Siemens Cyber Security Report Card (Part 2 of 2) (plus Presentation)

This article continues our review of Siemens’ announcements and posture regarding cyber security as reflected at their Automation Summit last week.  Part 1 of this post was published yesterday.

New Siemens Products for Enhanced Cyber Security

Christoph Lehmann, from Siemens Germany, focused on many of the new products and services that Siemens is currently developing (or has recently released) to improve control system security.  A few noteworthy ones are mentioned here.

a.     New Communications Processors (CP)

First, Siemens plans to address one of the biggest vulnerabilities within the ICS space regarding the lack of secure communication protocols and the lack of source and destination authentication. They will do this with a family of new communication processors (CP) that can be installed in either the S7 PLC chassis or replace existing network interface cards (NICs) located on various PCS7 computers such as the WinCC/OS Servers and Clients.

This technology is critical to address the significant risk that is introduced through such attack vectors as man-in-the-middle attacks, replay attacks, and information leakage.  It also appears promising for securing legacy systems, as customers are unlikely to rip and replace existing S7 products.  We are looking forward to more details.

b.    Function Block Encryption

Along these lines, Siemens is also improving their STEP7 and S7 programming environment with the introduction of function block encryption.  Specific details of this technology were not disclosed, but Siemens explained that this functionality will eliminate the possibility of a non-authenticated application from modifying the code running within the S7 controllers, or from an external agent from modifying the STEP7 project files (both attack vectors used by the Stuxnet worm in 2010).

c.    New PCS7 Automation Firewall

Siemens will also be introducing a new PCS7 Automation Firewall based on Microsoft's Threat Management Gateway (TMG) technology.  Most people see the value in implementing firewalls within a hierarchical ICS architecture, however, security audits today reveal that a large number of organizations still have not implemented this technology.

Most security experts believe this lack of proper implementation is due to one of two reasons:

  • End users believe that there is little risk from an "inside" attack originating from the "protected business network";
  • End users believe that firewalls are complex to configure and maintain and an improperly configured firewall could be worse than no firewall at all.

Siemens’ approach to the Automation Firewall helps address these problems by offering an ICS-specific solution that can be configured with straight-forward GUI tools.  Obviously, we are strong proponents of this approach, even if it is a potential Tofino Security competitor.

Our one concern is that we see that TMG continues Siemens’ position of leveraging the Microsoft Internet Security and Acceleration (ISA) infrastructure used extensively in their Security Concept documents of the past. However, Microsoft is not a security product company and is definitely not focused on the industrial controls market.  We would be more comfortable with a product not only developed by a security-based enterprise, but also one that understands a little more about control systems and their unique issues when compared with traditional office IT.

d.    Application Whitelisting

Siemens is part of a growing list of ICS vendors that see the need to embed anti-malware software into their core products.  Such software focuses on permitting what is allowed, rather than trying to block what is denied.  This is referred to as "application whitelisting", and provides the ability to detect and protect event applications from the malicious payloads that many attacks commonly drop on target hosts.  Siemens has partnered with McAfee and will be using the Application Control which was the result of McAfee's acquisition of Solidcore in 2009.

Grade:  B    The product directions announced are good, but we need more details to fully assess them.

New Suite of Security Services

Siemens also understands that products alone will not provide sufficient risk reduction of cyber attacks.  This will require additional focus on those aspects of security that depend on employees, users, etc. and the business processes they use to perform their job.  To meet this gap, Siemens rolled out a new suite of security services for their customers.

One of the services that I was most interested in was their Security Quick Assessment (SQA).  This is an informal, interview-based security asset that is performed jointly between end-users and Siemens-trained field personnel to review the current security posture of a business.  It will be used to identify potential opportunities to improve the overall posture of an organization’s control system security.

Grade:    The concept and intent of this program is good.

Cyber Security Recognized as an Issue Requiring Attention by Operators

At the concluding 90 minute round table discussion on cyber security, most of the end users present agreed that prior to the Summit, they did not completely understand cyber security.  By the end of the conference they unanimously agreed that there is risk to their facilities and that something needs to be done.  This was a major accomplishment!

Our Conclusions and Final Grade

In our opinion, the conference showed how Siemens has taken many of the lessons learned during the past 12 months and converted them into a roadmap that will help their users secure their environment in the future.

A lot of criticism has been raised on social networks both prior to and following the conference claiming that Siemens was simply presenting marketing fluff and simply “winning the battle of status quo1”.

We do not agree with that position.  What Siemens is planning to do is in the right direction, and shows their commitment to their users and the businesses they support.  Short of a complete, global replacement of all legacy equipment (which we all know is impossible), security has to be addressed one step at a time.  We are pleased that  the steps Siemens are taking appear to be in the right direction.

We will revisit this topic a year from now and see if Siemens has delivered their cyber security promises by then!

Final Overall Grade:  C+    (B for effort and intent, D for lack of details and lack of demonstrated changes in policies or products, F for communication)

1Dale Peterson, “Siemens Security Tap Dance or Reality?

This article is a collaboration between Eric Byres and Joel Langill.

http://www.tofinosecurity.com/sites/default/files/JLangill.pnghttp://www.tofinosecurity.com/sites/default/files/SCADAhacker_composite_white.png

Joel Langill
CSO, SCADAhacker.com
joel@scadahacker.com      

Practical SCADA Security thanks Joel for his contribution.

Related Content to Download

NOTE: you need to be a member of tofinosecurity.com and logged in to have access to the paper. Register here to become a member.

This is the presentation that Eric and Joel gave at the Siemens Automation Summit.

PDFHow Stuxnet Spreads - A Look at Infection Paths in Best Practice Systems(7.6 MB)

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

2

Eric and Joel,

Thanks for taking the time to provide a nice summary and assessment of Siemens cyber security direction following the Siemens Automation Summit. I was also there and generally agree with your assessment of the event and the progress Siemens has made in the last year.

I'll take a moment to document some of my own thoughts in a separate blog.

Thanks,
John

Hello all,

I am about to have a little battle with Siemens on the TMG tool.

My take on this is that TMG is a Microsoft Product that does have a CC EAL 4. This means that one can place a little more trust in the device.

This raises the question as to whether or not a tool running a security device on MS Server 2008 or any version is still succeptable to the vulnerabilites of that OS. Does the forefront line protect a MS server from itself? Essentially TMG is used to protect systems that can have the same vulnerabilities as itself. What is your take on this?

The other issue is on patches. Our Automation Systems do not get patched OR patching the systems is not trusted by end users so they do not get done. Does the TMG device need a solid patch management process or can it survive and protect the underlying systems without having a extensive patch management process?

Thanks,

Michael

Add new comment