here.

While the safety of personnel and machinery has long been regulated by corresponding standards such as IEC 61508, IEC 62061 or DIN EN ISO 13849, experts worldwide are still working on the further optimization and standardization of communication security. The standard IEC 62443 Part 4-1, for example, is currently taking shape. This represents an important foundation for the necessary protection against manipulation in the development of electronic controllers and in the establishment of data networks used in industry.

The Industry Automation Division of Siemens is making great efforts here to achieve the necessary communication security and to hamper hacking attacks by means of proactive measures during the development process.

ISPI project as the basis for ISA certification
One example of this is "Industrial Security Process Improvement" (ISPI), a project started by the electrical engineering giant in 2012 with the purpose of improving the security of automation products and their software on a sustained basis. This undertaking was triggered by the many weak points in controllers and software that had to be prevented back at the development stage. A significant proportion of the comprehensive activities affect not only in-house development areas, but also suppliers. It is important here to heighten awareness that security measures must be available systematically, universally and permanently, and that they must be continuously tested. Those involved actively in structuring this process - that is, suppliers and in-house development departments - are laying the foundation for certification in accordance with ISA Secure (International Society of Automation). The processes defined by Siemens for enhancing data and communication security are by their own account suitable for achieving ISA certification to an appropriate level, depending on their weighting.

The evaluation phase for the ISPI project started back in 2011. This was created on the basis of the +Secure Improvement Catalyst, the ISA-SDSA (Software Development Security Assessment) Secure questionnaire Level 1, and the WIB (International Instrument Users Association) questionnaire for Industrial Security. At the evaluation phase, the experts here examined the processes involved in product life cycle management (PLM), supply chain management (SCM), and customer relationship management (CRM), as well as the Siemens-internal organization, and assessed them according to security aspects. The results: Improvement measures in the relevant processes were found and carried out and new roles were introduced within the organization.

Establishing and observing protective mechanisms
"Coding Guidelines & Tools" define rules for avoiding weak points. This affects not only the source code of programs, but also typical weak points such as standard passwords of devices, SQL injections or cross-site scriptings.

The Coding Guidelines and static code analysis were made available to the developers to optimize source code also under the aspects of data security. Undeclared variables in the source code, for example, represent a potential risk. Tools for static code analysis are used to check compliance with the Coding Guidelines. These tools subject the source code to a series of formal tests during the compiler runtime. This is used to search for errors even before the actual program is executed. The tools search here for possible attack points such as memory leaks, buffer overflows, or format string attacks.

Sustainability shares center-stage with security here because anything that is unknown presents a potential risk. "Easter eggs" - supposedly humorous surprises that developers used to hide in program code in the past - are now forbidden. After all, functions designed to provoke hilarity have no place in automation solutions. After the security experts had removed functions that had become public, a waiting period was created in the transition phase from project evaluation to roll-out, during which time developers could report such hidden programs. By means of appropriate development guidelines, you can ensure that any Easter eggs already included are removed and that no new undiscovered functions can be concealed in the program code.

In the course of the ISPI project, a host of other points were defined that help developers to keep an eye on industrial security right from the start and thus create secure system solutions. Product Security Risk Management is one such point that forms the central instrument for "tailoring", in other words adapting a process to security requirements. Another aspect of risk assessment is that critical tasks must not be outsourced. It is also important in this context to define what has to be protected, how the internal architecture is structured, and which route specific data flows have to take.

Precise monitoring of procurement paths
Procurement processes. Security experts together with central purchasing take a searching look at suppliers here and ask whether they already strictly follow their security processes. Accordingly, new suppliers must be immediately acquainted with in-house guidelines on all aspects of industrial security. It must be ensured that suppliers are also included in the process. An awareness program is also important in dealing with industrial security. While the risks and effects of malware and targeted IT hacker attacks have long had a high profile in the office area, these issues are still in their infancy in the industrial automation environment. Only since the widely reported "Stuxnet" affair has industrial security been handled as an autonomous issue to its full extend, and not just by professionals. Increased awareness also applies to the hardening of electronic products and solutions.

One example of such hardening is the selective deactivation of interfaces that are not required in an automation solution. Potential access points for attacks from outside or inside are therefore not available in the first place. Siemens also supplies support for this and provides users with the appropriate documentation when using products and solutions. There are, after all, a number of points to be observed when implementing integrated system security, so user documentation is likewise a central aspect of industrial security.

Proactive measures are more efficient than troubleshooting
Another important component is Security Verification & Security Validation. This means that finished components must be tested in accordance with defined specifications. The tests are carried out either in the central Security Lab in Karlsruhe, Germany, or by the Cyber Emergency Readiness Team (CERT) in Munich. Regular status reports are designed to demonstrate that all the points of a sustained security strategy are implemented precisely and in detail.

Since standard operating systems also have a central significance for security in industrial systems, it is absolutely necessary to qualify available security updates and patches from operating system manufacturers for use in industrial systems.

The ultimate goal is to improve the industrial security of automation components efficiently and permanently. Security in an ever more closely networked automation environment can be implemented more efficiently using proactive measures than with reactive troubleshooting scenarios.