
Cybersecurity with

SIPROTEC 5
What a protection engineer should know
about cybersecurity!

Page 1 Unrestricted | © Siemens 2023| Smart Infrastructure |


Content



Protection devices within a
Secure Substation



Certified Secure Substation according to IEC 62443 Standard
Field level - Protection

[Diagram: substation network zones, from the control center down to the field level, with the cybersecurity measures applied to them.]

Zones:
• Control center, reached over an untrusted network (remote access); AD server, certificate manager, RADIUS/LDAP
• DMZ: syslog server, AD server, certificate manager (RADIUS/LDAP)
• Station level (trusted zone): station controller, service PC, HMI, router, PC
• Field level (trusted zone): IEDs, protection and field devices, merging units, process bus communication

Cyber security measures:
• Access control and account management
• Security logging and monitoring
• System hardening
• Security patching, backup and restore
• Malware protection
• Data protection, data integrity and system architecture
• Secure remote access


Cybersecurity in the Power Grid
Security by Design in Products

• Signed software/firmware: protection against firmware/software manipulation
• Certificate management: easy certificate management with SICAM GridPass; automatic certificate enrolment with EST
• Firewall & VLAN: separation of Ethernet traffic over the integrated firewall and VLANs
• Secure protocols: secure IEC 61850 (TLS according to IEC 62351-3); engineering tool and WebUI over TLS
• RBAC with central user management: centrally manage users and assign roles for authorization (based on IEC 62351-8) with LDAPS
• Security logging: non-volatile persistence of the security audit trail and transfer over syslog


Security event logging –
Syslog


Logging and Monitoring

• Security-relevant logs are stored locally by default.
• Security-relevant logs can be sent via syslog.
• Logs can be correlated and analyzed in order to detect suspicious activities.

Data flow: IED (syslog client) -> syslog server -> SIEM (Security Information and Event Management)

Example syslog message (RFC 5424 format) emitted when a user loads a configuration:
<105>1 2021-03-17T12:28:37.874+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - 'L2_TX102_6MD85': User 'admin' initiated restart from '172.16.41.11' [with action: 'start load configuration'].
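The correlation step described above, as an added example that is not part of the slides and not Siemens code: a small parser for the RFC 5424 messages the device emits, plus two SIEM-style rules run over a constructed batch of lines. Only the first sample line is the message from the slide; the other lines, the 'login failed' wording, the ENGINEERING_HOSTS allow-list and the thresholds are assumptions made for the demo.

```python
"""Parse RFC 5424 syslog from a SIPROTEC 5 and flag suspicious activity.
Added example, not Siemens code.  SAMPLES[0] is the message shown on the
slide; the other lines are constructed for the demo and their wording
(e.g. 'login failed') is an assumption about the device's message text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
# MSG body as on the slide: 'DEVICE': User 'NAME' <event> from 'IP' [...]
BODY = re.compile(r"^'(?P<device>[^']+)': User '(?P<user>[^']+)' (?P<event>.+?) from '(?P<src>[^']+)'")

SAMPLES = [
    "<105>1 2021-03-17T12:28:37.874+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - "
    "'L2_TX102_6MD85': User 'admin' initiated restart from '172.16.41.11' "
    "[with action: 'start load configuration'].",
    # constructed: three failed logins within minutes from an unknown host, then a restart from it
    "<108>1 2021-03-17T12:29:10.000+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - "
    "'L2_TX102_6MD85': User 'admin' login failed from '10.0.0.77'.",
    "<108>1 2021-03-17T12:29:25.000+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - "
    "'L2_TX102_6MD85': User 'admin' login failed from '10.0.0.77'.",
    "<108>1 2021-03-17T12:30:41.000+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - "
    "'L2_TX102_6MD85': User 'admin' login failed from '10.0.0.77'.",
    "<105>1 2021-03-17T12:31:05.000+00:00 172.16.21.221 Mainboard - Siemens-Grid-Security - "
    "'L2_TX102_6MD85': User 'admin' initiated restart from '10.0.0.77' "
    "[with action: 'start load configuration'].",
    "not a syslog line",          # constructed: a collector must not silently drop these
]

ENGINEERING_HOSTS = {"172.16.41.11"}      # assumption: the permitted DIGSI 5 / engineering PCs
FAILED_LOGIN_THRESHOLD = 3                # assumption
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse(line):
    """Return the message fields as a dict, or None if the line is not RFC 5424."""
    m = RFC5424.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": pri >> 3, "severity": pri & 7,       # PRI = facility * 8 + severity
           "time": datetime.fromisoformat(m["ts"]), "host": m["host"],
           "app": m["app"], "msgid": m["msgid"], "msg": m["msg"]}
    body = BODY.match(m["msg"])
    if body:
        rec.update(body.groupdict())
    return rec


def analyze(lines):
    """Correlate the messages (what a SIEM rule would do) and return the alerts."""
    alerts = []
    failed = defaultdict(list)            # source IP -> timestamps of failed logins
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append({"rule": "unparsable", "line": line})
            continue
        event, src = rec.get("event", ""), rec.get("src")
        # Rule 1: restart / configuration load from a host that is not an engineering PC
        if re.search(r"restart|load configuration", rec["msg"]) and src not in ENGINEERING_HOSTS:
            alerts.append({"rule": "restart_from_unexpected_host", "device": rec.get("device"),
                           "user": rec.get("user"), "src": src, "time": rec["time"]})
        # Rule 2: repeated failed logins from one source within the window
        if "login failed" in event:
            recent = [t for t in failed[src] if rec["time"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(rec["time"])
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "repeated_failed_logins", "device": rec.get("device"),
                               "user": rec.get("user"), "src": src, "count": len(recent)})
                recent = []
            failed[src] = recent
    return alerts
```

Run `analyze(SAMPLES)`: the slide's own message produces no alert because its source is the engineering PC, the three failed logins fire once on the third attempt, the restart from 10.0.0.77 fires rule 1, and the garbage line is reported rather than dropped.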



Logging and Monitoring
Engineering



Logging and Monitoring
Demo with SIPROTEC 5 as DigitalTwin

Environment:
• SIPROTEC 5 DigitalTwin configured as syslog client.
• Syslog "freeware": "Visual Syslog Server" for Windows; the syslog server collects the syslog messages via UDP.
• Communication between DigitalTwin and PC protected via VPN.

Note that plain UDP syslog is neither authenticated nor encrypted, which is why the demo tunnels it through a VPN; the TLS option for syslog is shown below.


SIPROTEC DigitalTwin - Syslog



DigitalTwin and "Visual Syslog Server"



Logging in via the SIPROTEC 5 WebUI creates syslog messages



Syslog – secured / encrypted via TLS



Logging and Monitoring
Summary

[Diagram: syslog client (SIPROTEC 5) -> syslog server]

• Syslog is
  • simple to activate in our devices: only the IP address of the syslog server is needed
  • easy to test
• Syslog is a basic building block of cybersecurity for substation and automation systems
• In case of an attack: quickly analyze who did what, and when
• Without logging an attacker works invisibly: syslog is the light that shows what happens
• Highly recommended in IEC 62443
• Can be encrypted via TLS as recommended in IEC 62351
Basics “encryption” with TLS



Basics: TLS as the standard for communication encryption

TLS (Transport Layer Security) is

• the IT standard for secure communication based on certificates

• used every day whenever you connect to a web server on the internet, i.e. HTTPS: the S marks HTTP carried over TLS

• that is why it is recommended in IEC 62443 and IEC 62351


Cybersecurity – Data encryption using TLS (Transport Layer Security)

[Diagram: the seal analogy. An envelope closed with a seal is checked against a pattern of known seals (A -> G, B -> K) before its content is trusted.]


Cybersecurity – Data encryption using TLS (Transport Layer Security)

Public Key Infrastructure (SICAM GridPass)
• Create Certificate Authorities (seals)
• Create, sign and manage X.509 certificates
• Manage certificates AUTOMATICALLY with the EST protocol

The analogy in PKI terms:
• Seal => Certification Authority (CA)
• Pattern of seals => trusted CA store
• Envelope with seal => X.509 certificate (including keys) issued/signed by the trusted CA
• Checking the seal against the pattern => TLS handshake: server authentication, or server and client (mutual) authentication


Example every day HTTPS: Chrome's "seals pattern" repository (the browser's trusted CA store)!
Summary: TLS standard for communication encryption

TLS in SIPROTEC 5:
• DIGSI 5 protocol
• WebUI over HTTPS
• Syslog over TLS
• RBAC with LDAPS
• Secure IEC 61850 MMS
• EST (automated certificate management)

Peer (outside the device) | SIPROTEC 5 side       | Protection
DIGSI 5 client            | DIGSI 5 server        | TLS
Browser                   | Web UI server         | HTTPS (TLS)
Syslog server             | Syslog client         | TLS
LDAP server               | LDAPS client          | TLS
IEC 61850 client          | IEC 61850 MMS server  | TLS
EST server                | EST client            | TLS

TLS is a basic building block of cybersecurity for substation and automation systems.
TLS is recommended in IEC 62443 and IEC 62351.


RBAC with LDAPS



Cyber Security – RBAC – LDAPS

[Diagram: the user logs in at the device with Name: Engi / Password: secret; the device forwards the credentials to the central server, which answers login: OK, Role: Engineer.]

RBAC protocols:
• RADIUS (convenient for IT switches)
• LDAPS (convenient for PCs, servers, ...)


Cyber Security – RBAC – What if the connection to the AD server is not working?

[Diagram: the device sends Name: Engi / Password: secret to the "primary" AD server and gets no response.]

Fallback order:
1. "Secondary" AD server (or RODC)
2. List of "cached" users already authorized by the central server
3. Configured emergency users (all permissions)

Emergency users carry every permission, so their credentials deserve the same protection as the device's security settings, and their use is something to watch for in the syslog audit trail.


Engineering

1. Secondary AD server
2. User cache (activated by default)
3. Emergency users


LDAP and Access Tokens

[Exchange between SIPROTEC 5 and the LDAP server, TLS-encrypted:]
SIPROTEC 5: I am "IEC Engineer" under "My Corporation", and here is my username and password.
LDAP server: That's correct, and here is the certificate signed by the User Authority.

Access token:
• userRole = 2
• aor = "*" (area of responsibility: local, remote or *)
• revision = 1 (0: IEC 62351-8:2011, 1: IEC 62351-8:2020)

Role IDs:
0 = VIEWER
1 = OPERATOR
2 = ENGINEER
3 = INSTALLER
4 = SECADM
5 = SECAUD
6 = RBACMNT

Cybersecurity in the Power Grid
SIPROTEC 5 RBAC with LDAPS – Practical part

Login to SIPROTEC 5 using RBAC
• as usual, SIPROTEC 5 is simulated in SIPROTEC DigitalTwin
• remotely with the SIPROTEC 5 Web UI
• locally in front of the device with the On-Site Operation Panel

How to configure RBAC with LDAP in SIPROTEC 5 with DIGSI 5

PKI: SICAM GridPass

How to configure users in an Active Directory with certificates created in SICAM GridPass (PKI)


Role : SECADM



Role : Viewer
No permission to change settings



2 - RBAC over LDAP – Device Configuration Security Settings

LDAP search base used in the demo for the IEC 62351 role group:
OU=IEC62351 Group, DC=siprotectest, DC=com


Create new User in AD and new Certificates with SICAM GridPass



SICAM GridPass: the PKI for OT according to IEC 62351!

Alternative: manually from PKI to AD server



Role : Engineer

Role : SECADM



RBAC with LDAP
Summary

• Activated once with DIGSI 5 in our devices (IP address + CA certificate of the LDAP server)
• RBAC with LDAPS is a basic building block of cybersecurity for substation and automation systems
• Attacker: access is blocked after a certain number of unsuccessful logins
• High availability, fallback measures (backup server, cached users, emergency users)
• => that is why it is recommended in IEC 62443
• IEC 62351-8 defines the roles and the LDAP profile (LDAPS) to improve interoperability; IEC 62351-9 covers the certificate and key management behind it
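The fallback chain and lockout described in the RBAC slides, as an added example (not Siemens code and not from the slides): an in-memory model of the device's login path with a primary and a secondary directory, the user cache, emergency users and the lockout counter, using the IEC 62351-8 role IDs and access-token fields shown above. The per-role permission table, the cache hashing, the user names and the passwords are assumptions made for the demo.

```python
"""Model of the SIPROTEC 5 login path shown on the slides: primary directory,
secondary directory, user cache, emergency users, and lockout after repeated
failures.  Added example, not Siemens code; the permission table per role is
an assumption (IEC 62351-8 names the roles, the device manual fixes the rights)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ROLE_IDS = {0: "VIEWER", 1: "OPERATOR", 2: "ENGINEER", 3: "INSTALLER",
            4: "SECADM", 5: "SECAUD", 6: "RBACMNT"}
PERMISSIONS = {  # assumed, simplified
    "VIEWER": {"read"}, "OPERATOR": {"read", "control"},
    "ENGINEER": {"read", "control", "change_settings"},
    "INSTALLER": {"read", "change_settings", "load_firmware"},
    "SECADM": {"read", "change_security_settings"},
    "SECAUD": {"read", "read_audit_log"}, "RBACMNT": {"read", "manage_roles"},
}


@dataclass
class AccessToken:
    """The IEC 62351-8 fields the directory returns for a user."""
    user_role: int
    aor: str = "*"            # area of responsibility: "local", "remote" or "*"
    revision: int = 1         # 0 = IEC 62351-8:2011, 1 = IEC 62351-8:2020
    emergency: bool = False   # emergency users have all permissions

    def permits(self, action, origin):
        if self.aor not in ("*", origin):
            return False
        return self.emergency or action in PERMISSIONS.get(ROLE_IDS.get(self.user_role), ())


class DirectoryUnavailable(Exception):
    """The AD/LDAPS server gave no response."""


class LoginRejected(Exception):
    pass


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Directory:
    """Stand-in for an AD/LDAPS server; online=False simulates 'No responses!'."""
    users: dict                 # name -> (password, AccessToken)
    online: bool = True

    def authenticate(self, name, password):
        if not self.online:
            raise DirectoryUnavailable()
        entry = self.users.get(name)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            raise LoginRejected()
        return entry[1]


@dataclass
class Device:
    primary: Directory
    secondary: Optional[Directory] = None
    emergency_users: dict = field(default_factory=dict)   # name -> password
    max_failures: int = 3
    cache: dict = field(default_factory=dict)             # name -> (salt, digest, token)
    failures: dict = field(default_factory=dict)

    def login(self, name, password):
        """Return (AccessToken, source) or raise LoginRejected."""
        if self.failures.get(name, 0) >= self.max_failures:
            raise LoginRejected("locked after %d failures" % self.max_failures)
        try:
            result = self._authenticate(name, password)
        except LoginRejected:
            self.failures[name] = self.failures.get(name, 0) + 1
            raise
        self.failures.pop(name, None)
        return result

    def _authenticate(self, name, password):
        for source, directory in (("primary", self.primary), ("secondary", self.secondary)):
            if directory is None:
                continue
            try:
                token = directory.authenticate(name, password)
            except DirectoryUnavailable:
                continue                                  # no response: try the next server
            salt = os.urandom(16)                         # only central successes get cached
            self.cache[name] = (salt, _digest(password, salt), token)
            return token, source
        if name in self.cache:                            # no central server answered
            salt, digest, token = self.cache[name]
            if hmac.compare_digest(digest, _digest(password, salt)):
                return token, "cache"
        elif name in self.emergency_users and hmac.compare_digest(
                self.emergency_users[name].encode(), password.encode()):
            return AccessToken(user_role=-1, emergency=True), "emergency"
        raise LoginRejected()


def scenario():
    """Walk through the cases on the slides; returns a dict of observations."""
    engineer, viewer = AccessToken(user_role=2, aor="*"), AccessToken(user_role=0, aor="local")
    primary = Directory({"Engi": ("secret", engineer), "Vic": ("view-only", viewer)})
    secondary = Directory({"Engi": ("secret", engineer), "Vic": ("view-only", viewer)})
    device = Device(primary, secondary, emergency_users={"emergency": "break-glass"})
    out = {}
    token, out["normal"] = device.login("Engi", "secret")
    out["engineer_can_change_settings"] = token.permits("change_settings", "remote")
    out["viewer"] = (viewer.permits("read", "local"), viewer.permits("change_settings", "local"),
                     viewer.permits("read", "remote"))          # aor=local blocks remote use
    primary.online = False                                     # 1: primary gives no response
    _, out["failover"] = device.login("Engi", "secret")
    secondary.online = False                                   # 2: both central servers down
    _, out["cached"] = device.login("Engi", "secret")
    try:                                                       # Vic never logged in while a server was up
        device.login("Vic", "view-only")
        out["uncached_user"] = "accepted"
    except LoginRejected:
        out["uncached_user"] = "rejected"
    token, out["emergency"] = device.login("emergency", "break-glass")   # 3: emergency user
    out["emergency_can_change_security"] = token.permits("change_security_settings", "local")
    for _ in range(device.max_failures):                       # attacker guessing Engi's password
        try:
            device.login("Engi", "wrong")
        except LoginRejected:
            pass
    try:
        device.login("Engi", "secret")
        out["locked_out"] = False
    except LoginRejected:
        out["locked_out"] = True
    return out
```

Two design points worth noticing: the cache is only written after a central server has accepted the credentials, so a user who never authenticated while a server was reachable cannot log in during an outage, and the lockout counter is kept on the device, so it keeps working when the directory is down.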



Secure
Communication



Secure Communication – Focus on IEC 61850 MMS Secured

[Diagram: the TLS peer overview from the TLS summary, now with the substation systems named: SICAM PAS as IEC 61850 client talking to the SIPROTEC 5 IEC 61850 MMS server over TLS, and SICAM GridPass as EST server for the device's EST client. The other peers (DIGSI 5 client, browser, syslog server, LDAP server) are unchanged.]


Secure MMS: Use case

With IEC 61850 MMS Secured, communication integrity can be improved:
• INSIDE a substation that cannot be considered a secure zone
• OUTSIDE the substation, where protection is poor

[Diagram: IEC 61850 clients inside and outside the substation connected to the IEC 61850 servers (the protection devices).]


IEC 62351-3 and -4 define the IEC 61850 MMS "secure" options

"Application security" (IEC 62351-4):
A-profile (ACSE) secured with certificates
"Transport security" (IEC 62351-3):
recommended to be secured via TLS, using port 3782

An MMS secure server can implement:
• "TLS" or
• "TLS and A-profile"

=> SIPROTEC 5 implements "TLS"

Source: Noris
Cybersecurity in the Power Grid
SIPROTEC 5 Secure Communication – Practical part

How to configure SIPROTEC 5 as IEC 61850 MMS server secured via TLS according to IEC 62351-3

How to configure SICAM PAS as IEC 61850 MMS client secured via TLS according to IEC 62351-3

SICAM GridPass will act as "EST server" to create the certificates for
- SIPROTEC 5 as MMS secure server (manually or automatically)
- SICAM PAS as MMS secure client (automatically only)


1) SIP5 Secure MMS – Practical part – Configure SIP5 as MMS server with secure MMS

Overview of the steps:
• PKI (SICAM GridPass): create the CA and export its certificate, the "pattern" (.pem).
• DIGSI 5: configure the CA and load the "security settings" to the device.
• Device (IEC 61850 MMS server): holds the CA in its CA store and generates a certificate signing request, MMS.csr.
1) SIP5 Secure MMS – Practical part – Configure SIP5 as MMS server with secure MMS

SIPROTEC 5 WebUI
-> Certificates
-> Certificate authorities
-> Secure MMS Port J:
the CA selected in DIGSI 5 is visible

SIPROTEC 5 WebUI
-> Certificates
-> Requested certificates
-> Secure MMS Port J
-> click on export:
the file MMS.csr (the CSR the device generated for its IEC 61850 MMS server) is created


1) SIP5 Secure MMS – Practical part – Configure SIP5 as MMS server with secure MMS

PKI: read the CSR, create the certificate and sign it with your CA for TLS servers.

SICAM GridPass WebUI
-> Certificates -> Import Certificate Signing Request -> Requested certificates -> "Secure MMS Port J.csr"
-> Certificates: the certificate file (MMS.pem) is created by SICAM GridPass

The device (IEC 61850 MMS server) will then hold the CA in its CA store and the signed certificate.


1) SIP5 Secure MMS – Practical part – Configure SIP5 as MMS server with secure MMS

SIP5 WebUI
-> Certificates
-> Certificates in use
-> import "MMS.pem"

Device (IEC 61850 MMS server): CA in the CA store, signed certificate in use.


2) SIP5 Secure MMS – Practical part – Configure SICAM PAS as MMS client

SICAM PAS UI-Config
-> Templates -> Certificates -> EST communication
-> Upload: CA of the EST server
-> Upload: certificate for the EST client

SICAM PAS now holds, for its EST client, the EST server's CA and its own EST client certificate; the IEC 61850 MMS client certificate still has to be obtained.


2) SIP5 Secure MMS – Practical part – Configure SICAM PAS as MMS client

SICAM PAS UI-Config
-> Configuration -> Protocol: IEC 61850 Client
-> Interface_SIP5
-> Security – TLS encryption
Select: "TLS using EST"
(do not select "TLS + A-Profile using EST": SIPROTEC 5 implements TLS only)


2) SIP5 Secure MMS – Practical part – Configure SICAM PAS as MMS client

Automatic certificate creation via EST:
SICAM PAS, as EST client, asks the SICAM GridPass EST server to create a certificate for the IEC 61850 MMS client for the corresponding device.

SICAM GridPass: the certificate for the device as MMS client is generated via EST.


3) SIP5 Secure MMS – Practical part – SICAM PAS and SIPROTEC 5

Result: MMS messages are encrypted.

TLS handshake between MMS client and server done: SICAM PAS (IEC 61850 MMS client, certificate obtained via EST) and SIPROTEC 5 (IEC 61850 MMS server, certificate signed from the exported CSR) each present a certificate issued by the SICAM GridPass CA, and each holds that CA in its CA store.

Check: a client whose certificate is not signed by a CA in the device's CA store must fail the handshake; this negative test is what proves the CA store contains only the intended CA.
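The TLS handshake against a trusted CA store described in the PKI slides and exercised in the Secure MMS procedure, as one added example covering both (not Siemens code and not from the slides): a private CA issues a server certificate (the device's Secure MMS port) and a client certificate (SICAM PAS), the server demands a client certificate, and a client from a foreign CA or with no certificate is refused. It needs the third-party 'cryptography' package; the names, the ephemeral port in place of 3782 and the echo payload in place of real MMS PDUs are assumptions.

```python
"""Mutual TLS between an IEC 61850 MMS-style client and server, with every
certificate issued by one private CA.  Added example, not Siemens code: the
in-memory CA stands in for SICAM GridPass, the TLS server for the SIPROTEC 5
Secure MMS port and the TLS client for SICAM PAS.  Needs the 'cryptography'
package; names, the ephemeral port and the echo payload are assumptions."""
import os
import socket
import ssl
import tempfile
import threading
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def issue(cn, issuer=None, ca=False, san=None):
    """Return (certificate, key). issuer=None gives a self-signed CA ('seal');
    otherwise the certificate is signed by issuer ('envelope with seal')."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return builder.sign(signer, hashes.SHA256()), key


def pem_files(directory, name, cert, key):
    """Write certificate and key as PEM files and return their paths."""
    cert_path, key_path = os.path.join(directory, name + ".pem"), os.path.join(directory, name + ".key")
    with open(cert_path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    with open(key_path, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    return cert_path, key_path


def serve(listener, ctx, n_clients):
    """TLS server side of the MMS port: the handshake must present a client
    certificate chaining to the CA store, then one message is echoed back."""
    for _ in range(n_clients):
        raw, _ = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:
                tls.sendall(tls.recv(64))
        except OSError:            # ssl.SSLError: missing or untrusted client certificate
            raw.close()


def client_round_trip(port, cafile, cert=None, key=None):
    """One client exchange; True only if handshake and echo both succeed."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if cert:
        ctx.load_cert_chain(cert, key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"MMS initiate")
            return tls.recv(64) == b"MMS initiate"
    except OSError:                # handshake alert, reset or EOF from the server
        return False


def run_demo():
    """CA issues server and client certs; a client from a foreign CA and a
    client without any certificate are both refused by the server."""
    with tempfile.TemporaryDirectory() as tmp:
        ca = issue("Substation CA", ca=True)              # stand-in for SICAM GridPass
        rogue_ca = issue("Rogue CA", ca=True)             # a CA not in the device's CA store
        ca_pem, _ = pem_files(tmp, "ca", *ca)
        server = pem_files(tmp, "mms-server", *issue("Secure MMS Port J", ca, san="localhost"))
        good = pem_files(tmp, "pas-client", *issue("SICAM PAS", ca))
        bad = pem_files(tmp, "rogue-client", *issue("Intruder", rogue_ca))

        server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_pem)
        server_ctx.load_cert_chain(*server)
        server_ctx.verify_mode = ssl.CERT_REQUIRED        # mutual authentication
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))                   # real Secure MMS listens on TCP 3782
        listener.listen(3)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=serve, args=(listener, server_ctx, 3), daemon=True)
        worker.start()
        results = {
            "trusted_client": client_round_trip(port, ca_pem, *good),
            "untrusted_ca_client": client_round_trip(port, ca_pem, *bad),
            "no_client_cert": client_round_trip(port, ca_pem),
        }
        worker.join(timeout=10)
        listener.close()
        return results
```

Call run_demo(); the three results correspond to the three handshake cases. In the real setup the device generates the CSR and SICAM GridPass signs it, so the private key never leaves the device; here the CA creates the keys itself only to keep the example self-contained.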



Secure Communication: Summary

TLS => certificates on client and server needed

Peer (outside the device) | SIPROTEC 5 side       | Protection
DIGSI 5 client            | DIGSI 5 server        | TLS
Browser                   | Web UI server         | HTTPS (TLS)
Syslog server             | Syslog client         | TLS
LDAP server               | LDAPS client          | TLS
IEC 61850 client          | IEC 61850 MMS server  | TLS
EST server                | EST client            | TLS

TLS is a basic building block of cybersecurity for substation and automation systems.
TLS is recommended in IEC 62443 outside the secure zone,
and IEC 62351 selects the best practice from the IT world for OT.


SUMMARY – Cybersecurity for protection engineers

• Protection devices within a Secure Substation
• Security event logging (syslog)
• Basics: "encryption" with TLS
• RBAC with LDAPS
• Secure communication

SIPROTEC 5 => peace of mind with best-in-class cybersecurity!


Expert
Dr. Francois Simon
Promotor SIPROTEC and SICAM - Cybersecurity

Smart Infrastructure
Electrification & Automation
Mozartstraße 31 C
91052 Erlangen
Germany

Mobile +49 (172) 8457280
E-Mail francois.simon@siemens.com

Contact
Published by Siemens 2023

Smart Infrastructure
Electrification & Automation
Mozartstraße 31 C
91052 Erlangen
Germany
For the U.S. published by
Siemens Industry Inc.
100 Technology Drive
Alpharetta, GA 30005
United States

© Siemens 2023
Subject to changes and errors. The information given in this
document/video only contains general descriptions and/or performance
features which may not always specifically reflect those described, or which
may undergo modification in the course of further development of the
products. The requested performance features are binding only when they
are expressly agreed upon in the concluded contract.
All product designations may be trademarks or other rights of Siemens, its
affiliated companies or other companies whose use by third parties for their
own purposes could violate the rights of the respective owner.
