Siemens TIA Portal V17 and SIMATIC controller information security performance improvement

With the rapid development of the Internet of Things and the integration of OT and IT, the connection between OT and IT exposes OT to the same network threats as IT, and also brings more stringent information security requirements to the OT field.

A single security product cannot solve all problems. A comprehensive, multi-level information security protection system has become the core of information security work, especially industrial information security, and this is now a consensus. To comprehensively protect industrial facilities and achieve information security goals, an approach that covers all levels simultaneously is essential: from the operational level to the field device level, from access control to copyright protection. Reconfiguring or updating the components of an existing system can serve as an effective protection method. Protecting automation systems with comprehensive security functions such as secure communication and access protection is very important for realizing the “defense in depth” concept and implementing effective security for plants and machines.


As early as 2013, Siemens introduced information security requirements into the fully integrated security framework TIA Portal V12 to achieve the security goals of “integrity protection” and “data confidentiality” for communication between devices, customer programs and industrial control system network devices. After several version updates, the new generation TIA Portal V17 provides stronger security features to better meet the latest Chinese cybersecurity regulations and standards:

1. Enhanced communication security for SIMATIC PG/HMI

The next-generation advancement of SIMATIC is that TIA Portal V17 can implement end-to-end encrypted communication: communication between S7-1200/1500 controllers, between S7-1200/1500 controllers and TIA Portal engineering stations, and between S7-1200/1500 controllers and HMI systems is secured on the basis of TLS. TLS 1.3 (Transport Layer Security) strengthens the confidentiality and integrity protection of the entire communication path, and each PLC can be uniquely identified by its own certificate generated by TIA Portal. Sensitive PLC configuration data, such as individual certificates, can be protected against unauthorized access by setting a user-defined password for each PLC.

To reduce technical complexity, the configuration is completed by means of a setup wizard, which reduces the complexity of use and the risk of errors, improves transparency, and maximizes user convenience. The wizard explains the pros and cons of each option and setting, making it easier for the user to choose the correct configuration. If necessary, the user can also deactivate the wizard after confirmation.

2. User management and access control

To meet the requirement of consistent access protection, different function permissions can be configured for different user roles in both the engineering station and the runtime version. Unlike the previous mode, which only distinguished read-only from read/write, the latest function supports dividing user roles according to responsibilities. The same workstation can log in to the same project with different user roles, preventing unauthorized users from intruding into the protected system. In addition, if the engineer temporarily leaves the workstation, the project can be locked automatically after a user-configured time to prevent arbitrary changes to the project.

The optional User Management Component (UMC) allows the establishment of central user management. Customers can define and manage users and user groups across software and devices, and can also import users and user groups from Microsoft Active Directory.

TIA Portal V17 together with the latest firmware versions of the SIMATIC S7-1200 V4.5.0 and S7-1500 V2.9.2 controllers (S7-1200 CPU V4.5.0 / S7-1500 CPU V2.9.2) provides the above functions; Siemens strongly recommends that customers update to the latest version. In addition, the latest firmware releases for the S7-1200 and S7-1500 address the memory protection bypass vulnerability CVE-2020-15782 [1]: an unauthenticated attacker could exploit this vulnerability to write arbitrary data and code to protected memory areas, or to read sensitive data for further attacks. For specific protection against this vulnerability, refer to the countermeasures provided in Siemens Industrial Information Security Advisory SSA-434534 [3]:

1. Use a password to protect S7 communication;

2. Block client connections with the ENDIS_PW instruction of the S7-1200 or S7-1500 (remote client connections are blocked even if the client can provide the correct password);

3. Configure additional access protection using the display of the S7-1500 CPU (this prevents remote client connections even if the client can provide the correct password);

4. Adopt the “defense in depth” solutions described in the Siemens Industrial Information Security Guidelines [2], in particular:

Plant security: use physical protection to prevent access to critical components

Network security: ensure PLC systems are not connected to untrusted networks

System integrity: configure, maintain and protect equipment by employing appropriate compensating controls and built-in security features

5. Finally, update the system to TIA Portal V17 and implement TLS-based secure communication between PLC, HMI and PG/PC using each device's own certificate, raising the plant's information security protection level.
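As an added illustration of countermeasure 2 (example code, not from the article or from Siemens), an SCL function block for an S7-1200/1500 that calls the ENDIS_PW instruction so that password legitimation for full and read access is only enabled while a maintenance key switch is turned, while HMI access stays enabled. The ENDIS_PW parameter names are those of the S7-1200/1500 instruction reference; the block name, the `KeySwitch` input and the key-switch wiring are assumptions.

```scl
// Added example, not from the page or from Siemens: restrict password
// legitimation on an S7-1200/1500 with ENDIS_PW. While KeySwitch is FALSE,
// a remote client cannot open a full- or read-access connection even if it
// knows the correct password. KeySwitch is assumed to be wired to a
// physical key switch on the CPU cabinet.
FUNCTION_BLOCK "FB_AccessWindow"
VAR_INPUT
    KeySwitch : Bool;        // TRUE while the maintenance key is turned
END_VAR
VAR_OUTPUT
    FullOn : Bool;           // feedback: full-access password usable
    ReadOn : Bool;           // feedback: read-access password usable
    HmiOn  : Bool;           // feedback: HMI password usable
    Status : Word;           // 16#0000 = no error (see ENDIS_PW status table)
END_VAR
VAR
    Initialized   : Bool;    // assumed non-retentive: re-issues the call after a restart
    PrevKeySwitch : Bool;
    Trigger       : Bool;
    FOn           : Bool;
END_VAR

BEGIN
    // Issue the call once after start-up and on every change of the key
    // switch position instead of every cycle.
    #Trigger := NOT #Initialized OR (#KeySwitch <> #PrevKeySwitch);
    #PrevKeySwitch := #KeySwitch;
    #Initialized := TRUE;

    ENDIS_PW(REQ         := #Trigger,
             F_PWD       := FALSE,       // fail-safe password stays disabled
             FULL_PWD    := #KeySwitch,  // full access only during the window
             R_PWD       := #KeySwitch,  // read access only during the window
             HMI_PWD     := TRUE,        // HMI panels keep working
             F_PWD_ON    => #FOn,
             FULL_PWD_ON => #FullOn,
             R_PWD_ON    => #ReadOn,
             HMI_PWD_ON  => #HmiOn,
             Status      => #Status);
END_FUNCTION_BLOCK
```

Because the restriction is applied from the user program, it only takes effect once the CPU is in RUN and this block has executed; check the ENDIS_PW documentation for the behaviour after a restart and for the meaning of non-zero Status values.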

