
14.12.2017

ICS AG - 13.12.2017 ROS Industrial Day – © Hipp/Zappe


Challenges in Safety and Security for Industrial Automation Systems
Industrial Security (IEC 62443)

ROS Industrial Conference 2017, 12.-14.12.2017 – Stuttgart

Martin Zappe, Business Unit Manager, Industrial Engineering
Udo Hipp, Head of Functional Safety and Agile Engineering, BC Industrial Safety & Security

ICS AG, Sonnenbergstr. 13, D-70184 Stuttgart, www.ics-ag.de
Stuttgart // 13.12.2017

Abstract

¬ In April 2016 the BSI (Federal Office for Information Security) released a study about the security status of the OPC UA protocol. The analyses performed showed that OPC UA offers a good security level. In this context it is important to understand that the OPC UA specification can only specify IT security measures which secure the related communication. Threats which attack e.g. the operating system have to be countered separately. Hence the engineer needs a bouquet of balanced measures for securing his system/application. These facts lead us to the "Challenges in Safety and Security for Industrial Automation Systems": in this session we will describe an all-embracing engineering approach which also incorporates the system view by applying IEC 62443.


Agenda

ICS AG – Profile
OPC UA
  Basics
  Level of Security
  Security Measures
About IEC 62443
  Basic Principles
  Foundational Requirements
  Risk Assessment
Recap


ICS AG – Profile

¬ Facts
  formation 1966 – more than 50 years
  privately owned – no investors
  registered capital 2.65 Mio EUR

¬ Profile
  We are an international Systems and Software Engineering Company
  ICS AG's responsiveness to customer needs and its innovative competence centers ensure your success
  Our employees are a key asset. Most have been with us for many years
  We are distinguished by a reputation for premium engineering and support quality focused on: safety critical, mission critical, business critical applications

Review – ROS & OPC UA Basics

Review - ROS Industrial Day 2016
  „A Status Update“, Mr. M. Keinert, isw.uni.stuttgart.de [MK]
  „Advanced robotics …“, Mr. B. Gerkey, ROS Foundation [BG]

ROS based on OPC UA for seamless integration [MK] (Source: M. Keinert, isw.uni.stuttgart.de)
  Platform and manufacturer independent communication

Making ROS relevant for Industry 4.0x [MK]
  OPC UA is a key technology in the context of Industry 4.0
  ROS 2.0 enables the integration of the OPC UA communication technology

„Classic“ ROS is not secure [BG]
  Front door is wide open (no authentication, no encryption …)
  ROS assumes a secure network

Process level security [BG]
  Security enhancements for ROS -> SROS http://wiki.ros.org/action/show/SROS

OPC UA – Level of Security

OPC UA Security Analysis Study
  Commissioned by the Federal Office for Information Security (BSI)
  published 02 / 03 / 2017
  Method: STRIDE
  (Source: bsi.bund.de)

Two analyses were performed
  In the first part of the project, the OPC UA specification (protocol version 1.02) was analyzed for systematic errors. This analysis was divided into the following steps:
    Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
    Analysis of the OPC UA specification in detail with an emphasis on parts 2, 4, 6, 7 and 12

Analysis Conclusion and Result
  If confidential data is exchanged, „securityMode SignAndEncrypt“ is mandatory
  OPC UA offers a high level of security IF „securityMode Sign“ and „securityMode SignAndEncrypt“ are used

OPC UA – Security Measures

OPC Foundation Security Working Group
  Assessed the findings in the BSI report and initiated necessary measures
  No major flaws had been detected
  Measures defined will help to improve the OPC UA specification and the implementations

OPC UA Security Architecture – „Castle Approach“
  Defense in Depth
  (Figure; source: outfit4events.de)

IEC 62443 and OPC UA - „Castle Approach“ (Defense-in-Depth)

(Figure; source: opcfoundation.org)

OPC UA – Security Architecture

(Figure; sources: opcfoundation.org, outfit4events.de)

OPC UA – Security Architecture

(Figure: the Castle Approach set beside OPC UA and IEC 62443, each with an Organization Level, a Process Level and an Implementation Level)

Industrial Security – Standards and Guidelines

Fulfillment of standing orders: [IT-Security Act]

Applicable Standards
  [IEC 62443]: Industrielle Kommunikationsnetze – IT-Sicherheit für Netze und Systeme (Industrial communication networks – IT security for networks and systems)
  [ISO 27001]: IT-Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Anforderungen (IT security techniques – Information security management systems – Requirements)

Guidelines
  [NIST SP 800-30 R1]: Guide for Conducting Risk Assessments – Information Security
  [VDE VDI 2182]: IT-security for industrial automation - example of use of the general model for device manufacturer in factory automation
  [BSI IT-Grundschutz] Catalogue: Leitfaden zur Umsetzung der ISO 27000-Reihe (guide to implementing the ISO 27000 series)

Industrial Security – Documented Evidence of Conformity

ISO 27000ff
  Installation, implementation, operation and continuous optimization of an ISMS

IEC 62443
  IT security for Industrial Automation and Control Systems
  Part 2-1: requirements for an IACS SMS (ISO 27001/2 profile)

VDI/VDE 2182
  "IT-security for industrial automation - example of use of the general model for device manufacturer in factory automation"
  Inspection according to VDI 1000 - content is transferred into IEC 62443

Overview - IEC 62443

(Figure: the IEC 62443 series, groups General and Policies & Procedures; source: ISA99 Committee, retrieved 20.01.2016)

Overview - IEC 62443

Informative
  General: superordinate aspects, terminology, metrics
  Policies & Procedures: Req. SMS, requirements, ISO 27001/2 service provider profile
(Source: ISA99 Committee, retrieved 20.01.2016)

Overview - IEC 62443

(Figure: the System and Component groups of the series)

Overview - IEC 62443

Requirements
  System: Asset Owner / System Integrator – zones/conduits, segmentation, risk analysis / risk level
  Component: Component Supplier – IT security as a mandated asset of development processes

Coherence – IEC 62443

Asset Owner (Processes)
  runs the Industrial Automation / Control System (IEC 62443-2-1, IEC 62443-2-3, IEC 62443-1-3)
  Operation and Maintenance (IEC 62443-2-4)

System Integrator
  integrates the System (IEC 62443-3-1, IEC 62443-3-2, IEC 62443-3-3) + Risk Analysis (IEC 62443-2-4): Subsystem 1, Subsystem 2, additional HW and SW

Product Supplier
  implements the Product (IEC 62443-4-1): System, Sub-System or Component (IEC 62443-4-2), e.g. Application, Embedded System, Network Component, Platform Component, OPC UA

OPC UA – Security Architecture

(Figure: the OPC UA security architecture placed against Data Flow, Authentication, Use Control, Timely Response and Availability; sources: opcfoundation.org, outfit4events.de)

IEC 62443 - Basic Principles

People
Process
Technology
(Source: ISA-62443-1-1)

Vector of Security Levels - IEC 62443

Usage of a Vector of Security Levels
  inherits SEVEN Foundational Requirements (FR) instead of a single protection factor
  a Vector of Security Levels allows definable separations between Security Levels for the different FRs using language

Foundational Requirements (Technology)
  Identification, Authentication and Access Control (IAC)
  Use Control (UC)
  System Integrity (SI)
  Data Confidentiality (DC)
  Restricted Data Flow (RDF)
  Time Response To Events (TRE)
  Resource Availability (RA)

Cybersecurity risk assessment based on 62443-2

Process (flowchart):
  Start
  System definition
  High level (organisational) risk assessment
  Partition of the system into zones and conduits
  Detailed cyber security risk assessment for zones and conduits:
    Identify threats
    Identify vulnerabilities
    Identify consequences and impact
    Determine unmitigated likelihood
    Calculate unmitigated cybersecurity risk
    Determine Security Level target
    Derivation of security requirements
    Identify and evaluate existing countermeasures
    Reevaluate likelihood and impact
    Determine residual risk
    Compare residual risk with tolerable risk
    Apply additional cyber security countermeasures
  Document and communicate results
  End

¬ Challenges:
  Identify threats and vulnerabilities
  Identify the needed security requirements
  Manual effort for security risk analysis on component level

Threats and Vulnerabilities database sources

Common Attack Pattern Enumeration and Classification (CAPEC):
  ¬ The CAPEC database documents attack patterns using a unique id and describes the weakness (CWE-ID), likelihood and consequences in terms of Confidentiality, Integrity, Availability (16.08.2017: 206 entries)

Common Vulnerabilities and Exposures (CVE):
  ¬ The CVE database documents vulnerabilities of products and software using a unique id (16.08.2017: 89118 entries)

Common Weakness Enumeration (CWE):
  ¬ The CWE database documents weaknesses of products and software using a unique id, countermeasures and attack patterns enabled by this weakness (16.08.2017: 705 entries)

CAPEC: Threats and Vulnerabilities database sources
Common Attack Pattern Enumeration and Classification - https://capec.mitre.org/
(Screenshot)

CVE: Threats and Vulnerabilities database sources
Common Vulnerabilities and Exposures - https://cve.mitre.org/
(Screenshot; source: https://opcfoundation-onlineapplications.org/faq/#t=SecurityBulletins.htm)

CWE: Threats and Vulnerabilities database sources
Common Weakness Enumeration - https://cwe.mitre.org/
(Screenshot)

Using Threats and Vulnerabilities database sources

(Flowchart as on the risk assessment slide: Start, System definition, High level (organisational) risk assessment, Partition of the system into zones and conduits, Detailed cyber security risk assessment for zones and conduits, Document and communicate results, End)

The challenge is the definition of a threat model that can be used in cyber security risk assessment to overcome:
  - Cyclic and timely update of databases
  - Large amount of entries
  - Linkage between CAPEC, CWE and CVE ids using a multiple relationship

Using Threats and Vulnerabilities database sources

(Flowchart as on the risk assessment slide)

Proposed solution (figure):
  Attack patterns, filtered by the criteria of ISO/IEC TR 20004, are linked to Weaknesses/Vulnerabilities and Threats
  Consequences and Likelihood are derived from them
  Together these form the Threat model

Identify security requirements in the scope of 62443

Most databases (CAPEC, CWE, CVE) and the common understanding of security challenges work with the three basic values Confidentiality, Integrity, Availability.

The security requirements of 62443 are grouped in seven Foundational Requirements.

Proposed solution: mapping of CIA to Foundational Requirements

Foundational Requirements: IAC (Identification and Authentication Control), UC (Use Control), SI (System Integrity), DC (Data Confidentiality), RDF (Restricted Data Flow), TRE (Timely Response to Events), RA (Resource Availability)

(Mapping table: Confidentiality is marked against five of the seven FR columns, Integrity against five, Availability against two; the column positions of the marks are not legible in this extract)
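As an added example (not code from the deck or from ICS AG), a small Python model of the two ideas above: the seven-FR security level vector and a lookup from a threat's CIA consequences to the FRs it touches. The vector notation, all function names and the cells of CIA_TO_FR are assumptions, since the slide's table cells are not legible here; only its row counts (five, five, two marks) are followed.

```python
# Seven Foundational Requirements (FR) of IEC 62443, in the order the deck lists them.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")
SL_MIN, SL_MAX = 0, 4  # SL 0 (no specific requirements) .. SL 4

# Constructed sample of the slide's CIA -> FR mapping (assumption: the table's cell
# positions are not legible in this extract, so the columns below are illustrative;
# only the row counts, five / five / two marks, follow the slide).
CIA_TO_FR = {
    "C": ("IAC", "UC", "SI", "DC", "RDF"),
    "I": ("IAC", "UC", "SI", "RDF", "TRE"),
    "A": ("TRE", "RA"),
}


def parse_sl_vector(text):
    """Parse 'SL-T = {2 2 1 1 3 1 2}' into {FR: level}; values are read in FR order."""
    inner = text[text.index("{") + 1:text.index("}")]
    values = [int(v) for v in inner.split()]
    if len(values) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(values)}")
    if any(v < SL_MIN or v > SL_MAX for v in values):
        raise ValueError("security levels must be within 0..4")
    return dict(zip(FRS, values))


def sl_gaps(target, capability):
    """FRs where a component's capability (SL-C) is below the zone target (SL-T).
    Returns {FR: (target, capability)}; an empty dict means the target is met."""
    return {fr: (target[fr], capability[fr]) for fr in FRS if capability[fr] < target[fr]}


def frs_for_threat(cia_impact):
    """FRs a threat touches, given the CIA values its consequences affect
    (as a CAPEC entry states them), e.g. ("C", "I")."""
    hit = set()
    for value in cia_impact:
        hit.update(CIA_TO_FR[value])
    return tuple(fr for fr in FRS if fr in hit)


def required_level_for_threat(cia_impact, zone_target):
    """Highest SL-T among the FRs a threat touches: the level the security
    requirements countering that threat in this zone have to satisfy."""
    return max(zone_target[fr] for fr in frs_for_threat(cia_impact))
```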

Identify security requirements in the scope of 62443

Common databases: no relationship between security requirements and the required Security Level.

In 62443-3-3 security requirements are allocated to the Security Level (determined in the security risk analysis).

Security Level definitions, with Identification and Authentication (IAC) examples from the system requirements of 62443-3-3 (SR 1.1 – SR 1.3):

SL 0: No specific requirements or security protection necessary
  SR 1.1: none; SR 1.2: none; SR 1.3: none
SL 1: Protection against casual or coincidental violation
  SR 1.1 Identification and authentication of human users; SR 1.2: none; SR 1.3 User account management
SL 2: Protection against intentional violation using simple means with low resources, generic skills and moderate motivation
  additionally: SR 1.1 RE 1 (from SL 2) Unique identification and authentication; SR 1.2 (from SL 2) Identification and authentication of software processes and devices; SR 1.3: -
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
  additionally: SR 1.1 RE 2 (from SL 3) Multifactor identification via non-trusted networks; SR 1.2 RE 1 (from SL 3) Unique identification and authentication; SR 1.3 RE 1 (from SL 3) Uniform user account management
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
  additionally: SR 1.1 RE 3 (from SL 4) Multifactor identification across all networks; SR 1.2: -; SR 1.3: -

Manual effort for security risk analysis on component level

(Flowchart as on the risk assessment slide)

¬ System definition, high level risk assessment and the partition of the system into zones and conduits are manual tasks at system and security expert level
¬ The detailed cyber security risk assessment on every component is a time-consuming, error-prone task

Proposed solution:
¬ Use a formalized description of the system definition
¬ Use a tool-generated threat model (CAPEC, CWE, CVE)
¬ Use a tool-generated assignment of threats to components based on the formalized system definition
¬ Use consequences and impact based on CIA of the threat model
¬ Define a basic relationship between threat and security requirements of the 62443
¬ Calculate automatically the intermediate residual risk values
¬ Focus the individual security expertise on identification of vulnerabilities and the definition of additional cyber security countermeasures
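As an added example (not the authors' tool), the "calculate automatically the intermediate residual risk values" step of the proposed solution in Python, run over the flowchart's sequence: unmitigated risk, re-evaluation after existing countermeasures, residual risk and the comparison with the tolerable risk. The 1..5 scales, the risk formula, the tolerable-risk threshold, the class and function names and all sample threats and measures are constructed assumptions.

```python
from dataclasses import dataclass
# Assumption (not from the deck): likelihood and impact are rated 1..5,
# risk = likelihood * impact, and a residual risk above TOLERABLE_RISK needs action.
TOLERABLE_RISK = 4

@dataclass
class Threat:
    threat_id: str    # placeholder ids, not real CAPEC/CWE/CVE entries
    component: str    # component from the formalized system definition
    likelihood: int   # unmitigated likelihood, 1..5
    impact: int       # impact from the threat model's consequences, 1..5

@dataclass
class Countermeasure:
    component: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

def unmitigated_risk(t):
    return t.likelihood * t.impact

def residual_risk(t, measures):
    """Re-evaluate likelihood and impact after the existing countermeasures
    on the threat's component; neither value drops below 1."""
    likelihood, impact = t.likelihood, t.impact
    for m in measures:
        if m.component == t.component:
            likelihood = max(1, likelihood - m.likelihood_reduction)
            impact = max(1, impact - m.impact_reduction)
    return likelihood * impact

def assess(threats, measures, tolerable=TOLERABLE_RISK):
    """One record per threat, ending with the flowchart's 'compare residual
    risk with tolerable risk' decision."""
    report = {}
    for t in threats:
        residual = residual_risk(t, measures)
        report[t.threat_id] = {
            "component": t.component,
            "unmitigated": unmitigated_risk(t),
            "residual": residual,
            "needs_countermeasure": residual > tolerable,
        }
    return report

# Constructed sample input: three threats on two components, two existing measures.
THREATS = [
    Threat("T-001", "opcua-server", likelihood=4, impact=4),
    Threat("T-002", "opcua-server", likelihood=3, impact=2),
    Threat("T-003", "hmi", likelihood=5, impact=3),
]
MEASURES = [
    Countermeasure("opcua-server", likelihood_reduction=3),  # e.g. SignAndEncrypt enforced
    Countermeasure("hmi", likelihood_reduction=1, impact_reduction=1),
]
```

Threats whose record has needs_countermeasure set are the ones the security expert's time is meant to go to: identifying vulnerabilities and defining additional countermeasures.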

Recap

Industrial Security matters!
Conscious mind set and process is essential!
ROS should support vulnerability databases!
Risk assessment reduces overall effort – IEC 62443!
(Source: outfit4events.de)

Thank you for your attention!

Martin Zappe
Business Unit Manager, Industrial Engineering
[email protected]
+49 172 7280 508
ICS AG, Sonnenbergstr. 13, D-70184 Stuttgart
www.ics-ag.de

Recap

Industrial Security is a matter for the management!
Establish a Security Officer – implement an ISMS!
Secure products mandate an ISMS
Standards are a good starting point – support of experts is helpful
Every branch/industry needs an individual interpretation/adaptation
ISO 27000ff and IEC 62443 are valuable standards!
(Source: outfit4events.de)
