Industrial Security
Certified system safety via IEC 62443
Plant operators must protect themselves against cyber attacks. However, this well-known fact is now taking on a new dynamic - against the backdrop of current security standards for the industry and initial legal regulations such as the IT Security Act.
The increasing digitalization of companies and the associated networking of practically all areas opens up economic potential that a highly developed and industrialized country like Germany cannot do without. At the same time, however, digitalization is creating new threats that need to be responded to quickly and consistently. The sharp rise in the risk of targeted and professional cyber attacks, known as advanced persistent threats (APTs), particularly in recent years, has now also prompted legislators to introduce appropriate regulations.
The Act to "Increase the Security of Information Technology Systems" - also known as the IT Security Act - which has been in force since July 2015, obliges operators of critical infrastructures (KRITIS) in Germany to take certain measures. For some of the critical infrastructures covered, the law stipulates, among other things, a reporting obligation for security-relevant incidents from November this year and minimum standards for IT security from May 2017. If reportable IT incidents occur at a KRITIS operator, the Federal Office for Information Security (BSI) may also oblige the manufacturers of the relevant IT products and systems to cooperate if necessary. This includes, for example, the prompt elimination of identified vulnerabilities.
The IT security standards should be based on the 'state of the art'. The security standards must then be reviewed every two years by means of audits. The legal term 'state of the art' is used because experience has shown that technical development is usually faster than legislation. Therefore, in some areas of law, it has proven useful for many years to refer to the state of the art in legislation instead of trying to lay down specific technical requirements in the law.
The 'state of the art' at a particular point in time can be determined on the basis of existing national or international standards and norms, such as DIN or IEC, or on the basis of examples that have been successfully tested in practice - so-called 'best practices' - for the respective area. As the necessary technical measures can also differ depending on the specific case, it is hardly possible to describe the state of the art generally and conclusively anyway.
In the industrial environment, IEC 62443 is the leading or most comprehensive international standard for security, which is sometimes also adapted or referenced in other areas such as railroad applications. It addresses operators, system integrators and manufacturers of automation systems alike and refers to processes, technologies and the role of people in various parts of the standard. Among other things, the standard makes it clear that it is essential to define and implement suitable measures based on a risk analysis in order to ensure adequate protection. It is just as important to maintain this level of protection in the long term, for example by regularly reviewing the effectiveness of the measures implemented.
A basis for certification
IEC 62443 also provides, for the first time, a basis for the certification of cybersecurity in industrial automation and control systems. TÜV Süd was one of the first providers to start carrying out tests and certifications in accordance with this standard. The certification of development and manufacturing processes at product manufacturers is based on Part 4-1 of IEC 62443; the security functions of the products themselves are evaluated in accordance with IEC 62443-3-3. The world's first certificate based on IEC 62443-4-1 was awarded to Siemens by TÜV Süd in August of this year, confirming compliance with the security requirements of the standard for the comprehensive development process of automation and drive technology products at seven development sites in Germany.
Everyone should be and remain aware of one thing: there has never been and will never be 100% security in the IT age. What matters is to find appropriate security measures, which ultimately means reducing the risk to an acceptable level. In other words, the effort required of a potential attacker should be raised to the point where it no longer stands in an economically viable relationship to the potential benefit. Based on defined security levels (SLs), IEC 62443 provides guidance on the required level of security in relation to the existing risks.
The key to the concept is the protection level, which results from the combination of security level and maturity level. The maturity level indicates how mature and reliable the security processes in a company are and is based on the IEC 62443-2-4 and ISO 27001 standards: the more mature the company's processes, the higher the maturity level. The security level in turn refers to the technical solutions used, in accordance with IEC 62443-3-3. The matrix used to define the protection level makes clear that a higher protection level requires both a higher security level (a better technical security solution) and a higher maturity level (better process maturity).
Effective defense against attacks requires the use and combination of several security measures.
© Siemens
In order to put all of this into practice, systems, products, solutions and services need to be adapted or improved by introducing security functions and features, as well as processes and guidelines. This means implementing a multi-layered defense or - to use security jargon - a "defense-in-depth strategy".
This means not only that several security measures are implemented one after the other, but also that different technologies are used. For example, access to a network is controlled by firewalls, such as an industrial-grade security appliance from the Scalance S product family. Access from outside is prevented as far as possible; one way to achieve this is a DMZ (demilitarized zone) in which data from the protected network is made available, so that there is no direct access to the automation network from outside. Access authorizations should be assigned according to the 'Need2Connect' premise, meaning that only access that is absolutely necessary is permitted.
To increase protection even further, additional security-related network segmentation is recommended, especially for larger networks: individual automation cells are each protected by a firewall or by special components such as the security communication processors for Simatic S7 controllers. If a hacker succeeds in gaining access to the network, they have to overcome another hurdle to get into an automation cell.
The next hurdle is the automation components themselves. Control systems, HMI devices and SCADA systems today often have integrated security functions such as password protection and can thus further reduce the risk of unauthorized access.
These measures reduce the risks of unauthorized access and data loss - but only if all security functions are implemented correctly, the devices are configured correctly and there are no undetected vulnerabilities, so that even so-called side-channel attacks remain unsuccessful.
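The layered access model described above (perimeter firewall, DMZ, cell-level segmentation, 'Need2Connect') can be expressed as a deny-by-default allow-list that is evaluated per zone boundary. The following is an added example, not code from the article or from Siemens; the zone names, subnets, rules and flows are constructed for illustration, and the port numbers 443 (HTTPS) and 102 (ISO-on-TCP, used by S7 communication) are only sample values for the allow-list.

```python
"""Added example (not from the article or Siemens): a deny-by-default zone
policy with a perimeter, a DMZ and segmented automation cells. Every zone,
address, rule and flow below is constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One explicitly permitted flow between two zones (Need2Connect)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Constructed zones: subnet -> security zone. The cells are deliberately
# separate subnets from the plant backbone so each has its own boundary.
ZONES = {
    "office": ip_network("10.0.0.0/24"),   # outside the automation network
    "dmz": ip_network("10.0.1.0/24"),      # data mirrored here for office access
    "plant": ip_network("10.1.0.0/24"),    # plant backbone (HMI/SCADA servers)
    "cell_a": ip_network("10.1.10.0/24"),  # automation cell A (controllers)
    "cell_b": ip_network("10.1.20.0/24"),  # automation cell B (controllers)
}

OUTSIDE_ZONES = {"office"}
AUTOMATION_ZONES = {"plant", "cell_a", "cell_b"}

# Constructed allow-list. Anything not listed here is denied.
RULES = [
    Rule("office", "dmz", 443),    # office reads plant data from the DMZ only
    Rule("plant", "dmz", 443),     # plant publishes its data into the DMZ
    Rule("plant", "cell_a", 102),  # engineering/HMI to cell A controllers
    Rule("plant", "cell_b", 102),  # engineering/HMI to cell B controllers
]


def zone_of(ip: str):
    """Return the zone name an address belongs to, or None if unassigned."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int,
               proto: str = "tcp", rules=RULES) -> bool:
    """Deny-by-default evaluation of a single flow across zone firewalls."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space is never trusted
    if src == dst:
        return True   # traffic inside one zone is not filtered by zone firewalls
    return any(r.src_zone == src and r.dst_zone == dst
               and r.dst_port == dst_port and r.proto == proto
               for r in rules)


def direct_external_rules(rules=RULES):
    """Audit check: rules that bypass the DMZ by permitting an outside zone
    to reach the automation network directly. Should be empty."""
    return [r for r in rules
            if r.src_zone in OUTSIDE_ZONES and r.dst_zone in AUTOMATION_ZONES]


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, port, what it represents)
    flows = [
        ("10.0.0.5", "10.0.1.10", 443, "office -> DMZ (permitted)"),
        ("10.0.0.5", "10.1.10.3", 102, "office -> cell A directly (denied)"),
        ("10.1.0.7", "10.1.10.3", 102, "plant HMI -> cell A controller (permitted)"),
        ("10.1.10.3", "10.1.20.3", 102, "cell A -> cell B (denied, cells isolated)"),
        ("192.168.1.1", "10.1.10.3", 102, "unknown source -> cell A (denied)"),
    ]
    for src, dst, port, label in flows:
        print(f"{'ALLOW' if is_allowed(src, dst, port) else 'DENY ':5} {label}")
    print("rules bypassing the DMZ:", direct_external_rules())
```

The `direct_external_rules` check is the kind of review that belongs in the regular effectiveness audit the standard calls for: if a later change adds an office-to-cell rule for convenience, the audit flags it even though every individual rule still looks like an allow-list entry.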
Security by design
To achieve this, appropriate measures must be taken during the development and manufacture of products in order to detect and eliminate any existing vulnerabilities at an early stage. As already mentioned, some security standards now also require this. Such a 'security by design' approach must be taken into account from the very beginning of product development.
A key prerequisite for reducing risks is the 'security by design' approach in the development and manufacture of products.
© Siemens
However, experience also shows that it is never possible to avoid all vulnerabilities, especially in products with software. It is therefore crucial that any vulnerabilities discovered during operation are quickly rectified and that affected users are informed promptly and in detail. For this to work smoothly, appropriate processes must be set up and responsibilities and contact persons must be clarified. In short, the avoidance of vulnerabilities during development and production and the rapid elimination of vulnerabilities during operation are important contributions to minimizing risk and continuously improving the security of industrial automation and communication systems. With this in mind, the measures and processes mentioned have been introduced and optimized at Siemens in recent years.
Author: Franz Köbinger is Marketing Manager Industrial Security at Siemens.