SIBERprotect
A PLC-based realtime solution for cyber-physical monitoring and defense
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG (“Siemens”). They are non-
binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.
Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.
© Siemens AG 2023 All rights reserved
Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.
Security information
Siemens provides products and solutions with industrial security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
under https://www.siemens.com/cert.
SIBERprotect®
Article ID: 109810533, V1.0, 01/2023 2
Table of contents
Legal information ......................................................................................................... 2
1 Introduction ........................................................................................................ 5
1.1 Overview............................................................................................... 5
1.2 SIBERprotect® ...................................................................................... 6
1.3 Application examples for SIBERprotect ............................................... 7
1.4 Components used ................................................................................ 8
2 Principle of operation ...................................................................................... 12
2.1 Next generation firewalls (NGFW) ..................................................... 13
2.2 Intrusion detection systems (IDS) ...................................................... 14
2.3 Structure of the SIBERprotect S7-1500 ............................................. 15
2.4 Detection, processing and response to cyberthreats ......................... 18
2.5 Third-party software for industrial cybersecurity ................................ 19
2.5.1 Nozomi Networks company profile ..................................................... 19
2.5.2 Claroty company profile...................................................................... 20
2.5.3 Fortinet company profile ..................................................................... 21
2.5.4 Vendor comparison ............................................................................ 22
2.5.5 RUGGEDCOM platform ..................................................................... 23
3 Engineering ...................................................................................................... 24
3.1 SIBERprotect® actions ....................................................................... 24
3.2 Detecting a cyberthreat ...................................................................... 25
3.3 Cyberthreat analysis ........................................................................... 33
3.4 Responding to cyberthreats ............................................................... 39
3.4.1 Cell protection with SCALANCE S cell firewall .................................. 44
3.5 Firewall settings .................................................................................. 46
3.5.1 IP address .......................................................................................... 46
3.5.2 Firewall settings .................................................................................. 49
3.5.3 Email notification in case of threat ..................................................... 53
3.5.4 Indicator light column ......................................................................... 55
3.5.5 Alarm .................................................................................................. 56
4 Using the application ...................................................................................... 57
4.1 Commissioning the example project .................................................. 57
4.2 Operating the example project ........................................................... 57
5 Useful information ........................................................................................... 61
5.1 Syslog ................................................................................................. 61
5.1.1 Description ......................................................................................... 61
5.1.2 The transmission mechanism............................................................. 64
5.2 Security features of the S7-1500 PLC................................................ 65
5.3 NIST compliance ................................................................................ 65
6 Glossary ........................................................................................................... 66
7 Appendix .......................................................................................................... 67
7.1 Service and support ........................................................................... 67
1 Introduction
1.1 Overview
Cybersecurity is a critical issue. Cyberattacks can damage plants, injure personnel,
cause production downtimes and damage market reputation, leading to financial
losses.
Figure 1-1
More information regarding critical infrastructure can be found at the following link:
https://www.bsi.bund.de/EN/Themen/KRITIS-und-regulierte-Unternehmen/Kritische-Infrastrukturen/Allgemeine-Infos-zu-KRITIS/allgemeine-infos-zu-kritis_node.html
1.2 SIBERprotect®
SIBERprotect® is a cyberphysical protection system based on an S7-1500
controller. Cyberphysical refers to measures taken to protect devices. Physical
measures include, for example, sending a digital signal that causes a SCALANCE
S device to change its firewall rules, setting a digital input signal on a SIPROTEC
circuit breaker to block network control of the switch, locking down injection pumps
to prevent overdosing of chemicals, activating emergency cooling systems, or
similar measures. SIBERprotect® aims to prevent cyberattacks, impede their
spread, and shorten the response time before defensive actions are taken, all while
preventing damage to plants and ensuring uninterrupted production during and
after an attack. SIBERprotect® contains function blocks for receiving a cyberthreat,
processing it and responding to it. SIBERprotect® uses multiple solutions
simultaneously to detect threats, thus increasing the likelihood that an attack will be
detected. Responding to a threat by changing firewall rules, or by activating visual
and acoustic signals, also makes security threats visible to personnel quickly.
In the example below, the access to the OT network is restricted to a single access
point which enables isolation of the IT network and the production cell in critical
situations ("island mode").
Figure 1-2
Table 1-2
Component | Quantity | Item number | Note
Claroty CTD sensor with perpetual license | 1 | 6GK6015-0AL20-1AA0 | Perpetual license
Claroty CTD sensor with 1-year subscription | 1 | 6GK6015-0AL20-1AB0 | Subscription license, 1 year
Claroty CTD sensor with 3-year subscription | 1 | 6GK6015-0AL20-1AD0 | Subscription license, 3 years
Claroty CTD sensor with 5-year subscription | 1 | 6GK6015-0AL20-1AF0 | Subscription license, 5 years
Claroty CTD sensor with annual subscription license | 1 | 6GK6015-0SA00-0AA0 |
Table 1-3
Component | Quantity | Item number | Note
Fortinet cybersecurity solution FG | 1 | 6GK6000-1AM02-0AA3 | Hardware specification: APE1808LNX = Application Processing Engine, Atom x5-E3940, 8GB RAM, 64 GB eMMC, DisplayPort, uSD, USB, Linux. Software specification for the Fortinet firewall: FortiGate-FG-VM02V-FortiGate-VM, Virtual Appliance for all supported platforms, two vCPU cores and (up to) 4 GB RAM. Preconfigured for APE.
Fortinet VM02 FortiGuard IPS Service | 1 | 6GK6000-1BC47-0AC6 | FortiGuard Service, 3 years
Fortinet VM02 FortiGuard Industrial Security Service | 1 | 6GK6000-1BC47-0AC6 | FortiGuard Industrial Security, 3 years
Table 1-4
Component | Quantity | Item number | Note
Nozomi Cybersecurity Solution NG | 1 | 6GK6000-1AM01-0AA3 | Hardware specification: APE1808LNX = Application Processing Engine, Atom x5-E3940, 8GB RAM, 64 GB eMMC, DisplayPort, uSD, USB, Linux. Software specification: V100-SCAU-CE – Siemens V100 Virtual Appliance SGA-CE
Nozomi 8x5 Standard Support Guardian | 1 | 6GK6000-1BC47-0AB7 | Nozomi V100 3-year support 8x5
Nozomi OT Threat Feed - subscription | 1 | 6GK6000-1BC47-0AC3 | Nozomi OT Threat Feed, 3-year subscription
On-site configuration including travel expenses (2 days) | 1 | 6GK6000-1AB40-2CC1 | Update for network configuration in the RX1500 for linking to NGFW/IDS components and mirrored traffic; IDS baselining
2 Principle of operation
Organizations today must have multiple security measures at their disposal. With
its Defense in depth concept, Siemens offers multi-layered protection for plants.
The following examples demonstrate how you can improve your network security
with additional security mechanisms.
Examples include:
• Intrusion Detection Systems (IDS)
• Deep Packet Inspection (DPI)
• Intrusion Prevention Systems (IPS)
• Next generation firewalls (NGFW)
• …
Figure 2-1
Deep packet inspection inspects both the header and the content of data
packets. Viruses, spam and other undesired content can be blocked in this
manner. Through inspection at OSI layer 7 it is possible, for example, to
detect a Start, Stop, Read or Write in the S7 protocol. Next generation firewalls are
Figure 2-2: Why should you choose a next generation firewall (NGFW)? Multi-level security concept against cyberthreats; excellent price-to-performance ratio.
An intrusion detection system (IDS) can complement the firewall functionality and
thus increase security. An intrusion detection system is deployed in software form
and can run on different hardware. The system is distributed across various points
in the network. These sensors collect and analyze possible attacks on these points.
Collected attacks are collated in central analytics software and provided for
evaluation. If attack patterns are detected, an intrusion detection system will report
them. An intrusion detection system creates transparency about your automation
devices and their data traffic, increasing security thanks to continuous and
proactive detection of anomalies in the system.
Figure 2-3: Why should you choose an intrusion detection system (IDS)? Transparency over data traffic in industrial networks; early detection of anomalies and cyberthreats.
Figure 2-4 (labels): Threat detection devices: NGFW, IPS, IDS, DPI, Honeypot. Threat data: WannaCry, Stuxnet, Heartbleed, ... Classification: Emergency, Alarm, Warning. Physical measures.
The selection of suitable protection for a system (threat defense) depends on the
system itself. If the system in question is a circuit breaker in a power plant,
SIBERprotect® can transmit a digital signal to the switch to lock it, so that it can only
be unlocked locally. This prevents malware on the network from tripping the
switch or disabling it. A simple chemical injection pump can be locked down with a
relay that switches off the pump or prevents it from being switched on. System protection
can take many forms and must be defined as part of an on-site review.
Forensics logging
After a cyberattack, forensics are vital in ascertaining the cause of an attack. With
this in mind, SIBERprotect® recommends having incoming threat alerts sent to a
forensics server in parallel. SIBERprotect® also sends its security events to the
server via secure firewall traffic. When analyzing the event, threats and responses
can be seen in chronological order.
Note: Detailed information regarding support and consulting on security solutions can
be found at the following link:
https://new.siemens.com/global/en/products/services/digital-enterprise-services/industrial-security-services.html
Example of an OT architecture
Figure 2-5 shows an example architecture of a SIBERprotect® system in an OT
environment.
Figure 2-5 (components shown): Industrial datacenter; IT network with WinCC, SINEC NMS, SINEC INS, MES, TIA Portal, SIEM; Industrial Ethernet; HMI; SIBERprotect; Digital I/O.
In this architecture, the RUGGEDCOM RX1510 layer-3 switch mirrors all network
traffic to the two RUGGEDCOM Application Productivity Engines (APE cards) that
run a Fortigate Next Generation Firewall Engine from Fortinet and the IDS software
for the intrusion detection system from Nozomi. All network traffic is mirrored via
the backplane of the RX1510. Threats are sent via the internally isolated port of the
APE card that runs the Nozomi IDS software. In this example, threats are sent in
Common Event Format.
[Figure: IT network; next generation firewall (NGFW); intrusion detection system (IDS); S7-1500 SIBERprotect with the stages Detect, Processing and Measures; stateful packet inspection (SPI) firewall with output Q0.1 False/True; production network (cell) on PROFINET / IE.]
The IT network and the OT network are secured with a next generation firewall
(NGFW) and an intrusion detection system (IDS). When a threat is detected, the
S7-1500 SIBERprotect® is able to isolate the cells from the higher-level network
so that production is not degraded. Once the attack is over, communication to the
higher-level system can be restored.
Nozomi Networks is one of the leading companies in the fields of OT, ICS and
industrial IoT cybersecurity. Nozomi Networks supports monitoring, detection and
response to threats in industrial networks within trusted zones. Nozomi Networks
uses a span port to analyze data traffic. The full-service solution with Nozomi
Networks Guardian and Central Management Console supplies security personnel
with smart, context-based warnings. This enables rapid response in realtime when
threats appear, so as to keep the production environment in a secure and
operational state at all times. Nozomi Networks' solution encompasses an intrusion
detection system (IDS) with deep packet inspection (DPI). The products are
available either as an appliance (hardware-based), a VM, or a container (software-
based) solution.
You can find more information about anomaly-based intrusion detection at:
https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-ethernet/local-processing.html
Nozomi Networks supports the following IT, OT and IoT protocols. For a full list,
see the manufacturer site at:
https://www.nozominetworks.com/downloads/US/Nozomi-Networks-Protocol-Support-List.pdf?utm_source=guardian-ce-microsite&utm_medium=website&utm_campaign=gce
https://security.claroty.com/siemens-integration
Fortinet (NASDAQ: FTNT) protects the most valuable resources of some of the
largest companies, service providers and government agencies in the world.
Fortinet equips its customers with intelligent, seamless security mechanisms
against the rapidly intensifying cyberthreat environment and makes it possible to
address ever-increasing performance requirements. The solution from Fortinet and
Siemens combines the FortiGate next generation firewall (NGFW) from Fortinet
with the switches and routers of the Ruggedcom series. It makes it easy to deploy
cybersecurity at locations with challenging environments such as substations. The
solution is deployed in a single integrated device. The Ruggedcom hardware runs
a FortiGate VM. This integrated solution offers first-class protection for OT
networks. It includes complete firewall functions, malware blocking, application
controls and Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
inspection for encrypted data traffic flowing through the Ruggedcom hardware.
Thanks to the use of FortiGuard Labs and the FortiGate intrusion prevention
system (IPS) technology to detect unknown threats, this integrated platform offers
the capability to search data traffic for protocols and vulnerabilities.
Fortinet supports the following protocols. For a full list, see the manufacturer site at:
https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-operational-technology-design-guide.pdf
https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/industrial-control-systems
FortiGuard IPS protects against the latest intrusion threats for networks. Threats
are detected and blocked before they reach the network device.
https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/intrusion-prevention
Table 2-1 gives you an overview of the different technologies. For a
complete and up-to-date overview, please visit the vendor websites.
Table 2-1
Feature | Nozomi Networks | Claroty | Fortinet
Technology | Intrusion Detection System (IDS) with Deep Packet Inspection (DPI) | Intrusion Detection System (IDS) with Deep Packet Inspection (DPI) | Next generation firewall (NGFW)
IDS detection methods | Anomaly-based, capable of supporting signatures | Anomaly-based | Signature-based when equipped with IDS functions
DPI | Support for OT protocols | Support for OT protocols | Support for OT protocols
Firewall functions | not available | not available | Packet & application filtering, IPSec VPN, NAT and more
IPS | not available | not available | available
Siemens Platform | APE1808, SCALANCE LPE | APE1808, IPC | APE1808
The RUGGEDCOM RX1500 is a multi-service platform for layer 2 and layer 3 switches and
routers. With its locally swappable performance modules, the RX1500 has been designed
for rough environments.
Figure 2-8
Figure 2-9
The RUGGEDCOM platform lets you bundle all the different systems under one hardware
platform.
3 Engineering
3.1 SIBERprotect® actions
Figure 3-1 shows the ways of detecting, evaluating and responding to a
cyberthreat in the SIMATIC S7-1500 controller. The following sections present the
individual components in more detail.
Figure 3-1 (stages): Process; Syslog; Cyberthreat analysis; Message; Threat Notification; Response to cyberthreat.
Figure 3-3 (Industrial Ethernet)
The next generation firewall (NGFW) or the intrusion detection system (IDS) sends
a Syslog message to the S7-1500 SIBERprotect, which receives the message
and analyzes it.
The following function block is used for receiving a Syslog message. The block
utilizes Open User Communication, which transmits data between two
stations connected to the Ethernet subnet. Networking can be carried out either
with the integrated CPU interface or with a communication processor (CP). The
block uses the TCON and TDISCON communication instructions to establish
and clear down the connection, and TURCV to receive the data.
Block interface of "Syslog Receive UDP" (figure): outputs ndr (Bool), busy (Bool), error (Bool), status (Word), diagnostics ("typeDiagnostics"), rcvdLen (UDInt); InOut rcvdData (Array[*] of Byte).
Table 3-1
Name | Declaration | Data type | Comment
enable | Input | Bool | Enable signal for connection setup and data exchange
Troubleshooting
Specific status and error codes are listed below.
Table 3-2
Code | Meaning
16#0000 | Job completed successfully.
16#7000 | No job active.
16#7001 | First call of the instruction.
16#7002 | Follow-up call of the instruction.
16#8408 | Time-out: The job could not be completed within the specified time. Possible reason for a time-out: the partner is not available.
16#8600 | The FB is in an invalid state.
16#8601 | Error in subordinate command "TCON". The error code of the command is output to "diagnostics.subfunctionStatus". For the meaning of the respective error code, refer to the TIA Portal information system or the STEP 7 online help.
16#8603 | Error in subordinate command "TURCV". The error code of the command is output to "diagnostics.subfunctionStatus". For the meaning of the respective error code, refer to the TIA Portal information system or the STEP 7 online help.
1. Download the library from the article page of the application example
109810533.
2. Insert the function block "Syslog Receive UDP" into your user program from
your library.
Figure 3-5
Figure 3-6
4. Create a global data block. Give the data block the name "Internal Variables".
Acknowledge the dialog with "OK".
Figure 3-7
5. Open the data block. Define the following control tags in the data block.
Double-click "<Add new>" in an empty row to do this.
Figure 3-8
The tags below, each with their own data types, serve to interconnect the function block
"Syslog Receive UDP". For a description of the functionality, please refer to Table 3-1
on the function block.
Table 3-3
Name | Data type | Input/output at the block
syslog_receive_execute | Bool | Input enable
syslog_receive_connParam | TCON_IP_V4_SEC | Input connParam
syslog_receive_message | Array[0..2047] of Byte | InOut rcvdData
syslog_receive_valid | Bool | Output valid
syslog_receive_done | Bool | Output done
syslog_receive_busy | Bool | Output busy
syslog_receive_error | Bool | Output error
syslog_receive_ndr | Bool | Output ndr
syslog_receive_status | Word | Output status
syslog_receive_diagnostics | typeDiagnostics | Output diagnostics
syslog_receive_rcvdLen | UDInt | Output rcvdLen
6. Assign the following parameters for the connection partners. They are needed
for the internal blocks TCON, TDISCON and TURCV.
Table 3-4
Name | Data type | Start value | Description
InterfaceId | HW_ANY | 64 | You can find the hardware identifier in TIA Portal on the next page.
ID | CONN_OUC | 100 | Connection reference.
ConnectionType | Byte | 19 | Connection type: 11: TCP; 17: TCP; 19: UDP
ActiveEstablished | Bool | false | Identifier for the manner in which the connection is established: FALSE: passive connection establishment; TRUE: active connection establishment
RemoteAddress | IP_V4 (Array[1..4] of Byte) | 16#C0, 16#A8, 16#0, 16#2 | IP address of the partner endpoint (e.g. 192.168.0.2)
RemotePort | UInt | 0 | Port number of the remote connection partner
LocalPort | UInt | 514 | Port number of the local connection partner
Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".
Figure 3-9
Figure 3-12 (analysis methods): numerically, using the severity level of the message; text-based, using the message itself.
The example below is intended to illustrate the possible analysis methods, taking
the case of a Syslog message. The intrusion detection system (IDS) has sent the
following Syslog message to the S7-1500 SIBERprotect® for analysis:
Figure 3-13
Figure 3-14 (message fields): Priority; Time; Message Source.
Table 3-5
Information | Evaluation
Priority | The priority value is calculated as follows: Priority value = Facility * 8 + Severity
The processing logic of SIBERprotect® uses the Syslog severity model in reacting
to threats. The lowest 3 bits of the Priority value form the Severity field and contain a
numerical value between 0 and 7, where 0 is the most critical or urgent level.
Table 3-6
Value | Severity | Description
0 | "Emergency" | The system is unusable.
1 | "Alert" | Immediate measures must be taken.
2 | "Critical" | Critical conditions
3 | "Error" | Error states
4 | "Warning" | Warning states
5 | "Notice" | Normal but noteworthy state
6 | "Informational" | Informational messages
7 | "Debug" | Debug-level messages
The following function block analyzes the message, extracts the individual data
points and provides them at the outputs of the block.
1. Add the function block "Process Message Nazomi Networks" to your user
program from your library.
Figure 3-15
2. In the global data block "Internal Variables", add the following tags from the
graphic. Double-click "<Add new>" in an empty row to do this.
Figure 3-16
The tags below, each with their own data types, serve to interconnect the function block
"Process Message Nazomi Networks". For a description of the functionality, please refer
to Table 3-8, which describes the function block.
Table 3-7
Name | Data type | Input/output at the block
syslog_receive_execute | Bool | Input enable
syslog_receive_ndr | Bool | Input ndr
syslog_receive_rcvdLen | UDInt | Input rcvdLen
syslog_receive_message | Array[0..2047] of Byte | InOut rcvdData
syslog_process_done | Bool | Output done
syslog_process_busy | Bool | Output busy
syslog_process_error | Bool | Output error
syslog_process_threat data | Struct | Output threat data
3. Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".
Figure 3-17
Table 3-8
Name | Declaration | Data type | Comment
enable | IN | Bool | Enable signal for analysis of the Syslog message.
ndr | IN | Bool | A rising edge indicates that new data have been received. They are processed in this block.
rcvdLen | IN | Int | Length in bytes of the received data.
done | OUT | Bool | TRUE: Job successfully executed. The received data are available at the threat data parameter.
busy | OUT | Bool | TRUE: Job is being executed.
error | OUT | Bool | TRUE: An error has occurred.
threat data | OUT | Struct | Structure for classifying a Syslog message that requires a response.
threat_time | OUT | DTL | Point in time when the Syslog message was received in the controller.
source | OUT | String | Origin of the Syslog message
priority | OUT | INT | Classification of priority value
facility | OUT | INT | Classification of the Syslog message by way of origin
severity | OUT | INT | Classification of the Syslog message by way of severity
Threat level
A limit at the block determines the threshold past which a Syslog message is
treated as a critical threat rather than as a warning. The block compares the
limit with the Severity value of the message: all Severity values less than or
equal to the limit are classified as critical threats, all higher values as
warnings (a lower Severity number denotes a more serious event, see the Severity
table above). By default, SIBERprotect® activates protection for Severity levels
0 to 2 and triggers only warnings for Severity levels above 2. This behavior can
be changed by modifying the setpoint value input (thresholdseverity) on the block.
Automatic/manual response
In some cases, the SIBERprotect® user may not desire an automatic response to
a critical threat or warning. For such cases, SIBERprotect® allows for manual
activation of the desired threat response.
SIBERprotect® actions
SIBERprotect® is capable of responding to critical threats and warnings. In the
example block, digital outputs are activated to change firewall rules, turn on an
indicator light, issue an audible alarm or send an email notification.
2. Create 4 digital outputs for yellow and red indicator lights, the acoustic alarm
and the firewall.
Figure 3-21
3. Add the "Threat Notification" function block to your user program from your
library.
Figure 3-22
4. In the global data block "Internal Variables", add the following tags from the
graphic. Double-click "<Add new>" in an empty row to do this.
Figure 3-23
The tags below, each with their own data types, serve to interconnect the function block
"Threat Notification". For a description of the functionality, please refer to Table 3-10 on
the function block.
Table 3-9
5. Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".
Figure 3-24
Figure 3-24 (interconnection): the "critical threat" tags (Bool) are connected to
the "red light", "horn" and "Firewall" outputs (Bool).
Table 3-10
Name                           | P type | Data type | Comment
enable                         | IN     | Bool      | Enable signal for processing of the Syslog message.
ndr                            | IN     | Bool      | A rising edge indicates that new data have been received. They are processed in this block.
threat message                 | IN     | Struct    | Structure containing the filtered data such as time stamp, Severity, Facility, etc. These data come from the Process Message block.
thresholdseverity              | IN     | Byte      | Sets the threshold past which a message is considered critical or a warning. Severity values less than or equal to the threshold are critical; all others are warnings.
mode                           | IN     | Bool      | Sets whether a message is processed manually or automatically.
critical_threat_acknowledgment | IN     | Bool      | Acknowledges a critical threat.
warning_threat_acknowledgment  | IN     | Bool      | Acknowledges a warning.
done                           | OUT    | Bool      | TRUE: Job successfully executed. The received data are available at the parameter warning_threat_message or critical_threat_message.
busy                           | OUT    | Bool      | TRUE: Job is being executed.
error                          | OUT    | Bool      | TRUE: An error has occurred.
warning_threat_message         | OUT    | Struct    | Structure containing the data from a warning such as time stamp, Severity, Facility, etc.
critical_threat_message        | OUT    | Struct    | Structure containing the data from a critical threat such as time stamp, Severity, Facility, etc.
warning threat yellow light    | IN_OUT | Bool      | TRUE: Activates the indicator light in the event of a warning.
critical threat red light      | IN_OUT | Bool      | TRUE: Activates the indicator light in the event of a critical threat.
critical threat horn           | IN_OUT | Bool      | TRUE: Activates the acoustic alarm in the event of a critical threat.
critical threat firewall       | IN_OUT | Bool      | TRUE: Activates dynamic firewall rules in the event of a critical threat.
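The threshold comparison described under "Threat level", the automatic/manual modes and the acknowledgment inputs of Table 3-10 can be modelled outside the PLC. The following Python model is an added example and not the SCL code of the SIBERprotect® library: it classifies a message against thresholdseverity (Severity less than or equal to the threshold is critical), latches the four outputs until the matching acknowledgment, and in manual mode waits for the operator's button before driving them. The mapping of the Bool mode to automatic/manual, the class and field names, the error handling for out-of-range Severity values and the sample message values are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Default from the text: Severity 0..2 is a critical threat, 3..7 is a warning.
DEFAULT_THRESHOLD_SEVERITY = 2


@dataclass
class ThreatMessage:
    """Stand-in for the 'threat data' struct delivered by the Process Message block."""
    threat_time: str   # receive time in the controller (DTL in the PLC, ISO string here)
    source: str
    priority: int
    facility: int
    severity: int


@dataclass
class Outputs:
    """The four digital outputs wired to the IN_OUT parameters of the block."""
    yellow_light: bool = False
    red_light: bool = False
    horn: bool = False
    firewall: bool = False


class ThreatNotification:
    """Software model of the Threat Notification block (assumed semantics).

    automatic=True : outputs are driven as soon as a message is classified.
    automatic=False: the classification is latched; the operator calls
                     manual_response(True) (HMI button) and manual_response(False)
                     to undo it. Which Bool value of 'mode' means automatic is an
                     assumption of this example.
    """

    def __init__(self, threshold_severity: int = DEFAULT_THRESHOLD_SEVERITY,
                 automatic: bool = True) -> None:
        if not 0 <= threshold_severity <= 7:
            raise ValueError("thresholdseverity must be a Syslog severity 0..7")
        self.threshold_severity = threshold_severity
        self.automatic = automatic
        self.outputs = Outputs()
        self.critical_threat_message: Optional[ThreatMessage] = None
        self.warning_threat_message: Optional[ThreatMessage] = None
        self.critical_pending = False   # latched until critical_threat_acknowledgment
        self.warning_pending = False    # latched until warning_threat_acknowledgment
        self.error = False
        self._ndr_last = False

    def classify(self, severity: int) -> str:
        """Severity <= threshold is a critical threat, everything above is a warning."""
        return "critical" if severity <= self.threshold_severity else "warning"

    def process(self, ndr: bool, msg: ThreatMessage) -> Optional[str]:
        """Call once per PLC cycle; acts only on the rising edge of ndr."""
        rising = ndr and not self._ndr_last
        self._ndr_last = ndr
        if not rising:
            return None
        if not 0 <= msg.severity <= 7:
            self.error = True          # malformed input is reported, not silently dropped
            return None
        self.error = False
        level = self.classify(msg.severity)
        if level == "critical":
            self.critical_threat_message = msg
            self.critical_pending = True
        else:
            self.warning_threat_message = msg
            self.warning_pending = True
        if self.automatic:
            self._drive_outputs(True)
        return level

    def manual_response(self, activate: bool) -> None:
        """HMI button in manual mode: activate or undo the response for pending threats."""
        self._drive_outputs(activate)

    def _drive_outputs(self, on: bool) -> None:
        if self.critical_pending:
            self.outputs.red_light = on
            self.outputs.horn = on
            self.outputs.firewall = on   # drives the DI of the SCALANCE S (dynamic rule set)
        if self.warning_pending:
            self.outputs.yellow_light = on

    def silence_horn(self) -> None:
        """The sound can be switched off on the HMI without acknowledging the threat."""
        self.outputs.horn = False

    def acknowledge_critical(self) -> None:
        self.critical_pending = False
        self.outputs.red_light = self.outputs.horn = self.outputs.firewall = False

    def acknowledge_warning(self) -> None:
        self.warning_pending = False
        self.outputs.yellow_light = False


if __name__ == "__main__":
    block = ThreatNotification()                       # automatic mode, threshold 2
    alarm = ThreatMessage("2023-01-10T08:15:00", "nozomi-ids", 9, 1, 1)  # constructed sample
    print(block.process(True, alarm), block.outputs)   # critical, firewall/red/horn on
```

Note that the firewall output stays set until the critical threat is acknowledged, so the quarantine of the cell is not lifted by a later, less severe message; a lower threshold only makes the block escalate fewer messages, it never suppresses an already active response.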
The example below demonstrates how SIBERprotect® can interrupt data traffic
between multiple cells in order to isolate the cells from one another. An OPC UA
connection that carries outbound communication from the cell to an MES or SCADA
system serves as the example. The aim is to show how the SCALANCE S is configured
so that the connection is set up or cleared down as required in the event of
danger. The SCALANCE S makes the decision on connection setup or cleardown via
its digital input.
Table 3-11
Service | Source      | Destination | Destination port
OPC UA  | 192.168.1.2 | 192.168.0.2 | TCP, 4840
Figure (normal state): Cell 1 (RX1510) and Cell 2 (S7-1500) communicate over
Industrial Ethernet/PROFINET and the OPC UA connection is established. The
digital outputs Q0.1 and Q0.2 of the PLC are 0, the digital input DI of each
SCALANCE S is 0, and the rule set "DROP OPC UA" is disabled on both SCALANCE S
devices.
In our scenario, the data traffic is blocked in one of the following cases:
• Malware or virus detected
• Ransomware detected
The SCALANCE S devices support this safeguard with a digital input that
reconfigures their firewall. This blocks communication to a device, network or
group of devices, which are thereby placed under quarantine. The following
example shows a SCALANCE S firewall controlled by a digital input. A user-defined
configuration named "SIBERprotect®" is set up and activated when the digital
input of the SCALANCE S is switched on. While the digital input is on, the
communication between the internal and external ports of the SCALANCE S is halted.
Figure (threat state): the IDS sends a Syslog alarm to the S7-1500, which sets
the digital outputs Q0.1 and Q0.2 to 1. DI = 1 at each SCALANCE S, the rule set
"DROP OPC UA" is activated on both devices, and the OPC UA connection between the
cells is cut.
3.5.1 IP address
Result:
The IP address and subnet mask have been assigned.
Figure 3-29
Note The diagnostic tool "ping" lets you check whether a connection is active and
communication is possible.
1. Open the Web Based Management. To do this, enter https://(IP address of the
SCALANCE S) in a browser.
2. For the initial logon, enter the user name "admin" and the password "admin".
3. Enter the current user password, "admin", and assign a new password. The
factory default must not remain in use once the device is reachable from the
network.
Figure 3-30
4. Configure the internal and external interface as follows. Go to the menu "Layer
3 > Subnets".
Figure 3-31
Figure 3-32
5. Switch to the menu "Security > Firewall > General". "Activate Firewall". To
confirm your settings in the Web Based Management, click on the "Set Values"
button.
Figure 3-34
6. Switch to the menu "Security > Firewall > IP Services". The IP service
definitions allow you to define firewall rules that can be applied to specific
services. In this case, you will assign a name and ascribe the service
parameters to it. The IP service for OPC UA is being set up in this example.
Enter a name for the IP service in the field. To create a table row in the Web
Based Management, click the "Create" button. To apply your settings, click on
the "Set Values" button.
Figure 3-35
7. Navigate to the menu "Security > Firewall > IP Rules". So that the S7-1200
can communicate from the inside out, you need to define IP rules; they restrict
the permitted communication to a single service, OPC UA. Click "Create" to
generate a new table row and create the rule shown in the Table. To apply your
settings, click on the "Set Values" button.
Table 3-12
Column              | Entered value
Action              | Accept
From                | Vlan2 (external)
To                  | Vlan1 (internal)
Source (Range)      | 192.168.1.2
Destination (Range) | 192.168.0.2
Service             | OPC UA
Figure 3-36
8. Navigate to the menu "Firewall > Dynamic Rules". A rule set lets you bundle
firewall rules together, for example the rules that are to take effect when a
digital input is set. Assign the rule set a name; in our case, the rule set is
called "SIBERprotect". Assign the SIBERprotect rule set to the digital input.
Enter an IP address or an IP address range that will be blocked as a consequence
of the digital input signal.
Figure 3-37
9. Create a new rule to block data traffic. Link the IP rule with the SIBERprotect
rule set. To do this, click the "Assign to" button.
Figure 3-38
Figure 3-39
The Figure below shows an architecture that includes a data diode. The data diode
is responsible for electronic notification in case of a threat.
Figure 3-40
More information on sending emails with a SIMATIC S7-1500 can be found at the
following article ID: 46817803.
Data diode
Data diodes take a different approach from firewalls to isolating two networks. A
data diode ("Data Capture Unit", or DCU) allows communication to flow in one
direction only. This makes it possible to permit communication from the
production plant to the internet in the outbound direction while the data diode
prevents any communication in the inbound direction. This network component
guarantees reliable physical (galvanic) isolation, so the critical and public
networks cannot interact: there is no direct electrical connection between the two
networks, and data transfer takes place inductively.
A plant with a data diode is able to send information to security personnel on the
outside without putting the plant at risk.
Figure 3-41
Figure 3-42
The Table below shows the meaning of the signals from the signal light.
Table 3-13
Light  | Off                              | On                                                                                    | Description
Green  | SIBERprotect is not in operation | SIBERprotect is in operation                                                          | The green light means that the SIBERprotect® code for threat defense is running in the S7-1500 PLC.
Yellow | No minor threats detected        | Minor threat detected                                                                 | The yellow light illuminates when a minor threat (warning) has been detected. The threat must be acknowledged before the light goes out.
Red    | No severe threats detected       | A severe threat has been detected and physical security measures have been initiated. | The red light illuminates when a severe (critical) threat has been detected. The threat must be acknowledged before the light goes out.
3.5.5 Alarm
Figure 3-43
Table 3-14
Off                        | On                     | Description
No severe threats detected | Severe threat detected | The acoustic alarm sounds at the same time as the red indicator lamp is turned on. The sound can be switched off on the HMI.
4 Using the application
Figure 4-1
You can also simulate cyberthreats. To do this, use the "LSyslog_Send" blocks
from the Library for Communication (Article ID: 109780503). In the simulation,
make sure that the message matches the vendor's format (see Figure 3-13).
Figure 4-2
3. In manual mode, you must click the corresponding button for the response to
the cyberthreat. You can undo the action with another click.
Figure 4-3
6. The only consequence of a warning is that the yellow warning light illuminates.
You can acknowledge with the "Acknowledge" button.
Figure 4-6
5 Useful information
5.1 Syslog
5.1.1 Description
If packets are formatted incorrectly, they are still accepted. However, the
complete content is then interpreted as message text, and default values are used
for the parameters that could not be recognized (such as the time of generation).
The Syslog protocol has a simple structure and can be divided into three main
blocks: the header, the structured data (which may be empty, written as "-") and
the actual message.
Figure 5-1
Structuring
The Syslog protocol prescribes a specified order and structure of the parameters
for the header. If these rules are disregarded, the information from the Syslog
server cannot be interpreted as such.
In detail, the structure is as follows:
PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
Note All elements and parameters must be entered in ASCII format (7 bits) in the
header.
Note Additional information on the meaning of the parameters can be found in RFC
5424.
https://tools.ietf.org/html/rfc5424
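The header layout above, the filtering performed by the "Process Message" block (Table 3-8, which delivers source, priority, facility and severity) and the simulated alarm of chapter 4 can be exercised offline. The following Python parser and message builder are an added example, not the SCL code of the SIBERprotect® library and not the IDS vendor's message format: they split an RFC 5424 datagram into its header fields, derive facility = PRI div 8 and severity = PRI mod 8, enforce the 7-bit ASCII rule for the header, and, as described in 5.1.1, fall back to treating the whole content as message text with default values when the datagram is malformed. The default PRI 13 (user.notice, the value RFC 3164 prescribes for messages without a PRI), the 1024-byte limit taken from chapter 5, and the sample messages are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_DATAGRAM_BYTES = 1024   # size limit for the Syslog telegram stated in chapter 5
DEFAULT_PRI = 13            # user.notice; RFC 3164 default for messages without PRI
                            # (assumption: the PLC library's own default may differ)


@dataclass
class SyslogRecord:
    priority: int
    facility: int
    severity: int
    version: Optional[int]
    timestamp: str          # TIMESTAMP from the header, "-" if not recognized
    hostname: str           # becomes 'source' in the threat data struct
    app_name: str
    procid: str
    msgid: str
    structured_data: str
    msg: str
    received_at: str        # time of receipt in the controller ('threat_time')
    well_formed: bool       # False: whole datagram was taken as message text


_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def _split_sd(rest: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'STRUCTURED-DATA [SP MSG]'; (None, None) if the SD part is malformed."""
    if rest == "-":
        return "-", ""
    if rest.startswith("- "):
        return "-", rest[2:]
    i = 0
    while i < len(rest) and rest[i] == "[":          # one or more SD-ELEMENTs
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1          # skip escaped ", \ and ]
        if j >= len(rest):
            return None, None                         # unterminated element
        i = j + 1
    if i == 0:
        return None, None                             # neither "-" nor "["
    tail = rest[i:]
    if tail == "":
        return rest, ""
    if tail.startswith(" "):
        return rest[:i], tail[1:]
    return None, None


def parse_syslog(datagram: bytes, received_at: str = "-") -> SyslogRecord:
    """Parse one UDP datagram. Malformed input is accepted, with the whole
    content as message text and default values for the header fields."""
    text = datagram.decode("utf-8", errors="replace")
    m = _HEADER_RE.match(text)
    if m:
        pri = int(m["pri"])
        header = text[:m.start("rest")]
        if pri <= 191 and header.isascii():          # header must be 7-bit ASCII
            sd, msg = _split_sd(m["rest"])
            if sd is not None:
                return SyslogRecord(pri, pri // 8, pri % 8, int(m["ver"]), m["ts"],
                                    m["host"], m["app"], m["procid"], m["msgid"],
                                    sd, msg, received_at, True)
    # Fallback: keep a leading <PRI> if present (e.g. BSD-style messages), else default.
    pri, body = DEFAULT_PRI, text
    pm = re.match(r"^<(\d{1,3})>", text)
    if pm and int(pm[1]) <= 191:
        pri, body = int(pm[1]), text[pm.end():]
    return SyslogRecord(pri, pri // 8, pri % 8, None, "-", "-", "-", "-", "-", "-",
                        body, received_at, False)


def build_message(facility: int, severity: int, hostname: str, app_name: str,
                  msg: str, timestamp: str, procid: str = "-", msgid: str = "-",
                  structured_data: str = "-") -> bytes:
    """Assemble an RFC 5424 datagram, e.g. to simulate an IDS alarm for the PLC."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    header = f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} {msgid}"
    if not header.isascii():
        raise ValueError("Syslog header fields must be 7-bit ASCII")
    line = f"{header} {structured_data}" + (f" {msg}" if msg else "")
    data = line.encode("utf-8")
    if len(data) > MAX_DATAGRAM_BYTES:
        raise ValueError("datagram exceeds the 1024-byte limit of the receiver")
    return data
```

A datagram produced by build_message can be handed to a UDP socket aimed at the PLC's Syslog port to stand in for the LSyslog_Send simulation; on the receiving side, a record with well_formed set to False is the case the text describes, where only the message text and defaults are available and the severity therefore cannot be trusted for the threshold comparison.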
9 "clock daemon"
10 "security / authorization messages"
11 "FTP daemon"
12 "NTP subsystem"
13 "log audit"
14 "log alert"
15 "clock daemon"
16-23 local use 0 - 7
For the severity field, there are 3 bits that define the severity of the Syslog
message, depending on the numerical value.
An excerpt from RFC 5424 shows the possible value ranges:
headers (IP (20 bytes), UDP (8 bytes) and the Syslog message), the Syslog
message text must not exceed 1024 bytes in size.
Figure 5-2: Telegram structure
Preamble | Destination MAC | Source MAC | VLAN tag | Ethertype | Data field | CRC
7 Byte   | 6 Byte          | 6 Byte     | 4 Byte   | 2 Byte    | 1500 Byte  | 4 Byte
https://resources.dc.siemens.com/c/cybersecurity?x=LQ_yBh&lx=hCQl8A
6 Glossary
This chapter contains a list of the most important terms used in this document,
along with their definitions.
Information technology
Administrative division of a company that typically covers equipment such as office
PCs, servers and network devices.
IT
Short for Information Technology
Operational technology
Operational or production division of a company typically containing industrial
plants that are controlled with process automation and factory automation systems.
OT
Short for Operational Technology
SIBERprotect®
Siemens solution for guarding against cyberthreats
7 Appendix
7.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire
service and support know-how and portfolio.
The Industry Online Support is the central address for information about our
products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos
– all information is accessible with just a few mouse clicks:
support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you with fast and competent
support for all technical queries, with numerous tailor-made offers ranging from
basic support to individual support contracts.
Please send queries to Technical Support via Web form:
support.industry.siemens.com/cs/my/src
Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog
web page:
support.industry.siemens.com/cs/sc
The Siemens Industry Mall is the platform on which the entire Siemens Industry
product portfolio is accessible. From the selection of products to the order and
the delivery tracking, the Industry Mall enables the complete purchasing process,
directly and independently of time and location:
mall.industry.siemens.com