Siemens SIMATIC NET RUGGEDCOM APE Configuration Manual page 14

Authentication
Physical/remote access
RUGGEDCOM APE (Application Processing Engine)
Configuration Manual, 08/2023, C79000-G8976-1415-06
Before using the RUGGEDCOM APE, make sure all relevant CERT security
advisories for the RUGGEDCOM RX1500-series hosting the APE have been
applied. For the latest information about security patches for Siemens products,
visit the CERT Services website
[https://new.siemens.com/global/en/products/services/cert.html].
Updates to Siemens Product Security Advisories can be obtained by subscribing
to the RSS feed on the Advisories website
[https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications],
or by following @ProductCert on Twitter.
Only enable the physical ports that are required on the module. Unused physical
ports could potentially be used to gain access to the network behind the module.
When using the Windows®-based version of the RUGGEDCOM APE, as per the
local environment's security policy, use BitLocker to avoid unauthorized access to
sensitive information stored on the hard drive.
When using the Linux-based version of the RUGGEDCOM APE, as per the
local environment's security policy, add an administrative account, disable
the root user on Debian Linux, and replace any default passwords. For a list
of default user profiles and passwords, refer to "Logging in to RUGGEDCOM
APE" (Page 13).
To prevent unauthenticated access to the BIOS, configure a supervisor password
and set the power on password. For more information, refer to "Setting the BIOS
Password" (Page 14).
When using the Linux-based version of the RUGGEDCOM APE, ensure the GRUB
bootloader password is configured. For more information, refer to "Setting the
GRUB Bootloader Password" (Page 16).
Use strong passwords. Avoid weak passwords such as password1, 123456789,
abcdefgh, etc.
Passwords should not be re-used across different usernames and systems, or
after they expire.
If an application on the RUGGEDCOM APE uses SSH and/or TLS keys, generate
new keys and protect them in line with the environment's local security policy
before provisioning the unit.
Do not connect the device to the Internet. Deploy the device only within a secure
network perimeter.
Exercise extreme caution when changing any settings in the BIOS. For example,
USB and PXE boot are disabled by default; enabling these settings is not
advisable for securing the module.
Control access to the USB, SD card slot, and gigabit Ethernet ports to the same
degree as any physical access to the module.
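
One way to verify the Linux-side items above (administrative account added, root disabled, GRUB password set) on a Debian-based unit, as an added example that is not part of the Siemens manual. It assumes GRUB 2 configuration syntax and Debian's "sudo" group for administrators; the sample files and the "opsadmin" account are constructed.

```shell
# Succeeds when root's password field in a shadow file is locked ('!' or '*').
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in '!'*|'*'*) return 0 ;; esac
    return 1   # usable hash, or an empty field (no password at all)
}

# Succeeds when Debian's "sudo" group has a member other than root (an admin must exist first).
admin_exists() {
    awk -F: '$1 == "sudo" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") ok = 1 }
             END { exit (ok ? 0 : 1) }' "$1"
}

# Succeeds when the config names a superuser and holds a hashed password.
# Assumption: GRUB 2 syntax; a plaintext "password" line counts as a failure.
grub_protected() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$1"
}

check() {   # check LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# audit SHADOW GROUP GRUB_CFG: exit status is the number of failed checks.
audit() {
    fails=0
    check "root account locked" root_locked "$1"
    check "non-root member in sudo group" admin_exists "$2"
    check "GRUB superuser and PBKDF2 password set" grub_protected "$3"
    return "$fails"
}

# Constructed sample files (not from a real unit; "opsadmin" is a made-up account).
make_samples() {
    mkdir -p "$1/before" "$1/after"
    printf 'root:$6$constructed$hash:19000:0:99999:7:::\n' > "$1/before/shadow"
    printf 'sudo:x:27:\n' > "$1/before/group"
    printf 'set timeout=5\n' > "$1/before/grub.cfg"
    printf 'root:!:19000:0:99999:7:::\n' > "$1/after/shadow"
    printf 'sudo:x:27:opsadmin\n' > "$1/after/group"
    printf 'set superusers="opsadmin"\npassword_pbkdf2 opsadmin grub.pbkdf2.sha512.10000.CONSTRUCTED\n' > "$1/after/grub.cfg"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for s in before after; do audit "$tmp/$s/shadow" "$tmp/$s/group" "$tmp/$s/grub.cfg" || true; done
rm -rf "$tmp"
```

On a unit, the same audit function can be run as root against /etc/shadow, /etc/group and /boot/grub/grub.cfg (the usual Debian paths, assumed here).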
1.3 Security recommendations
ProductCERT Security
Overview