Table of Contents
Advertisement
• Verify certificates based on the fingerprint on the server and client side to prevent
"man in the middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certificates and
keys with temporary disposable certificates and keys, which can be destroyed when
the device is returned.
Physical/remote access
• Operate the devices only within a protected network area. Attackers cannot access
internal data from the outside when the internal and the external network are
separate from each other.
• Limit physical access to the device exclusively to trusted personnel.
The memory card or the PLUG (C-PLUG, KEY-PLUG, CLP) contains sensitive data
such as certificates and keys that can be read out and modified. An attacker with
control of the device's removable media could extract critical information such as
certificates, keys, etc. or reprogram the media.
• Lock unused physical ports on the device. Unused ports can be used to gain
forbidden access to the plant.
• We highly recommend that you keep the protection from brute force attacks (BFA)
activated to prevent third parties from gaining access to the device. For more
information, see the configuration manuals, section "Brute Force Prevention".
• For communication via non-secure networks, use additional devices with VPN
functionality to encrypt and authenticate communication.
• When you establish a secure connection to a server (for example for an upgrade),
make sure that strong encryption methods and protocols are configured for the
server.
• Terminate the management connections (e.g. HTTP, HTTPS, SSH) properly.
• Make sure that the device has been powered down completely before you
decommission it. For more information, refer to "Decommissioning (Page 7)".
• We recommend formatting a PLUG that is not being used.
Hardware / Software
• Use VLANs whenever possible as protection against denial-of-service (DoS) attacks
and unauthorized access.
• Restrict access to the device by setting firewall rules or rules in an access control list
(ACL).
• Selected services are enabled by default in the firmware. It is recommended to enable
only the services that are absolutely necessary for your installation.
For more information on available services, see "List of available services (Page 16)".
• Use the latest web browser version compatible with the product to ensure you are
using the most secure encryption methods available. Also, the latest web browser
versions of Mozilla Firefox, Google Chrome, and Microsoft Edge have 1/n-1 record
splitting enabled, which reduces the risk of attacks such as SSL/TLS Protocol
SCALANCE W1788-x / W1748-1
Operating Instructions, 03/2022, C79000-G8976-C484-05
Security recommendations
13
Advertisement
Table of Contents
