SPPA-T3000 Security Manual
1 Introduction ... 1-4
1.1 Purpose of the document ... 1-4
1.2 Target group ... 1-4
1.3 Required knowledge ... 1-4
2 T3000 introduction; approx. 10 pages ... 2-5
2.1 Standard architecture ... 2-5
2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7, Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches) ... 2-6
2.2.1 User interfaces - Thin Clients ... 2-7
2.2.2 Power server – Application Server ... 2-7
2.2.3 Power server – Automation Server S7 ... 2-8
2.2.4 Power server – Automation Server CM104 ... 2-9
2.2.5 Time server ... 2-9
2.2.6 Process interfaces ... 2-9
2.2.7 Network components ... 2-10
2.2.7.1 Ethernet components ... 2-10
2.2.7.2 Profibus ... 2-10
2.2.7.3 Routers and firewalls ... 2-11
2.3 Networks (Application Highway, Automation Highway, Backbone Highway, DMZ) ... 2-12
2.3.1 Standard network topology for application and Automation Highways ... 2-12
2.3.1.1 Redundancy manager (RM) ... 2-13
2.3.1.2 Observer (for OSM/ESM) ... 2-14
2.3.2 Application Highway ... 2-15
2.3.3 Automation Highway ... 2-16
2.3.4 Backbone highways ... 2-17
2.3.5 The DMZ network ... 2-18
2.3.5.1 DMZ sample variants in detail ... 2-19
2.4 Variants (small, standard, multi-unit configuration) ... 2-21
2.4.1 Small system ... 2-21
2.4.2 Standard system ... 2-21
2.4.3 Multi-unit system ... 2-23
2.5 Software ... 2-24
2.5.1 Software architecture ... 2-24
2.5.1.1 Software component categories ... 2-24
2.6 Crossover to the "outside world" ... 2-26
3 Coarse/overriding security concept ... 3-27
3.1 Security cells ... 3-27
3.2 Communication rule: Everything is prohibited unless explicitly permitted ... 3-28
3.3 "Reinforcing" the Thin Clients of the Control systems ... 3-28
3.4 Thin Clients outside the security cell "Control system" ... 3-29
4 Scenarios for Remote Service Access ... 4-30
4.1 General observations on Remote Service ... 4-30
4.1.1 Comparison of external Terminal Servers and combined Thin Clients / terminal servers ... 4-30
4.1.2 File transfer using RDP and SSH ... 4-30
4.2 Service access to SPPA-T3000 ... 4-31
4.2.1 Service access to SPPA-T3000 via Customer Access Gateway (CAG) ... 4-32
4.2.1.1 Service access via CAG through dial-up connection (ISDN or POTS*) or internet ... 4-32
4.2.2 Service access via Customer Owned Gateway (COG) ... 4-38
4.2.2.1 Service access through COG via dial-up connection (ISDN) ... 4-38
4.2.2.2 Service access through COG via internet VPN connection ... 4-38
4.3 Connection of SPPA-T3000 to an intranet ... 4-44
4.3.1 Thin Client in the intranet with access to SPPA-T3000 ... 4-45
4.4 SPPA-T3000 connection to the internet ... 4-49
4.4.1 Thin Client in the internet ... 4-49
T3000 Security Manual V1.0.3 1-2 24.01.2008
© Siemens AG 2007 All Rights Reserved
Siemens AG
4.5 Wireless Thin Clients in the control station and power station ... 4-51
4.5.1 Administration of the wireless Access Point ... 4-53
4.6 Third party system connection via OPC ... 4-54
4.6.1 OPC server/client system in the client intranet ... 4-55
4.6.2 OPC server/client system in the DMZ with access by external PI system in the client intranet ... 4-57
4.7 Third party system connection via Modbus ... 4-58
4.7.1 Modbus TCP connection via CM104 ... 4-58
5 Annexes ... 5-60
5.1 VPN details for Remote Service Access via cRSP ... 5-60
5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP ... 5-61
5.1.2 Configuration of the Cisco VPN client software ... 5-62
5.2 Applications and ports for the communication with SPPA-T3000 ... 5-63
5.3 Sample loading times for a workbench via DSL ... 5-64
6 Glossary ... 6-65
1 Introduction
1.1 Purpose of the document
The T3000 Security Manual contains information, notes and guidelines for the planning and
implementation of external access to T3000 systems.
It describes standards of a binding nature which ensure a high degree of security for the T3000 systems
and the related plant operation.
Some exemplary typical scenarios of the connection of external clients to T3000 systems are illustrated
and dealt with in detail.
The aim is to establish a common basis for the cooperation of network administrators of company
networks and of automation networks.
The SPPA-T3000 standard architecture is formed from 3 functional levels connected via networks.
• Presentation Tier
• Processing Tier
• Data Tier
2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7, Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches)
Overview
User interfaces
• Thin Clients
Power server
• Application Server
  o ft server
  o non-ft server
• Automation Servers
  o S7
  o CM104
Process interfaces
• I/O modules
• Special I/O modules
Network components
• Switches
Thin Clients form the interface between users and the functions of SPPA-T3000. In principle every
computer with a web browser can access the web applications via the local network, an intranet or via the
internet. No particular applications need to be installed on the desktop system for this purpose.
An interruption in the ring exists if at least one of the two ring test telegram currents is interrupted. The
RM then re-activates its port 8 for user data, and the two bus segments resulting from the interruption are
reconnected. For up to 50 switch modules in the ring, a ring interruption is rectified in the manner described
above within 0.3 sec.
Figure 4: RM activation
The ring test telegram currents remain interrupted until the ring structure has been restored. When both
ring test telegram currents are received the RM re-"opens" the closed ring structure and the standard
topology is restored.
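The asymmetry in the two paragraphs above (the RM closes the ring as soon as one telegram current is missing, but re-opens it only when both are back) is easy to get wrong when reasoning about availability, so here is an added Python model of that behaviour. It is not Siemens or switch-vendor code and not part of the manual; the number of consecutively missed test telegrams that counts as an interruption (MISSED_LIMIT) and the event sequences fed in are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption: how many test telegrams may be missed in a row before the RM
# treats a direction as interrupted. The manual gives only the 0.3 sec bound.
MISSED_LIMIT = 3


@dataclass
class RedundancyManager:
    """Minimal state machine for the RM's port 8 as described in the text."""
    port8_active: bool = False   # False: port 8 blocked for user data (intact ring)
    missed: dict = field(default_factory=lambda: {"A": 0, "B": 0})
    log: list = field(default_factory=list)

    def tick(self, received_a: bool, received_b: bool) -> bool:
        """Process one test-telegram interval; return whether port 8 carries user data."""
        for direction, received in (("A", received_a), ("B", received_b)):
            self.missed[direction] = 0 if received else self.missed[direction] + 1
        # Interrupted if at least ONE of the two telegram currents is missing.
        interrupted = any(n >= MISSED_LIMIT for n in self.missed.values())
        if interrupted and not self.port8_active:
            self.port8_active = True
            self.log.append("ring interrupted: port 8 activated, segments reconnected")
        elif not interrupted and self.port8_active:
            # Only when BOTH currents are received again is the ring re-opened.
            self.port8_active = False
            self.log.append("both test telegram currents received: ring re-opened")
        return self.port8_active


def simulate(events):
    """events: list of (received_a, received_b) per interval (constructed input).
    Returns the port-8 state after each interval and the RM's event log."""
    rm = RedundancyManager()
    states = [rm.tick(a, b) for a, b in events]
    return states, rm.log


if __name__ == "__main__":
    # Direction B fails for three intervals, then the ring is repaired.
    states, log = simulate([(True, True)] * 2 + [(True, False)] * 3 + [(True, True)])
    print(states)   # [False, False, False, False, True, False]
    print(log)
```

Feeding in a sequence where only one direction recovers shows the second rule: port 8 stays active until both currents are back, so a half-repaired ring never creates a loop.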
[Figure residue: front panel of an EAGLE device (ports 1 and 2, V.24 interface, FAULT/STATUS/LS-DA indicators, 24 V supply terminals)]
* For multi-unit systems with backbone the time servers are connected to the automation backbone
Runtime container
• Management and execution of automation functions
• Components with standardized interfaces
Hardware proxy
• Represents an I/O module
Management proxy
• Coordination of all software components and services

• Operating System
• Server components
• Network communication
• Field device communication
2.6 Crossover to the "outside world"
[Figure: Crossover without DMZ. Client Intranet | Firewall | SPPA-T3000 Control System: Application Server, Terminal Server (optional), OPC Server/Client (optional), WIN TS (optional), Automation Server. External access via dial-in or internet.]
[Figure: Crossover with DMZ. Client Intranet | outside Firewall | SPPA-T3000 DMZ-Net: Terminal Server, OPC Server/Client (optional), WIN TS (optional) | inside Firewall | Control System: Application Server, Automation Server. External access via dial-in or internet.]
The framework conditions which make the DMZ network necessary could be, e.g.:
• Project requirements
• Client security policy
3 Coarse/overriding security concept
• Network management
• Time synchronization
3.1 Security cells
A basic idea of the SPPA-T3000 security concept is based on security cells with different security levels.
The cells can be structured hierarchically and the security levels can be reduced from the inside to the
outside from "secure" to "not secure".
The inner cells consist of the application and Automation Servers; the next cell includes the Thin Clients.
Together they then form the security cell of the "Control system".
All other cells outside the control systems are considered as less secure.
[Figure: nested security cells, from the inside outwards: Field, Automation, Application, Control System, DMZ Net, Intranet, Internet; an external Thin Client sits outside the Control System cell.]
The optional security cell DMZ Net is switched between the security cell Control system and the non-
secure cell intranet/internet. All access to the security cell Control system is then directed via the security
cell DMZ Net. The DMZ Net contains systems which communicate externally and internally.
For access to the security cells Control system and optional DMZ Net a restrictive basic approach is
used:
Everything is prohibited unless explicitly permitted!
In the firewalls of the optional DMZ Net and the Control system the source and target address and the
communication port used are checked. In future, application level firewalls may also be used.
3.3 "Reinforcing" the Thin Clients of the Control systems
The Thin Clients in the security cell "Control system" provide the operator workstations. This "physical
contact" between man and system implies an increased security risk. For this reason the Thin Clients are
specifically configured and locked for functions which are not required for normal control operation. This
ensures that the Thin Client is not modified in a way which could affect the Thin Client itself or other
systems in the Control system.
Only "reinforced" Thin Clients may be used in the security cell "Control system".
A Thin Client is "reinforced" for operation in the security cell "Control system" on 3 levels:
Hardware
Firmware
• Setup of a BIOS password
Software
• Strict limitation of the Thin Client functionality ("locking") for the user "operator", e.g.:
• Automatic start of the web browser with login screen for the control technology application.
• No starting of other websites.
• No installation of additional software possible
• No starting of other applications
• No login possible under different user names
• No autostart of any drives present (e.g. CD ROM).
• No access to external drives and USB memories
• No icons, no start button, no task manager, no explorer
3.4 Thin Clients outside the security cell "Control system"
Thin Clients outside the security cell "Control system", e.g. in the client intranet, pose a security risk. In
addition to the access restrictions to the security cell "Control systems", external Thin Clients must meet
the minimum requirements below:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client
For external service access via WAN or internet, the access must always be via a Terminal Server (TS)
using Microsoft Terminal Services (MS-TS). Access cannot be gained directly via the Application Server(s).
The Terminal Server is either a Thin Client at the Application Highway or a server in the DMZ. In the case
of a Thin Client as Terminal Server only a remote session is possible; the local session must be logged
out.
If more than one terminal session is to be allowed at the Terminal Server, a standard server HW and
server operating system must be used.
The only exceptions to this rule are the SSH-based applications (Secure Shell, SFTP and SCP), which,
exclusively for service purposes, may also run directly on the Application Server and the Thin Clients.
4.1.1 Comparison of external Terminal Servers and combined Thin Clients / terminal servers
File transfer is an important application between the service center and the Control system. Diagnosis
data, patches, virus pattern updates etc. are frequently transferred in both directions.
Microsoft Terminal Services (MS-TS) is one of the main service applications and also offers a file transfer
option. Resources, e.g. the client drives, are connected to the server. When using the cRSP the MS-TS
client runs on CAT clients in the intranet. When using the drive connection via MS-TS all network drives
and any inserted USB drives at the CAT client would be connected to the server. This situation cannot be
modified administratively and poses a high security risk for the server. For this reason the connection of
drives via MS-TS is prohibited.
As an alternative the file transfer via SSH is used. On Application Servers and Thin Clients an SSH
program will be installed or enabled in future.
SSH File Transfer Protocol (SFTP) permits the secure data transfer and data access on remote
systems.
Secure Copy or SCP ensures the confidentiality, integrity and authenticity of the transferred data. For
this the SSH uses.
The Thin Client in the client intranet must first establish a VPN connection (VPN tunnel) to the inside
firewall (router/firewall) in the DMZ. The inside firewall acts as VPN gateway.
The HTTPS and RMI connections are then channeled through this protected tunnel.
The Thin Client in the client intranet must meet the requirements in chapter 3.5.
Conditions for the establishment of a VPN tunnel between TC and inside firewall:
• TC: VPN Client Software (Cisco VPN Client) installed and configured, for
configuring the Cisco VPN Client see "appendix"
• Inside firewall: Configuration as VPN gateway
Figure 28: Connection of a Thin Client in the client intranet to SPPA-T3000 via VPN Client Connection
Communication relationships between TC in the client intranet and the VPN gateway in the inside firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Application communication
Re 2, application communication
The connection of SPPA-T3000 to the internet may be required for the following reasons:
• Access for client personnel
• Access for third parties
The use of the internet by Siemens remote service has already been covered in chapter 4.1. This also
defined that the internet access via Customer Access Gateway CAG (the internet is connected direct to
the DMZ Net via CAG) can only be used for service via cRSP.
The information above determines that access by client personnel and third parties to the SPPA-T3000
must be carried out via a separate internet access.
A connection over the internet uses public resources; therefore mechanisms for the security of the
transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packages are encrypted using 3DES* encryption.
In addition to the Remote Service via the internet it may be necessary also to connect individual Thin
Clients over the internet to SPPA-T3000, e.g. client personnel from home.
The client must provide the corresponding access for this purpose. This gateway forms the access point
for individual systems via internet or dial-in.
The internet is considered an "untrusted area". Therefore, access by TC from the internet must be
especially secure. The TC in the internet must first establish a VPN connection (VPN tunnel) to the client
gateway. Protected by this VPN tunnel a MS-TS connection to the Terminal Server in the DMZ can be
made. No direct access to SPPA-T3000 systems from the internet is permitted.
The Thin Client in the internet must meet a minimum of the following requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client
Figure 30: Connection of wireless Thin Clients to SPPA-T3000 via WLAN and VPN tunnel
Communication relationships between wireless Thin Client (wTC) and the VPN gateway in the inside firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application(s)
Re 2, application communication
Application | Connection direction | Source IP | Target IP | Protocol / target port
Terminal session | wTC -> Terminal Server | VPN-Client IP of the TC* | TS IP | RDP, TCP 3389
Workbench HTTPS connection | Terminal Server -> Appl. server | TS IP | Appl. Server IP | HTTPS, TCP 443
RMI reg | Terminal Server -> Appl. server | TS IP | Appl. Server IP | RMI, TCP 1099
RMI com. | Terminal Server -> Appl. server | TS IP | Appl. Server IP | RMI, TCP 50001-50050
RMI to Workbench** | Appl. server -> Terminal Server | Appl. Server IP | TS IP | TCP 50000+50009
* allocated by the VPN gateway
** outgoing connection
For the communication between the applications, OPC currently mainly uses DCOM technology
(Distributed Component Object Model).
The result of using DCOM would be:
• DCOM has to be configured
• An unpredictable number of TCP/UDP connections would be opened.
The 2nd point in particular would represent a serious security problem, because it would no longer make
a static firewall configuration possible.
The solution to the problem is the use of an "OPC tunneler", e.g. by Matrikon Inc., which reduces the
OPC communication between client and server to one (1) TCP connection.
The target port TCP 21379 has been defined for the tunneler.
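The communication table for the wireless Thin Client and the OPC tunneler discussion both reduce to the rule from chapter 3: the inside firewall checks source address, target address and target port, and everything not listed is prohibited. The following Python is an added example, not Siemens code and not part of the manual: it encodes those communication relationships as a default-deny allowlist, evaluates candidate connections against it (including a DCOM-style connection on an unpredictable port, which is exactly what a static filter cannot admit), and renders the same policy as iptables rules. The IP addresses and the placement of the OPC tunneler client and server are constructed placeholders, and the iptables/conntrack rendering is one possible translation, not the manual's firewall configuration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterator, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dports: frozenset  # permitted target ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed addressing (assumption): the manual names roles, not addresses.
VPN_CLIENT_POOL = ip_network("10.200.0.0/24")  # "VPN-Client IP of the TC", allocated by the VPN gateway
TS_IP = ip_network("10.10.1.10/32")            # Terminal Server
APPL_SERVER_IP = ip_network("10.10.1.20/32")   # Application Server
OPC_CLIENT_IP = ip_network("10.10.2.5/32")     # OPC tunneler client (placement assumed)
OPC_SERVER_IP = ip_network("10.10.1.30/32")    # OPC tunneler server (placement assumed)


def ports(*spec) -> frozenset:
    """Expand port specs such as 443 and (50001, 50050) into one set of ports."""
    out = set()
    for s in spec:
        out.update(range(s[0], s[1] + 1) if isinstance(s, tuple) else [s])
    return frozenset(out)


# Allowlist transcribed from the table plus the OPC tunneler port; nothing else passes.
RULES = (
    Rule("Terminal session wTC -> TS", VPN_CLIENT_POOL, TS_IP, "tcp", ports(3389)),
    Rule("Workbench HTTPS TS -> Appl. server", TS_IP, APPL_SERVER_IP, "tcp", ports(443)),
    Rule("RMI registry TS -> Appl. server", TS_IP, APPL_SERVER_IP, "tcp", ports(1099)),
    Rule("RMI communication TS -> Appl. server", TS_IP, APPL_SERVER_IP, "tcp", ports((50001, 50050))),
    Rule("RMI to Workbench Appl. server -> TS", APPL_SERVER_IP, TS_IP, "tcp", ports(50000, 50009)),
    Rule("OPC tunneler client -> server", OPC_CLIENT_IP, OPC_SERVER_IP, "tcp", ports(21379)),
)


def evaluate(pkt: Packet, rules=RULES) -> Optional[str]:
    """Return the name of the first rule permitting a new connection, else None (prohibited)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if pkt.proto == r.proto and src in r.src and dst in r.dst and pkt.dport in r.dports:
            return r.name
    return None


def _port_ranges(dports: frozenset) -> Iterator[tuple]:
    """Collapse a port set into contiguous (low, high) ranges."""
    ps = sorted(dports)
    start = prev = ps[0]
    for p in ps[1:]:
        if p != prev + 1:
            yield start, prev
            start = p
        prev = p
    yield start, prev


def to_iptables(rules=RULES) -> list:
    """Render the allowlist as FORWARD-chain rules behind a DROP policy (default deny)."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        for lo, hi in _port_ranges(r.dports):
            dport = str(lo) if lo == hi else f"{lo}:{hi}"
            lines.append(f"iptables -A FORWARD -p {r.proto} -s {r.src} -d {r.dst} "
                         f"--dport {dport} -m conntrack --ctstate NEW -j ACCEPT  # {r.name}")
    return lines


if __name__ == "__main__":
    for line in to_iptables():
        print(line)
    # A DCOM-style connection on an unpredictable port is prohibited:
    print(evaluate(Packet("10.10.2.5", "10.10.1.30", "tcp", 1200)))  # None
```

Because the rules key on the Terminal Server as the only source allowed towards the Application Server, a VPN client trying to reach the Application Server directly on 443 is rejected even though the port itself is permitted for the TS; that is the "no direct access" requirement of chapter 4 expressed in the filter.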
Connection | Loading time (approx.) for 20 megabyte
Modem (28.8 Kbps) | 1 hours 32 min. 35 sec.
Modem (56 Kbps) | 0 hours 47 min. 37 sec.
1 channel ISDN (64 Kbps) | 0 hours 41 min. 40 sec.
2 channel ISDN (128 Kbps) | 0 hours 20 min. 49 sec.
DSL-768 (768 Kbps, outdated) | 0 hours 3 min. 28 sec.
DSL 1000 (1024 kbps) | 0 hours 2 min. 36 sec.
DSL-1500 (1536 Kbps, outdated) | 0 hours 1 min. 44 sec.
DSL 2000 (2048 kbps) | 0 hours 1 min. 18 sec.
DSL 3000 (3072 kbps) | 0 hours 0 min. 52 sec.
DSL 6000 (6016 kbps) | 0 hours 0 min. 26 sec.
DSL 16,000 (16000 kbps) | 0 hours 0 min. 10 sec.
6 Glossary
CAG (Customer access gateway): Service access point in accordance with the cRSP standard
COG (Customer Owned Gateway): Service access point provided by the client
DCOM (Distributed Component Object Model): A protocol defined by Microsoft to allow program components to communicate via a network
DMZ (Demilitarized Zone): Computer network with access options controlled by security technology
ESP (Encapsulating Security Payload): ESP authentication authenticates the inner IP header (e.g. of the external system) but not the outer IP header
https (Hyper Text Transfer Protocol (Secure)): Encryption and authentication of the communication between Web server and browser
IP (Internet protocol): Prevalent network protocol
VLAN (Virtual Local Area Network): A virtual local network within a physical network
VPN (Virtual Private Network): Facilitates the secure transmission via an unsecured network
WPA (Wi-Fi Protected Access): An encryption method for a wireless LAN
wTC (Wireless Thin Client): Thin Client connected via a wireless network infrastructure