Sppa t3000 r8 2 Cybersecurity Brochure en Se

Protect your power plant with continuous security
SPPA-T3000 R8.2

siemens-energy.com/sppa-t3000
SPPA-T3000 R8.2 | Continuous security

Value & Benefits

Minimum Risk
Extensive Experience
• SPPA-T3000 in use in over 3,000 units worldwide

Global experts
• Presence in 190 countries
• Comprehensive knowledge of particular markets and their special requirements

Continuous investments in R&D


• Continuously innovating to allow you to be ready, flexible and resilient today
and in the future
• Comprehensive knowledge of particular markets and their special requirements

Reliable Day-To-Day Operation


Tried and Tested Technology
• Clear and intuitive operation
• First rate alarm handling for quick reaction in critical situations
• One click access to root cause analysis
• Clear instructions and transparency of potential upcoming issues
• Integrated workflows, integrated Alarm Management & Analysis
• User friendly engineering

Investment Protection
Long Term Supported Release 8.2:

• Includes long term support for min. 8 years of lifecycle protection


• Online installation of patches and updates for uninterrupted availability
• Additional powerful security capabilities for compliance with challenging requirements
• Innovated hard- and software for flexibility in automation and communication performance
• Small size DCS for efficient and reliable operation of remote and distributed units and plant auxiliaries

© 2021 Siemens Energy Page 2



Keeping Your System Secure

A secure system must always be kept up to date to reduce vulnerability

Every change you make could impact connected components, while vulnerabilities in one place may lead to problems across the system. The optimal way to manage security effectively is through integrated services: That is exactly what SPPA-T3000 offers.

• We understand the power generation OT landscape better than a pure IT company.
• We are engineers, manufacturers and power generation asset managers, with profound OT know-how.
• We understand that patching and upgrading OT components is different than IT patches.
• The risks are greater, the potential for operational impact is higher and the need for specialized knowledge and skills is more urgent.
• We also understand the balance between stringent IT security and the need for physical security within a power plant.


Continuous development of cyber security features contributes to maintaining high plant security level for the entire lifecycle of your asset

• Security features
• Security processes
• Handling of vulnerabilities
• Security consciousness

Cyber Security features of SPPA-T3000, e. g.:

• Centralized Online Security Patch Management
• Malware Protection Solution
• Security Information and Event Management (SIEM)
• Configuration Change Monitoring
• Application Whitelisting
• Network Intrusion Detection System (NIDS)
• System Hardening
• Secure Remote Access
• Secure Data Gateway
• Active Directory
• Centralized Backup and Restore

Security Zone Architecture driven by NERC CIP V5, VGB-S-175 and IEC 62443-3-3 / IEC 62443-4-1

Enhanced Security Testing


Simple, Secure Patch & Update Process


Centralized Deployment for efficient secure patch implementation

• User friendly via central deployment
• Flawless patch installation through control, monitoring and visibility from a single device
• Lower potential for security gaps resulting from un-patched components
• Transparency of the software status of the relevant components

Security Server deploys security patches and virus patterns from a central point

[Diagram labels: File Contains Patch; Patch Deployment; Security Server; Terminal Server; Application Server; Thin Clients]


• Efficient administration of the redundant Application Server
• Easy and fast recovery in case of hardware failures
• Patches and Updates can be implemented online
• Reliable operation and availability with no downtime required during an update

Online Patch and Update capability of the Application Server based on system integrated redundancy

• Patch or Update available: New SPPA-T3000 or 3rd party security patches
• Patch or Update requires installation: Install the servers in sequence
• Full Operation during Patch and Update process
• Patch or Update Completed: Online installation with no downtime of the DCS system

Only a continuously maintained installation can be optimally kept “up to date” and secured


Vulnerability Management
The operational technology (OT) environment and landscape is constantly evolving, so vulnerability management is more important than ever before. Organizations need a modern, comprehensive strategy to quickly and accurately identify vulnerabilities and misconfigurations and remediate them, tailored to your standard installed SPPA-T3000 plant. Siemens SPPA-T3000 provides a comprehensive strategy to quickly and precisely identify vulnerabilities and operational risks so they can be mitigated and remediated immediately, to avoid any potential for harm. This approach is customized for your SPPA-T3000 plant.

The Challenge

Many software and hardware vulnerabilities may have operational consequences. These vulnerabilities can range from affecting physical devices, to modifying underlying execution procedures, to leaving security information exposed. Typically, operational technologies are actively scanned for vulnerabilities, but only during shutdown. Given the understandable reluctance to shut down a plant, this means fewer opportunities exist to scan for vulnerabilities. Even on rare occasions when a system network is analyzed, plant operators struggle to actively prioritize and schedule remediation. The plant’s operational network remains unsecure.

Solution

Considering the importance of having a well defined strategy for vulnerability management, we have developed a comprehensive strategy, which accurately identifies vulnerabilities and misconfigurations and remediates them, specifically for your standard installed SPPA-T3000 plant. We frequently issue security advisories to communicate any affected vulnerability, via our I&C Customer Portal.

This first of its kind solution, brings continuous asset and vulnerability visibility to operational networks.

Step 1
• Active and continuous scanning of all standard HW / SW / Firmware release products
• R&D notification of the vulnerabilities in real time

Step 2
Evaluation of vulnerabilities and SPPA-T3000 specific risk assessment tailored to your power plant installed standard (given that you follow our standard release asset list) including affected components, probability, priority, impact and exploitability published regularly in the Customer Portal Security Announcement

Step 3
Remediation plan for every single vulnerability, communicated through the Customer Portal Security Announcement

Step 4
• Remote Service of regular inspection to identify, investigate, prioritize and remediate vulnerabilities as well as possible misconfiguration in the entire environment of standard delivered SPPA-T3000
• Our service does not need active scanning and thanks to our state of the art online patching solution, can be done also online
• Service can be ordered on demand or on regular basis (per month, quarterly, annually)


What’s Coming Next?


The next developments will introduce new security mechanisms to further enhance the communication security and operation of the system.

For example:

• Enhanced SPPA-T3000 Hardening based on CIS benchmark
• Improvement of communication security by extension of input validation
• Two-factor authentication for cRSP
• Full integration of Unidirectional Gateway (SPPA-UDG)

Beyond SPPA-T3000 itself, we can also offer services to help protect your investment:

• Service contract 24 / 7 availability of system experts
• Remote proactive services to detect potential issues before they escalate
• I & C Monitors & Advisors implement digitalization into the traditional DCS service
• Software or System Maintenance Agreement – we keep your software “up to date” and secure

For additional information or questions, please contact your local sales representative or email: sppa-t3000.energy@siemens-energy.com

Roadmap – Continuous Innovation


Safeguard your plant’s operation for years to come with the stability of proven
technology, combined with long term innovation and support.

[Figure: roadmap timeline from 2005 to 2035 showing the releases LTS R7, LTS R7.2 and LTS R8.2 with their service packs (SP1, SP2, SP3) and maintenance phases.]

LTS = Long Term Support
SP = Service Pack

Continuous enhancements and improvements of Cyber Security

SPPA-T3000 is well positioned with a comprehensive security concept to meet the requirements of
common security standards. SPPA-T3000 is designed to be compliance ready for the applicable VGB-S-175,
NERC CIP Standard and IEC 62443-3-3 / IEC 62443-4-1.


From 2005 … to 2035 and beyond …

[Figure: SPPA-T3000 R8.2 surrounded by the labels Minimum system complexity, Easy operation, Data transparency, Security by design, Flexible connectivity, Clever HMI, No subsystem.]



Published by and copyright © 2021

Siemens Energy Global GmbH & Co. KG
Otto-Hahn-Ring 6
81739 Munich, Germany

For more information, please visit our website:
www.siemens-energy.com/sppa-t3000
E-Mail: sppa-t3000.energy@siemens-energy.com

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract. All product designations may be trademarks or product names of Siemens Energy Global GmbH & Co. KG or other companies whose use by third parties for their own purposes could violate the rights of the owners.

Siemens Energy is a trademark licensed by Siemens AG.
