Post-Stuxnet: Siemens Improves ICS-SCADA Security

Thursday, June 07, 2012



Two years after the emergence of the Stuxnet virus, network systems provider Siemens has made concerted moves to improve the security posture of its SCADA-ICS product lines.

Industrial Control Systems (ICS), which include supervisory control and data acquisition (SCADA) networks, administer operations for critical infrastructure and production including manufacturing facilities, refineries, hydroelectric and nuclear power plants.

Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA-ICS systems. It is thought to have caused severe damage to Iranian uranium enrichment facilities, which reportedly set back the nation's nuclear program several years.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community. We have also developed consultative services to support our customers throughout the life cycle of their products or projects," said Siemens' Raj Batra.

One of the main challenges in protecting these critical networks is the fact that the earlier systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

Of note are Siemens' new Simatic CP and Scalance products, designed with security in mind from the earliest stages. While Siemens' new approach to design and implementation will have a measurable impact on improving overall security, the company acknowledges that there will always be risks.

"The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats. Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels," Batra said.

Key to Siemens' improvements in the latest product lines is the addition of an integrated firewall and virtual private network (VPN).

"The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," a Siemens product announcement states.

Even with the additional security enhancements, some experts are still critical of the slow pace of implementation across all Siemens' product lines that have already been deployed.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Digital Bond's Dale Peterson.

Still, other authorities on SCADA-ICS security see Siemens as moving in the right direction. They recognize that the entire industry is experiencing a sea change and that improvements in security will take time.

"All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products. [Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along," said WurldTech's Neil O'Donnell.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
