Siemens SIMATIC NET SCALANCE SC-600 Configuration Manual page 16

Security recommendations
• Use passwords with a high password strength. Avoid weak passwords, (e.g.
password1, 123456789, abcdefgh) or recurring characters (e.g. abcabc).
This recommendation also applies to symmetrical passwords/keys configured on the
device.
• Make sure that passwords are protected and only disclosed to authorized personnel.
• Do not use the same passwords for multiple user names and systems.
• Store the passwords in a safe location (not online) to have them available if they are
lost.
• Regularly change your passwords to increase security.
• A password must be changed if it is known or suspected to be known by unauthorized
persons.
• When user authentication is performed via RADIUS, make sure that all
communication takes place within the security environment or is protected by a
secure channel.
• Watch out for link layer protocols that do not offer their own authentication between
endpoints, such as ARP or IPv4. An attacker could use vulnerabilities in these
protocols to attack hosts, switches and routers connected to your layer 2 network, for
example, through manipulation (poisoning) of the ARP caches of systems in the
subnet and subsequent interception of the data traffic. Appropriate security measures
must be taken for non-secure layer 2 protocols to prevent unauthorized access to the
network. Physical access to the local network can be secured or secure, higher layer
protocols can be used, among other things.
Certificates and keys
This section deals with the security keys and certificates you require to set up TLS, VPN
(IPsec, OpenVPN) and SINEMA RC.
• The device contains a pre-installed X.509 certificate with key. Replace this certificate
with a self-made certificate with key. Use a certificate signed by a reliable external or
internal certification authority. You can install the certificate via the WBM ("System >
Load and Save").
• Use the certification authority including key revocation and management to sign the
certificates.
• Make sure that user-defined private keys are protected and inaccessible to
unauthorized persons.
• If there is a suspected security violation, change all certificates and keys immediately.
• SSH and SSL keys are available for admin users. Make sure that you take appropriate
security measures when shipping the device outside of the trusted environment:
– Replace the SSH and SSL keys with disposable keys prior to shipping.
– Decommission the existing SSH and SSL keys. Create and program new keys
• Use password-protected certificates in the format "PKCS #12".
• Use certificates with a key length of 4096 bits.
16
when the device is returned.
SCALANCE SC-600 Web Based Management (WBM)
Configuration Manual, 10/2021, C79000-G8976-C475-03