● Install virus and spyware protection
●
Use containers or virtual machines
● Create strong passwords by applying a strong password policy
● Create and keep backups
● Use encryption when possible
● Disable weak encryption algorithms
● Separate data and programs
● Enable and use disk quotas
● Strong logical access control
● Adjust default settings, especially passwords
Verification phase
● Verification of antivirus - Check antivirus is active and updated
● Verification of the identification - Check that test and unauthorized accounts are removed
● Verification of intrusion detection systems - Check malicious traffic is blocked
● Verification of audit logging - Check audit log is enabled
● You can use the checklist out of the
cyber security white paper
Operation phase
●
Keep software up-to-date, especially by applying security patches
● Keep antivirus up and running
● Keep antivirus definitions up-to-date
● Delete unused user accounts
● Lock an active session whenever it is unattended, e.g., lock the screen of the PC or of the
control panel (HMI)
Decommissioning phase
● Delete all credentials stored in the device like certificates and user data
Ä
Chapter 12
“Decommissioning” on page 96.
References:
Hardening in Wikipedia (2021)
7.1.4
Certificates factory default - no encryption
As of Automation Builder Release 2.6.0, the encryption of the AC500 communication policy
is set to “No encryption” by default. The reason for that is that the PLC clock defaults to
01/01/1970 when shipped from the factory, any pre-installed certificate would already be expired
when the user attempts to connect.
Connection of the PLC to the Automation Builder and Internet access.
The PLC must be equipped with a battery to keep the date in case of power off.
The PLC must be set to the current date and time.
1.
If necessary reboot the PLC.
2. Connect the PLC to the Automation Builder again.
The basis for an official trusted signed certificate is the creation of a Certificate Signing
Request.
As an example, the creation of a certificate for a FTP server is described.
Preliminary
work
Create an CA-
signed certifi-
cate
Configuration and programming
Cyber security > Certificates factory default - no encryption
2023/03/033ADR011074, 1, en_US80
To Next Page
Loading...
