概述
Digitalization and the increasingly networked nature of machines and industrial plants increase the risk of cyber attacks and their potential fallout. Therefore, industrial plants and infrastructure must be fully protected against cyber attacks from inside and from outside, from the enterprise level to the field level.
Defense in Depth
A suitable security concept must contain three layers: plant security, network security and system integrity.
With "Defense in Depth", Siemens provides such a multi-layered security concept that offers industrial plants comprehensive and far-reaching protection in accordance with the recommendations of the international IEC 62443 standard. It is aimed at plant owners, integrators and component manufacturers and covers all security-relevant aspects of cybersecurity for industry.
Network security through cell protection
One of the things that the Defense in Depth concept provides is that production plants are segmented into secured cells. The cells contain automation and drive products such as SINAMICS frequency converters. Communication to the individual cells is protected by so-called cell protection, e.g. SCALANCE S products, and restricted to permitted connections by firewall rules.
Patch management
Siemens offers a targeted hotfix/patch management system and communicates security vulnerabilities and patches via Siemens ProductCERT. Customers can be automatically informed when new advisories are available for the products they use. Standardized interfaces are also available for automatically interfacing with customer-specific tools.
The SINAMICS S200, S210 (New) and G220 converters have Security Integrated functions as standard.
Secure default settings
The SINAMICS S200, S210 (New) and G220 converters are delivered from the factory with security functions activated, yet in such a way that allows for a user-friendly first commissioning. When configuring the converter in TIA Portal or via the SINAMICS web server, the user is automatically guided through a security wizard to adjust the most important security settings. Among other things, this determines whether the converter should be protected by user administration and access control.
Security Integrated functions
The SINAMICS S200, S210 (New) and G220 converters support the following Security Integrated functions:
User management and access control
This function makes it possible to create various users and protect their access to the converter with passwords. Each user is assigned one or more roles. Various rights can be assigned to each role. There are various rights, both for offline configuration as well as for online access to the device. In this way, it is possible to set which users have full access to the device's settings and which users only receive limited rights. For example, you could create users who only have read access for diagnostic purposes or users who have write access to the device settings but no rights to change the safety configuration.
TIA Portal provides cross-device user administration.
Users and rights can be configured in the TIA Portal at a central location in the project across devices for SINAMICS converters, SIMATIC HMI Panels, SIMATIC PLCs, and for the TIA Portal project engineering. This means that settings for users and rights can be made and changed consistently and rapidly for multiple devices.
Protected communication with engineering systems
(SINAMICS Startdrive and SINAMICS web server)
The SINAMICS S200, S210 (New) and G220 converters enable TLS-based communication between the converter and the TIA Portal commissioning tool (secure S7 protocol) and to web clients (https protocol).
Firmware integrity and authenticity
The Siemens-provided firmware of the SINAMICS S200, S210 (New) and G220 converters is equipped with integrity protection and is signed by Siemens. Through this, the converter can detect whether the firmware code was manipulated by a third party and whether the code is from a reliable source.
Firmware updates can be carried out via memory card, TIA Portal and web clients and SINAMICS Startdrive.
Backup and restore
The configuration for SINAMICS S200, S210 (New) and G220 can be backed up and restored remotely via the SINAMICS web server, Startdrive or locally via the SD card. Creating a backup after changes is an important step of a comprehensive security concept. This means that the converter can be quickly restored to a known state in the event of a cyber attack.
Restoring the backup file can also be used to provide the new converter with the desired configuration when replacing a part.
Session handling
The SINAMICS S200, S210 (New) and G220 converters feature session handling. A session starts as soon as a user logs in to the device and ends when the user logs out manually or after a preset period of inactivity. Session handling ensures that each user only receives the access rights that are assigned to him, even if multiple users with different rights are connected to the device at the same time.
Physical access protection
Access to the SINAMICS SDI (Smart Drive Interface) and SD card slot of the SINAMICS G220 IP55 drive can optionally be locked with a padlock. This prevents configurations from being changed directly on the device by unauthorized persons
Encryption of sensitive data
The Drive Data Encryption feature stores encrypted data for user management and access control in backups and on the memory card of the converter. Independent of this feature, passwords are hashed before they are stored.
Security documentation
The Configuration manual SINAMICS Industrial Cybersecurity provides comprehensive security documentation:
https://support.industry.siemens.com/cs/ww/en/view/109823969