
Jürgen Mad

WinCC OA and Security


Agenda

A secure plant
  Defense in Depth
  Task-related permissions
  Central administration

Security measures supported by WinCC OA
  Interfaces
  Runtime

Selected examples
  Perimeter with Multiplexing Proxy
  Central Administration
  Access Restriction

Discussion? Do not hesitate to join!
Secure Plant

Security as a philosophy
  All parties have to support it
    Technical
    Personal (!)

Risk management
  Periodical review of countermeasures
    Organisational
    Technical

Best practice: Defense in Depth
Defence in Depth

"Security architecture with the assumption that every point of security can and most likely will be bypassed." (ISA-99)

Plant security
  Access control
    Physical
    Persons

Network security
  Clearly defined segments
  Access control

System integrity
  "Prevent misuse"
  Internally: use roles for operators
  Externally: use virus scanners
Defense in Depth with WinCC OA

Layer-based approach, each role in focus. Layers of protection, mapped against the types of access Maintenance Support, Data Exchange, Realtime Data and Controlling:

Physical protection

Protection of single access points
  Perimeter zones: certificate-based, authenticated; standardised application-layer filtering
  Encrypted communication
  (which of the two applies depends on the type of access)

Support for Administration
  Secure authentication and Single Sign-On

Support for Runtime Systems
  System hardening
  Operator rights
  Administration

Cell-based approach
  Split into functional groups
  Keep disturbance local

Security Measures Supported by WinCC OA

Overview of Security Options in WinCC OA

Single Access Point / Perimeter Zones
  Multiplexing Proxy
  OPC UA

Secure Authentication / Single Sign-On
  Username/Password
  Kerberos-based authentication

Secured Communication
  Encryption with Kerberos
  Message integrity with Kerberos
  Message replay / message integrity
  SSL-based communication
  Protection against manipulation
  WinCC OA as a service

System Hardening
  IP access list
  Encrypted panels / scripts
  Know-how / IP protection
  Security Plugin
  Dist-Management

Operator Rights Administration
  Permission bits
  Role-based approach
  Group, Area, Workstation
  Restricted permissions
  Each operation needs a dedicated check

"... and where is Physical Protection?"
WinCC OA Embedded in Factory/Facility Environment

WinCC OA is supportive
Protect its core
Provide mechanisms for integration

Example: Small Factory


Two Cells
Process Control (PCN)
Enterprise Control (ECN)
Interface for Data Exchange
Interface for Maintenance
Interface for Remote Control
Perimeter Zone
Perimeter Zone (DMZ) with WinCC OA

Perimeter Zone
  "Neutral" zone between critical infrastructure and untrusted area
  Provides limited access
  No direct feedback to critical infrastructure
  Clearly defined boundary

Multiplexing Proxy
  Provides TLS-encrypted communication
  Allows a single point of entry to the network (one TCP port)
  E.g. web-based access

Cache of Process Image
  E.g. OPC UA Server
Multiplexing Proxy

Client/server architecture
Single TCP port
  Proxy port (default): 5678
Slightly different configuration
  Automatic detection of configuration for small setups
  Enabled by default
Since WinCC OA ver. 3.12
TLS enabled for communication
  Needs certificates
  Built-in management

TLS Support

Built-in certificate management
  Independent of 3rd party
  Based on OpenSSL
  Recommended usage
TLS turned on by default
  One ETM certificate included
  Should be replaced by a customer-specific certificate
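The single-point-of-entry idea behind the multiplexing proxy, as an added example that is not ETM's proxy implementation: one listening port (5678, the default named above) in front of several internal managers. The `TARGET <name>` handshake line, the backend table and the internal addresses are assumptions made for this example. The security-relevant detail is that a client only names a logical target; the proxy resolves it against its own table, so the one port opened in the firewall cannot be turned into a relay to arbitrary internal hosts.

```python
"""Minimal multiplexing proxy: one listening port in front of several backends.

Added example, not the WinCC OA proxy. The "TARGET <name>\n" handshake, the
backend table and the internal addresses are assumptions; the listening port
5678 mirrors the default named on the slide.
"""
import asyncio
from typing import Dict, Optional, Tuple

PROXY_PORT = 5678  # default proxy port named on the slide

# Server-side table: logical manager name -> internal (host, port).
# Clients can only name entries of this table; they never supply a host/port.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "data": ("10.10.1.10", 4897),   # assumed internal Data Manager address
    "event": ("10.10.1.10", 4998),  # assumed internal Event Manager address
}

MAX_HELLO = 64  # cap the handshake so a client cannot stuff the proxy buffer


def parse_hello(line: bytes) -> Optional[str]:
    """Parse 'TARGET <name>\\n'. Returns the name, or None if malformed."""
    if len(line) > MAX_HELLO or not line.endswith(b"\n"):
        return None
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 2 or parts[0] != b"TARGET":
        return None
    name = parts[1].decode("ascii", errors="replace")
    if not name.isalnum():  # only a plain token, nothing that looks like a path or host
        return None
    return name


def resolve_target(name: Optional[str], table=BACKENDS) -> Optional[Tuple[str, int]]:
    """Only names present in the server-side table are routable."""
    if name is None:
        return None
    return table.get(name)


async def pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        hello = await reader.readline()
    except ValueError:  # handshake longer than the stream limit
        hello = b""
    target = resolve_target(parse_hello(hello))
    if target is None:
        writer.write(b"ERR unknown target\n")
        await writer.drain()
        writer.close()
        return
    try:
        breader, bwriter = await asyncio.open_connection(*target)
    except OSError:
        writer.write(b"ERR backend unavailable\n")
        await writer.drain()
        writer.close()
        return
    writer.write(b"OK\n")
    await writer.drain()
    # Relay both directions; when either side closes, the other is closed too.
    await asyncio.gather(pump(reader, bwriter), pump(breader, writer))


async def serve(host: str = "0.0.0.0", port: int = PROXY_PORT) -> None:
    server = await asyncio.start_server(handle_client, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it on the DMZ host and the firewall rule collapses to "untrusted zone to DMZ host, TCP 5678"; the internal manager ports never need to be reachable from outside. A client that sends `TARGET data` is relayed to the Data Manager entry, anything else (a different name, a host:port pair, an over-long line) is answered with `ERR` and dropped.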
Perimeter Zone Example: Ultralight Client

ULC connects through the firewall
TLS-enabled communication
Dedicated TCP ports
  Clearly defined needs for firewall configuration

WinCC OA Embedded in Factory/Facility Environment

Large-scale environment
  Many options open for defining boundaries
Perimeter Zone Example: OPC UA

Provides an option for data exchange
OPC UA Server
  Responsible for caching current data
  Connection with OPC UA clients possible
  TLS supported
System Hardening

"Hardening for SIMATIC WinCC OA means that the functions and programs which are not necessary for the operation of the computer within the system environment are disabled or restricted."

IP Access List
  ip_deny / ip_allow
  localAddress
Security Plugin
SNMP v3
Dist Management
  Unique credentials
  Centrally administrable
  Protocol usage restricted

Restricted Access

IP access lists
  Allow only dedicated stations
    Project management
    User interface connection
    System connectivity
  Additional to the external DMZ configuration
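The ip_allow / ip_deny / localAddress entries above, as an added example that is not WinCC OA's own parser or matching code: a small evaluator for such an access list plus an audit of the list itself. The INI-style `[general]` section, the quoted CIDR values, the constructed sample config and the precedence rule (a deny entry wins; when any allow entries exist the address must match one of them; with no entries at all every address is accepted) are assumptions of this example; the product's exact syntax and semantics are in the WinCC OA online help.

```python
"""Evaluate an IP allow/deny list of the ip_allow / ip_deny kind.

Added example, not WinCC OA's implementation. The [general] section syntax,
the quoted CIDR values and the precedence rule are assumptions made here.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed config fragment for this example (not a real project's file).
SAMPLE_CONFIG = """
[general]
localAddress = "10.10.1.5"
ip_allow = "10.10.1.0/24"
ip_allow = "10.10.2.20"
ip_deny  = "10.10.1.99"
"""


@dataclass
class AccessList:
    allow: List[Net] = field(default_factory=list)
    deny: List[Net] = field(default_factory=list)
    local_address: Optional[str] = None


ENTRY = re.compile(r'^\s*(ip_allow|ip_deny|localAddress)\s*=\s*"([^"]*)"\s*$')


def parse_config(text: str) -> AccessList:
    """Collect the access-list entries from the [general] section."""
    acl = AccessList()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "general":
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "localAddress":
            acl.local_address = str(ipaddress.ip_address(value))
        else:
            net = ipaddress.ip_network(value, strict=False)  # bare host -> /32
            (acl.allow if key == "ip_allow" else acl.deny).append(net)
    return acl


def is_permitted(addr: str, acl: AccessList) -> bool:
    """Assumed rule: deny wins; an allow list, if present, must match."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in acl.deny):
        return False
    if acl.allow:
        return any(ip in net for net in acl.allow)
    return True  # no allow list configured: open, which audit() reports


def audit(acl: AccessList) -> List[str]:
    """Findings a reviewer would raise about the list itself."""
    findings = []
    if not acl.allow:
        findings.append("no ip_allow entries: every address not explicitly denied is accepted")
    for net in acl.allow:
        if net.prefixlen == 0:
            findings.append(f"ip_allow {net} permits every address")
    if acl.local_address is None:
        findings.append("no localAddress: managers listen on all interfaces")
    return findings


if __name__ == "__main__":
    acl = parse_config(SAMPLE_CONFIG)
    for probe in ("10.10.1.20", "10.10.2.20", "10.10.1.99", "192.0.2.7"):
        print(probe, "permitted" if is_permitted(probe, acl) else "refused")
    print("audit:", audit(acl) or "no findings")
```

The point of `audit()` is the failure mode of this kind of hardening: an access list that is merely absent behaves like an explicit "allow everything", and a project that binds no `localAddress` exposes its managers on every interface, including the one facing the DMZ. Run the evaluator against the stations listed above (project management, user interface connections, system connectivity) before rolling the list out, and keep it in place in addition to the DMZ rules, not instead of them.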
Central Administration: Distributed Systems

Many options
  Kerberos-based
  Built in: Dist Management
  Manual (?)
  Combinations

Advantage
  Unique user information even in large systems
  No local management
  Less engineering effort
Access Restriction to Contents

Security Plugin
  Part of the API
  Freely programmable
  For all managers
  Works on message level
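"Each operation needs a dedicated check" and "works on message level", as an added example that is not taken from ETM's Security Plugin API: a message-level authorization hook that checks the operator's permission bits for the area of the affected datapoint, and the workstation the request comes from, at the point where the message is processed rather than in the panel that sent it. The bit numbering, the message kinds, the role table and the datapoint-to-area mapping are assumptions of this example.

```python
"""Message-level authorization check in the spirit of the Security Plugin.

Added example, not ETM's plugin API. Bit numbers, message kinds, role table
and datapoint-to-area mapping are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Permission bit numbers (assumed for this example, not WinCC OA's numbering)
BIT_VIEW = 1
BIT_OPERATE = 2
BIT_ACKNOWLEDGE = 3
BIT_ENGINEER = 4


def bits(*nums: int) -> int:
    """Pack 1-based permission bit numbers into an integer mask."""
    mask = 0
    for n in nums:
        mask |= 1 << (n - 1)
    return mask


@dataclass(frozen=True)
class User:
    name: str
    role: str
    workstations: FrozenSet[str]  # where this user may operate; empty = anywhere


# Role -> {area: permission mask}; "*" applies to every area (assumed table)
ROLE_PERMISSIONS: Dict[str, Dict[str, int]] = {
    "viewer": {"*": bits(BIT_VIEW)},
    "operator": {"*": bits(BIT_VIEW), "boiler": bits(BIT_VIEW, BIT_OPERATE, BIT_ACKNOWLEDGE)},
    "engineer": {"*": bits(BIT_VIEW, BIT_OPERATE, BIT_ACKNOWLEDGE, BIT_ENGINEER)},
}

# Which bit each message kind requires (assumed message kinds)
REQUIRED_BIT: Dict[str, int] = {
    "dpGet": BIT_VIEW,
    "dpSet": BIT_OPERATE,
    "alertAck": BIT_ACKNOWLEDGE,
    "dpCreate": BIT_ENGINEER,
}

# Datapoint -> area (assumed plant structure)
DP_AREA: Dict[str, str] = {
    "boiler.temp_setpoint": "boiler",
    "boiler.alarm": "boiler",
    "turbine.speed_setpoint": "turbine",
}


@dataclass(frozen=True)
class Message:
    kind: str
    datapoint: str
    user: User
    workstation: str


def permission_mask(user: User, area: str) -> int:
    """Effective bits for a user in an area: global bits plus area bits."""
    perms = ROLE_PERMISSIONS.get(user.role, {})
    return perms.get("*", 0) | perms.get(area, 0)


def has_bit(mask: int, bit: int) -> bool:
    return bool(mask & (1 << (bit - 1)))


def authorize(msg: Message) -> Optional[str]:
    """Return None if the message may proceed, else the reason it is refused.

    Called for every message, so a client that bypasses the UI and speaks to
    the manager directly is checked exactly like a panel.
    """
    required = REQUIRED_BIT.get(msg.kind)
    if required is None:
        return f"unknown message type {msg.kind!r}"
    area = DP_AREA.get(msg.datapoint)
    if area is None:
        return f"unknown datapoint {msg.datapoint!r}"
    if msg.user.workstations and msg.workstation not in msg.user.workstations:
        return f"{msg.user.name} may not operate from {msg.workstation}"
    if not has_bit(permission_mask(msg.user, area), required):
        return f"{msg.user.name} lacks bit {required} in area {area}"
    return None


if __name__ == "__main__":
    alice = User("alice", "operator", frozenset({"ws-control-1"}))
    for m in (
        Message("dpSet", "boiler.temp_setpoint", alice, "ws-control-1"),
        Message("dpSet", "turbine.speed_setpoint", alice, "ws-control-1"),
        Message("dpSet", "boiler.temp_setpoint", alice, "ws-dmz-web"),
    ):
        print(m.kind, m.datapoint, m.workstation, "->", authorize(m) or "allowed")
```

Deny-by-default falls out of the structure: an unknown message kind, an unknown datapoint, a workstation outside the user's set, or a missing bit each produce a refusal with a reason that can be logged, and the same check runs whether the request came from a panel, a script or a client in the DMZ.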
Security and WinCC OA

Long tradition
Changed from add-on to default
  Multiplexing Proxy
  TLS-based communication
  Port concentration
Mobile applications
  Opt-in mechanism (WinCC OA Operator)
  TLS support
Central administration
  Dist-Management
  Kerberos
Enjoy Secure Controlling!

Jürgen Mad
ETM professional control
joergen.mad@etm.at

https://portal.etm.at/

See you next year!


References

Security Concept SIMATIC WinCC Open Architecture
  https://portal.etm.at/ (Download Area, Safety and Security)

Operational Guidelines for Industrial Security
  http://www.industry.siemens.com/topics/global/en/industrial-security/Documents/operational_guidelines_industrial_security_en.pdf

WinCC OA Online Help
  Provided with your WinCC OA installation
