Professional Documents
Culture Documents
Industrial Security
Network Security
Edition
Brochure 11/2020 siemens.com/network-security
© Siemens 2020 © Siemens 2020
Contents
The Internet serves as an enormous accelerator of business processes INDUSTRIAL SECURITY 04 TECHNICAL SPECIFICATIONS 20
and has revolutionized business operations around the world. A look at the threat situation 04 SCALANCE S Industrial Security Appliances 20
The resulting changes in the production industry can therefore be de- Defense in depth 05 SCALANCE M Industrial Routers 21
scribed as a revolution – the 4th Industrial Revolution. Industry 4.0 Industrial security at a glance 06 Communications Processors 23
affects all aspects of the industrial value chain, including the very Industrial security – more than just product functions 08 Software for industrial networks 25
important aspects of industrial communication and security. Industrial security as part of Totally Integrated Automation 08 MORE ON INDUSTRIAL SECURITY 26
It is key here that, in light of digitalization and the ever increasing networking of machines and Cell protection concept 09 SIMATIC RF1000 Access Control Reader 26
plants, data security is always taken into account. The use of industrial security solutions precisely SCALANCE S Industrial Security Appliances 10 Security with SCALANCE X and SCALANCE W 27
tailored to the needs of industry is therefore of fundamental importance – and should be insepara-
Application example: Network access protection with DMZ 11 Cybersecurity with RUGGEDCOM 28
bly linked with industrial communication.
SCALANCE M Industrial Routers 12 Application example: Cybersecurity solutions with
29
RUGGEDCOM
The topic of cybersecurity is also becoming increasingly important due to the constantly growing Application example:
13
number of convergent networks in companies and the increased frequency of cyberattacks and has Secured remote maintenance with SCALANCE SIMATIC PCS neo Security and SIMATIC PCS 7 Security 30
long been the focus of standardization efforts by international committees such as the Security Communications Processors for Basic Controllers, SIMATIC PCS 7 Security 31
International Electrotechnical Commission (IEC). Moreover, security is also regulated at the 14
Advanced Controllers and Distributed Controllers
national level by laws and regulations addressing critical infrastructures in particular in order to Industrial Security Services 32
Application example: Network segmentation with Security
accommodate increased security requirements. Examples include the IT Security Act in Germany, Communications Processors
15
Automation Firewall Next Generation 33
the ANSSI Certification in France, NERC CIP in the USA and many more. Thanks to these standards
Security Communications Processors for SIMATIC S7-300 & GLOSSARY 34
and regulations, it is now possible to take advantage of the tremendous opportunities offered by SIMATIC S7-400
16
open communication and the increased networking of production systems while also appropriately Terms, definitions 34
addressing the accompanying high risks. Siemens supports you here in adequately protecting your Application example: Network segmentation 16
industrial plant from cyberattacks – as part of an integrated portfolio for industrial security. Software for secured networks 17
2 3
© Siemens 2020 © Siemens 2020
INDUSTRIAL SECURITY
INDUSTRIAL SECURITY
Industrial Security
A look at the threat situation Defense in depth
1 Introduction of malicious code The use of removable media and mobile IT components by external personnel always entails a
via removable media and major risk of malware infections. However, personnel are often unaware of the effects of malware.
external hardware
2 Malware infection via Internet Standard components used in company networks (e.g., operating systems, databases, browsers
or intranet and email clients) usually contain vulnerabilities which an attacker can exploit to infiltrate the
company network. From the infiltrated intranet or office network, the attacker can often
proceed into the production network, either directly or with a follow-up attack.
3 Human error Deliberate actions – regardless of whether by internal or external offenders – are a massive
and sabotage threat to all security goals. Security can never be guaranteed through technical measures alone;
organizational rules must always be established and followed.
4 Compromising of extranet Outsourcing of IT components to cloud solutions in some cases leads to system owners having
and cloud components only very limited control over the security of these components and the possibility of their be- Network security as a central component of the Siemens industrial security concept
ing compromised. However, the components themselves may be connected directly to the local
production.
5 Social engineering Social engineering is a method of gaining unauthorized access to information or IT systems With defense in depth, Siemens provides a multi-faceted automation network itself. The security-related segmenta-
and phishing through mostly non-technical actions and through exploitation of human traits, such as curiosi- concept that gives your system both all round and in- tion of the plant network into individually protected automa-
ty, helpfulness, trust, fear or respect for authority. Fraudulent emails – so-called phishing emails depth protection. The concept is based on plant security, tion cells minimizes risks and increases security. Cell division
– which induce recipients into opening manipulated links or attachments with malware repre-
network security and system integrity – following the and device assignment are based on communication and
sent a classic example of this.
recommendations of IEC 62443, the leading standard for protection requirements. Data transmission can be
6 (D)DoS attacks (Distributed) denial of service attacks can be used to disrupt both wired and wireless network security in industrial automation. encrypted using Virtual Private Network (VPN) and thus be
connections as well as required system resources and cause systems to crash, e.g., to disrupt the protected from data espionage and manipulation. The com-
functionality of an ICS.
Plant security munication nodes are securely authenticated. Automation
7 Control components Despite manufacturer recommendations, ICS components are often connected directly to the Plant security uses a number of different methods to prevent networks, automation systems and industrial communica-
connected to the Internet (ICS) Internet without having an adequate level of security and security mechanisms. tion can be made secure with SCALANCE S Industrial Security
unauthorized persons from gaining physical access to critical
8 Intrusion via remote External access to ICS installations for maintenance purposes is a common practice. Access with components. This starts with conventional building access Appliances, SCALANCE M Industrial Routers, Security Com-
maintenance access default or hard-coded passwords is widespread. Access by manufacturers and external service and extends to securing sensitive areas by means of key munications Processors for SIMATIC as well as with the
providers for maintenance purposes is sometimes not limited to specific systems. As a conse- cards. Comprehensive security monitoring leads to transpar- RUGGEDCOM portfolio.
quence, further systems are accessible.
ency with regard to the security status of production facili- System integrity
9 Technical malfunctions Failures due to extreme environmental influences or technical defects are always possible ties. Thanks to continuous analyses and correlations of exist-
and force majeure – the risk and the potential for damage can only be minimized here. The third pillar of defense in depth is the safeguarding of sys-
ing data and through comparison of these with threat
tem integrity. The emphasis here is on protecting automation
10 Compromising by smartphones The ability to display and change operating and production parameters on a smartphone or indicators, security-relevant events can be detected and clas-
systems and control components such as SIMATIC S7-1200
in the production environment tablet is increasingly being used in the production environment. Remote maintenance access sified according to risk factors. On this basis and through
and SIMATIC S7-1500 as well as SCADA and HMI systems
via a smartphone or tablet represents a special case and adds an additional point of attack. regular status reports, plant owners receive an overview of
against unauthorized access and on meeting special require-
the current security status of their production facilities,
ments such as know-how protection. Furthermore, system
Threat overview enabling them to react swiftly to threats.
integrity also involves authentication of users, access and
Network security change authorizations and system hardening – in other
Network security means protecting automation networks words, the robustness of components against possible
from unauthorized access. This includes the monitoring of all attacks.
interfaces such as the interfaces between office and indus-
trial networks or the remote maintenance access to the
Source:
Based on BSI-CS 005 | Version 1.30 dated 1 January, 2019 Internet. It can be accomplished by means of firewalls and, if
Note: applicable, by establishing a secured and protected “demili-
This list of threats was compiled in close cooperation between BSI (German Federal Office for Information Security) and representatives tarized zone” (DMZ). The DMZ is used for making data avail-
of industry.
Using BSI analyses, the Federal Office for Information Security (BSI) publishes statistics and reports on current topics relating to cybersecurity. able to other networks without granting direct access to the
4 5
© Siemens 2020 © Siemens 2020
INDUSTRIAL SECURITY
INDUSTRIAL SECURITY
Industrial security at a glance
Plant Security
Physical protection
Security management
Security operation center
Network Security
Office Network
SIMATIC S7-1500 with
SCALANCE M876-4
Firewall
Internet
DMZ Server SINEMA
Remote
SINEC
Connect
NMS SINEC INS
SCALANCE
SC646-2C
Industrial Ethernet
SCALANCE
XC206-2
G_IK10_XX_10362
OS ES
Factory Automation
6 Secured communication, network access protection and network segmentation with Security Integrated components 7
© Siemens 2020 © Siemens 2020
INDUSTRIAL SECURITY
Network Security
NETWORK SECURITY
Industrial security – more than just product functions Cell protection concept
Industrial Ethernet
G_IK10_XX_10373
Cell 1 Cell 2 Cell 1 Cell 2 Cell 3
Automation cell 1 Automation cell 2 Automation cell 3 Automation cell 4 Automation cell 5 Automation cell 6
Secured communication between components with Security Integrated in separate automation cells
With the aim of taking a further step toward a secure d
igital Based on 10 key principles, the members of the “Charter of
world, Siemens is the first company to receive TÜV SÜD (Ger- Trust” set themselves the three goals of protecting the data
Industrial communication is a key factor for corporate success – as long as the network is protected. For realization
man Technical Inspectorate/South) certification based on of individuals and companies, preventing harm to people,
of the cell protection concept, Siemens partners with its customers to provide Security Integrated components which
IEC 62443-4-1 for the interdisciplinary process of developing companies and infrastructures as well as creating a reliable
not only have integrated communication functions but also special security functions such as firewall and VPN.
automation and drive products and is also the initiator of the basis upon which trust is established and can grow in a con-
“Charter of Trust”. nected, digital world.
Totally Integrated Automation (TIA): maximum consistency from the TIA Portal
automation level to the IT
TIA stands for total integration: hardware, software and All Industrial Security Appliances and remote networks
services are seamlessly interconnected. Information flow components are integrated in the TIA Portal and can be
horizontally and vertically and new technologies are cons- configured there. In addition to a central user management
tantly integrated. To ensure that systems and machines are with the UMC option of the TIA Portal, the firewall rules for
as secure as possible despite increasing interconnected- the security communications processors are also automati-
ness, TIA is consequently based on the security concept cally assigned via the TIA Portal.
8 defense in depth. 9
© Siemens 2020 © Siemens 2020
NETWORK SECURITY
NETWORK SECURITY
Application example
SCALANCE S Industrial Security Appliances Network access protection with DMZ
PROFINET
G_IK10_XX_10340
Data base
server
Plant network/
permitted access blocked access limited access secure automation cell
Network security as a central component of the Siemens industrial security concept Connection of a local service PC
SCALANCE S Industrial Security Appliances offer protection Industrial Firewall Appliances via SCALANCE S615
of devices and networks in discrete manufacturing and
SCALANCE SC622-2C, SC632-2C and SC636-2C
in the process industry and protect industrial communica- Task
◾ Firewall performance approx. 600 Mbps Advantages at a glance
tion with mechanisms such as Stateful Inspection Firewall Network nodes or servers (e.g., MES servers) are to be accessible from both the
and Virtual Private Networks (VPN). The devices are suitable ◾ Communication between separate network segments
secured network and the unsecured network without a direct connection between ◾ Increased security through
for industry-related applications. Depending on the require through a bridge firewall (except SC622-2C)
the networks. data exchange via DMZ and
ments, they are available with different port configurations ◾ Connection via 10/100/1000 Mbps ports and fiber optic
for large distances (up to 200 km) Solution prevention of direct access
(2 to 6 ports) and range of functions (firewall or firewall +
to the automation network
VPN). All versions enable configuration over Web Based Ma- ◾ Secured redundant MRP/HRP connection for A DMZ can be set up with the help of a SCALANCE SC636-2C. The servers can be
nagement (WBM), Command Line Interface (CLI), Simple SCALANCE SC636-2C positioned in this DMZ. ◾ Protection of automation
Network Management Protocol (SNMP), SINEC NMS net- networks against unauthor-
Industrial VPN Appliances ized access starting at the
work management as well as TIA Portal. Furthermore, the
Industrial Firewall Appliances allow the realization of a net- SCALANCE S615 network boundaries
work segmentation in the PROFIsafe environment. ◾ Firewall performance approx. 100 Mbps
◾ Management of up to 20 VPN connections with a
All Industrial Security Appliances support:
data rate of up to 35 Mbps
◾ User-specific firewall ◾ Connection via 10/100 Mbps ports
◾ Network Address Translation (NAT), Network Address Task
Port Translation (NAPT) for communication for serial SCALANCE SC642-2C and SC646-2C Advantages at a glance
machines with identical IP address bands ◾ Firewall performance approx. 600 Mbps The local network is to be protected against unauthorized access and authorized
◾ Bridge tunnel for secure layer 2 communication individuals are to receive only the access rights for their roles. ◾ Securing local n
etwork
◾ Autoconfiguration interface for easy connection confi-
guration to SINEMA Remote Connect ◾ Communication between separate network segments Solution access
◾ Digital input (DI) for connection of a transducer (e.g., through a bridge firewall The port of the Industrial Security Appliance (in this case the SCALANCE S615) ◾ Flexible and user-specific
key-operated switch) for controlled setup of a tunnel ◾ Management of up to 200 VPN connections with a defined as the DMZ port is the single locally accessible port. The Industrial Security access rights
connection data rate of up to 120 Mbps Appliance is connected to the plant network and a lower-level automation cell. ◾ Central authentication
◾ Simple device replacement with C-PLUG ◾ Connection via 10/100/1000 Mbps ports and User-specific firewall rules are created for each user. To receive access to the net- using RADIUS is possible
◾ Redundancy mechanisms through VRRPv3 fiber optic for large distances (up to 200 km) work, the user must be logged in to the SCALANCE S with user name and password.
◾ Secured redundant MRP/HRP connection for
SCALANCE SC646-2C
NETWORK SECURITY
Application example
SCALANCE M Industrial Routers Secured remote maintenance with SCALANCE M and SCALANCE S
Automation plant
TIA Portal
SIMATIC
S7-1200 with
CP 1243-7 LTE
Plant network
Industrial Ethernet VPN tunnel
GPRS/
UMTS/
SCALANCE LTE
M876-4
The SCALANCE M portfolio consists of routers for Industrial Wired connection to remote networks
G_IK10_XX_10339
Remote Communication applications such as Telecontrol and The wired routers of the SCALANCE M product family support
Teleservice. The integrated firewall and VPN (IPsec; OpenVPN the cost-effective and secured connection of Ethernet-based
SIMATIC S7-1500
with CP 1543-1
as client and for connection to SINEMA Remote Connect) subnets and automation devices. The connection can be
Automation Cell n Automation Cell n-1 Automation Cell 1
security functions protect against unauthorized access and made over existing two-wire or stranded cables or wired
make data transmission secure. telephone or DSL networks. The connection of PROFIBUS Secured remote access without direct connection to the automation network with industrial security components
networks is also possible w ithout any additional adapters or
software.
Wireless connection to remote networks Task
SCALANCE M804PB supports PROFIBUS/MPI. This enables the Advantages at a glance
The wireless SCALANCE M routers use the globally available, For servicing purposes, a system integrator requires secure
device to have secured remote access to existing systems.
public cellular telephone networks (2G, 3G, 4G) for data access via the Internet to his/her machine or equipment at the ◾ Secured remote access via the Internet or mobile
Transmission rates up to 12 Mbps can be achieved.
transmission. end user. However, the integrator is to be given access only to networks such as UMTS or LTE by safeguarding the
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for specific devices and not to the plant network. In addition, data transmission with VPN (IPsec)
SCALANCE M874-2 supports the GSM data services GPRS
connection to wired telephone or DSL networks which sup- a secured connection from the plant to a remote station via
(General Packet Radio Service) and EDGE (Enhanced Data ◾ Restriction of access possibilities with integrated
port ASDL2+ (Asynchronous Digital Subscriber Line). Thus, the mobile networks (e.g., UMTS or LTE) is to be established.
Rates for GSM Evolution). firewall function
devices enable high transmission rates of up to 25 Mbps in
SCALANCE M874-3 supports the UMTS data service HSPA+ the downlink and up to 1.4 Mbps in the uplink. Solution ◾ Secured remote access to plant units without
(High Speed Packet Access) and therefore enables high Starting points for the connection of the system integrator are direct access to the plant network with
SCALANCE M826-2 is an SHDSL modem for connection via the VPN clients (in this case CP 1243-7 LTE, SCALANCE M874-3) SCALANCE SC646-2C firewall
transmission rates of up to 14.4 Mbps in the downlink and
existing two-wire or stranded cables and supports the ITU-T with the end point SCALANCE SC646-2C as VPN server in the
up to 5.76 Mbps in the uplink.
standard G.991.2. Thus, the device enables high symmetrical automation system.
SCALANCE M876-3 supports dual-band CDMA2000 and the transmission rates of up to 15.3 Mbps per wire pair.
UMTS data service HSPA+. Thus, the device enables high
transmission rates of up to 14.4 Mbps in the downlink and Task
Advantages at a glance
up to 5.76 Mbps in the uplink. Access of a system integrator to the machine is to be unlocked
SCALANCE M876-4 supports LTE (Long Term Evolution) and for individual end devices and services on a user-dependent ◾ Reduced security risk during service and
enables high transmission rates of up to 100 Mbps in the and role-dependent basis. maintenance
downlink and up to 50 Mbps in the uplink. Solution ◾ Controlled and logged device access
User-specific firewall rules can be temporarily enabled on the ◾ User-based and protocol-based access control to
SCALANCE S Industrial Security Appliances with personalized end systems of a network cell
user data for the duration of the service work.
12 13
© Siemens 2020 © Siemens 2020
NETWORK SECURITY
NETWORK SECURITY
Security Communications Processors for Application example
Basic Controllers, Advanced Controllers and Distributed Controllers Network segmentation with Security Communications Processors
Industrial Ethernet
Basic controller Advanced controller Distributed controller
SIMATIC S7-1200 SIMATIC S7-1500 SIMATIC ET 200SP
with CP 1243-1 with CP 1543-1 with CP 1543SP-1
G_IK10_XX_10350
SIMATIC SIMATIC SIMATIC
ET 200SP ET 200SP ET 200SP
Segmentation of networks and protection of the SIMATIC S7-1200 with CP 1243-1, SIMATIC S7-1500 with CP 1543-1 and
Security Communications Processors protect controllers with For SIMATIC Advanced Controllers SIMATIC ET 200SP Distributed Controller with CP 1543SP-1
integrated firewall and VPN against data manipulation and CP 1543-1
espionage.
The CP 1543-1 communications processor securely connects Task
Advantages at a glance
the SIMATIC S7-1500 controller to Ethernet networks. With its Communication between the automation network and lower-
For SIMATIC Basic Controllers integrated firewall and VPN security functions and protocols level networks on SIMATIC controllers is to be secured by ◾ Secured connection of the SIMATIC S7-1200,
CP 1243-1, CP 1243-7 LTE and CP 1243-8 IRC for data encryption such as FTPS and SNMPv3, the communi- means of access control. SIMATIC S7-1500 and SIMATIC ET 200SP Distri-
The CP 1243-1 and CP 1243-7 LTE communications processors cations processor protects S7-1500 stations and lower-level
Solution buted Controller to Industrial Ethernet by means
connect the SIMATIC S7-1200 controller to Ethernet networks networks from unauthorized access and data transmission
of integrated S
tateful Inspection Firewall and
(CP 1243-1) or mobile wireless networks (CP 1243-7 LTE). against manipulation and espionage by means of encryption. The communications processors are placed in the rack of
VPN
The CP 1243-8 IRC communications processor connects the The CP 1543-1 also allows encrypted email communication the respective target systems (SIMATIC S7-1200, SIMATIC
via SMTPS (Ports 587 & 25) and secure open communication S7-1500, SIMATIC ET 200SP Distributed Controller) upstream ◾ Additional secured communication possibilities:
controller to a telecontrol center via the telecontrol protocols
via TCP/IP. of the automation cells to be protected. In this way, the com- file transfer and email
SINAUT ST7, DNP3 and IEC 60870-5-104. With integrated
firewall and VPN security functions, the communications munication to and from the SIMATIC CPU and lower-level ◾ Use in an IPv6-based infrastructure1)
CP 1545-1
processors protect S7-1200 stations and lower-level net- The CP 1545-1 with CloudConnect functionality enables easy automation cell is restricted to the permitted connections
works from unauthorized access and data transmission and reliable transfer of all data from SIMATIC S7-1500 to with the aid of firewall rules and, if necessary, protected
against manipulation and espionage by means of MindSphere or a cloud solution which supports the standard- against manipulation or espionage by setting up VPN tunnels. 1)
Applies to CP 1543-1, CP 1543SP-1
encryption. ized MQTT protocol, e.g., Microsoft Azure or IBM Cloud.
CP 1545-1 protects the SIMATIC S7-1500 station from unau-
thorized access with the integrated Stateful Inspection Firewall.
Integration into an IPv6 infrastructure is also possible. In parallel
with the connection to cloud applications, the CP 1545-1 sup-
ports the connection to additional automation devices, such
Advantages at a glance as HMIs, via Industrial Ethernet with the SIMATIC S7 protocol.
For SIMATIC Distributed Controllers
◾ A special advantage of the security communications
processors for SIMATIC controllers is the automatic CP 1543SP-1
creation of firewall rules during configuration with The CP 1543SP-1 communications processor allows the ET 200SP
the TIA Portal. Distributed Controller to be flexibly expanded to include an
Industrial Ethernet interface. This enables the setup of identical
◾ Configured communication connections are auto-
machines with the same IP addresses through network segmen
matically enabled in the firewall so that the config-
tation. It also offers extended security functions such as en
uration effort and the error rate are drastically
cryption of all transmitted data using VPN with IPsec and Fire-
reduced.
wall for secure access to the ET 200SP Distributed Controller.
14 15
© Siemens 2020 © Siemens 2020
NETWORK SECURITY
NETWORK SECURITY
Security Communications Processors Application example
for SIMATIC S7-300 & SIMATIC S7-400 Network segmentation Software for secured networks
,QGXVWULDO(WKHUQHW
SIMATIC SIMATIC
S7-300 mit S7-400 mit
CP 343-1 CP 443-1
Advanced Advanced
SIMATIC SIMATIC
ET 200S ET 200S
G_IK10_XX_10337
PROFINET PROFINET
Industrial Ethernet Industrial Ethernet
CP 343-1 Advanced and CP 443-1 Advanced Task Efficient and secure network management Furthermore, information such as audit logs, system events
Alongside the familiar communication functions, an inte- Communication between the administration system on the With the powerful and future-proof Network Management and network alarms can be passed to a central location via
grated switch and Layer 3 routing functionality, the Industrial office level and lower-level networks of the automation level System (NMS), the possibility exists for central, 24/7 monitoring, syslog. SINEC NMS also offers central firewall and NAT man-
Ethernet communications processors CP 343-1 Advanced and is to be secured by means of access control. management and configuration of networks of up to several agement. Firewall components (SCALANCE SC-600/S615 and
CP 443-1 Advanced for SIMATIC S7-300 and SIMATIC S7-400 thousand nodes across industry sectors. RUGGEDCOM RX1400/1500) can be centrally configured. The
Solution firewall rules are created using a graphical description of the
contain Security Integrated, i.e., a Stateful Inspection Firewall
CP 343-1 Advanced and CP 443-1 Advanced are placed SINEC NMS also enables efficient security management in permitted communication relationship in the network. The
and a VPN gateway for protection of the controller and lower-
upstream of the automation cells to be protected. As a result, accordance with IEC 62443. For example, access to the sys- system then automatically generates the device-specific rules.
level devices against security risks.
communication is limited to the permitted connections with tem and the range of functions available to each authorized It is also possible to use only the NAT management function
the aid of firewall rules. user can be precisely controlled via the user role administra- independent of firewall management, or vice versa.
tion. The system provides system security through, among
other things, encrypted data communication (via certificates Infrastructure Network Services SINEC INS
Advantages at a glance Advantages at a glance and password) between the central SINEC NMS control SINEC INS (Infrastructure Network Services), the software tool
instance and the SINEC NMS operations distributed in the net- for central network services, offers central network services
◾ A special advantage of the Security Communica- ◾ In addition to their communication functions, work. Data communication between SINEC NMS and the infra- which are specifically tailored to Operational Technology (OT)
tions Processors for SIMATIC controllers is the auto- Advanced CPs also come with integrated firewall structure components in the network can also be encrypted in an easy and structured way. Separated from IT services, the
matic creation of firewall rules during configura- and VPN security functions for implementing a (SNMPv3). OP can establish a self-sufficient network which it can host by
tion with the TIA Portal. protected automation cell and for protecting data itself, e.g., in an OT data center with SINEC INS. The tool in-
transmission. In addition, SINEC NMS provides a local documentation function
◾ Configured communication connections are auto- cludes different security-relevant clients such as a RADIUS
via Audit Trails. For example, audit log entries can be traced
matically enabled in the firewall so that the config- ◾ Secure communication integration: CPs are easily server for user and device authentication (MAC authentica-
by automatically documenting which user performs which activi-
uration effort and the error rate are drastically configured with STEP 7/TIA Portal; VPN tunnels can tion) within the network, for example to check who may ac-
ties in the system and when with a time stamp. This also
reduced. be set up between the CPs or to the SCALANCE S cess which device. The Secure Syslog Client allows sending
produces significant time and cost savings for official tests.
Industrial Security Appliances and the SCALANCE M and receiving security messages in the Syslog format mean-
Internet and mobile wireless routers. ing, for example Audit Log entries from SINEC NMS can be
◾ All CP 343-1 Advanced and CP 443-1 Advanced users sent to the SINEC INS Syslog Cleint as Syslog messages. A (D)
get Security Integrated and do not need separate Dos ((Distributed) Denial of Service) attack, meaning an unau-
hardware or special tools besides SIMATIC S7 to con- thorized user tried to gain access with force, can be discov-
figure the security of industrial plants. ered here.
NETWORK SECURITY
Application example
Software for secured networks Secured access to plant sections with SINEMA Remote Connect
OpenVPN
Client
G_IK10_XX_50740
SCALANCE SCALANCE SCALANCE
M816-1 + M876-4 + SC636-2C
Office Factory Machine KEY-PLUG KEY-PLUG
Customer A Customer B Customer C Customer D Customer E
18 19
© Siemens 2020 © Siemens 2020
TECHNICAL SPECIFICATIONS
TECHNICAL SPECIFICATIONS
Technical specifications
SCALANCE S Industrial Security Appliances SCALANCE M Industrial Routers
Industrial Firewall Appliances Industrial VPN Appliances Product type SCALANCE M wireless
designation
M874-2, M874-3 M876-3, M876-4
Product type SCALANCE SCALANCE SCALANCE SCALANCE SCALANCE SCALANCE
designation SC622-2C SC632-2C SC636-2C S615 SC642-2C SC646-2C Article number 6GK5874-2AA00-2AA2 6GK5876-3AA02-2BA2
6GK5874-3AA00-2AA2 6GK5876-4AA00-2BA2
Article number 6GK5622-2GS00- 6GK5632-2GS00- 6GK5636-2GS00- 6GK5615-0AA00- 6GK5642-2GS00- 6GK5646-2GS00-
Transmission rate
2AC2 2AC2 2AC2 2AA2 2AC2 2AC2
at interface 1/2 10/100 Mbps
Transmission rate
GPRS transmission uplink/downlink, max. 85.6 Kbps 85.6 Kbps
Transmission rate 10/100/1 000 10/100/1 000 10/100/1 000 10/100 Mbps 10/100/1 000 10/100/1 000 EDGE transmission uplink/downlink, max. 237 Kbps 237 Kbps
Mbps Mbps Mbps Mbps Mbps
HSPA+ transmission uplink/downlink, max. 5.76 Mbps 14.4 Mbps
Interfaces
EV-DO transmission forward link/reverse link – 3.1 Mbps/1.8 Mbps (M876-3 only)
Electrical connection 2 x RJ45 port 2 x RJ45 port 6 x RJ45 port 5 x RJ45 port 2 x RJ45 port 6 x RJ45 port
LTE transmission uplink/downlink, max. – 50 Mbps/100 Mbps (M876-4 only)
Optical connection 2 x combo port 2 x combo port 2 x combo port – 2 x combo port 2 x combo port
ADSL2+ transmission uplink/downlink, max. – –
with SFP with SFP with SFP with SFP with SFP
SHDSL transmission, max. – –
for signaling contact 1 x 2-pin terminal 1 x 2-pin terminal 1 x 2-pin terminal – 1 x 2-pin terminal 1 x 2-pin terminal
block block block block block Interfaces
for power supply 1 x 4-pin terminal 1 x 4-pin terminal 1 x 4-pin terminal 1 x 5-pin terminal 1 x 4-pin terminal 1 x 4-pin terminal Number of electrical connections
block block block block block block ◾ for internal network 2 4
C-PLUG removable data Yes Yes Yes Yes Yes Yes ◾ for external network 1 2
storage medium
◾ for power supply 2 2
Supply voltage, current consumption, power loss
Electrical connection
Supply voltage, external 24 V DC 24 V DC 24 V DC 24 V DC 24 V DC 24 V DC
◾ for internal network RJ45 port (10/100 Mbps, TP, autocrossover) RJ45 port (10/100 Mbps, TP, autocrossover)
Range 9.6 V ... 31.2 V DC 9.6 V ... 31.2 V DC 9.6 V ... 31.2 V DC 10.8 V ... 9.6 V ... 31.2 V DC 9.6 V ... 31.2 V DC
◾ for external network SMA antenna sockets (50 ohms) SMA antenna sockets (50 ohms)
28.2 V DC
◾ for power supply Terminal strip Terminal strip
Permissible ambient conditions
Supply voltage, current consumption, power loss
Ambient temperature -40 °C ... +70 °C -40 ℃ ... +70 ℃ -40 ℃ ... +70 ℃ -40 ℃ ... +70 ℃ -40 ℃ ... +70 ℃ -40 ℃ ... +70 ℃
during operation [°C] Supply voltage/range 10.8 V ... 28.8 V 10.8 V ... 28.8 V
Degree of protection IP20 IP20 IP20 IP20 IP20 IP20 Permissible ambient conditions
Design Ambient temperature during operation [°C] -20 °C ... +60 °C -20 °C ... +60 °C
Module format Compact Compact Compact Compact Compact Compact Degree of protection IP20 IP20
Design
Product function: Security
Module format Compact Compact
Firewall type Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection
Product function: Security
Bridge firewall No Yes Yes No Yes Yes
Firewall type Stateful Inspection Stateful Inspection
Bridge tunnel No No No No Yes Yes
Bridge firewall No No
User-specific firewall Yes Yes Yes Yes Yes Yes
User-specific firewall Yes Yes
Password protection Yes Yes Yes Yes Yes Yes
Password protection Yes Yes
Product function with OpenVPN OpenVPN OpenVPN IPsec, OpenVPN IPsec, OpenVPN IPsec, OpenVPN
VPN connection (as client for (as client for (as client for (as client for (as client for (as client for Packet filter Yes Yes
SINEMA Remote SINEMA Remote SINEMA Remote SINEMA Remote SINEMA Remote SINEMA Remote Product function with VPN connection IPsec, OpenVPN (as client) IPsec, OpenVPN (as client)
Connect) Connect) Connect) Connect) Connect) Connect)
Number of possible connections with 20 20
IPsec VPN data – – – 35 Mbps 120 Mbps 120 Mbps VPN connection
throughput
Key length
Number of possible 0 0 0 20 200 200 ◾ 1 | 2 | 3 with IPsec AES for VPN 128 bit | 192 bit | 256 bit 128 bit | 192 bit | 256 bit
connections with
VPN connection ◾ with IPsec 3DES/with virtual private network 168 bit 168 bit
Firewall data throughput 600 Mbps 600 Mbps 600 Mbps 100 Mbps 600 Mbps 600 Mbps ◾ VRRPv3 coupling 2 2
NAT/NAPT Yes Yes Yes Yes Yes Yes ◾ MRP client/HRP client No No
VRRPv3 coupling 6 6 6 2 6 6
MRP client/HRP client No No Yes No No Yes
Network segmentation Yes No No No No No
in PROFIsafe environ- Suitable accessories such as antennas and cables can be found on the Internet at:
ment www.siemens.com/mall-remote-networks-accessories
20 21
© Siemens 2020 © Siemens 2020
TECHNICAL SPECIFICATIONS
TECHNICAL SPECIFICATIONS
SCALANCE M Industrial Routers Communications Processors
Product type SCALANCE M wired Product type CP 1243-1 CP 1243-7 LTE CP 1243-8 IRC CP 1543-1 CP 1543SP-1 CP 1545-1
designation designation
M812-1/M816-1 M826-2 M804PB
Article number 6GK7243-1BX30- 6GK7243-7KX30- 6GK7243-8RX30- 6GK7543-1AX00- 6GK7543-6WX00- 6GK7545-1GX00-
Article number 6GK5812-1BA00-2AA2 6GK5826-2AB00-2AB2 6GK5804-0AP00-2AA2 0XE0 0XE0 0XE0 0XE0 0XE0 0XE0
6GK5816-1BA00-2AA2
Transmission rate
Transmission rate
◾ at interface 1 10/100 Mbps Mobile wireless 10/100 Mbps 10/100/1 000 10/100 Mbps 10/100/1 000
at interface 1/2 10/100 Mbps 10/100 Mbps 10/100 Mbps 4G/3G/2G Mbps Mbps
GPRS transmission uplink/downlink, max. – – – Interfaces
EDGE transmission uplink/downlink, max. – – – Number of electrical connections
HSPA+ transmission uplink/downlink, max. – – – ◾ to interface 1 1 x RJ45 port Antenna connec- 1 x RJ45 port 1 x RJ45 port 2 x RJ45 ports 1 x RJ45 port
EV-DO transmission forward link/reverse link – – – tion SMA socket using ET 200SP
BusAdapter
LTE transmission uplink/downlink, max. – – –
◾ for power supply – 1, 3-pin plug-in 1, 3-pin plug-in – – -
ADSL2+ transmission uplink/downlink, max. 1.4 Mbps/25 Mbps – – terminal strip terminal strip
SHDSL transmission, max. – 15.3 Mbps – ◾ C-PLUG swap medium – – – – – -
Interfaces Supply voltage
Number of electrical connections ◾ 1 from backplane bus 5 V DC – 5 V DC 15 V DC – 15 V DC
◾ for internal network 1 4 4 2 ◾ external – 24 V DC 24 V DC – 24 V DC
◾ for external network 1 1 2 1 Permissible ambient conditions during operation
◾ for power supply 2 2 2 2 ◾ when installed -20 °C … +60 °C -20 °C … +60 °C -20 °C … +60 °C 0 °C … +40 °C 0 °C … +50 °C 0 °C … +40 °C
Electrical connection vertically
◾ for internal network RJ45 port (10/100 Mbps ,TP, autocrossover) RJ45 port (10/100 Mbps, TP, ◾ when installed -20 °C … +70 °C -20 °C … +70 °C -20 °C … +70 °C 0 °C … +60 °C 0 °C … +60 °C 0 °C … +60 °C
autocrossover), D-SUB horizontally
◾ for external network RJ45 DSL port – Terminal strip RJ45 port (10/100 Mbps, TP, Degree of protection IP20 IP20 IP20 IP20 IP20 IP20
autocrossover)
Design
◾ for power supply – – – Terminal strip
Module format Compact S7-1200, Compact S7-1200, Compact S7-1200, Compact S7-1500, Compact module Compact S7-1500,
Supply voltage, current consumption, power loss single width single width single width single width for ET 200SP single width
Supply voltage/range 10.8 V ... 28.8 V 10.8 V ... 28.8 V 10.8 V ... 28.8 V Product function: Security
Permissible ambient conditions Firewall type Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection Stateful Inspection
Ambient temperature during operation [°C] 0 °... +60 °C -40 ℃ ... +70 ℃ -20 °C ... +60 °C Product function with IPsec, SINEMA IPsec, SINEMA IPsec, SINEMA IPsec IPsec, SINEMA -
VPN connection Remote Connect Remote Connect Remote Connect Remote Connect
Degree of protection IP20 IP20 IP20
Number of possible 8 1 8 16 4 -
Design connections with
Module format Compact Compact Compact VPN connection
Firewall type Stateful Inspection Stateful Inspection Stateful Inspection ACL – IP-based No No No No No No
Bridge firewall No No No ACL – IP-based for No No No No No No
PLC/routing
User-specific firewall Yes Yes Yes
Deactivation of services Yes No No Yes Yes Yes
Password protection Yes Yes Yes that are not needed
Packet filter Yes Yes Yes Log file for unauthorized No No No Yes Yes Yes
access
Product function with VPN connection IPsec, OpenVPN (as client) IPsec, OpenVPN (as client) IPsec, OpenVPN (as client)
Number of possible connections with 20 20 20
VPN connection
Key length
◾ 1 | 2 | 3 with IPsec AES for VPN 128 bit | 192 bit | 256 bit 128 bit | 192 bit | 256 bit 128 bit | 192 bit | 256 bit
◾ with IPsec 3DES/with virtual private network 168 bit 168 bit 168 bit
◾ VRRPv3 coupling 2 2 2
◾ MRP client/HRP client No No No
Suitable accessories and details can be found on the Internet at: www.siemens.com/mall-remote-networks-accessories
22 23
© Siemens 2020 © Siemens 2020
TECHNICAL SPECIFICATIONS
TECHNICAL SPECIFICATIONS
Communications Processors Software for industrial networks
Product type CP 343-1 Advanced CP 443-1 Advanced Product type SINEC NMS SINEC INS SINEMA Remote SINEMA RC Client
designation designation Connect
Article number 6GK7343-1GX31-0XE0 6GK7443-1GX30-0XE0 Article number 6GK8781-1....-.... 6GK8751-1....-.... 6GK1720-1AH01-0BV0 6GK1721-1XG01-0AA0
Transmission rate
Firewall management Yes – – –
at interface 1/2 10/1 000 Mbps/10/100 Mbps 10/1 000 Mbps/10/100 Mbps
Product function with VPN connection – – OpenVPN OpenVPN
Interfaces
Operating system Desktop: Linux Ubuntu 18.04.2 SINEMA RC Virtual Appli- Windows 10 Pro,
Electrical connection
Windows 10 (64 bit, LTS Desktop (64 bit) ance has its own opera- Windows Server 2008,
◾ to interface 1 acc. to Industrial Ethernet 1 x RJ45 port 1 x RJ45 port Professional, Enterprise) Linux Ubuntu 18.04.2 ting system 2012 R2, 2016, 2019
as of version 1809 LTS Server (64 bit) (64 bit)
◾ to interface 2 acc. to Industrial Ethernet 2 x RJ45 port 4 x RJ45 port
Server: SIMATIC OS V1.3
◾ for power supply 2-pin plug-in terminal strip – Windows Server 2016 RX1500 APE 1808
(64 bit), Windows Server Debian 9.6.0
◾ C-PLUG swap medium Yes Yes 2019 (64 bit)
Supply voltage, current consumption, power loss Virtualization:
ESXi V6.7
Type of power supply voltage – –
Web browser Internet Explorer V11.0, Google Chrome 67.0 or Internet Explorer V11.0, –
Supply voltage
Firefox V 68.3 or higher, higher Firefox V65.0 or higher,
1 from backplane bus 5 V DC 5 V DC Google Chrome V78.0 Firefox 60.0 or higher Google Chrome V72.0 or
or higher Microsoft Edge 83 or higher
2 from backplane bus – –
higher
external 24 V DC – Internet Explorer 11.0 *)
Range – – System Integrity Check Yes – – –
Permissible ambient conditions User/Device authentication Yes Yes Yes Yes
during operation 0 °C … +60 °C Central user authentication with UMC Yes Yes Yes Yes
◾ when installed vertically 0 °C … +40 °C – Security-relevant Syslog messages Yes/Syslog-Client Yes/Syslog-Client Yes/Syslog-Client No/but via SINEMA RC
◾ when installed horizontally 0 °C … +60 °C – Server
Degree of protection IP20 IP20
Design
Module format Compact Compact S7-400
single width
Product function: Security
Firewall type Stateful Inspection Stateful Inspection
Bridge firewall No No
User-specific firewall Yes Yes
Product function with VPN connection IPsec IPsec
Number of possible connections 32 32
with VPN connection
Product function
Password protection for Web applications Yes Yes
ACL – IP-based Yes Yes
ACL – IP-based for PLC/routing Yes Yes
Deactivation of services that are not needed Yes Yes
Blocking of communication via Yes Yes
physical ports
Log file for unauthorized access No No
MRP client Yes Yes
24 25
© Siemens 2020 © Siemens 2020
MORE ON INDUSTRIAL SECURITY
IE RJ45 Port Lock SIMATIC RF1000 for controlling access to machines and equipment SCALANCE X-200 product line SCALANCE W product line
Physical network access protection with IE RJ45 Port Lock SIMATIC RF1000 Access Control Reader SCALANCE X SCALANCE W
A well-balanced and holistic security concept also includes The growing demand for security and traceability increasin- The managed switches of the SCALANCE X product family are Reliable wireless communication solution on different auto-
physical protection measures. A known problem is the pres- gly calls for solutions which regulate and document access well suited for setup of line, star and ring structures. mation levels according to WLAN standard IEEE 802.11 –
ence of open unused RJ45 ports which can be used by to machines and equipment. With SIMATIC RF1000, Siemens the SCALANCE W IWLAN products enable scalable
The SCALANCE X-200, X-300, X-400 and X-500 switches can
unauthorized persons to gain access to the network. The provides an RFID-based solution for easy and flexible imple- applications.
control network access and have the following security
IE RJ45 Port Lock has been developed to reduce this risk. mentation of electronic access management. Existing emplo-
functions: SCALANCE W access points und client modules have the fol-
The IE RJ45 Port Lock enables mechanical locking of RJ45 yee IDs are used as the basis for identification. This increases
lowing security functions:
ports at end devices or network components. The robust user friendliness and reduces costs. SIMATIC RF1000 series ◾ Management ACL (Access Control List)
design of the port lock in the form of a plug-in connector readers allow realization of finely-graded access concepts, ◾ IEEE 802.1X (RADIUS) ◾ Management ACL (Access Control List)
completely occupies the RJ45 port. In this way, the inser- documentation of processes and storage of user-specific ins- ◾ IEEE 802.1X (RADIUS)
◾ 802.1Q-VLAN – enables logical separation of the data
tion of RJ45 cables can be prevented and undesired use of tructions – according to the customer-specific application.
traffic between pre-defined ports on the switches ◾ Access protection according to IEEE 802.11i
unused RJ45 ports on unconfigurable network components And all with a single card. The compact size, low overall
can also be avoided. The detent lug of the RJ45 Port Lock is depth, high degree of protection (IP65 at the front) and tem- ◾ Broadcast/Multicast/Unicast Limiter ◾ WPA2 (RADIUS)/WPA2-PSK with AES
blocked by the integrated lock which can only be unlocked perature range from -25 to +55 °C allow the access control ◾ Broadcast blocking In addition, the following secured protocols are supported:
with a mechanical key. Additional advantages of the port reader to be used directly on machines and equipment in
In addition, the following secured protocols are supported: ◾ SSH, HTTPS, SNMPv3
lock are its robust, industry-compatible mounting technol- harsh industrial environments.
ogy and its ease of installation without additional tools ◾ SSH, HTTPS, SNMPv3
thanks to the RJ45-compatible design. Highlights:
Inter AP-Blocking increases the security in a network envi-
◾ Use in the HF range (13.56 MHz) and LF range (125 kHz)
ronment with multiple SCALANCE W access points. WLAN cli-
◾ OEM version with neutral front foil for customer-specific
ents which are connected via a layer 2 network (switches)
design
using different access points can communicate directly with
◾ Diagnostics via 3-color LED status display one another. This could pose a security risk depending on
◾ Prevention of misuse through protected and documented the application. “Inter AP Blocking“ is used to specify those
access to machines communication partners or gateways that WLAN clients are
◾ Simple integration into existing hardware permitted to communicate with, thereby minimizing the se-
◾ ATEX II approval (for SIMATIC RF1060R and RF1070R only) curity risk. Communication with other devices in the network
◾ Reading and writing of data on ID/card is prevented using KEY-PLUG W700 Security (6GK5907-
◾ Creation of customer-specific parameter assignments for 0PA00). It can be used with all SCALANCE W access points
reader via the config card with a KEY-PLUG slot. SCALANCE W-1700 devices include the
function without KEY-PLUG.
◾ Handling and storage of customer-specific key material in
26 the reader for data access 27
© Siemens 2020 © Siemens 2020
MORE ON INDUSTRIAL SECURITY
Corporate Network
Enterprise
Application RUGGEDCOM
Server(s) CROSSBOW Client
Operations Center
Remote Site
RUGGEDCOM Multi-Service Platform RUGGEDCOM APE1808 Application Processing Engine line module with
the RX1500 LAN Switch LAN Switch
RUGGEDCOM RST2228 RUGGEDCOM RST2228
G_RCM0_XX_00222
Engineering Workstations
and oil & gas industries are exposed to cyber threats. engine based on Intel Quad core CPU and x86_64 architec-
Intrusion Prevention System (IPS)
Next Generation Firewall (NGFW)
Field Devices
RUGGEDCOM, a family of rugged networking devices from ture which supports either Linux or Windows 10 in the form RUGGEDCOM CROSSBOW –
Secure Remote Access
Siemens, is perfect for these industries. RUGGEDCOM factor of a line module for the RX1500 series of devices. The
devices exceed the requirements of the IEC 61850-3 and RUGGEDCOM APE1808 provides a standards-based platform RUGGEDCOM cybersecurity solutions hosted on the RUGGEDCOM APE1808
IEE 1613 standards for error-free operation despite electro- to install applications such as Next Generation Firewalls,
magnetic interference, humidity, vibration and temperature Intrusion Detection Systems with Deep Packet Inspection
extremes from -40° to +85°C. These devices are built to be and Intrusion Prevention Systems, Siemens proprietary soft- Task
Advantages at a glance
secure and enable the integration of advanced cybersecurity ware such as CROSSBOW for Secure Access Management Secure a typical OT network in harsh environments from
applications onto any industrial network. and SINEC NMS (Operations) for network management, pro- malicious events (cyberattacks, malware, misuse and unau- ◾ Passive implementation of a comprehensive cyber
RUGGEDCOM Multi-Service Platform viding a cost-effective way to ensure comprehensive cyber- thorized access) without affecting network availability security solution with zero disruptions
security for any industrial network.
RUGGEDCOM Multi-Service Platform: a family of rugged, hot- Solution ◾ Includes real time monitoring and risk alerts with IDS,
swappable and modular Ethernet devices which function as RUGGEDCOM CROSSBOW RUGGEDCOM APE1808 installed with a NGFW application is analysis of OT protocols with DPI, Next Generation
an all-in-one switch, router with VPN and firewall and which A proven Secure Access Management solution designed to used with the RUGGEDCOM RX1510 gateway router for ap- Firewall and IPS for blocking threats and secure
are typically used as the main point of entry between the provide NERC CIP compliant access to Intelligent Electronic plication level protection from cyberattacks. It is also remote access to the field assets
local area network and the WAN. It includes the RX1400 Devices (IEDs). It provides remote IED access, activity log- equipped with an integrated Intrusion Prevention System ◾ Eliminates the need for specialized cybersecurity
compact Edge router and the RX1500 series of compact ging, data privacy and secure connection to field devices (IPS) to monitor activity, prevent suspicious behavior and re- appliances, reducing training and operational costs
(RX1510, RX1511 and RX1512) and rack mount (RX1501 without having to go to the field, delivering productivity port events to a SIEM server.
and RX1500) devices. ◾ One box integrated solution with the RUGGEDCOM
gains for administrators and users alike. Integrated Intrusion Detection System with Deep Packet in- Multi-Service Platform and APE1808 with bundled
Their cybersecurity capabilities include: RUGGEDCOM Layer 2 Ethernet switches provide security at spection for OT protocols (IDS/DPI) solution is installed on software from leading cybersecurity providers
◾ Stateful Inspection Firewall with Network Address the local area network level, including MAC-based port secu- the APE1808 module in the Operations Center and at the ◾ All in one customized hardware, software and ser-
Translation (NAT) rity, RADIUS authentication, SSH/SSL encryption for pass- remote site to collect, analyze and report on all traffic pass- vices solution offered by Siemens Professional
◾ IPsec VPN for encryption and authentication of all IP pack- words, VLANs and the ability to enable/disable ports. ing through the sensor (Northbound or Southbound). Services
ets at the network layer Siemens offers end-to-end cybersecurity solutions, including RUGGEDCOM CROSSBOW Secure Access Manager in the Op-
◾ Strong encryption to further secure all network traffic network appliances, consultation, design and implementa- erations Center and the CROSSBOW SAM-L installed on the
with algorithms like AES, RSA and ECC tion support with the Siemens Professional Services team. RUGGEDCOM APE1808 in the remote site router provide
NERC-CIP compliant remote access.
28 29
© Siemens 2020 © Siemens 2020
MORE ON INDUSTRIAL SECURITY
Automation Firewall
Next Generation
Ethernet
Terminal bus
G_IK10_XX_10342
in der PCS 7-Freigabe = for PCS
mentation of this strategy in a system is described in detail ◾ Patch7???
management: the system is kept current using an
◾ Physical access protection update strategy (e.g., with operating system, software
in “PCS 7 Compendium Part F - Industrial Security“.
SIMATIC PCS 7 is certified based on this recommended ◾ Cell segmentation using firewalls and firmware updates). This minimizes the risk of an
system configuration in accordance with IEC 62443-3-3 ◾ System hardening attack on known security gaps.
(TÜV Süd). ◾ Patch Management ◾ User administration: use of a central user administration
in order to explicitly define access rights, group mem-
◾ User administration (SIMATIC Logon)
berships, roles and policies for system users. This is
◾ Malware detection and prevention done following the principle of limiting rights to those
◾ Training and processes needed for the respective task.
◾ Virus scanner: use of an up-to-date virus scanner to
◾ Access protection: systems and access controls secured minimize the risk of harm and negative impacts on
by factory security including access authorizations by systems and system operation.
means of typos ◾ Regular training of all personnel for the purpose of
◾ Firewalls: segmentation of networks, formation of adhering to all defined processes and ensuring the
perimeter networks (DMZ), restriction and logging of security of the system.
30 network communication 31
© Siemens 2020 © Siemens 2020
MORE ON INDUSTRIAL SECURITY
The increasing internetworking of production and office has In order to avoid the loss of production and downtimes, the Advantages at a glance
Security Consulting for a risk-based security
made many processes faster and easier. Uniform use of the roadmap data traffic between networks must be checked, analyzed and ◾ Tested and released for SIMATIC PCS 7
same data and information creates synergies. This trend, selectively released without affecting the process control sys-
◾ Protection against known and unknown threats
however, also poses increased risks. tem function. This is the only way to optimally protect the sys-
Security Consulting includes comprehensive analysis of ◾ Very good value for money
tem without any disadvantages for productivity. Firewalls with
Today it is no longer just the office environment which is threats, identification of risks and concrete recommenda-
complementary services are predestined for this. With the ◾ First-class firewall solution for the segmentation of IT/
under threat from viruses and hacker attacks. There is also a tions of security measures.
Automation Firewall Next Generation, Siemens offers a tested OT networks based on the «Zones & Conduits» model of
risk of intrusions, influencing of integrity and loss of know-
◾ You benefit from: a plant-specific and risk-based and validated standard firewall in three performance classes IEC 62443
how in production facilities. Many weak spots in security are
security roadmap for a consistently optimal security (220, 820, 850). It is designed for use with SIMATIC PCS 7 and ◾ Time savings, as many application protocols are
not obvious at first glance. For this reason, it is advisable to
level. WinCC. integrated by default
review and optimize the security of existing automation envi-
ronments in order to maintain a high level of plant availability. The Automation Firewall Next Generation cooperates per-
Security Implementation for risk reduction
fectly with the communication products of SIMATIC NET. It Service by Siemens
The Industrial Security Services portfolio provides a compre- measures
features comprehensive hardware and software functions for ◾ Checking the plant network
hensive product range for developing, implementing and
SIMATIC PCS 7 and WinCC projects, e.g.,
maintaining a strategy conforming to the defense in depth Security Implemenation means the implementation of ◾ Development of a perimeter firewall concept
concept. The scalable offer includes comprehensive advice security measures to increase the security level of plants ◾ Application Layer and Stateful Inspection Firewall ◾ Installation and configuration of a perimeter firewall in
(Security Consulting), technical implementation (Security and production facilities. ◾ Classification of all applications, on all ports, at any time automation systems
Implementation) and continuous service (Security
◾ You benefit from: prevention of security gaps and ◾ Enforcement security policies for each user and site ◾ Documentation of the firewall configuration
Optimization).
better protection against cyber threats thanks to ◾ High availability (active/active and active/passive)
technical and organizational measures. Support by Palo Alto Networks (3 or 5 years)
◾ Redundant power supply input for increased reliability
(PA-220 and PA-850) ◾ Premium Support Available 24/7
Security Optimization for comprehensive,
continuous protection ◾ Hardened operating system (PanOS is Linux-based) ◾ Spare parts shipment and hardware replacement the
◾ Possibility to check Layer 7 traffic, such as of the S7 pro- following working day
Security Optimization means continuous monitoring, reg- tocol (detection of start, stop, read, write) or of OPC ◾ Feature releases and software updates, updates for
ular adjustment and updating of the implemented mea- ◾ Secure System Architecture subscriptions
sures through our security tools. ◾ Documentation and FAQs, online portal for customer
support
◾ You benefit from: maximum transparency with
regard to the security status of your plants and
proactive prevention of potential threat scenarios
thanks to our security tools which are designed
specifically for your industrial environment.
32 33
© Siemens 2020 © Siemens 2020
Terms, definitions
Cybersecurity, also referred to as computer security or IT secu- Authentication via an external server
rity, is the protection of hardware, software, information and The concept of RADIUS is based on a central authentication
offered services of computer-based systems from theft, sabo- server. An end device can only access the network or a net-
tage and misuse. work resource after the logon data of the device has been Learn everything
verified by the authentication server. Both the end device about industrial security:
Demilitarized zone (DMZ)
and the authentication server must support the Extensive
A demilitarized zone or DMZ denotes a computer network Authentication Protocol (EAP). ◾ An overview of our security products and
with security-related control of the ability to access the con- services
nected servers. The systems in the DMZ are shielded from System hardening
◾ The latest innovations from the field of
other networks (such as Internet, LAN) by one or more fire- System hardening involves the disabling of unneeded inter-
industrial security
walls. This separation can allow access to publicly accessible faces and ports, thereby reducing the vulnerability of the
www.siemens.com/industrial-security
services (e.g., email) while allowing the internal network network to external and internal attacks. Every level of an
(LAN) to be protected against unauthorized access. The point automation system is considered: the control system, network ◾ www.siemens.com/network-security
is to make computer network services available to both the components, PC-based systems and programmable logic
◾ www.siemens.com/scalance-s
WAN (Internet) and the LAN (intranet) on the most secure controllers.
basis possible. A DMZ’s protective action works by isolating a
Virtual Private Network (VPN)
system from two or more networks.
A VPN tunnel connects two or more network nodes (e.g.,
Firewall security components) and the network segments behind
Security components which allow or block data communica- them. Encrypting the data within this tunnel makes it impossi-
tion between interconnected networks according to specified ble for third parties to listen in on or falsify the data when it is
security restrictions. Firewall rules are configured for this. It is transmitted over a non-secure network (e.g., the Internet).
thus possible to specify that only a particular PC may access a
Virtual LAN (VLAN)
given controller, for example.
VLANs (IEEE 802.1Q) enable logical separation of the data
Industrial Security traffic between pre-defined ports on the switches. The result
Industrial security comprises the protection of information, is several “virtual” networks on the network, which exists only
data and intellectual property during processing, transmission once physically. Data communication takes place only within
and storage in the industrial environment. Availability, integ- a VLAN.
rity and confidentiality are to be safeguarded. The purpose is
Whitelisting
to defend against attacks, threats, dangers and economic
losses and to minimize risks. Guidance is provided by various Whether it’s for individuals, companies or programs: a
national and international standards such as IEC 62443, ISO/ whitelist – or positive list – refers to a collection of like ele-
IEC 27000, ISO/IEC 15408 and the national laws in effect, e.g., ments that are classified as trustworthy. Whitelisting for PCs
Federal Data Protection Act in Germany. ensures that only those programs which are actually required
can be executed.
Port security
The access control function allows individual ports to be
blocked for unknown nodes. If the access control function is
enabled on a port, packets arriving from unknown MAC
addresses are discarded immediately. Only packets arriving Industrial
from known nodes are accepted. security at
a glance
Follow us on:
twitter.com/siemensindustry
youtube.com/siemens
34 35
© Siemens 2020
siemens.com/network-security