Table of Contents
Advertisement
Secure shell
The AC500 V3 PLC contains a secure shell service to access core logging data in case of
access for ABB
problems which need a deeper analysis. This service is inactive by default, which means that no
service
one can access this privileged shell in the normal operating state.
To activate this service, local access to the PLC is necessary and activation is only valid until
the next power cycle of the PLC. Once activated, the service run on TCP port 22. Each PLC
also protects the secure shell access by an individual password.
Frequently
For more information around cyber security please see our AC500 cyber security FAQ.
asked questions
7.1.1 Defense in depth
The defense in depth approach implements multi-layer IT security measures. Each layer pro-
vides its special security measures. All deployed security mechanisms in the system must be
updated regularly. It is also important to follow the system vendor's recommendations on how
to configure and use these mechanisms. As a basis, the components must include security
functions such as:
●
Virus protection
●
Firewall protection
●
Strong and regularly changed passwords
●
User management
●
Using VPN tunnels for connections between networks
Additional security components such as routers and switches with integrated firewalls should
be available. A defined user and rights concept managing access to the controllers and their
networks is mandatory. Finally, the manufacturer of the components should be able to quickly
discover weaknesses and provide patches.
References: CODESYS Security Whitepaper
Security zones
IT resources vary in the extent to which they can be trusted. A common security architecture is
therefore based on a layered approach that uses zones of trust to provide increasing levels of
security according to increasing security needs. Less-trusted zones contain more-trusted zones
and connections between the zones are only possible through secure interconnections such as
firewallsFig. 22. All resources in the same zone must have the same minimum level of trust. The
inner layers, where communication interaction needs to flow freely between nodes, must have
the highest level of trust. This is the approach described in the IEC 62443 series of standards.
Firewalls, gateways, and proxies are used to control network traffic between zones of different
security levels, and to filter out any undesirable or dangerous material. Traffic that is allowed to
pass between zones should be limited to what is absolutely necessary because each type of
service call or information exchange translates into a possible route that an intruder may be able
to exploit. Different types of services represent different risks. Internet access, incoming e-mail
and instant messaging, for example, represent very high risks.
2023/03/03
Only used services/ports should be enabled (e.g. to enable the functionality of
an FTPS server).
3ADR011074, 1, en_US
Configuration and programming
Cyber security > Defense in depth
75
Advertisement
Table of Contents
