VDMA

Germany 2019

Best of Germany 2014 - Mining Equipment and Mining Technology

Issue link: https://vdma.epubxp.com/i/1099192


VDMA MINING SUPPLEMENT • 2019

Solutions for Security by Design

Securing automation and IT systems against cyberattacks and manipulation should be a top priority

In today's connected world, data protection is more important than ever before. Yet, many mine operators lack the required expertise to identify risks and threats. The good news is that suitable solutions are now available that can be easily adapted to the individual project requirements to provide optimum security.

What happened with the WannaCry ransomware, as drastic as the effects were, was but a warning shot to plant operators and systems integrators. The worldwide cyberattack is estimated to have affected more than 10,000 organizations and approximately 200,000 computers across as many as 150 countries. Especially troubling to IT and security experts is that the crypto worm used a known exploit that could have been closed with patches. However, many organizations had not applied them or were running legacy systems that could no longer be patched.

WannaCry is just one example of a growing number of cyberattacks — and while malware that specifically targets industrial control systems is still rare, automation and control systems are already more networked with general IT systems than many plant operators realize. Having good, regular and secure backups, using appropriate software, implementing good cybersecurity including isolating critical systems, and always having the latest security patches installed should be a given.

In its whitepaper on cybersecurity, the ARC Advisory Group lists several barriers to improving cybersecurity in industrial environments. They include increasingly open industrial automation, insufficient awareness among end-user management, increased use of commercial off-the-shelf IT solutions, inadequately trained staff, and misconceptions concerning the cybersecurity lifecycle. ARC believes organizations are reluctant to act on potential threats and to adopt security planning and implementation because the task appears too daunting. Furthermore, in the customized control environment of an industrial site, it is difficult to predict how a newly introduced patch will impact the functioning of the control system, especially if the patch is not tested rigorously.

Industrial security as specified in recent guidelines, such as IEC 62443, should therefore be treated as a lifecycle concern consisting of five phases: product or system development, specification, integration and commissioning, operations and maintenance, and decommissioning. The phases require clear accountability and coordinated communication between different roles and stakeholders such as system integrators, product suppliers and asset owners.

A defense-in-depth security approach covering a heterogeneous and broad range of security topics — including network security, user authentication, secure configuration and the hardening of the operating system, logging, encryption, and secure channels — is required. Technical solutions and tools are available, but project teams often lack the time and expertise to choose a suitable solution for each security topic. Hence, a common pitfall is to focus on some topics in detail while overlooking others.

In November 2018, Siemens became the first company to gain TÜV certification for the secure system integration of process automation and drives systems in compliance with the international standards. Based on this, Siemens has developed several blueprints for automation and control systems engineering to facilitate security engineering and eliminate potential weak spots. These blueprints provide guidance in the form of references to specific resources and make sure that the engineering project produces all security documents. For example, the Siemens minerals solutions for conventional mill drives and gearless mill drives have been developed according to these blueprints. In the end, designs that fulfill IEC 62443 simplify information exchanges between stakeholders and deliver a complete set of documents for acceptance tests and the security solution certification.

The development of the secure framework and the secure project blueprints was driven by Siemens' own experience. Key areas of importance include helping the asset owner identify critical assets and specify suitable protection goals; supporting the security lifecycle process through an efficient threat and risk analysis; implementing efficient and effective testing; and compiling and providing the required documentation.

Particularly in large projects where security affects different disciplines — such as network, software applications and firmware — the framework establishes a common language for engineers to work together on security. On an organizational level, the framework also facilitates the communication between units that develop components and those that work as system integrators and on service.

The security framework combines the expertise of Siemens security engineers and incorporates it into a reproducible process that yields reproducible results — thus mitigating project risks. As the blueprints are based on a comprehensive Simatic PCS 7 security standard, the secure solution can be easily designed to cover all required assets and security levels. Plant operators benefit by having a security solution engineered for their specific requirements that is ready for certification according to IEC 62443. During plant operation, the security documents support system maintenance.

As cyberthreats become more frequent and more creative, industry players are developing and deploying more sophisticated cybersecurity systems and procedures to meet ever-changing requirements. Supported by their own specialist organizations, a global network of experts for automation and cybersecurity monitors current and developing threats, analyses solutions for weaknesses, and develops suitable measures, thus making sure that their control and automation solutions are and continue to be secure by design.

[Figure: The industrial security concept Defense-in-Depth for industry from Siemens.]
