
THIS SUBMISSION IS DECLARED TO BE STRICTLY IN ACCORDANCE WITH THE REQUIREMENTS OF THE CONTRACT
SIGNATURE:

QATAR POWER TRANSMISSION SYSTEM EXPANSION PHASE - 11 SUBSTATIONS
PACKAGES - S2, S3 & S7
CONTRACT No. GTC/488C/2012
CONSULTANT: ENERGOPROJEKT-ENTEL - QATAR Branch office
Tel : (974) 447 8571, 447 7321
Fax : (974) 447 8572

SUBSTATION NAME: COMMON
PROJECT DRAWING NUMBER: PH11-8C-10-40-P101
REV. / STAT. / DATE: 04-06-14
MODIFICATION: Issued for Comments
DRAWN: RAVI   CHECKED: ZKN   APPROVED: RLG

CONTRACTOR NAME: SIEMENS CONSORTIUM (SIEMENS AG - SIEMENS WLL)
SUBCONTRACTOR NAME:
MANUFACTURERS DRAWING NO.: (4)G719EA-EG9006-U1020
DRAWING/DOCUMENT TITLE: SCS CYBER SECURITY

          DATE      NAME   SIGNATURE
DRAWN     04-06-14  RAVI
CHECKED   04-06-14  ZKN
APPROVED  04-06-14  RLG

SIZE: A4
REV
Sheet 1 of 11

IC SG EA SYS
Energy Automation - System Security
Table of Contents

Introduction...................................................................................................... 3

Secure Network Design................................................................................... 4

System Hardening ........................................................................................... 6

Role Based Access Control (RBAC) .............................................................. 8

Malware / Antivirus Protection ..................................................................... 10

Backup and Restore ...................................................................................... 11

Page 2
2014 by SIEMENS AG Sector IC
This document shall not be transmitted or reproduced, nor shall its contents be exploited or disclosed to third persons without prior written consent.


Introduction

Cyber security is vital: customers' systems must be operated in a secure and reliable way.
Today, the secure operation of systems that are part of critical infrastructures is of
particular importance.
Ensuring such secure operation relies on the implementation of security functions in
products, and these products need to be shipped with a secure default configuration. This,
however, is only the first step. Security needs to be planned and implemented for the full
system, since secure operation is only guaranteed when secure products are combined as part
of an overall secure system design.
It is also required that the operator follows its processes to ensure that the system remains
in a secure condition during the operational phase.


Secure Network Design

The general approach for developing the network security design for a project follows the
common defense-in-depth approach, where the security of the system is ensured by a
succession of lines of defense rather than by relying on a single component.
The lines of defense, or security controls, considered in the SCS architecture are the
following:
- Firewalls
- Hardening
- Access control
- Anti-virus protection
- Whitelisting
- Backup
Two different firewall types are considered:
Host firewalls: A host firewall enforces the traffic policy not only at IP address and
port level but also at process level, by allowing only specific applications to
communicate. Host firewalls can therefore prevent unwanted software from taking
advantage of open communication ports to communicate with the outside.
Settings for the local firewall configuration (e.g. for SICAM PAS) are documented in
the respective product security manuals.
Dedicated firewalls: Dedicated firewalls are capable of routing IP traffic between
several subnets. They need to be configured to properly implement the project's
network segmentation.
The concrete configuration of both host and dedicated firewalls is defined per project. It
depends on the actually deployed products and the communication protocols used, as well as
on the location-specific IP addressing plan.
We further define a secure zone within the substation, which corresponds to the network
linking the IEDs and the control system. This zone has no direct IP communication to the
outside; instead there is always an isolation at application level and a filtering firewall
between the secure zone and the outside network.
The resulting network architecture is shown in Figure 1.

Figure 1: Typical SCS Architecture (Refer SCS Configuration Document for Reference)
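The process-level host firewall described above, and the gateway PC firewall for the control-centre connection over IEC 60870-5-104 mentioned in the hardening section, can be expressed as a small Windows Firewall baseline. The following PowerShell is an added example and is not part of the Siemens document or a SICAM product manual; the gateway executable path, the control-centre addresses and the secure-zone subnet are placeholders to be taken from the project's IP addressing plan.

```powershell
# Added example (not from the Siemens document): host firewall baseline for a
# gateway PC. Run in an elevated PowerShell on Windows 8/Server 2012 or later.
# All values below are placeholders (assumption); take the real ones from the project.
$GatewayExe    = 'C:\Program Files\SCS\gateway.exe'    # hypothetical gateway process path
$ControlCentre = @('192.0.2.10', '192.0.2.11')          # placeholder addresses (TEST-NET-1)
$SecureZone    = '10.10.0.0/24'                         # placeholder secure-zone subnet
$Iec104Port    = 2404                                   # IANA-registered port for IEC 60870-5-104

# 1. Firewall on for every profile, default-deny in both directions, log blocked traffic.
#    Note: with outbound blocked by default, every legitimate flow (e.g. anti-virus
#    updates from the HWS PC) needs its own explicit allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# 2. Inbound IEC 104: only from the control centre, and only into the gateway process.
#    The -Program filter is the "process level" enforcement the document refers to.
New-NetFirewallRule -DisplayName 'SCS IEC104 from control centre' -Direction Inbound `
    -Program $GatewayExe -Protocol TCP -LocalPort $Iec104Port `
    -RemoteAddress $ControlCentre -Action Allow -Profile Any

# 3. Outbound from the gateway process into the secure zone (IED / PAS network) only.
New-NetFirewallRule -DisplayName 'SCS gateway to secure zone' -Direction Outbound `
    -Program $GatewayExe -RemoteAddress $SecureZone -Action Allow -Profile Any

# 4. Review: any other enabled allow rule is a deviation from the baseline and should be
#    justified or removed.
Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike 'SCS *' } |
    Select-Object DisplayName, Direction, Profile
```

Because any process other than the gateway executable is denied on port 2404, a piece of unwanted software that binds that port cannot reach the control centre even though the port is "open" at network level, which is the property the document attributes to host firewalls.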


System Hardening

Hardening refers to limiting the attack surface by creating a secure configuration of the whole
system, including self-developed software, third-party software (including the operating
system), and network devices.
By avoiding insecure default configurations (e.g. weakly protected password transmission in
Windows file sharing, default passwords) the risk of malware or targeted attacks is reduced.
Running only the services really needed by the solution also limits the likelihood that
malware or attacks break into the system.
Hardening ensures that all parts of a solution are configured in a secure way. As
illustrated by Figure 2, this covers all levels of a system and includes various topics, such as:
disabling or removing unnecessary user accounts; modifying existing accounts; removing
unnecessary services and programs; changing file system and operating system
permissions; and secure hardware configuration.

Figure 2: Hardening activities are required on different layers to stop attackers.

The following list gives an overview of the hardening measures regarding PC hardware, the
Windows operating system and the PAS application:
PC hardware:
- Mechanical protection of interfaces against unauthorized use
- Disable all wireless connections
- No cordless keyboards
- No biometric authentication devices
- Set a BIOS access password
- Strong administrator password for PCs
- Set a boot password (exception: e.g. if a server is supposed to boot automatically)
- Disable Wake-On-LAN
- Disable USB storage
- Disable Dynamic Update
- Disable AutoRun and System Restore
- Use of Windows Firewall
- Disable unused ports in RuggedCom switches
- Disable registry access
- Disable hardware virtualization

MS Windows:
- Security settings during Windows installation (initial administrator password)
- Windows account security settings (Windows user accounts)
- Windows network security (securing shared folders)
- Windows baseline security settings
- Disable CD/DVD and floppy drives and USB ports for external drives
- Disable all unnecessary services, remove unnecessary software
- Windows application security (activate firewall, etc.)

Gateways local firewall:
The Windows firewall will be activated on the gateway PCs for the control centre connection
over the IEC 60870-5-104 protocol.

HWS/CMS:
A hardware firewall (WatchGuard XTM 3 series and XTM 5 series) will be used to
protect the traffic flows corresponding to remote access, PMR and CMS.

Additional security embedded in the hardware firewall:
- An Intrusion Detection System (IDS) feature is available in the firewall and can be
activated. Enabling, setting up and tuning the IDS is not part of the supply in this
project.
- An Intrusion Prevention System (IPS) feature is available in the firewall and can be
activated. It is however not recommended to activate this feature on critical networks,
where a false positive could affect the process.
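A hardening list is only useful if its state can be checked after commissioning and again during operation, when a setting may have drifted. The following PowerShell audit is an added example, not part of the Siemens document or of any SICAM hardening guide; it covers a subset of the PC-hardware and MS Windows measures above (USB storage, AutoRun, System Restore, Windows Firewall, unnecessary services, existing accounts) and only reads settings, it changes nothing. The registry locations are the standard Windows ones; the list of services regarded as unnecessary is an assumption to be replaced by the project's own.

```powershell
# Added example (not from the Siemens document): read-only audit of selected hardening
# measures on a Windows PC. Requires PowerShell 5.1 or later, run as administrator.
# Each check yields an object with Measure / Expected / Actual / Pass.

function Test-RegistryValue {
    param([string]$Measure, [string]$Path, [string]$Name, $Expected)
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }   # $null = value not set at all
    [pscustomobject]@{ Measure = $Measure; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected) }
}

function Get-HardeningReport {
    $results = @()

    # "Disable USB storage": USBSTOR driver start type 4 means disabled.
    $results += Test-RegistryValue -Measure 'USB storage disabled' `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Expected 4

    # "Disable AutoRun": NoDriveTypeAutoRun = 0xFF switches AutoRun off for every drive type.
    $results += Test-RegistryValue -Measure 'AutoRun disabled' `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name 'NoDriveTypeAutoRun' -Expected 255

    # "Disable System Restore": policy value DisableSR = 1.
    $results += Test-RegistryValue -Measure 'System Restore disabled' `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -Name 'DisableSR' -Expected 1

    # "Use of Windows Firewall": every profile must be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        $on = "$($p.Enabled)" -eq 'True'
        $results += [pscustomobject]@{ Measure = "Windows Firewall enabled ($($p.Name))"; Expected = $true; Actual = $on; Pass = $on }
    }

    # "Disable all unnecessary services": example set (assumption), replace with the project list.
    foreach ($name in @('RemoteRegistry', 'SSDPSRV', 'upnphost')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # service not present on this Windows edition
        $state = "$($svc.StartType)"
        $results += [pscustomobject]@{ Measure = "Service $name disabled"; Expected = 'Disabled'; Actual = $state; Pass = ($state -eq 'Disabled') }
    }

    # "Modifying existing accounts": the built-in Guest account must be disabled.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest) {
        $off = -not $guest.Enabled
        $results += [pscustomobject]@{ Measure = 'Guest account disabled'; Expected = $true; Actual = $off; Pass = $off }
    }
    return $results
}

$report = Get-HardeningReport
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
"$($failed.Count) of $($report.Count) checks failed"
```

Measures that live in the BIOS (boot password, Wake-On-LAN, hardware virtualization) or on the RuggedCom switches cannot be audited from the operating system this way and need a separate checklist.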


Role Based Access Control (RBAC)

The systems developed by Siemens Energy Automation, especially in the area of substation
automation, fulfil by definition critical tasks and therefore need to be protected appropriately.
Adequate access control to the system and its resources is a vital element for ensuring that
only authorized actions are carried out on the system, and only by authorized personnel.
Role Based Access Control (RBAC) is part of a general authentication, authorization and
accounting infrastructure for access control to data and operations.
In general, RBAC follows the security principle of least privilege: no user should be given
more rights than necessary for performing their job.
Therefore a clear definition of users, roles and rights is necessary. The principal model of
the assignment of users, roles and rights is shown in Figure 3.

Figure 3: Simplified model of the RBAC concerning the assignment of users, roles and rights

There are two mappings between these components that have to be configured by the
administrator:
- Subject to role assignment
- Role to right assignment
This section describes typical uses of the system, the user groups involved, and the required
privileges of these user groups. Figure 4 shows the simplified access control matrix.
Siemens will define roles and accounts based on its experience of customer needs. These
will be communicated to Kahramaa for possible amendments until the design freeze.


Component                  | Administrator                       | Engineer                                               | Operator
---------------------------+-------------------------------------+--------------------------------------------------------+--------------------------------------------------------------
HMI (SICAM SCC)            | Windows admin                       | Windows user                                           | Windows auto-logon account; operator account for SICAM SCC application
SICAM PAS                  | Windows admin; SICAM PAS admin      | Windows auto-logon account; SICAM PAS system engineer  |
SIPROTEC                   | indirectly via DIGSI (Service PC)   | indirectly via DIGSI (Service PC)                      |
RuggedCom Switch RSG2100   | Accounts: admin, guest, operator    |                                                        |
Remote Service             |                                     |                                                        |

Figure 4: Simplified access control matrix
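The subject-to-role and role-to-right mappings in Figure 4 are only as good as the local account configuration on each PC. The following PowerShell is an added example, not part of the Siemens document, that checks on an HMI PC whether the machine enforces the matrix: only the Administrator role holds Windows admin rights, the Engineer and Operator role accounts do not, and the Windows auto-logon account is the operator and not an administrator. The account names are placeholders (assumption); the auto-logon settings are read from the standard Winlogon registry key.

```powershell
# Added example (not from the Siemens document): compare the RBAC matrix for the HMI
# component against local group membership and the auto-logon configuration.
# Requires PowerShell 5.1 or later, run as administrator. Account names are placeholders.
$Expected = @{
    Administrator = @('scs_admin')      # right: Windows admin          (placeholder)
    Engineer      = @('scs_engineer')   # right: Windows user           (placeholder)
    Operator      = @('scs_operator')   # right: Windows auto-logon     (placeholder)
}

function Get-LocalMembers([string]$Group) {
    # Members are reported as COMPUTER\name; keep the bare account name.
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

function Test-RoleAssignment {
    $findings = @()
    $admins   = @(Get-LocalMembers 'Administrators')

    # Role-to-right: the Windows admin right belongs to the Administrator role only.
    foreach ($member in $admins) {
        if ($member -notin $Expected.Administrator) {
            $findings += "Unexpected member of Administrators: $member"
        }
    }
    foreach ($account in $Expected.Administrator) {
        if ($account -notin $admins) { $findings += "Administrator role account $account is not in Administrators" }
    }

    # Least privilege: Engineer and Operator role accounts must not be administrators.
    foreach ($account in ($Expected.Engineer + $Expected.Operator)) {
        if ($account -in $admins) { $findings += "Role account $account holds Windows admin rights" }
    }

    # Subject-to-role: the auto-logon account must be the Operator, never an admin.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ("$($wl.AutoAdminLogon)" -eq '1') {
        if ($wl.DefaultUserName -notin $Expected.Operator) {
            $findings += "Auto-logon user '$($wl.DefaultUserName)' is not the operator account"
        }
        if ($wl.DefaultUserName -in $admins) {
            $findings += "Auto-logon user '$($wl.DefaultUserName)' is an administrator"
        }
    }
    return $findings
}

$findings = @(Test-RoleAssignment)
if ($findings.Count -eq 0) { 'Local accounts match the access control matrix' } else { $findings }
```

The same shape of check applies to the SICAM PAS PC with its own expected accounts; the application-level roles (SICAM PAS admin, SICAM PAS system engineer, the SCC operator account) are configured inside the respective product and are not visible to this script.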


Malware / Antivirus Protection

Malware protection is mandatory for the use of PC-based systems. There are two general
mechanisms to realize malware protection.
Anti-virus software:
Anti-virus software compares the content of the PC's file system with patterns of known
malicious software. In case of a positive match the anti-virus software alerts the user. This
mechanism is also called blacklisting.
The Trend Micro Office anti-virus client will be installed on all PCs, in a client-server topology
where the update server is located on the HWS PC.
Signature updates shall be performed by copying the signature update file onto the
HWS PC only.
Application whitelisting:
Application whitelisting is a protection mechanism that allows only trusted programs and
applications to run on a system. After installation of the system software and applications,
an additional whitelisting solution will be installed. After installation is complete, a
whitelist of programs, applications and services will be generated by the whitelisting solution.
All applications, programs and services on the list will be signed or secured by a checksum. This
ensures that only approved software will be executed: downloaded software or viruses that
might infect the system after activation of the whitelisting protection will be
prevented from executing.
The advantage of application whitelisting is that it is not necessary to install regular pattern
updates for newly developed malware.
The application whitelisting to be deployed is based on Microsoft AppLocker.
Note about the concurrent use of anti-virus software with application whitelisting:
In principle, the anti-virus software could be removed entirely, relying instead
on whitelisting alone. Such an approach would make sense in particular if, for operational
reasons, the anti-virus signature updates cannot be applied regularly on the system.
In the current architecture both anti-virus and whitelisting software are proposed for the
following reasons:
- Such an approach is new for substation automation, and Siemens believes that a pilot
test together with the end customer would be necessary in order to define, together
with Kahramaa, the specific requirements and the required effort on both sides.
- Using both still provides an additional line of defense in general, e.g. in case
of a vulnerability in the whitelisting software itself.
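The whitelisting procedure described above (generate the list after installation is complete, with each entry secured by a signature or a checksum) maps directly onto AppLocker's publisher and hash rules. The following PowerShell is an added example, not part of the Siemens document or of a Siemens deployment script; it builds a policy from the installed software, deploys it in audit-only mode so that nothing is blocked while the list is validated, tests a file against it, and reads the audit events. The directories and the output path are placeholders (assumption).

```powershell
# Added example (not from the Siemens document): build and stage an AppLocker whitelist.
# Requires an AppLocker-capable Windows edition and an elevated PowerShell.
$AppDirs   = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')   # placeholders
$PolicyXml = 'C:\SCS\applocker-whitelist.xml'                                 # placeholder

# 0. AppLocker only enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory of executables, installers and scripts present once installation is complete.
$files = foreach ($dir in $AppDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Publisher rules where a file is signed, hash (checksum) rules otherwise; -Optimize
#    merges rules that share a publisher so the policy stays reviewable.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding utf8

# 3. Stage in audit mode: would-be blocks are logged, nothing is stopped yet.
$xml = [xml](Get-Content -Path $PolicyXml)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($PolicyXml)
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 4. Dry-run a file that was not part of the installation (placeholder path).
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path 'C:\Users\operator\Downloads\unknown.exe' -User Everyone

# 5. Review audit events: ID 8003 = allowed now, would be blocked once enforced.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Only after the audit log has been quiet through a full operational cycle (including maintenance tasks such as DIGSI use and backup runs) should the EnforcementMode be switched to Enabled; otherwise a legitimate tool would be blocked on the day it is needed, which is the same operational risk the document cites for IPS.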


Backup and Restore

Backup and restore is the process of copying data preemptively for the specific purpose of
restoring that same data after an event that results in the loss of either the hardware storing
that data or the data itself. This process, also known as data backup and
restore, can be used to restore entire volumes of electronic files and media, or to
restore discrete smaller numbers of files, for a variety of purposes, including:
- Accidental deletion or corruption of data
- Hardware failure
- Facilities damage due to natural disasters, fire or flooding

Backup and restore are key for disaster recovery; in particular, in the event of a cyber intrusion
they can significantly reduce the down-time of the system by allowing a safe configuration
to be restored on a compromised system in a timely manner.
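Restoring onto a compromised system only helps if the backup itself is known to be intact, so a backup of the SCS configuration should carry an integrity record that is checked before anything is copied back. The following PowerShell is an added example and not part of the Siemens document: it copies a configuration directory to a backup medium, writes a SHA-256 manifest beside it, and refuses to restore if any file is missing or differs from the manifest. The source and backup paths are placeholders (assumption).

```powershell
# Added example (not from the Siemens document): file-level backup with an integrity
# manifest, and a restore that verifies the manifest first. Paths are placeholders.
$Source    = 'C:\SCS\Config'      # placeholder: e.g. SICAM PAS / SCC project data
$BackupDir = 'E:\Backups\SCS'     # placeholder: removable or offline backup medium

function New-ScsBackup {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupDir $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $target -Recurse -Force

    # Manifest: relative path and SHA-256 of every copied file, stored next to the copy.
    $manifest = Join-Path $BackupDir "$stamp.manifest.csv"
    Get-ChildItem -Path $target -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($target.Length + 1)
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $manifest -NoTypeInformation

    # Record the manifest's own hash out of band (e.g. in the commissioning log), so that
    # a manifest tampered with alongside the backup can still be detected.
    [pscustomobject]@{
        Backup       = $target
        Manifest     = $manifest
        ManifestHash = (Get-FileHash -Path $manifest -Algorithm SHA256).Hash
    }
}

function Test-ScsBackup([string]$BackupPath, [string]$ManifestPath) {
    # Returns a list of problems; an empty list means the backup matches its manifest.
    $problems = @()
    foreach ($row in Import-Csv -Path $ManifestPath) {
        $file = Join-Path $BackupPath $row.Path
        if (-not (Test-Path -Path $file)) { $problems += "missing: $($row.Path)"; continue }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($hash -ne $row.Hash) { $problems += "modified: $($row.Path)" }
    }
    return $problems
}

function Restore-ScsBackup([string]$BackupPath, [string]$ManifestPath) {
    $problems = @(Test-ScsBackup -BackupPath $BackupPath -ManifestPath $ManifestPath)
    if ($problems.Count -gt 0) {
        $detail = $problems -join '; '
        throw "Refusing to restore, backup failed integrity check: $detail"
    }
    Copy-Item -Path (Join-Path $BackupPath '*') -Destination $Source -Recurse -Force
    "Restored $BackupPath to $Source"
}

# Usage: take a backup, then later verify and restore it.
$b = New-ScsBackup
$b
Test-ScsBackup -BackupPath $b.Backup -ManifestPath $b.Manifest
# Restore-ScsBackup -BackupPath $b.Backup -ManifestPath $b.Manifest
```

The manifest check covers the configuration files only; a full-volume image of the PCs (operating system, hardened settings, whitelist policy) should be kept in the same way so that a compromised machine can be returned to the commissioned state rather than merely having its project data replaced.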
