
SINAUT - TIMs -- Product information -- System description 
Which mechanisms does the CP1242-7 use in the "TeleControl" mode for sending and receiving data? 
Which security mechanisms does the TeleControl Basic system offer? 
What measures should you take when the radio transmission is very sluggish or unstable due to a bad radio link? 
Where can you find information on the topic of "Industrial Security"? 
What are the requirements for using the S7 routing function and which modules can you implement? 

Which mechanisms does the CP1242-7 use in the "TeleControl" mode for sending and receiving data?

Description
The CP1242-7 is designed for industrial application. It supports TeleControl applications among others. This entry describes the options and mechanisms of the CP1242-7 for data transfer in "TeleControl" mode.

The "TeleControl" mode enables the S7-1200 station to exchange data with a TeleControl server.


Fig. 01

Download
Data transfer with CP1242-7
NET_datatransfer_with_CP1242-7_en.pdf ( 291 KB )

Which security mechanisms does the TeleControl Basic system offer?

Description
The TELECONTROL SERVER BASIC software connects up to 5000 SIMATIC S7 controllers to a central unit by means of the GSM/GPRS cellular radio standard. This permits cost-effective implementation of telecontrol solutions for logistics, maintenance/servicing and energy optimization.
The S7 interface is the MD720-3 modem for connecting the S7-200. The CP1242-7 is available for integration in the S7-1200. The software also permits worldwide teleservice over STEP 7 with the S7-1200, over GPRS and the internet.
In addition to the simple, small telecontrol applications, system integrators and system houses can offer their customers service by providing various services split into customer groups.

The TeleControl Basic system has the following features for secure communication over WAN:
 
No. | Feature | Description
1 | Authorized phone numbers (CLIP list) | Access to stations of the type S7-1200 with CP1242-7 is restricted to phone numbers stored in the CP's configuration. This prevents unauthorized waking of the station and spamming.
2 | Password-protected logon of the CP1242-7 on the telecontrol server | Only stations in which the correct password is configured can log onto the telecontrol server. This prevents third-party stations from illegally entering the control system.
3 | User administration in the TeleControl Server Basic software | Users and passwords: The engineers are assigned different roles. Access is password-protected. User rights: Different user types are given different rights. Only authorized users can make changes to the configuration on the telecontrol server.
4 | Password-protected TeleService (users and passwords) | You can also create several of your own users per CP1242-7 who can log onto a TeleService session and whose access is permitted by means of a special password. This excludes unauthorized TeleService access.
5 | Support of standard SIM cards | If you use standard SIM cards with data rate, most providers prevent access from outside to the IP addresses of the substations when using the public APNs. It is therefore impossible to access the substations from the internet.
6 | Data encryption | The protocol between substation and the telecontrol server uses a simple encryption mechanism. This means that it is not easily possible for third parties to read the data stream.
7 | Stations logged on temporarily | The substations can be configured as temporary stations (CP1242-7). This means that connections are established only when necessary. There are no unnecessary connections which can be manipulated.
8 | Support of private provider APNs | When using private provider APNs, the network operator provides a closed network that does not permit access from the outside.

Note on security
Caution
The functions and solutions described in this article confine themselves predominantly to the realization of the automation task. Furthermore, please take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the Internet. Further information can be found in Entry ID: 50203404.

What measures should you take when the radio transmission is very sluggish or unstable due to a bad radio link?

Description
If you have a bad radio link, this can lead to brief transmission impairment due to bad signal quality or even interference. It is possible that the TIM modules recognize a connection break and then re-establish the connection shortly afterwards. In such cases, bookkeeping messages are always sent before data messages can be exchanged again.
These brief interferences, which usually last only seconds, ultimately make the overall radio transmission very sluggish and even unstable, because too many bookkeeping messages have to be exchanged.

Take the following measures to minimize the recognition of connection breaks and the ensuing exchange of bookkeeping messages.

  • In the case of a bad radio link you can set interference suppression on the dedicated line of the TIM 4R-IE. If brief interferences occur, no bookkeeping messages are exchanged between the central TIM 4R-IE and the communication partner.
  • Increase the repeat factor
  • Increase the extra transmission time
  • Use long acknowledgment
    The long acknowledgment prevents data loss with radio links, because interference or noise on the radio link might be erroneously mistaken for a short acknowledgment.

Where can you find information on the topic of "Industrial Security"?

Description
This entry provides an overview of:

Industrial Security
The growing networking of industrial plants increases productivity. At the same time, however, IT security risks increase likewise, which must be tackled with appropriate protective mechanisms for Industrial Security. It is essential here to have an overall perception that includes both technical measures and staff training as well as the definition of guidelines and processes. This is necessary to achieve optimum security and ensure secure operation of the plant.
More information about technical solutions and our service offering for industrial security is available on the internet at:
http://www.industry.siemens.com/industrial-security

Applications & Tools
The Applications & Tools below provide information on the topic of "Industrial Security".
 
Applications & Tools | Description | Entry ID
Security with SIMATIC NET | This application provides an overview of possible security configurations in the Local Area Network (LAN) and Wide Area Network (WAN) with SCALANCE S61x modules and the SOFTNET security client. | 27043887
Industrial Security with SCALANCE S modules via IPSec VPN tunnel (Configuration 4) | These applications show safe teleservicing with SCALANCE S via a Virtual Private Network (VPN). | 22056713
Secure remote access to SIMATIC stations via Internet and EGPRS router MD741-1 and SCALANCE S612 (Configuration 9) |  | 24960449
Protection of an automation cell by the Security Module SCALANCE S602 via firewall (bridge/routing) (Configuration 5) | This application shows the configuration of a secure automation cell with SCALANCE S firewall. | 22376747
SINAUT ST7 Telecontrol sample configurations in Ethernet, secure Internet and (E)GPRS environment (Configuration 8) | This application shows the configuration of secure internet connections for Telecontrol stations with SINAUT ST7. | 23810112
User login on the operator panel via HMI-RFI | This application shows how to carry out a secure user login on an operator panel with an HMI-RFI (card reader). | 35214239
Diagnostics and teleservicing of SIMATIC Industry PCs | This application shows you how to use the teleservicing option with SIMATIC Industry PCs and the integrated Intel AMT technology. | 52310936
Table 01

Microsoft Security Updates
The entries below provide information about using Microsoft Security Updates together with WinCC, PCS 7, SIMOTION and SINUMERIK.
 
Product | Entry title | Entry ID
WinCC | Which Microsoft Security Patches are released for use with SIMATIC WinCC? | 18752994
PCS 7 | Which Microsoft Security Patches have been tested for compatibility with SIMATIC PCS 7? | 18490004
SIMOTION | SIMOTION P350: Compatibility of Microsoft security patches | 22159441
SINUMERIK | SINUMERIK 810D/840Di/840D: Compatibility of Microsoft security patches with SINUMERIK PCU 50/70 | 19739695
Table 02

Virus Protection
The manuals and entries below provide information about virus protection for PCS 7 and SINUMERIK.
 
Product | Entry or manual title | Entry ID
STEP 7 |  |
STEP 7 V5.3, V5.4 and V5.5 | Which virus scanner versions can you use for STEP 7 V5.3, V5.4 and V5.5? | 37208360
PCS 7 |  |
Trend Micro Office Scan | SIMATIC Process Control System PCS 7 Configuration Trend Micro Office Scan V7.3 incl. Patch 2 | 38006151
 | Configuration Trend Micro OfficeScan V8.0 | 38006929
Symantec AntiVirus | SIMATIC Process Control System PCS 7 Configuration Symantec AntiVirus V10.2 | 38006339
Symantec Endpoint Protection | SIMATIC Process Control System PCS 7 Configuration Symantec Endpoint Protection 11.0 | 38004530
McAfee VirusScan | SIMATIC Process Control System PCS 7 Configuration McAfee VirusScan (V8.5; V8.5i; V8.7) | 38006821
SINUMERIK |  |
SINUMERIK | Notes on virus protection for SINUMERIK 840D sl / 840Di sl | 19577116
Table 03

Whitelisting Protection Mechanisms
The entries below provide information about using whitelisting protection mechanisms with SIMATIC products.
 
Product | Entry title | Entry ID
STEP 7 V5.5; PCS7 V7.1 + SP2; WinCC V7.0 + SP1; WinCC V7.0 + SP2; WinCC flexible 2008 + SP2 | Using whitelisting protection mechanisms with SIMATIC products | 49382928
Table 04

Firewall
The entries below provide information about configuring a firewall.
 
Product | Entry title | Entry ID
SCALANCE S | Which firewall rules should you configure for SCALANCE S in order to have access to the internet with the PG/PC via the SCALANCE and router? | 26517928
 | Which firewall rules do you have to define for SCALANCE S in the Security Configuration Tool to allow data traffic between internal and external networks for a specific IP address area? | 34675703
EGPRS Router | Which firewall rules should you configure for the EGPRS router MD741-1 in order to have access to the internet with the PG/PC from the LAN of the MD741-1? | 31525978
Security Configuration Tool | What are the restrictions when configuring the bandwidth limit of a firewall rule with the Security Configuration Tool V2.1? | 27080202
Table 05

Virtual Private Network (VPN)
The entries below provide information about configuring a Virtual Private Network (VPN) with SCALANCE S and SOFTNET Security Client.
 
Product | Entry title | Entry ID
SOFTNET Security Client | How do you configure a VPN tunnel between a PC station and SCALANCE S61x via the internet with the 2008 edition of SOFTNET Security Client? | 32447942
 | How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the internet with the SOFTNET Security Client Edition 2005 HF1? | 24953806
SCALANCE S | How is a VPN tunnel between two SCALANCE S 61x modules configured in Routing mode via the internet? | 24968210
 | How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the internet with the Microsoft Management Console? | 26098354
 | What can you do if there is no VPN tunnel set up in the SCALANCE S 61x, the SOFTNET Security Client or the MD740-1? | 26361542
 | What configuration steps are necessary to forward the coded data packages incoming on the SCALANCE S61x from the VPN tunnel to specific internal nodes only? | 24533873
Table 06  

Access Control
The entries below provide information about access control in process control systems like PCS 7.
 
Product Entry title Entry ID / Link
WinCC / PCS 7 Process Control System Which safety precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment? 44443744
WinCC / PCS 7 SCADA System
PCS 7 Process Control System Security concept 60119725
Table 07

Remote Access via Internet, Gateways
The entries below provide information about Remote Access via the internet and how you can use an Industrial Ethernet CP or SCALANCE S as a gateway.
 
Product | Entry title | Entry ID
Remote Access with WinCC flexible | What are the options for remote maintenance of a WinCC flexible Runtime system (Panel/PC) via the internet (WAN)? | 19865167
Industrial Ethernet CP or SCALANCE S as Gateway | How do you use an Industrial Ethernet CP or SCALANCE S as a gateway? | 45632056
Table 08

Stuxnet
The entries below provide information about the latest developments and the measures recommended by Siemens for handling Stuxnet.
 
Product | Entry title | Entry ID
WinCC / PCS 7 | SIMATIC WinCC / SIMATIC PCS 7: Information about malware / viruses / Trojan horses | 43876783
SIMOTION | SIMOTION: Latest information about malware / viruses / Trojan horses | 44050544
SINUMERIK | SINUMERIK PCU: Latest information about malware / viruses / Trojan horses | 44050056
Table 09

Protection against Manipulation
Information about how to recognize and prevent program code manipulation in STEP 7 V5.5 is available in Entry ID: 51577287.

What are the requirements for using the S7 routing function and which modules can you implement?

Description
From STEP 7 V5.0 SP3 HF3 onwards you can reach ST stations online over and beyond subnet limits with the PG/PC, in order, for example, to load user programs or a hardware configuration or in order to execute test and diagnostic functions. You can connect a PG/PC at any place within the network and connect online to any stations which are reached through gateways.

Gateway
The gateway from a subnet to one or more other subnets is in a SIMATIC station that has interfaces to the subnets concerned.

Requirements

  • At least STEP 7 V5.0 SP3 HF3 is installed on the PG/PC for configuration and use of the S7 routing function.
  • An interface (Industrial Ethernet or PROFIBUS PC CP) is installed in the PG/PC to establish a connection to the gateway. You can use PROFIBUS PC CPs 55xx and 56xx. You can use any NDIS-compatible Ethernet network card (3COM, CP1613, for example) as Industrial Ethernet interface in the PG/PC.
  • The associated communications modules of the station support the S7 routing function.
  • The network configuration does not go across project boundaries.
  • Both the modules and the PG or PC are loaded with the configuration information that contains the latest "knowledge" about the complete network configuration of the project.
    Technical background
    All the modules associated with the gateway must receive information about which subnets can be reached over which routes (= routing information).

Note
The lists below have been updated with the modules of the hardware catalog of STEP 7 V5.4 SP2. This means that older modules which support the S7 routing function are listed in the tables, but are not necessarily included in the hardware catalog of the latest versions of STEP 7.

SIMATIC S7-CPUs
The list below gives an overview of the SIMATIC S7 CPUs that support the S7 Routing function.

584459_Overview_CPUs_en.pdf ( 43 KB )

Communications processors (CPs)
The list below gives an overview of the PROFIBUS and Industrial Ethernet CPs that support the S7 Routing function.

584459_Overview_CPs_en.pdf ( 41 KB )

SIMATIC S7 FM modules
The list below gives an overview of the SIMATIC S7 FM modules that support the S7 Routing function.
 

FM Version Order number
FM 356-4 V5.0 V5.0 6ES7356-4BM00-0AE0
FM 356-4 V5.0 V5.0 6ES7356-4BN00-0AE0
FM 456-2 V5.0 6ES7456-2AA00-0AB0
Table 01

Gateways
The list below gives an overview of the gateways that support the S7 Routing function.
 

Link | Version | Order number
IE/PB Link | as from V1.0 | 6GK1411-5AA00
IE/PB Link PNIO | as from V1.0 | 6GK1411-5AB00
IWLAN/PB Link PNIO | as from V1.1 | 6GK1417-5AB00
IWLAN/PB Link PNIO | as from V1.1 | 6GK1417-5AB01
Table 02

SIMATIC S7 IM modules
The list below gives an overview of the SIMATIC S7 IM modules that support the S7 Routing function.
 

IM | Version | Order number
IM 467 | as of V2.0 | 6ES7467-5GJ02-0AB0
IM 467 FO | as of V2.0 | 6ES7467-5FJ00-0AB0
Table 03

SIMATIC WinAC RTX, WinAC Slot and WinAC MP
The list below gives an overview of SIMATIC WinAC RTX, WinAC Slot and WinAC MP that support the S7 Routing function.
 
WinAC | Version | Order number
WinAC RTX | as from V4.0 | 6ES7671-0R...
WinAC Slot 412 | as from V3.2 | 6ES7673-2C...
WinAC Slot 416 | as from V3.2 | 6ES7673-6C...
WinAC MP | as from V4.1 | 6ES7671-4EE00-0YA0, 6ES7671-5EF01-0YA0, 6ES7671-7EG01-0YA0
Table 04

SINAUT communications modules
The list below gives an overview of the SINAUT communications modules that support the S7 Routing function.
 
TIM | Version | Order number
TIM 3V-IE | as from V1.0 | 6NH7800-3BA00
TIM 3V-IE Advanced | as from V1.1 | 6NH7800-3CA00
TIM 4R-IE | as from V1.0 | 6NH7800-4BA00
TIM 4RD | as from V3.x | 6NH7 800-4AD90
Table 05

Note
The target station does not have to support the S7 Routing function.

Additional Keywords
Module function

 Entry ID:41819155   Date:2012-12-13 