An ideal protection strategy for industrial systems is based on thorough planning.
Integrators, operators and manufacturers all contribute to IT security measures in the design and operation of automation processes and systems. Transparency among partners is essential here.
The TÜV Süd certificate based on IEC 62443 gives integrators and operators transparent insight into the IT security measures and backs up Siemens Security in the process of developing automation products.
Protection against cyber attacks is growing more and more important for industrial companies. That’s why this aspect must be considered right at the development stage for new machines, and observed throughout the entire life cycle.
It is essential in this regard to perform regular PDCA (“plan-do-check-act”) cycles, as prescribed in standard IEC 62443. During the specification, design and development stages, manufacturers concentrate on potential points of attack and draft protection mechanisms. Then, in the marketing phase, they actively look after protecting their products with information and updates.
Since 2015, operators of critical infrastructure facilities have been required to fulfill the requirements of the new IT Security Act. The focus is on maintaining operations in the event of an attack, and the PDCA cycles are coordinated with this requirement.
On the one hand, operators must determine the requirements for laying out the automation solution, and on the other they must define the measures that they themselves will have to implement. These include limited access to critical parts of the automation solution, for example.
The new IT Security Act took effect in Germany on July 25, 2015. Under the act, key operators of critical infrastructures are required in future to report any IT security incidents to the German Federal Office for Information Security (BSI) and implement minimum IT security standards. Who this includes was determined, among other things, by the BSI with the help of a measurement table.
A total of seven industries (sectors) and around 700 systems are covered by the IT Security Act.
In addition to information technology and telecommunications in the strictest sense, the energy, food, finance, insurance, healthcare and water industries are required to meet minimum IT security standards and report incidents to the BSI.
The German government applies the 500,000 rule as the basis for determining which groups are covered by the act: If 500,000 or more citizens are dependent on a service, the accompanying system falls under the reporting requirement. What these people consume is converted into a threshold.
Part 1 of the BSI Kritis (Critical Infrastructure Protection) Regulation took effect in May 2016.
Deadlines will apply from that point on, in other words:
Operators of critical infrastructures in the areas of energy, water, food, information technology and telecommunications will have to meet their reporting requirements to the BSI from November 2016 and observe the new industry-specific minimum IT security standards from May 2018.
System integrators are often trail-blazers when a company’s IT security has to be improved. They work closely with the operator to establish the protection strategy that will meet the specified protection goals. The focus for the integrators is on implementing the automation solution at a functional level.
That’s why the PDCA solutions are mainly built around multiple functional and organizational measures, and include efficiency checks for the protection measures, training for employees, documentation, and maintenance of the protective measures. Security – e.g. of recipes or passwords – must still be guaranteed when an automation solution is being dismantled.
Defense in depth
To protect industrial plants from internal and external cyber attacks, all levels must be protected simultaneously – ranging from the plant management level to the field level and from access control to copy protection. This is why our approach to comprehensive protection offers defense throughout all levels – “defense in depth”.
As the level of digitalization increases, so too does the importance of comprehensive security concepts for automation applications.
That's why Industrial Security is an essential element of Digital Enterprise, the Siemens way to Industrie 4.0. With defense in depth, Siemens provides a multi-layer concept that gives your plant both all-round and in-depth protection. The concept is based on plant security, network security and system integrity as recommended by ISA 99/IEC 62443.
Plant security starts with conventional building access and extends to securing of sensitive areas by means of key cards. Tailored industry security services include processes and guidelines for comprehensive plant protection. These range from risk analysis and the implementation and monitoring of suitable measures to regular updates.
Protection of automation networks against unauthorized access with access protection, segmentation (e.g. DMZ) and encrypted communication using security appliances, Internet and wireless routers, and Security SIMATIC S7 communications processors.
Our portfolio has been optimized for use in automation systems and is designed for the specific requirements of industrial networks.
Whether you want to protect existing know-how or rule out unauthorized access to your automation processes from the outset, thus preventing production downtimes, our comprehensive Industrial Security portfolio includes support for implementing targeted measures to protect against a variety of threats, as well as the design of complete solutions for maximum protection.
Our integrated security features provide comprehensive protection against unauthorized configuration changes at the control level as well as against unauthorized network access, preventing the copying of configuration data and making any attempts to manipulate such files easier to detect.