summary
With the introduction of SIMATIC PCS neo, Siemens wants to set new standards in process automation with an innovative, web-based process control system. As a completely new system software, Siemens had the opportunity to integrate important functions right out of the box. This includes global, web-based collaboration in engineering and operations, an intuitive user interface with all relevant information that is available from a single workbench, and above all cybersecurity, which is deeply embedded in the system’s DNA.
Rethink process automation
SIMATIC PCS neo users benefit from an intuitive graphical user interface (GUI) that can be used to access applications with just a few clicks. The SIMATIC PCS neo Workbench enables you to easily switch between the Engineering and Monitoring & Control views. The object-oriented data model increases efficiency and quality over the entire system life cycle.
Although SIMATIC PCS neo was designed as a web-based system, users can also access software and system updates offline, ie without direct internet access, so that the system can easily be kept up-to-date even in critical areas of the plant.
Cyber security from the start
In order to protect against cyber attacks on industrial plants, security and detection must take place on several levels at the same time. In addition to integrated security features, SIMATIC PCS neo follows the “defense-in-depth” approach, a comprehensive protection strategy based on the recommendations of IEC 62443, the global standard for security and industrial automation.
Defense in depth
Defense-in-depth deals with plant security, network security and system integrity. The implementation of a large number of security measures in these areas makes it more difficult for attackers to break into a system. It is important to recognize that the plant network strategies and security systems implemented during commissioning cannot be forgotten. Organizations need to keep their cybersecurity strategies up to date throughout the life of their assets.
The server-client architecture of SIMATIC PCS neo with web-based access enables the protection of physical access to critical data and systems. Critical components such as servers and controllers are located in separate, locked control cabinets and physically accessible slim clients do not contain any sensitive data. The access of employees to the system components can be restricted to certain users.
System integrity
The integrated “Security by Default” of SIMATIC PCS neo ensures a secure pre-configuration of the functions in accordance with the Charter of Trust, Principle 3. This means that the essential cybersecurity measures have been deeply integrated into the system concept right from the start.
The system integrity of SIMATIC PCS neo ensures that all undiscovered changes in the automation process are discovered. Authentication and access protection are integrated system functions, administration is simple and practical, so that employee rights can be transferred to workplace requirements. A further system hardening is guaranteed by the system modularity. The keyword “lowest functionality” guarantees that the required software functionality is installed first. The integrity of the entire system is monitored by digital signatures. This ensures that only unmodified Siemens software is used on the system. These measures reduce the risk of cyber attacks from the outset so that the system can be operated safely.
Sophisticated patch management ensures system integrity throughout the entire life cycle. A central overview of the patch status enables deviations to be identified immediately. Various software maintenance packages offer updates and system upgrades; this includes basic, dynamic and premium packages.
SIMATIC PCS myExpert
The SIMATIC PCS myExpert function is an essential part of the software maintenance package. This service enables access to the Siemens network of experts, which offers reliable support for all questions relating to SIMATIC PCS neo, including proactive notifications about weak points in individual installations.
Network security
Similar to the access protection described above, the network security is also increased. Network cells are best configured and protected by firewalls and virtual private networks (VPN). Right from the start, SIMATIC PCS neo was designed to work in separate network cells so that communication between the network cells, i.e. between servers and clients, is encrypted via HTTPS. The use of certificates is integrated into HTTPS communication.
Different firewall layers ensure access rights in the network. In this way, the access rights of users can also be restricted to certain network areas.
- The front firewall ensures communication with the office network.
- A DMZ enables secure service and support for the plant environment. This ensures a controlled and monitored data exchange with the process control network.
- Each host is equipped with a Windows firewall configured by SIMATIC PCS neo.
Plant security
Industrial security cannot be achieved through technical measures alone. Instead, it must be actively applied as a continuous process in all relevant company units. The physical protection of the critical components is made possible by only granting the right employees access to the corresponding systems. Access to components with sensitive information can be configured accordingly.
Certificate management
Right from the start, SIMATIC PCS neo is equipped with a certificate management system that provides the system administrator with the registration, renewal or revocation of certificates. In addition, a central overview provides all details on the status of the certificates in the system. The user is free to choose whether to use the certification authority (CA) integrated in SIMATIC PCS neo or an externally provided Microsoft-based certification authority which is the responsibility of the customer’s IT department.
Data protection / user management
SIMATIC PCS neo is GDPR-compliant (General Data Protection Regulation, Data Protection Act of the European Union). The creation and maintenance of users and passwords is in the hands and responsibility of the customer (created users remain in the system).
“Security by default” is also fulfilled for the user administration and is set up when the system is first installed, ie no preconfigured users and passwords are part of SIMATIC PCS neo. If necessary, existing users from the customer’s existing IT environment can be mapped into the OT user administration of SIMATIC PCS neo.
Off / online operation
All system components can be operated both offline and online. This means that the system can be operated on-premise or online.
diploma
Process control systems have long life cycles that correspond to the industrial processes that they control and monitor. Features are added as new needs and challenges arise, but a completely new system presents a rare opportunity to incorporate these features while opening up a new avenue for future development.
With the development of SIMATIC PCS neo, Siemens was able to break with the past and at the same time build a bridge into the future. With a fresh start, the new DCS integrates important functions such as cybersecurity that have been “screwed” into existing systems over the years. Looking to the future, Siemens examined the way future process engineers interact with DCS and created a system that supports global collaboration in engineering and operations, as well as an intuitive, web-based user interface that brings all relevant information from a single workbench makes available.
Integrating cybersecurity deep into the DCS system DNA was possible by starting from scratch. This means that key functions are securely preconfigured according to the principles of the Charter of Trust and IEC 62443 (Security by Default), which reduces the attack surface of the control system and enables a plant to be operated safely from the start.
The security concepts of SIMATIC PCS neo correspond to the charter of trust in many areas. These aspects PCS neo also supports operators with patch management and attack detection. A central overview of the current patch level is used to display variants so that they can be installed from a central point.
ARC Advisory Group customers can view the full report on the ARC Client Portal
If you would like to purchase this report or for information on how to become a customer, please contact us
Keywords: Cybersecurity, Siemens, SIMATIC PCS neo, IEC 62443, Defense in Depth, DCS, ARC Advisory Group.
Comments are closed.