comprehensive security concept for process control systems v2006
DESCRIPTION
The slides from my talk at the congress at the SPS2006 fair - still in work, but just as an example of the idea.
TRANSCRIPT
![Page 1: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/1.jpg)
(Too) "simple" security concept
PCN 2
PCN 1
Internet
*PCN = Process Control Network
![Page 2: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/2.jpg)
Solution-based security concept built on
• Technological planning of the:
• Production levels
• Control components and the
• Information and order flow
Production process
• Implementation of:
• Building protection, access control
• Technological planning of the security zones, security cells and access paths in the network infrastructure
• Hardening of the network participants
Security zones and cells
• Implementation of the:
• User management in operating permissions by means of
• Group and role assignments in the individual operating components (hardware and software)
Authorization
![Page 3: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/3.jpg)
Enhanced Security Concept
Internet
MON = Manufacturing Operation Network
ECN = Enterprise Control Systems Network
Perimeter
Automation and security cells
PCN
CN = Control Network
![Page 4: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/4.jpg)
Standards and norms
• Chapter 4 "IT baseline protection in the area of infrastructure"
BSI IT-Grundschutzhandbuch
• ISA S95 "Enterprise – Control System Integration"
• Part 1: "Models and terminology"
• Part 2: "Data structures and attributes"
• Part 3: "Models of production processes"
• ISA SP99 "Manufacturing and Control System Security"
• Part 1: "Security Technologies for Manufacturing and Control Systems"
• Part 2: "Establishing a Manufacturing and Control System Security Program"
ISA
• 17799 "Code of practice for information security management"
• 27001 "Information security management systems – Requirements"
• 62443 "Security for Industrial Process Measurement and Control - Network and System"
• 61784-4 "Profiles for secure communications in industrial networks"
ISO/IEC
• NA 67 "Information protection for process control systems (PLS)"
• NA 103 "Use of Internet technologies in process automation"
• NA 115 "IT security for automation systems"
NAMUR
• "Electronic records and signatures"
FDA 21 CFR 11
![Page 5: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/5.jpg)
ERP – Enterprise Resource Planning
MES – Manufacturing Execution Systems
MCS – Manufacturing Control Systems
Production levels
Production levels according to ISA S95
![Page 6: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/6.jpg)
Control components and relationships
according to ISA-95.00.01-2000
![Page 7: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/7.jpg)
Information and order direction of operator roles
according to ISA S95
![Page 8: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/8.jpg)
Safety Security Zone
Manufacturing Security Zone
Enterprise Security Zone
Security zones according to ISA SP 99 Part 1
Safety
Level 0
Level 1
Level 2
Level 3
Level 4
Level 5 Enterprise
Site Business Planning and Logistics
Site Manufacturing Operations and Control
Area Control
Basic Control
Process
Safety-Critical
Area Control
Basic Control
Process
Safety-Critical
Area Security Zone
• Supervisory Controllers
• Primary Operator Interface
• Site Production Scheduling
• Site Accounting
• Enterprise Financial Systems
• Batch Controllers
• Continuous Controllers
• Process Monitoring
• Sensors, Transmitters
• Control Valves
• Field Network
• Production Control
• Optimizing Control
• Process History
• Identity Management
Security Zones (Levels)
![Page 9: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/9.jpg)
Security Cell of a production plant
![Page 10: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/10.jpg)
Network names (working titles)
Production levels according to ISA S95
ERP – Enterprise Resource Planning
MES – Manufacturing Execution Systems
MCS – Manufacturing Control Systems
![Page 11: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/11.jpg)
CN
Security cells and authentication
PCN
PCN
Kerberos server
![Page 12: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/12.jpg)
Identity and responsibility by application filtering of protocols and order level
![Page 13: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/13.jpg)
Boundary of each Security Cell
![Page 14: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/14.jpg)
Trustworthy connections to trustworthy applications and devices
PCN
MON
PCN
IPSecurity
MES Server
VPN-Tunnel
![Page 15: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/15.jpg)
Perimeter network and access ways
PCN
Perimeter network for data exchange
PCN web server
Terminal server
Web-bridging
RADIUS server
VPN and quarantine server
![Page 16: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/16.jpg)
Identity Management
![Page 17: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/17.jpg)
Identity Management and production plan
ERP
MES
MCS
![Page 18: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/18.jpg)
Enhanced Security Concept
![Page 19: Comprehensive Security Concept For Process Control Systems V2006](https://reader034.vdokument.com/reader034/viewer/2022052621/558ba5ffd8b42a146d8b469b/html5/thumbnails/19.jpg)
Core: The organizational structure of the complete enterprise must be recreated (or followed) by the security concept.
Enterprise
Standards and laws
Production levels
Component map (ISA95)
Security Zones (ISA99)
Industrial Automation Component Vendor
Network and component structure (Security Cells)
Part 1: The structure of Security Cells, Security Zones and Domains and their interconnectivity, based on:
- Production plans
- Interoperability of the components
- Standards and laws
Personnel and their tasks; areas of responsibility and tasks
Part 2: Each right in Security Cells, Security Zones and through the network, based on:
- Information and control directions
Information and control directions
Interoperability of each Component