Hackers Targeting Critical Infrastructure

Until recently, hostile attacks by viruses and Trojans on automation systems was not an issue for infrastructure such as water works, power grids or transportation systems, because the data networks in these infrastructure installations were isolated...


This applies to both the lower communication layers 2 to 4, with their Ethernet and IP protocols, as well as to the higher level application protocols (layers 5 to 7). For many years, Siemens has also been regularly testing the network ruggedness of its components with stress scenarios and protocol attacks, which are continually updated to match the latest threats. Thanks to the experience gained in the process, the network stability of these devices has been comprehensively strengthened.

Security features such as network ruggedness are available automatically, but protective mechanisms such as access control and firewalls must be individually configured. This entails a certain initial expense, but it prevents subsequent malfunctions and time-consuming trouble-shooting in the event of a security incident.

Siemens’ automation components have been equipped with access protection mechanisms to prevent unauthorized persons making changes to the PLC program or its configuration via engineering software. New functions and error corrections can be updated quickly by firmware updates, and digital signatures detect manipulations of firmware and sabotage.

One or more firewalls which restrict access to the organization or infrastructure’s network to one fixed, defined protocol are a good compromise between security and openness. Access from the Internet or the company intranet is only enabled on dedicated computer systems.

The networks are segregated by a terminal server which has a virus scanner installed. The virus scanner is updated automatically every day, and recognizes all known new viruses and worms. When data is transferred to the system, the local virus scanner checks all the data before it passes into the network.

Only a user with a valid certificate and who is trusted by the company is given access to the industrial network. Even when a user has been clearly identified, access to the systems is individualized to prevent access to other parts of the system or the company intranet.

 

Dirk Gebert is a Security Systems Manager for Simatic Products at Siemens.