© Siemens AG 2014 All rights reserved. Answers for infrastructures and cities.
Patch Management in Smart Grids – the challenge in patching large SCADA/EMS/DMS systems
Sebastian Ranft, Product Manager IT-Security, Siemens AG
22-Sep-14 Page 2 IC SG SE
Siemens IT Security Solutions
Spectrum Power
Patch management
DMZ concept
Control center functions
System hardening
Intrusion detection
• Removal of unused software packages
• Security tools
• Newsletter • 3rd party patches • Staging system • IT-Security variances
• DMZ • Security zones • Port matrix
• Malware protection
• Secure ICCP • IEC104 tunneled by VPN
• Pattern updates
Security Patch Management Protects your Assets by the Trustful Interaction of People, Process and Solutions
Criticality / Work around Communication, e.g. Patch status
Classify: Evaluate relevance of vulnerabilities and patches
Identify: Scan the market for new vulnerabilities; track the industry for available patches
Implement: Spectrum Power patch implementation and test
Deploy: Advise on or deploy patches at customer premises
Siemens Patch Management service secures SCADA systems against known vulnerabilities.
Patch management protects your network
Network Protection is more than a Compliance topic
Patch Management Process
… as part of a Service Contract with Siemens.
Delivery of non-critical security updates by Siemens quarterly. Critical updates within one week.
Installation by Siemens in parallel to operation by use of redundant servers.
Testing (and adaptation) of security update on customer's reference system at Siemens.
Customer receives non-critical (monthly) and critical (daily) information.
Download of security update by customer.
Self-installation by customer.
Acceptance of security update by customer.
Asset management
... ensures traceability of the integrity of patch management
Gathering patches
CERT subscriptions
OSS Clearing
Patch bundling
Patch repository
Initial
3rd party product list
Asset scanning
IT Security contract
cyclic
Informing the Customer: The Newsletter
Contact information and version information
Security bulletins affecting Siemens products
Security bulletins not affecting Siemens products
Additional issued security bulletins
Applied Patch Management Process: one example successfully implemented at a large European utility
• More than 20 servers being patched
• Stand alone as well as virtualized systems
• SPARC and x86 architecture
SCADA Control Center UI
TNA Hot Standby
Backup Control Center Main Control Center
SCADA Control Center UI
TNA Hot Standby
SCADA Cold Standby
• More than 40 servers being patched
• Stand alone as well as virtualized systems
• SPARC and x86 architecture
• About 50 different 3rd party products being patched including Oracle, Java, Mozilla, Apache, openLDAP etc.
The challenge…
Applied Patch Management Process: one example successfully implemented at a large European utility
Delivery of two tested security patch packages per year
Monthly non-critical newsletters
Critical newsletters within one work day
The implementation…
Tests by Siemens at site
Test of successfully tested patches against customer's backup control center
Operation switch to backup CC and installation of patches into main CC
Test of released patches against customer's test system
Watching system for final approval by customer
Full proof: No failures, no disturbances
All patches successfully implemented during operation
Good reasons for security with Spectrum Power
The all-encompassing and truly integrated security approach of Spectrum Power protects your assets and secures your systems against future threats for a reliable energy supply.
• Complies with the most recent NERC CIP requirements and BDEW Whitepaper and enables compliance with any cybersecurity standard
• Covers software and system, communications, and system architecture
• Features the most recent security precautions
• Availability of any required security service
• Provision of additional product-related services such as security training and assessments
• Off-the-shelf solution
© Siemens AG 2014 All rights reserved. siemens.com/answers
Successfully implemented – today. Thank you.