Siemens SCALANCE S615 Operating Instructions Manual page 14

SIMATIC NET Industrial Ethernet Security

Security recommendations
• Do not use the same passwords for multiple user names and systems.
• Store the passwords in a safe location (not online) to have them available if they are lost.
• Regularly change your passwords to increase security.
• A password must be changed if it is known or suspected to be known by unauthorized
persons.
• When user authentication is performed via RADIUS, make sure that all communication
takes place within the security environment or is protected by a secure channel.
• Watch out for protocols that do not authenticate the communicating endpoints, such as ARP
(link layer) or IPv4 (network layer). An attacker can abuse them to attack hosts, switches
and routers connected to your layer 2 network, for example by manipulating (poisoning) the
ARP caches of systems in the subnet and then intercepting the redirected traffic. Take
appropriate measures against such non-secure layer 2 protocols to prevent unauthorized
access to the network, for example by restricting physical access to the local network and
by running secure higher-layer protocols (such as TLS or SSH) on top of it.
Certificates and keys
• There is a pre-installed Web server certificate (RSA, 2048 bit key length) and an SSH
private key in the device. Replace this certificate with a user-generated, high-quality
certificate and key, signed by a trustworthy external or internal certification
authority. You can install the certificate in the WBM via "System > Load and Save".
• Have the certificates signed by a certification authority that also provides key
management and revocation.
• Use password-protected certificates in the format "PKCS #12".
• Use certificates with a key length of 4096 bits.
• Make sure that user-defined private keys are protected and inaccessible to unauthorized
persons.
• If there is a suspected security violation, change all certificates and keys immediately.
• SSH and SSL keys are available for admin users. Make sure that you take appropriate
security measures when shipping the device outside of the trusted environment:
– Replace the SSH and SSL keys with disposable keys prior to shipping.
– Decommission the existing SSH and SSL keys. Create and program new keys when the
device is returned.
• Verify certificates based on the fingerprint on the server and client side to prevent "man in
the middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certificates and keys
with temporary disposable certificates and keys, which can be destroyed when the device
is returned.
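As an added example that is not part of the manual, the script below uses OpenSSL to carry out the certificate recommendations above end to end: generate a 4096-bit RSA key, have it signed by an internal certification authority (a throwaway CA created in the script stands in for your real PKI), pack key, certificate and CA chain into a password-protected PKCS #12 file for upload via "System > Load and Save", and compute the SHA-256 fingerprint that is compared on the client side over a second channel. "Example Internal CA", "s615.plant.example", the bundle name and the password are placeholders, not values from the manual.

```shell
#!/bin/sh
# Added example, not from the Siemens manual: replace the factory Web server
# certificate following the recommendations in this section. Names such as
# "Example Internal CA", "s615.plant.example" and the password are placeholders.
set -eu

# Build a device key, have it signed by an internal CA, and pack it as a
# password-protected PKCS #12. $1 = work dir, $2 = device CN, $3 = P12 password.
build_device_bundle() {
    dir=$1; cn=$2; p12pass=$3
    mkdir -p "$dir"
    # Internal CA (stand-in for your real PKI): 4096-bit RSA, self-signed.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Device key (4096 bits, as recommended) and a CSR for the CA to sign.
    openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
    # Sign the CSR; the serial file lets the CA later revoke this certificate.
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/device.crt" 2>/dev/null
    # Key + certificate + CA chain in one password-protected PKCS #12 file,
    # the format the manual recommends for upload via "System > Load and Save".
    openssl pkcs12 -export -inkey "$dir/device.key" -in "$dir/device.crt" \
        -certfile "$dir/ca.crt" -name "scalance-s615-web" \
        -passout "pass:$p12pass" -out "$dir/device.p12"
    # Private key material must stay inaccessible to unauthorized persons.
    chmod 600 "$dir/device.key" "$dir/device.p12"
}

# RSA key length (bits) of the public key in a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-256 fingerprint of a PEM certificate ("AB:CD:..."): the value to hand over
# through a second, secure channel and compare on the client side.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate inside the PKCS #12 (requires the password).
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint the live device presents on HTTPS (needs network; not run here).
device_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

WORK=$(mktemp -d)
P12PASS='replace-this-with-a-strong-passphrase'   # placeholder
build_device_bundle "$WORK" "s615.plant.example" "$P12PASS"
echo "key length : $(cert_key_bits "$WORK/device.crt") bits"
echo "fingerprint: $(cert_fingerprint "$WORK/device.crt")"
```

After uploading device.p12, run device_fingerprint from a client and compare its output with the fingerprint printed on the administration host, exchanging the string over a path independent of the network being secured (a phone call or a signed ticket, for example); a mismatch means a different certificate is being served and the session must not be trusted. OpenSSL 3 writes the PKCS #12 with AES-256-CBC and PBKDF2, earlier releases with legacy RC2/3DES; if the device rejects the file, check which PKCS #12 encryption it accepts rather than weakening the password.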
Operating Instructions, 10/2022, C79000-G8976-C389-07