Post on 25-Jun-2015
(Too) "simple" security concept
PCN 2
PCN 1
Internet
*PCN = Process Control Network
Solution-based security concept built on:
Production workflow
• Technological planning of the:
  • Production levels
  • Control components and the
  • Information and order flow
Security zones and cells
• Implementation of:
  • Building protection, access control
  • Technological planning of the security zones, security cells and access paths in the network infrastructure
  • Hardening of the network participants
Authorization
• Implementation of:
  • User management as operating permissions by means of
  • Group and role assignments in the individual operating components (hardware and software)
Enhanced Security Concept
Internet
MON = Manufacturing Operation Network
ECN = Enterprise Control Systems Network
Perimeter
Automation and security cells
PCN
CN = Control Network
Standards and norms
BSI IT-Grundschutzhandbuch
• Chapter 4 "IT-Grundschutz in the area of infrastructure"
ISA
• ISA S95 "Enterprise – Control System Integration"
  • Part 1: "Models and Terminology"
  • Part 2: "Data Structures and Attributes"
  • Part 3: "Models of Production Processes"
• ISA SP99 "Manufacturing and Control System Security"
  • Part 1: "Security Technologies for Manufacturing and Control Systems"
  • Part 2: "Establishing a Manufacturing and Control System Security Program"
ISO/IEC
• 17799 "Code of practice for information security management"
• 27001 "Information security management systems – Requirements"
• 62443 "Security for Industrial Process Measurement and Control - Network and System"
• 61784-4 "Profiles for secure communications in industrial networks"
NAMUR
• NA 67 "Information protection in process control systems (PLS)"
• NA 103 "Use of Internet technologies in process automation"
• NA 115 "IT security for automation technology systems"
FDA 21 CFR 11
• "Electronic records and signatures"
ERP – Enterprise Resource Planning
MES – Manufacturing Execution Systems
MCS – Manufacturing Control Systems
Production levels
Production levels according to ISA S95
Control components and relationships
according to ISA-95.00.01-2000
Information and order direction of operator roles
according to ISA S95
Safety Security Zone
Manufacturing Security Zone
Enterprise Security Zone
Security zones according to ISA SP 99 Part 1
Safety
Level 0
Level 1
Level 2
Level 3
Level 4
Level 5 Enterprise
Site Business Planning and Logistics
Site Manufacturing Operations and Control
Area Control
Basic Control
Process
Safety-Critical
Area Security Zone
• Supervisory Controllers
• Primary Operator Interface
• Site Production Scheduling
• Site Accounting
• Enterprise Financial Systems
• Batch Controllers
• Continuous Controllers
• Process Monitoring
• Sensors, Transmitters
• Control Valves
• Field Network
• Production Control
• Optimizing Control
• Process History
• Identity Management
Security Zones (Levels)
Security Cell of a production plant
Network names (working titles)
Production levels according to ISA S95
ERP – Enterprise Resource Planning
MES – Manufacturing Execution Systems
MCS – Manufacturing Control Systems
CN
Security cells and authentication
PCN
PCN
Kerberos server
Identity and responsibility by application filtering of protocols and order level
Boundary of each Security Cell
Trustworthy connections to trustworthy applications and devices
PCN
MON
PCN
IPSecurity
MES Server
VPN-Tunnel
Perimeter network and access paths
PCN
perimeter network for Data Exchange
PCN Webserver
Terminal server
Web-bridging
RADIUS server
VPN and quarantine server
Identity Management
Identity Management and production plan
ERP
MES
MCS
Enhanced Security Concept
Core: The organizational structure of the complete enterprise must be recreated (or followed) by the security concept.
Enterprise
Standards and laws
Production levels
Component map (ISA95)
Security Zones (ISA99)
Industrial Automation Component Vendor
network- and component structure (Security Cells)
Part 1: The structure of security cells, security zones and domains and their interconnectivity, based on:
- production plans
- interoperability of the components
- standards and laws
Personnel and their tasks; areas of responsibility and tasks
Part 2: Each right in security cells, security zones and through the network, based on:
- information and control directions
Information and control directions
Interoperability of each Component