概述
Digitalization and the increasingly networked nature of machinesand industrial plants increase the risk of cyber attacks and theirpotential fallout. Therefore, industrial plants and infrastructuremust be fully protected against cyber attacks from inside and fromoutside, from the enterprise level to the field level.
Defense in DepthA suitable security concept must contain three layers: plantsecurity, network security and system integrity.
With "Defense in Depth", Siemens provides such a multi-layeredsecurity concept that offers industrial plants comprehensive andfar-reaching protection in accordance with the recommendations ofthe international IEC 62443 standard. It is aimed at plantowners, integrators and component manufacturers and covers allsecurity-relevant aspects of cybersecurity for industry.
Network security through cell protectionOne of the things that the Defense in Depth concept provides isthat production plants are segmented into secured cells. The cellscontain automation and drive products such as SINAMICS frequencyconverters. Communication to the individual cells is protected byso-called cell protection, e.g. SCALANCE S products, and restrictedto permitted connections by firewall rules.
Patch managementSiemens offers a targeted hotfix/patch management system andcommunicates security vulnerabilities and patches via SiemensProductCERT. Customers can be automatically informed when newadvisories are available for the products they use. Standardizedinterfaces are also available for automatically interfacing withcustomer-specific tools.
The SINAMICS S200, S210 (New) and G220 converters have SecurityIntegrated functions as standard.
Secure default settingsThe SINAMICS S200, S210 (New) and G220 converters are deliveredfrom the factory with security functions activated, yet in such away that allows for a user-friendly first commissioning. Whenconfiguring the converter in TIA Portal or via the SINAMICS webserver, the user is automatically guided through a security wizardto adjust the most important security settings. Among other things,this determines whether the converter should be protected by useradministration and access control.
Security Integrated functionsThe SINAMICS S200, S210 (New) and G220 converters support thefollowing Security Integrated functions:
User management and accesscontrol
This function makes it possible to create various users and protecttheir access to the converter with passwords. Each user is assignedone or more roles. Various rights can be assigned to each role.There are various rights, both for offline configuration as well asfor online access to the device. In this way, it is possible to setwhich users have full access to the device's settings and whichusers only receive limited rights. For example, you could createusers who only have read access for diagnostic purposes or userswho have write access to the device settings but no rights tochange the safety configuration.
TIA Portal provides cross-device user administration.
Users and rights can be configured in the TIA Portal at a centrallocation in the project across devices for SINAMICS converters,SIMATIC HMI Panels, SIMATIC PLCs, and for the TIA Portal projectengineering. This means that settings for users and rights can bemade and changed consistently and rapidly for multiple devices.
Protected communication withengineering systems
(SINAMICS Startdrive and SINAMICS web server)
The SINAMICS S200, S210 (New) and G220 converters enable TLS-basedcommunication between the converter and the TIA Portalcommissioning tool (secure S7 protocol) and to web clients (httpsprotocol).
Firmware integrity andauthenticity
The Siemens-provided firmware of the SINAMICS S200, S210 (New) andG220 converters is equipped with integrity protection and is signedby Siemens. Through this, the converter can detect whether thefirmware code was manipulated by a third party and whether the codeis from a reliable source.
Firmware updates can be carried out via memory card, TIA Portal andweb clients and SINAMICS Startdrive.
Backup andrestore
The configuration for SINAMICS S200, S210 (New) and G220 can bebacked up and restored remotely via the SINAMICS web server,Startdrive or locally via the SD card. Creating a backup afterchanges is an important step of a comprehensive security concept.This means that the converter can be quickly restored to a knownstate in the event of a cyber attack.
Restoring the backup file can also be used to provide the newconverter with the desired configuration when replacing a part.
Session handling
The SINAMICS S200, S210 (New) and G220 converters feature sessionhandling. A session starts as soon as a user logs in to the deviceand ends when the user logs out manually or after a preset periodof inactivity. Session handling ensures that each user onlyreceives the access rights that are assigned to him, even ifmultiple users with different rights are connected to the device atthe same time.
Physical accessprotection
Access to the SINAMICS SDI (Smart Drive Interface) and SD card slotof the SINAMICS G220 IP55 drive can optionally be locked with apadlock. This prevents configurations from being changed directlyon the device by unauthorized persons
Encryption of sensitivedata
The Drive Data Encryption feature stores encrypted data for usermanagement and access control in backups and on the memory card ofthe converter. Independent of this feature, passwords are hashedbefore they are stored.
Securitydocumentation
The Configuration manual SINAMICS Industrial Cybersecurity providescomprehensive security documentation:
https://support.industry.siemens.com/cs/ww/en/view/109823969