Sematicon

Corinna Weiss | Meinrad Happacher

No chance for attacks

Reports of cyberattacks on industrial companies are increasing. But how should a protective shield against such attacks be designed for industry? A security system built on established IT security standards and the Zero Trust model is one answer.

The software architecture follows the zero-trust architecture recommended by the German Federal Office for Information Security (BSI) to provide maintenance-free protection for particularly sensitive industrial networks and therefore also complies with IT-SiG 2.0 regulations.

© Shutterstock

What should a modern cyber security system look like? With its "se.MIS" system, for example, Sematicon aims to integrate industrial systems in line with modern IT security standards and the Zero Trust model, and thereby protect them from cyber attacks, without modifying those systems with additional software or updates. The overall solution is based on a digital maintenance log that documents all systems, changes and accesses, thus creating a complete audit trail. The requirements of IEC 62443 are also taken into account.

IT-SiG 2.0: regulations fulfilled

The software architecture follows the zero-trust architecture recommended by the German Federal Office for Information Security (BSI) in order to provide maintenance-free protection for particularly sensitive industrial networks and therefore also complies with IT-SiG 2.0 regulations. The IT Security Act introduced in 2015 affected companies in the so-called critical infrastructure (KRITIS). This has now been extended to include the area of municipal waste disposal.

New in version 2.0 are special obligations for "companies in the special public interest". These are companies which, in the opinion of the legislator, are of considerable economic importance to the Federal Republic of Germany, or which, as suppliers, are of significant importance to such companies because of their unique selling points (Section 2 (14) sentence 1 no. 2 of the new BSI Act). Defense manufacturers are now also included. The legislator is thus significantly expanding the scope of application. Even companies that do not belong to any of the sectors listed in Section 2 (10) of the BSI Act should therefore now carefully check whether new obligations arise for them from the IT Security Act 2.0. The expanded law requires operators of critical infrastructures to register directly with the BSI. From 1 May 2023, they must also use systems to detect attacks.

Isolation of technician and system

The concept of isolation between technician and system in the aforementioned security system ensures that the technician never has direct network access to the system. This means that insecure or unpatched systems such as Windows XP or Windows 7 can be connected without any problems. With the appropriate configuration, a virus scanner on the target system can also be omitted. All file transfers are documented in the maintenance log and can be checked for viruses and malicious code by established scanning solutions before they reach the target system. Software-based data diodes are also possible: for example, data can be exchanged between the target machine and the maintenance log while upload or download to the technician's PC is completely blocked. Sensitive data is thus prevented from leaving the company, and malware does not reach the company in the first place.


Managing security well


The core of the security system is the se.MIS Manager, in which all user interaction takes place. The overall system is operated in the internal network and is ideally the only system with (indirect) access to the isolated machine network. The manager can be installed in the cloud or entirely on a local system outside the isolated machine network. The complete solution is delivered pre-installed and pre-configured as a container. Internal, reliable data management is also predefined in the standard configuration. The entire system is operated and configured via a lean, user-friendly web interface. If an update is due, only the container is replaced; the data and configuration remain unaffected. This makes it easy to keep the system up to date and to adapt it to changing requirements and threats. Read-only access is also possible. The optional access gateway allows external users to reach the system from the Internet without the internal network's firewall having to be opened.

Operation in the cloud

The author: Corinna Weiss is responsible for marketing and press at CyProtect.

© Sematicon

If the system is not operated locally but in a cloud environment such as Microsoft Azure, it integrates itself into the customer's tenant. The industrial-grade security solution is then available worldwide within a Kubernetes cluster. Thanks to the architecture, native cloud services such as databases and file storage can be used, and Azure AD can serve as the authentication provider. The consistent use of web standards also means that the full range of the cybersecurity solution is available in the cloud.

The optional connector also enables secure access from the IT network to the machine network via an indirect connection, or connects the cloud to the machine. This process guarantees complete control with complete isolation and is therefore far superior to a classic VPN connection in terms of security. The connector is available as both a hardware and a software solution. It can be integrated in virtual environments and, as a Docker container, in existing solutions, switches, firewalls and edge gateways from third-party companies. This hardware independence and the absence of VPN technology mean that the solution can be used worldwide. Thanks to central administration, this component is itself maintenance-free. The strength of the connector is particularly evident in environments that are already segmented and connected via VPN technology. The platform can continue to use most existing firewalls and VPN technology, which makes hardware changes to the machine unnecessary and significantly simplifies migration. This allows individual adaptation to the existing interfaces and connection options of the machine environment.

The question of configuration

The easy-to-configure security platform can be integrated into the systems of third-party manufacturers, can control firewalls and can grant temporary maintenance access, which favors consistent micro-segmentation. The maintenance log can also be integrated into existing IoT solutions to enable protected "just-in-time" access to the system around the clock in the event of a fault, while automatically documenting the technician's intervention. Once the system has been cleared of detectable faults, technician access can be automatically withdrawn again. Through integration into ERP systems, the maintenance log allows automatic billing of the intervention. Intrusion detection systems or network analysis systems can be set to maintenance mode before access in order to avoid false alarms.

Secure PLC access

Isolation is consistently maintained when accessing PLCs. The "PLC-Guard" options can be used to regulate access to controllers such as the Simatic S7. The software download to the PLC can be disassembled and compared with the maintenance project, so that even previously unknown PLC malware has no chance of reaching the controller. Of course, classic IP connections are also available for proprietary systems or custom applications. These, too, can be fully documented as PCAPs, which enables subsequent analysis with the open source tool Wireshark, for example.
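The comparison of a PLC download against the approved maintenance project, described above, amounts to an integrity allowlist: every program block in the pending download must match a block of the approved project, and anything modified or not present in the project blocks the transfer and is recorded in the maintenance log. The following is an added illustration of that check, not Sematicon's or PLC-Guard's code. It assumes the download has already been split into a mapping of block names to block bytes (the disassembly step is out of scope here); the block names and contents are constructed placeholders, not real Simatic S7 blocks.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data: the approved maintenance project (what the
# technician is supposed to load) and a pending download captured at the gate.
APPROVED_PROJECT: Dict[str, bytes] = {
    "OB1":  b"\x70\x70\x01\x10CALL FB10;\x00",
    "FB10": b"\x70\x70\x02\x20L 1; T DB1.DBW0;\x00",
    "DB1":  b"\x70\x70\x0a\x00\x00\x00\x00\x00",
}

PENDING_DOWNLOAD: Dict[str, bytes] = {
    "OB1":  b"\x70\x70\x01\x10CALL FB10;\x00",          # unchanged
    "FB10": b"\x70\x70\x02\x20L 2; T DB1.DBW0;\x00",    # a constant was changed
    "DB1":  b"\x70\x70\x0a\x00\x00\x00\x00\x00",        # unchanged
    "FC99": b"\x70\x70\x03\x30JU $+0;\x00",              # block not in the project
}


def fingerprint_blocks(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Map block name -> SHA-256 hex digest, so a baseline can be stored and compared."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


@dataclass
class Verdict:
    allowed: bool
    unchanged: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)


def compare_download(baseline: Dict[str, bytes], download: Dict[str, bytes]) -> Verdict:
    """Classify each block of a pending download against the approved project.

    The transfer is allowed only if no block is modified or unknown. Blocks that
    exist in the project but are absent from the download are reported but do
    not block the transfer, since downloading a subset of unchanged blocks is a
    legitimate maintenance action.
    """
    base = fingerprint_blocks(baseline)
    pend = fingerprint_blocks(download)
    verdict = Verdict(allowed=True)
    for name, digest in pend.items():
        if name not in base:
            verdict.unknown.append(name)
        elif base[name] != digest:
            verdict.modified.append(name)
        else:
            verdict.unchanged.append(name)
    verdict.missing = sorted(set(base) - set(pend))
    verdict.allowed = not verdict.modified and not verdict.unknown
    return verdict


def log_entry(technician: str, target: str, verdict: Verdict) -> str:
    """Maintenance-log record of the decision as one JSON line (field names are ours)."""
    return json.dumps({
        "event": "plc_download",
        "technician": technician,
        "target": target,
        "decision": "allowed" if verdict.allowed else "blocked",
        "modified": verdict.modified,
        "unknown": verdict.unknown,
        "missing": verdict.missing,
    }, sort_keys=True)


if __name__ == "__main__":
    result = compare_download(APPROVED_PROJECT, PENDING_DOWNLOAD)
    print(log_entry("technician.example", "plc-01", result))
```

With the constructed data the download is blocked: FB10 differs from the project and FC99 is not part of it at all, and the log line names both so the reviewer can see exactly what was rejected. Comparing digests rather than raw bytes keeps the baseline small and lets the approved project's fingerprints be stored in the maintenance log alongside the download record.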

The optional KVM extenders enable access to systems that have no network access or that deliberately exclude it (critical infrastructure). With the analog KVM extender, keyboard, mouse and screen signals from a control PC can be transferred digitally to the manager. With these extensions, all kinds of devices with VGA, DVI, USB or PS/2 connections, for example old machines running MS-DOS, Windows CE, Windows 3.11 or another system, can be controlled remotely.
