Useful Information For The Protection Of Confidential Plc Configuration Data - Siemens SIMATIC ET 200AL System Manual

Distributed i/o system

Tips and rules for password management
• Manage your passwords in a password manager.
• Use TIA Portal's password policy verification settings to check newly entered passwords for compliance and prevent trivial passwords, for example:
– In the project tree, navigate to the "<Project name> > Security settings > Settings" area and select the "Password policies" area.
– Specify, for example, the minimum number of characters the password must have or the minimum number of special characters.
• You do not have to assign different passwords for each CPU in a system or machine. If the requirements are met, you can also define the same password for a group of CPUs. This strategy also has advantages in the replacement parts scenario: If the group password is also assigned to the replacement CPU, the workload of replacing the CPU is reduced. Note here the risk that if the password of one of these CPUs is compromised, all CPUs with the same password are vulnerable.
• The definition of passwords also has an impact on the replacement part case, as the password for confidential PLC configuration data must be transferred to the new (replacement) CPU in addition to the configuration (see Rules for the replacement parts scenario (Page 72)).
• With S7-1500R/H CPUs, the password for confidential PLC configuration data is only loaded onto one of the two CPUs during loading. So that the sync-up process works and the partner CPU also works properly, the password must be transferred to the partner CPU before the sync-up, using the Online and Diagnostics editor:
– In the Online and diagnostics view, select the area "Password to protect confidential PLC configuration data".
– Enter the required password and click the "Set" button.
If the correct password has been entered, the partner CPU can use the protected PLC configuration data and start the sync-up process.

See also
Useful information for the protection of confidential PLC configuration data (Page 63)

3.6.2.2 Useful information for the protection of confidential PLC configuration data

The concept for Secure Communication protected by security standards comprises the following components:
• Password-based key information that is used for protecting confidential configuration data (e.g. private keys for certificates, passwords).
• A standardized protocol (TLS) that secures communication between the participants (e.g. programming device and CPU).

Communication
Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
63
