© Siemens AG 2014 All rights reserved. Answers for infrastructures and cities. Patch Management in Smart Grids – the challenge in patching large SCADA/EMS/DMS systems Sebastian Ranft, Product Manager IT-Security, Siemens AG



22-Sep-14 Page 2 IC SG SE

Siemens IT Security Solutions

Spectrum Power

Patch management

DMZ concept

Control center functions

System hardening

Intrusion detection

•  Removal of unused software packages

•  Security tools

•  Newsletter
•  3rd party patches
•  Staging system
•  IT-Security variances

•  DMZ
•  Security zones
•  Port matrix

•  Malware protection

•  Secure ICCP
•  IEC104 tunneled by VPN

•  Pattern actualization


Security Patch Management Protects your Assets by the Trustful Interaction of People, Process and Solutions

•  Identify: Scan market for new vulnerabilities; track industry for available patches
•  Classify: Evaluate relevance of vulnerabilities and patches
•  Implement: Spectrum Power patch implementation and test
•  Deploy: Advise on or deploy patches at customer premises

Criticality / Work around

Communication, e.g. Patch status

Siemens Patch Management service secures SCADA systems against known vulnerabilities.

Patch management protects your network

Network Protection is more than a Compliance topic


Patch Management Process

… as part of a Service Contract with Siemens.

Delivery of uncritical security update by Siemens quarterly. Critical update within one week.

Installation by Siemens in parallel to operation by use of redundant servers.

Testing (and adaptation) of security update on customer's reference system at Siemens.

Customer receives uncritical (monthly) and critical (daily) information

Download of security update by customer.

Self-installation by customer.

Security update acceptance by customer.


Asset management

... ensures traceability of the integrity of patch management

Gathering patches

CERT subscriptions

OSS Clearing

Patch bundling

Patch repository

Initial

3rd party product list

Asset scanning

IT Security contract

cyclic


Informing the Customer: The Newsletter

Contact information and version information

Security bulletins affecting Siemens products

Security bulletins not affecting Siemens products

Additional issued security bulletins


Applied Patch Management Process

One example successfully implemented at a large European utility

•  More than 20 servers being patched

•  Stand alone as well as virtualized systems

•  SPARC and x86 architecture

SCADA Control Center UI

TNA Hot Standby

Backup Control Center

Main Control Center

SCADA Control Center UI

TNA Hot Standby

SCADA Cold Standby

•  More than 40 servers being patched

•  Stand alone as well as virtualized systems

•  SPARC and x86 architecture

•  About 50 different 3rd party products being patched, including Oracle, Java, Mozilla, Apache, OpenLDAP etc.

The challenge…


Applied Patch Management Process

One example successfully implemented at a large European utility

Delivery of two tested security patch packages per year

Monthly uncritical newsletters

Critical newsletters within one work day

The implementation…

Tests by Siemens at site

Test of successfully tested patches against customer's backup control center

Operation switch to backup CC and installation of patches into main CC

Test of released patches against customer's test system

Watching system for final approval by customer

Full proof: No failures, no disturbances

All patches successfully implemented during operation


Good reasons for security with Spectrum Power

The all-encompassing and truly integrated security approach of Spectrum Power protects your assets and secures your systems against future threats for a reliable energy supply.

•  Complies with the most recent NERC CIP requirements and BDEW Whitepaper and enables compliance with any cybersecurity standard

•  Covers software and system, communications, and system architecture

•  Features the most recent security precautions

•  Availability of any required security service

•  Provision of additional product-related services such as security training and assessments

•  Off-the-shelf solution

© Siemens AG 2014 All rights reserved. siemens.com/answers

Successfully implemented – today. Thank you.