Comprehensive Security Concept For Process Control Systems V2006


description

The slides from my talk at the congress at the SPS 2006 fair - still in progress, but just as an example of the idea.

Transcript of Comprehensive Security Concept For Process Control Systems V2006

Page 1: Comprehensive Security Concept For Process Control Systems V2006

(too) "simple" security concept

PCN 2

PCN 1

Internet

*PCN = Process Control Network

Page 2:

Solution-based security concept built on:

• Production sequence: technological planning of the

• production levels

• control components and the

• information and order flow

• Security zones and cells: implementation of

• building protection and physical access control

• technological planning of the security zones, security cells and access paths in the network infrastructure

• hardening of the network nodes

• Authorization: implementation of

• user management as operating permissions by means of

• group and role assignments in the individual operating components (hardware and software)

Page 3:

Enhanced security concept

Internet

MON = Manufacturing Operation Network

ECN = Enterprise Control Systems Network

Perimeter

Automation and security cells

PCN

CN = Control Network

Page 4:

Standards and norms

BSI IT-Grundschutzhandbuch

• Chapter 4 "IT-Grundschutz in the area of infrastructure"

ISA

• ISA S95 "Enterprise – Control System Integration"

• Part 1: "Models and terminology"

• Part 2: "Data structures and attributes"

• Part 3: "Models of production processes"

• ISA SP99 "Manufacturing and Control System Security"

• Part 1: "Security Technologies for Manufacturing and Control Systems"

• Part 2: "Establishing a Manufacturing and Control System Security Program"

ISO/IEC

• 17799 "Code of practice for information security management"

• 27001 "Information security management systems – Requirements"

• 62443 "Security for Industrial Process Measurement and Control - Network and System"

• 61784-4 "Profiles for secure communications in industrial networks"

NAMUR

• NA 67 "Information protection for process control systems (PLS)"

• NA 103 "Use of Internet technologies in process automation"

• NA 115 "IT security for automation systems"

FDA 21 CFR 11

• "Electronic records and signatures"

Page 5:

ERP – Enterprise Resource Planning

MES – Manufacturing Execution Systems

MCS – Manufacturing Control Systems

Production levels

Production levels according to ISA S95

Page 6:

Control components and relationships

according to ISA-95.00.01-2000

Page 7:

Information and order direction of operator roles

according to ISA S95

Page 8:

Security zones according to ISA SP 99 Part 1

Security Zones (Levels)

Enterprise Security Zone

Level 5: Enterprise

• Enterprise Financial Systems

Level 4: Site Business Planning and Logistics

• Site Production Scheduling

• Site Accounting

Manufacturing Security Zone

Level 3: Site Manufacturing Operations and Control

• Production Control

• Optimizing Control

• Process History

• Identity Management

Area Security Zone

Level 2: Area Control

• Supervisory Controllers

• Primary Operator Interface

Level 1: Basic Control

• Batch Controllers

• Continuous Controllers

• Process Monitoring

Level 0: Process

• Sensors, Transmitters

• Control Valves

• Field Network

Safety Security Zone

Safety-Critical

Page 9:

Security Cell of a production plant

Page 10:

Network names (working titles)

Production levels according to ISA S95

ERP – Enterprise Resource Planning

MES – Manufacturing Execution Systems

MCS – Manufacturing Control Systems

Page 11:

Security cells and authentication

CN

PCN

PCN

Kerberos server

Page 12:

Identity and responsibility through application-level filtering of protocols and order level

Page 13:

Boundary of each Security Cell

Page 14:

Trustworthy connections to trustworthy applications and devices

PCN

MON

PCN

IPsec

MES server

VPN tunnel

Page 15:

Perimeter network and access paths

PCN

Perimeter network for data exchange

PCN web server

Terminal server

Web bridging

RADIUS server

VPN and quarantine server
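Pages 11 to 15 describe the enhanced concept as a set of boundaries: every network pair is a conduit that passes only listed protocols in one direction, the MES connection into the PCN must arrive through the IPsec tunnel, remote operator access comes through the perimeter's terminal server with an authenticated role, and two security cells never talk to each other directly. The script below is an added example, not part of the slides or of any vendor product, that models those rules as a policy table and evaluates constructed flows against the "(too) simple" concept from page 1 and the enhanced one. Network names follow the deck's working titles (ECN, MON, PCN, CN, Perimeter); the protocol names, role names, cell names and sample flows are assumptions made for the illustration.

```python
"""Zone and cell boundary policy (added example, not part of the slides).

Network names follow the deck (ECN, MON, PCN, CN, Perimeter, Internet);
protocol names, role names, cell names and sample flows are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Conditions for one protocol on one conduit."""
    role: Optional[str] = None  # role the authenticated principal must hold
    ipsec: bool = False         # must arrive through the IPsec tunnel


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    role: Optional[str] = None      # role from the Kerberos/RADIUS login; None = unauthenticated
    ipsec: bool = False
    src_cell: Optional[str] = None  # security cell of the endpoint, if any
    dst_cell: Optional[str] = None


# Page 1, the "(too) simple" concept: the PCNs hang directly off the Internet.
SIMPLE = {
    ("Internet", "PCN"): {"rdp": Rule(), "http": Rule()},
    ("PCN", "Internet"): {"http": Rule()},
    ("PCN", "CN"): {"control": Rule()},
    ("CN", "PCN"): {"process-data": Rule()},
}

# Pages 3, 11, 14, 15: enhanced concept. Orders flow downward, information
# upward, and each hop is its own conduit with its own protocol list.
ENHANCED = {
    ("Internet", "Perimeter"): {"https": Rule(), "vpn": Rule()},
    ("Perimeter", "PCN"): {"rdp": Rule(role="operator")},   # terminal server
    ("PCN", "Perimeter"): {"http": Rule()},                  # PCN web server
    ("ECN", "MON"): {"mes-order": Rule(role="planner")},
    ("MON", "ECN"): {"production-report": Rule()},
    ("MON", "PCN"): {"mes-order": Rule(role="mes-service", ipsec=True)},
    ("PCN", "MON"): {"process-history": Rule(ipsec=True)},
    ("PCN", "CN"): {"control": Rule(role="operator")},
    ("CN", "PCN"): {"process-data": Rule()},
}


def check_flow(policy, flow):
    """Evaluate one flow at the zone or cell boundary; return (allowed, reason)."""
    if flow.src_cell and flow.dst_cell and flow.src_cell != flow.dst_cell:
        return False, "cell boundary: cells only exchange data via MON/MES"
    rules = policy.get((flow.src, flow.dst))
    if rules is None:
        return False, f"no conduit {flow.src} -> {flow.dst}"
    rule = rules.get(flow.protocol)
    if rule is None:
        return False, f"{flow.protocol} not permitted on {flow.src} -> {flow.dst}"
    if rule.ipsec and not flow.ipsec:
        return False, "conduit requires the IPsec tunnel"
    if rule.role and flow.role != rule.role:
        return False, f"role {rule.role!r} required, got {flow.role!r}"
    return True, "allowed"


def shortest_path(policy, src, dst):
    """Fewest conduit hops from src to dst (roles ignored); None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for a, b in policy:
            if a == node and b not in prev:
                prev[b] = node
                queue.append(b)
    return None


# Constructed sample flows (assumptions, not captured traffic).
SAMPLE_FLOWS = [
    Flow("Internet", "PCN", "rdp"),                                    # RDP straight into the PCN
    Flow("Perimeter", "PCN", "rdp", role="operator"),                  # via terminal server, operator logged in
    Flow("Perimeter", "PCN", "rdp"),                                   # same path, nobody authenticated
    Flow("MON", "PCN", "mes-order", role="mes-service"),               # MES order outside the tunnel
    Flow("MON", "PCN", "mes-order", role="mes-service", ipsec=True),   # MES order through the tunnel
    Flow("PCN", "PCN", "rdp", src_cell="cell-A", dst_cell="cell-B"),   # cell-to-cell shortcut
    Flow("CN", "PCN", "process-data", src_cell="cell-A", dst_cell="cell-A"),
]


def audit(policy, flows=SAMPLE_FLOWS):
    """Return the allow (True) / deny (False) verdict for each flow under a policy."""
    return [check_flow(policy, f)[0] for f in flows]


if __name__ == "__main__":
    for name, policy in (("simple", SIMPLE), ("enhanced", ENHANCED)):
        print(name, "Internet -> PCN path:", shortest_path(policy, "Internet", "PCN"))
        for flow in SAMPLE_FLOWS:
            ok, why = check_flow(policy, flow)
            print(f"  {'ALLOW' if ok else 'DENY ':5} {flow.src}->{flow.dst} {flow.protocol}: {why}")
```

Under the simple policy the first sample flow (RDP from the Internet into the PCN) is allowed and the shortest path is one hop; under the enhanced policy it is denied and the only route to the PCN passes through the perimeter, where the terminal server demands an authenticated operator role. The same table can be turned into firewall rules for each cell boundary, and the path check is a cheap way to spot a conduit that would short-circuit a zone.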

Page 16:

Identity Management

Page 17:

Identity management and production plan

ERP

MES

MCS

Page 18:

Enhanced security concept

Page 19:

Core: the organizational structure of the entire enterprise must be reproduced (or followed) by the security concept.

Enterprise

Standards and laws

Production levels

Component map (ISA 95)

Security zones (ISA 99)

Industrial automation component vendor

Network and component structure (security cells)

Personnel and their tasks; areas of responsibility and tasks

Information and control directions

Interoperability of each component

Part 1: the structure of security cells, security zones and domains and their interconnectivity, based on:

- production plans

- interoperability of the components

- standards and laws

Part 2: each right in security cells, security zones and across the network, based on:

- information and control directions