Industrial cybersecurity
4.9 Secure operation of CPUs
S7-1500R/H redundant system
System Manual, 01/2024, A5E41814787-AF
53
• Password legitimization restricted or enabled (via an instruction or, if applicable, the CPU
display)
• Online access denied due to the possible number of simultaneous access attempts being
exceeded
• Timeout when an existing online connection is inactive
• Logging on to the Web server with the correct or incorrect password
• Creating a backup of the CPU
• Restoring the CPU configuration (Restore)
The above-listed security events are also stored as syslog messages in the local cache of a CPU
as of firmware version V3.1. You can find an overview of all syslog messages in the following
Entry (https://support.industry.siemens.com/cs/ww/en/view/109823696).
The content of a syslog message is based on IEC 62443-3-3.
You can find more information in the section Syslog messages (Page 53).
Connection to a SIEM system
A SIEM system (Security Information and Event Management) analyzes security events in real
time and can be installed, for example, on the syslog server.
4.9.11 Syslog messages
Using syslog messages
International standards and national regulations for the IT security of automation
components require, for example, the ability to log safety-related events.
Syslog (System Logging) is an IETF standard protocol (RFC 5424) for the transfer of recorded
events and meets this requirement. A CPU records the following events, for example:
• Security events
• Firmware updates
• Changes to the user program
• Changes to the configuration
• Changes to the operating state
The collecting of security-relevant events cannot be deactivated. Each CPU as of FW version
V3.1 saves syslog messages in a local cache. By querying this cache, you can view the syslog
messages and identify potential security risks.
The local cache of a CPU is organized as a ring buffer. If the storage limit of the cache is
reached and additional security events occur, the oldest messages in the cache are
overwritten.
If you want to access the local cache with the syslog messages, use the Web API of the web
server (API method Syslog.Browse). You can find information on the procedure in the "Web
server (https://support.industry.siemens.com/cs/us/en/view/59193560)" Function Manual.
You have the option of transferring the events collected by the CPU to a syslog server in the
network.
To Next Page
Loading...
Need help?
General
