Siemens SIMATIC NET SCALANCE SC-600 Operating Instructions Manual page 15

Industrial ethernet security
• Verify certificates based on their fingerprint on both the server and the client side to prevent "man in the middle" attacks. Exchange the fingerprint over a second, secure transmission path.
• Before sending the device to Siemens for repair, replace the current certificates and keys with temporary disposable certificates and keys that can be destroyed when the device is returned.
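A check of the kind the first recommendation calls for, as an added example that is not from the Siemens manual: it computes the SHA-256 fingerprint of a DER-encoded certificate in the colon-separated form that WBM and openssl display, accepts the expected value as it is typically transcribed over the second channel (any case, with or without separators), and compares in constant time. The certificate bytes are constructed placeholders, not a real certificate.

```python
import hashlib
import hmac
import re
import ssl

# Constructed placeholder standing in for a DER-encoded certificate (not a real
# certificate). In practice the bytes come from the peer's TLS handshake or from
# the certificate exported from the device.
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
# The same placeholder wrapped as PEM, as it would appear in an export.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint as 'AB:CD:...' (uppercase, colon-separated).
    Only SHA-256 is offered; SHA-1 and MD5 fingerprints are not trustworthy."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def fingerprint_from_pem(pem_cert: str) -> str:
    """Same, for a certificate supplied in PEM form (e.g. a device export)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint read aloud or pasted from the second channel:
    drop separators, ignore case, and reject anything that is not a complete
    SHA-256 value so a truncated note can never match."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def verify_fingerprint(der_cert: bytes, expected_fp: str) -> bool:
    """True only if the presented certificate matches the out-of-band value.
    Used the same way on the client (pinning the server) and on the server
    (pinning the client). Constant-time compare avoids leaking partial matches."""
    actual = normalize(fingerprint(der_cert))
    return hmac.compare_digest(actual, normalize(expected_fp))


if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_DER))
    print("matches out-of-band value:",
          verify_fingerprint(SAMPLE_DER, fingerprint(SAMPLE_DER)))
```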
Physical/remote access
• Restrict physical access to the device to qualified personnel.
• The storage medium (C-PLUG, KEY-PLUG) contains sensitive data such as certificates and keys that can be read out and modified.
• Using the button, you can reset the device to the factory defaults.
• If the device is publicly accessible, disable the functions of the button in the software.
• Lock unused physical ports on the device. Unused ports can be used to gain unauthorized access to the plant.
• We strongly recommend that you leave Brute Force Prevention (BFP) enabled to protect the device from unauthorized access. For more information, see the configuration manuals, section "Brute Force Prevention".
• For data transmission via a non-secure network, use an encrypted VPN tunnel (IPsec, OpenVPN) to encrypt and authenticate communication.
• When you establish a secure connection to a server (for example for an upgrade), make sure that strong encryption methods and protocols are configured on the server.
• Terminate management connections (WBM, SSH etc.) correctly.
• Use remote logging to forward the system logs to a central logging server. Make sure that the server is within the protected network and check the logs regularly for potential security violations or vulnerabilities.
• For communication via non-secure networks, use the authentication options offered by the protocol.
Hardware/Software
• VLAN structuring offers protection against DoS attacks and unauthorized access. Check whether this is practical or useful in your environment.
• Restrict access to the device using firewall rules.
• Use a central logging server to log changes and access operations. Operate your logging server within the protected network area and check the logging information regularly.
• Selected services are enabled by default in the firmware. It is recommended to enable only the services that are absolutely necessary for your installation. For more information on available services, see "List of available services (Page 13)".
SCALANCE SC-600
Operating Instructions, 10/2021, C79000-G8976-C453-04
Security recommendations
15