Comprehensive Security Concept For Process Control Systems V2006

Posted on 25-Jun-2015


Description

The slides from my talk at the congress at the SPS 2006 fair - still a work in progress, but just as an example of the idea.

Transcript of Comprehensive Security Concept For Process Control Systems V2006

(too) "simple" security concept

Figure (network diagram) with the labels: Internet, PCN 1, PCN 2

*PCN = Process Control Network

Solution-based security concept, built on:

Production process

• Technological planning of the:

• production levels,

• control components, and the

• information and order flow

Security zones and cells

• Implementation of:

• building protection and physical access control,

• the technological planning of security zones, security cells and access paths in the network infrastructure,

• hardening of the network nodes

Authorization

• Implementation of:

• user management as operator permissions, by means of

• group and role assignments in the individual operator components (hardware and software)

Enhanced security concept

Figure (network diagram) with the labels: Internet; Perimeter; ECN = Enterprise Control Systems Network; MON = Manufacturing Operation Network; PCN (Process Control Network); CN = Control Network; automation and security cells

Standards and norms

BSI IT-Grundschutzhandbuch

• Chapter 4 "IT baseline protection in the infrastructure area"

ISA

• ISA S95 "Enterprise – Control System Integration"

• Part 1: "Models and terminology"

• Part 2: "Data structures and attributes"

• Part 3: "Models of production processes"

• ISA SP99 "Manufacturing and Control System Security"

• Part 1: "Security Technologies for Manufacturing and Control Systems"

• Part 2: "Establishing a Manufacturing and Control System Security Program"

ISO/IEC

• ISO/IEC 17799 "Code of practice for information security management"

• ISO/IEC 27001 "Information security management systems – Requirements"

• IEC 62443 "Security for Industrial Process Measurement and Control - Network and System"

• IEC 61784-4 "Profiles for secure communications in industrial networks"

NAMUR

• NA 67 "Information protection for process control systems (PLS)"

• NA 103 "Use of Internet technologies in process automation"

• NA 115 "IT security for systems of automation technology"

FDA 21 CFR Part 11

• "Electronic records and signatures"

ERP – Enterprise Resource Planning

MES – Manufacturing Execution Systems

MCS – Manufacturing Control Systems

Production levels according to ISA S95

Control components and their relationships, according to ISA-95.00.01-2000

Information and order direction of the operator roles, according to ISA S95

Security zones according to ISA SP 99 Part 1: Enterprise Security Zone, Manufacturing Security Zone, Safety Security Zone

Security zones (levels) and the security cell of a production plant

Figure (reconstructed from its labels): the production levels with the components assigned to each level.

Level 5  Enterprise                                  • Enterprise Financial Systems
Level 4  Site Business Planning and Logistics        • Site Production Scheduling  • Site Accounting
Level 3  Site Manufacturing Operations and Control   • Production Control  • Optimizing Control  • Process History  • Identity Management
Level 2  Area Control                                • Supervisory Controllers  • Primary Operator Interface
Level 1  Basic Control                               • Batch Controllers  • Continuous Controllers  • Process Monitoring
Level 0  Process                                     • Sensors, Transmitters  • Control Valves  • Field Network
Safety   Safety-Critical

Levels 0 to 2 (Area Control, Basic Control, Process, plus the Safety-Critical functions) appear once per production cell; each such group is labelled an Area Security Zone.

Network names (working titles)

Figure: the network names mapped onto the production levels according to ISA S95, with the labels ERP – Enterprise Resource Planning, MES – Manufacturing Execution Systems, MCS – Manufacturing Control Systems, CN (Control Network)

Security cells and authentication

Figure (network diagram) with the labels: PCN (several), MON, Kerberos server, IPsec, MES server, VPN tunnel

Identity and responsibility through application-level filtering of protocols and order level

Boundary of each security cell

Trustworthy connections to trustworthy applications and devices

Perimeter network and access ways

Figure (network diagram) with the labels: PCN; perimeter network for data exchange; PCN web server; terminal server; web bridging; RADIUS server; VPN and quarantine server

Identity management

Identity management and production plan

Figure with the labels: ERP, MES, MCS

Enhanced security concept

Core: the organizational structure of the complete enterprise must be reproduced (or followed) by the security concept.

Figure with the labels: Enterprise; standards and laws; production levels; component map (ISA 95); security zones (ISA 99); industrial automation component vendor; network and component structure (security cells); personnel and their tasks; responsible areas and tasks

Part 1: the structure of security cells, security zones and domains and their interconnection, based on:

- production plans

- interoperability of the components

- standards and laws

Part 2: each access right within security cells and security zones and across the network, based on:

- information and control directions

- interoperability of each component
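The two parts of the concept can be expressed as one policy check. The following is an added example written for this transcript, not code from the slides: a Python model of the networks ECN, perimeter, MON, PCN and CN as zones with ISA-95 levels, a plant split into security cells, conduits between the networks with a protocol allowlist, the downward-only direction of orders, and order rights bound to roles and cells. The levels assigned to the networks, the host names, protocol names, roles and principals are assumptions made for the example. Authentication itself (the Kerberos and RADIUS servers in the slides) is out of scope; the check takes the already authenticated principal as input.

```python
"""Zone and security-cell conduit policy for a process control network.

Added example, not from the slides. Levels, host names, protocols, roles
and principals below are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Network -> ISA-95 level. Assumption: the perimeter network is counted with
# the manufacturing side, so enterprise hosts always cross it explicitly.
ZONE_LEVEL = {"ECN": 4, "PERIMETER": 3, "MON": 3, "PCN": 2, "CN": 1}

# Conduits: (initiating network, target network) -> allowed protocols.
# Deliberately no ("ECN", "MON") entry: exchange with the enterprise goes
# through the perimeter network only.
CONDUITS = {
    ("ECN", "PERIMETER"): {"https"},
    ("PERIMETER", "MON"): {"https", "sql"},
    ("MON", "PERIMETER"): {"https"},
    ("MON", "PCN"): {"opc"},
    ("PCN", "MON"): {"opc"},
    ("PCN", "CN"): {"profinet"},
    ("CN", "PCN"): {"profinet"},
}

# Part 2 of the concept: which role may issue orders into which network.
ROLE_MAY_ORDER = {"planner": {"PERIMETER", "MON"}, "operator": {"PCN", "CN"}}

@dataclass(frozen=True)
class Host:
    zone: str
    cell: Optional[str] = None   # None: site-wide host outside any cell

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    cell: Optional[str] = None   # operator accounts are bound to one cell

@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    protocol: str
    kind: str                    # "order" (control) or "information"
    principal: Principal

# Constructed inventory and accounts for the example.
HOSTS = {
    "erp-app": Host("ECN"),
    "xchg-web": Host("PERIMETER"),
    "mes-server": Host("MON"),
    "hmi-cell1": Host("PCN", "cell-1"),
    "plc-cell1": Host("CN", "cell-1"),
    "hmi-cell2": Host("PCN", "cell-2"),
    "plc-cell2": Host("CN", "cell-2"),
}
SCHEDULER = Principal("svc-scheduler", frozenset({"planner"}))
OPERATOR1 = Principal("op.mueller", frozenset({"operator"}), "cell-1")

def evaluate(req: Request, hosts=HOSTS) -> tuple[bool, str]:
    """Return (allowed, reason) for one connection request."""
    src, dst = hosts[req.src], hosts[req.dst]
    if src.zone == dst.zone and src.cell == dst.cell:
        return True, "inside one network and cell"
    # Security-cell boundary: cells never talk to each other directly.
    if src.cell and dst.cell and src.cell != dst.cell:
        return False, f"cell boundary {src.cell} -> {dst.cell}"
    allowed = CONDUITS.get((src.zone, dst.zone))
    if allowed is None:
        return False, f"no conduit {src.zone} -> {dst.zone}"
    if req.protocol not in allowed:
        return False, f"{req.protocol} not allowed on {src.zone} -> {dst.zone}"
    if req.kind == "order":
        # Control flows downward only: a lower level never orders a higher one.
        if ZONE_LEVEL[src.zone] < ZONE_LEVEL[dst.zone]:
            return False, "orders may not flow upward"
        zones = set().union(*(ROLE_MAY_ORDER.get(r, set()) for r in req.principal.roles))
        if dst.zone not in zones:
            return False, f"{req.principal.name} has no order right in {dst.zone}"
        if req.principal.cell and req.principal.cell != dst.cell:
            return False, f"{req.principal.name} is bound to {req.principal.cell}"
    elif req.kind != "information":
        raise ValueError(f"unknown request kind {req.kind!r}")
    return True, f"conduit {src.zone} -> {dst.zone} ({req.protocol})"

# Constructed requests: legitimate flows next to the ones the concept forbids.
REQUESTS = [
    Request("erp-app", "xchg-web", "https", "order", SCHEDULER),
    Request("erp-app", "mes-server", "sql", "order", SCHEDULER),
    Request("xchg-web", "mes-server", "sql", "order", SCHEDULER),
    Request("mes-server", "hmi-cell1", "opc", "order", SCHEDULER),
    Request("mes-server", "hmi-cell1", "opc", "order", OPERATOR1),
    Request("mes-server", "hmi-cell1", "rdp", "order", OPERATOR1),
    Request("hmi-cell1", "plc-cell1", "profinet", "order", OPERATOR1),
    Request("hmi-cell1", "plc-cell2", "profinet", "order", OPERATOR1),
    Request("plc-cell1", "hmi-cell1", "profinet", "order", OPERATOR1),
    Request("plc-cell1", "hmi-cell1", "profinet", "information", OPERATOR1),
    Request("hmi-cell1", "mes-server", "opc", "information", OPERATOR1),
]

def audit(requests=REQUESTS):
    """Evaluate every request; returns (description, allowed, reason) triples."""
    return [(f"{r.src} -> {r.dst} {r.protocol} {r.kind}", *evaluate(r)) for r in requests]

if __name__ == "__main__":
    for desc, ok, why in audit():
        print(f"{'ALLOW' if ok else 'DENY':5}  {desc:48} {why}")
```

Running the script prints one ALLOW or DENY line per request. Three denials show the structural points of the concept: the ERP application is refused a direct SQL connection to the MES server even though its account holds the planner role, because no conduit exists between ECN and MON and the data exchange has to go through the perimeter network; the HMI of cell 1 is refused any connection to the PLC of cell 2 before protocols or rights are even looked at, because the cell boundary is checked first; and the PLC may report upward but never order upward, since control only flows downward through the levels.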