26
2.2 Industrial Security and Installation Guidelines
(1) Protection of hardware and applications
(a) Precautions
• Do not integrate any components or systems into public networks.
– Use VPNs (Virtual Private Networks) whenever communication must cross a public network. This allows you to
control and filter the data traffic accordingly.
• Always keep your system up-to-date.
– Always use the latest firmware version for all devices.
– Update your user software regularly.
• Protect your systems with a firewall.
– The firewall protects your infrastructure internally and externally.
– This allows you to segment your network and isolate entire areas.
• Secure access to your plants via user accounts.
– If possible, use a central user management system.
– Create a user account for each user for whom authorization is essential.
– Always keep user accounts up-to-date and deactivate unused user accounts.
• Secure access to your plants via secure passwords.
– Change the password of a standard login after the first start.
– Use strong passwords consisting of upper/lower case, numbers and special characters. The use of a password
generator or manager is recommended.
– Change the passwords according to the rules and guidelines that apply to your application.
• Deactivate unused communication ports and protocols.
– Only the communication ports that are used for communication should be activated.
– Only the communication protocols that are used for communication should be activated.
• Consider possible defence strategies when planning and securing the system.
– The isolation of components alone is not sufficient for comprehensive protection. Draw up an overall concept
that also provides defensive measures in the event of a cyber attack.
– Periodically carry out threat assessments. Among other things, compare the protective measures already in
place with those that are required.
• Limit the use of external storage media.
– Via external storage media such as USB memory sticks or SD memory cards, malware can get directly into
a system while bypassing a firewall.
– External storage media or their slots must be protected against unauthorized physical access, e.g. by using a
lockable control cabinet.
– Make sure that only authorized persons have access.
– When disposing of storage media, make sure that they are safely destroyed.
• Use secure access paths such as HTTPS or VPN for remote access to your plant.
• Enable security-related event logging in accordance with the applicable security policy and legal requirements
for data protection.
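The precautions above (latest firmware, unused ports and protocols deactivated, standard passwords changed, unused accounts deactivated, strong passwords) can be checked mechanically against a device inventory. The following is an added example, not part of the manual or of any vendor tool: the `Device`/`Account` structure, the 90-day inactivity threshold, the 12-character length floor and the sample inventory are all assumptions made for illustration.

```python
"""Audit a constructed PLC/HMI inventory against the precautions listed above."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class Account:
    name: str
    last_login: Optional[date]      # None = never logged in
    default_password: bool          # still using the factory/standard login password?


@dataclass
class Device:
    name: str
    firmware: str
    latest_firmware: str
    enabled_services: Set[str]      # ports/protocols currently switched on
    required_services: Set[str]     # ports/protocols the plant actually uses
    accounts: List[Account]
    on_public_network: bool         # reachable from a public network without a VPN


def password_is_strong(password: str, min_length: int = 12) -> bool:
    """Upper and lower case, a digit and a special character, as the guideline asks;
    the minimum length is an added assumption, the text only names the classes."""
    if len(password) < min_length:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(c, password) for c in classes)


def audit_device(dev: Device, today: date, inactive_days: int = 90) -> List[str]:
    """Return one finding per deviation from the precautions."""
    findings = []
    if dev.on_public_network:
        findings.append(f"{dev.name}: reachable from a public network without VPN")
    if dev.firmware != dev.latest_firmware:
        findings.append(f"{dev.name}: firmware {dev.firmware} is not the latest "
                        f"({dev.latest_firmware})")
    # Every enabled service that is not required should be deactivated.
    for svc in sorted(dev.enabled_services - dev.required_services):
        findings.append(f"{dev.name}: unused port/protocol enabled: {svc}")
    cutoff = today - timedelta(days=inactive_days)
    for acct in dev.accounts:
        if acct.default_password:
            findings.append(f"{dev.name}: account {acct.name} still uses the standard password")
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append(f"{dev.name}: account {acct.name} unused for more than "
                            f"{inactive_days} days, deactivate it")
    return findings


# Constructed sample inventory (not real devices or firmware versions).
SAMPLE_DEVICE = Device(
    name="plc-line1",
    firmware="2.4.0",
    latest_firmware="2.5.1",
    enabled_services={"https", "ftp", "telnet", "modbus-tcp"},
    required_services={"https", "modbus-tcp"},
    accounts=[
        Account("admin", date(2024, 5, 20), default_password=True),
        Account("maintenance", date(2024, 1, 3), default_password=False),
        Account("commissioning", None, default_password=False),
    ],
    on_public_network=False,
)


def audit_sample() -> List[str]:
    """Run the audit on the constructed sample with a fixed reference date."""
    return audit_device(SAMPLE_DEVICE, today=date(2024, 6, 1))


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

On the sample inventory the audit reports six findings: the outdated firmware, the two unused services (ftp and telnet), the unchanged standard password on `admin`, and the two accounts with no login in the last 90 days. Such a script belongs in the periodic threat assessment the guideline calls for, run against the actual inventory rather than the constructed one.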
(2) Protection of PC-based software
(a) Precautions
Since PC-based software is used for programming, configuration and monitoring, it can also be used to manipulate
entire systems or individual components. Particular caution is required here!