Network Security; Network Segmentation - Siemens SIMOTION P320-4 E Manual


Industrial security
2.3 General security measures
● Configuration of the radio field to restrict the WLAN range so that it is not available outside
the defined areas (e.g. factory building).
● Guidelines that prevent the use of third-party data storage media (e.g. USB sticks) and IT
devices (e.g. notebooks) classified as insecure on the control.
Further information
Further information on integrated security solutions can be found on the Surveillance page
(http://www.buildingtechnologies.siemens.com/bt/global/en/security-solution/Pages/security-solution.aspx).
2.3.3 Network security

2.3.3.1 Network segmentation

Separation between production and office networks
One important protective measure for your control is the strict separation of the production
networks and the other company networks. This separation creates protection zones for your
production networks.
Note
The products – drives, controllers, commissioning tools (e.g. STARTER or Startdrive) –
described in this manual must only be operated in protection zones.
Separation by means of a firewall system
In the simplest scenario, separation is achieved by means of an individual firewall system
which controls and regulates communication between networks.
Separation via a DMZ network
In the more secure version, the coupling is established via a separate DMZ network. In this
case, direct communication between the production network and the company network is
completely prevented by firewalls and only takes place indirectly via servers in the DMZ
network.
Note
The production networks should also be divided into separate automation cells in order to
protect critical communication mechanisms.
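The DMZ separation described above can be checked against a firewall's allow rules. The following is an added example, not part of the Siemens manual: a small Python audit that flags any accept rule permitting direct traffic between the production and company (office) networks. The zone names, address ranges, rule format and default-deny assumption are all constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption; the manual gives no addresses).
ZONES = {
    "production": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "office": ipaddress.ip_network("10.30.0.0/16"),
}
# Only these zone pairs may talk; production <-> office must go via DMZ servers.
ALLOWED_PAIRS = {frozenset(("production", "dmz")), frozenset(("office", "dmz"))}

def zones_touched(cidr):
    """Return every zone the CIDR overlaps; a broad rule can span several zones."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """Return (rule_index, src_zone, dst_zone) for each accept rule that
    permits a cross-zone flow outside ALLOWED_PAIRS."""
    findings = []
    for i, (src, dst, action) in enumerate(rules):
        if action != "accept":
            continue
        for s in sorted(zones_touched(src)):
            for d in sorted(zones_touched(dst)):
                if s != d and frozenset((s, d)) not in ALLOWED_PAIRS:
                    findings.append((i, s, d))
    return findings

# Constructed sample rule set: (source, destination, action), default deny assumed.
RULES = [
    ("10.10.5.0/24", "10.20.0.10/32", "accept"),  # production cell -> DMZ server
    ("10.30.0.0/16", "10.20.0.10/32", "accept"),  # office -> DMZ server
    ("10.30.4.7/32", "10.10.5.20/32", "accept"),  # office PC -> controller, direct
    ("0.0.0.0/0", "10.10.0.0/16", "accept"),      # "any" source also covers office
]

if __name__ == "__main__":
    for idx, s, d in audit(RULES):
        print(f"rule {idx}: direct {s} -> {d} traffic bypasses the DMZ")
```

The audit treats the list as an allow-list and does not model rule ordering or traffic to addresses outside the three zones.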
SIMOTION P320-4 E / P320-4 S
Manual, 03/2018, A5E36004933B
