
Industrial Security -- Product information -- System description 
What should you watch out for when you enable the "SNMP" function in the configuration of the security module? 
Which security modules support dynamic DNS and can use it to communicate with each other? 
Why does the VPN LED of the SCALANCE M875 and MD741-1 continue to light although the secure IPsec tunnel connection is disconnected? 
What should you watch out for when enabling and using the security functions of CP343-1 Advanced and CP443-1 Advanced? 
How can you display the security status of the CP1628 over the Online View in the Security Configuration Tool (SCT)? 
What remedies are there for weak points in WinCC flexible 2008 and WinCC V11? 
Where can you find information on the topic of "Industrial Security"? 

What should you watch out for when you enable the "SNMP" function in the configuration of the security module?

Description
The security module supports the transfer of management information over the Simple Network Management Protocol (SNMP). For this purpose an "SNMP agent" is installed on the security module; it receives and answers SNMP requests.
Information about the properties of SNMP-compatible devices is provided in the so-called MIB files (Management Information Base); the user needs the necessary access rights to retrieve it.

SNMPv1
With SNMPv1 a "Community String" is also sent. The "Community String" is like a password sent together with the SNMP request. If the "Community String" is correct, the security module answers with the requested information. If the "Community String" is incorrect, the security module rejects the request and does not answer.

The security modules use the default values below for the community strings to control the access rights in the SNMP agent:

  • For read access: Public
  • For read and write access: Private

Note
In the Security Configuration Tool (SCT) write access over the "Private" community string can be configured by enabling the option "Allow write access via community string 'private'". The SCALANCE S V3 security modules do not support writing of values over SNMP and do not react to write access attempts. There is no error message and no inconsistency in the project if you save this setting.


Fig. 01

SNMPv3
With SNMPv3 the data can be transferred to the network analysis tool in encrypted form. The security module SCALANCE S does not support writing of values over SNMP.
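The community-string mechanism described above can be checked on the wire. The following Python script is an added example (not Siemens code and not part of this entry): it decodes the BER header of an SNMP message far enough to read the version, the community string and the PDU type, and flags SNMPv1/v2c messages that carry the default "public"/"private" strings or a SetRequest. The sample messages it builds are constructed for the example; community strings are compared case-insensitively because they are usually sent in lowercase, and the SNMPv3 branch stops at the version field since the rest of a v3 message carries no community string and may be encrypted.

```python
"""Classify SNMP messages by version, community string and PDU type (added example)."""

# Community strings the security modules ship with (from the entry above); matched case-insensitively.
DEFAULT_COMMUNITIES = {"public": "read", "private": "read/write"}

# SNMPv1/v2c PDU context tags (RFC 1157 / RFC 3416).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return {'version', 'community', 'pdu'} for one SNMP message.

    Version numbers follow the wire encoding: 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, version_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(version_bytes, "big", signed=True)
    if version == 3:
        # SNMPv3 carries msgGlobalData and security parameters instead of a community
        # string, and the payload may be encrypted, so classification stops here.
        return {"version": 3, "community": None, "pdu": None}
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return {
        "version": version,
        "community": community.decode("ascii", errors="replace"),
        "pdu": PDU_NAMES.get(pdu_tag, "0x%02X" % pdu_tag),
    }


def assess(packet):
    """Return the findings a monitoring rule would raise for this message (empty list = nothing)."""
    info = parse_snmp_header(packet)
    findings = []
    if info["version"] in (0, 1):
        findings.append("community string sent in cleartext (SNMPv%s)" % ("1" if info["version"] == 0 else "2c"))
        access = DEFAULT_COMMUNITIES.get(info["community"].lower())
        if access:
            findings.append("default %s community '%s' in use" % (access, info["community"]))
        if info["pdu"] == "SetRequest":
            findings.append("write attempt over SNMP (SetRequest)")
    return findings


# --- constructed sample messages (not captured from a real device) ---------------------

def _enc(tag, content):
    """Minimal BER encoder for values shorter than 128 bytes (short-form length only)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_community_message(version, community, pdu_tag=0xA0, request_id=1):
    """Build an SNMPv1/v2c message with one varbind for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = _enc(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00]))
    varbinds = _enc(0x30, _enc(0x30, oid + _enc(0x05, b"")))          # value = NULL
    pdu = _enc(pdu_tag, _enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + varbinds)                      # error-status, error-index
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community.encode()) + pdu)


def build_v3_header_only():
    """Outer SEQUENCE with version 3; enough for parse_snmp_header to classify it."""
    return _enc(0x30, _enc(0x02, b"\x03") + _enc(0x30, b""))


if __name__ == "__main__":
    for label, msg in [
        ("v1 read with 'public'", build_community_message(0, "public")),
        ("v1 write with 'private'", build_community_message(0, "private", pdu_tag=0xA3)),
        ("v2c read with a site-specific string", build_community_message(1, "plant7-ro")),
        ("v3 message", build_v3_header_only()),
    ]:
        print(label, "->", assess(msg) or ["no findings"])
```

Fed with SNMP payloads mirrored from the management segment, the same assess() function lists which modules are still addressed with the default strings. As the note above states, a SCALANCE S V3 ignores SetRequests; a SetRequest with "private" is still worth logging, because it shows that a station on the network is attempting writes.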

Note on security
Caution
The functions and solutions described in this article confine themselves predominantly to the realization of the automation task. Furthermore, please take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the internet. More information is available in Entry ID: 50203404.

Additional Information
Detailed information about Industrial Ethernet Security is available in the manual "SIMATIC NET Industrial Ethernet Security Basics and Applications Configuration Manual" in Entry ID 56577508.

Which security modules support dynamic DNS and can use it to communicate with each other?

Description
Using dynamic DNS you can access a module with a dynamic IP address over its Fully Qualified Domain Name (FQDN).

The security module reports the current WAN IP over which the module can be reached to a provider for dynamic DNS (DynDNS.org, no-ip.com, for example). The provider makes sure that DNS queries to the FQDN of the module are answered with the WAN IP of the module.

The overview below shows which security modules support dynamic DNS as VPN server and VPN client and can use it to communicate with each other.
 
VPN client                            | VPN server: SCALANCE S V3 | VPN server: SCALANCE M875, MD741-1
SOFTNET Security Client (SSC)         | yes 2)                    | yes 1)
SCALANCE S V3, SCALANCE M875, MD741-1 | yes                       | yes
Table 01

1) Communication using dynamic DNS is possible with SSC V3 onwards.
2) Communication using dynamic DNS is possible with SSC V4 onwards.

Note

  • The CPx43-1 Advanced does not support dynamic DNS.

  • The SCALANCE S V3 is not a DNS client. It can only transmit its current IP address to the DNS server, but cannot resolve any domain names.

  • The SCALANCE S V3 supports the following providers: DynDNS.org, no-ip.com or a freely defined service.

  • The SCALANCE M875 is compatible with the DNS services of the provider DynDNS.org. For dynamic DNS the M875 needs a public IP address that can be reached from the internet.

Additional information
More information about the security modules is available in the manuals below.
 
Manual | Entry ID
Where can you find information on the topic of "Industrial Security"? | 50203404
SIMATIC NET Industrial Ethernet Security SCALANCE S V3.0 Installation and Commissioning Manual | 56576669
SIMATIC NET Industrial Ethernet Security Basics and Applications Configuration Manual | 56577508
SIMATIC NET Industrial Ethernet Security Getting Started | 60166939
UMTS Router with HSDPA SCALANCE M873-0 | 49507278
SIMATIC NET Telecontrol SCALANCE M875 Operating Instructions | 58122394
SIMATIC NET S7-400 - Industrial Ethernet CP 443-1 Advanced (GX30) Device Manual Part B | 59187252
SIMATIC NET S7-300 - Industrial Ethernet S7 CPs for Industrial Ethernet CP 343-1 Advanced (GX30) Device Manual Part B | 61199572
Table 02

Why does the VPN LED of the SCALANCE M875 and MD741-1 continue to light although the secure IPsec tunnel connection is disconnected?

Description
The VPN LED of the SCALANCE M875 indicates whether or not a VPN connection is established.

If the SOFTNET Security Client (SSC) establishes a secure IPsec tunnel connection to the SCALANCE M875, the VPN LED of the M875 lights. The IPsec tunnel connection is monitored by Dead Peer Detection (DPD). The SSC does not support DPD. As a result, the VPN LED of the M875 does not go out when the IPsec tunnel connection of the SSC is disconnected, but only when the certificate lifetime has expired.
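The behaviour described above follows from how an IPsec gateway learns that a peer has gone. The following Python model is an added example, not Siemens code: it uses generic RFC 3706 Dead Peer Detection timing (the delay, retry interval and retry count are assumed values, not module defaults) and a fixed tunnel lifetime standing in for the lifetime the entry mentions, and reports what a VPN LED driven only by the SA state would show. With DPD the peer's silence is noticed after a few unanswered probes; without DPD (the SSC case) nothing happens until the lifetime expires.

```python
"""When an IPsec gateway notices a vanished peer, with and without DPD (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DpdConfig:
    """Dead Peer Detection parameters in the sense of RFC 3706 (assumed values, not module defaults)."""
    delay: float            # seconds of peer silence before the first R-U-THERE probe
    retry_interval: float   # seconds between unanswered probes
    retries: int            # unanswered probes after which the SA is deleted


@dataclass
class TunnelObservation:
    established_at: float       # time (s) at which the IPsec SA came up
    last_rx_from_peer: float    # time (s) of the last packet received from the peer
    lifetime: float             # seconds after which the gateway tears the tunnel down regardless
    dpd: Optional[DpdConfig]    # None: the peer does not negotiate DPD (the entry says this of the SSC)


def vpn_led(obs: TunnelObservation, now: float):
    """Return ('on'|'off', reason): the state of a VPN LED driven purely by SA state at time `now`."""
    if obs.dpd is not None:
        # With DPD the gateway probes a silent peer and deletes the SA once the retries fail.
        dead_at = obs.last_rx_from_peer + obs.dpd.delay + obs.dpd.retries * obs.dpd.retry_interval
        if now >= dead_at:
            return "off", "DPD declared the peer dead at t=%g s" % dead_at
    expiry = obs.established_at + obs.lifetime
    if now >= expiry:
        return "off", "lifetime expired at t=%g s" % expiry
    # Nothing else tells the gateway that the peer is gone: the SA stays, so the LED stays on.
    return "on", "SA still considered established"


def detection_latency(obs: TunnelObservation, peer_lost_at: float):
    """Seconds between the peer silently disappearing at `peer_lost_at` and the LED going out."""
    candidates = [obs.established_at + obs.lifetime]
    if obs.dpd is not None:
        candidates.append(peer_lost_at + obs.dpd.delay + obs.dpd.retries * obs.dpd.retry_interval)
    return max(0.0, min(candidates) - peer_lost_at)


# --- constructed scenario: tunnel up at t=0, peer disconnects without notice at t=100 s ----------
PEER_LOST_AT = 100.0
WITH_DPD = TunnelObservation(0.0, PEER_LOST_AT, 3600.0, DpdConfig(30.0, 10.0, 3))
WITHOUT_DPD = TunnelObservation(0.0, PEER_LOST_AT, 3600.0, None)

if __name__ == "__main__":
    for name, obs in (("peer with DPD", WITH_DPD), ("peer without DPD", WITHOUT_DPD)):
        print("%-20s LED at t=200 s: %s (%s); goes out %g s after the peer vanished"
              % (name, *vpn_led(obs, 200.0), detection_latency(obs, PEER_LOST_AT)))
```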


Additional information

  • More information about SCALANCE M875 is available in the manual "SIMATIC NET Telecontrol SCALANCE M875 Operating Instructions" in Entry ID 58122394.
  • More information about configuring secure IPsec tunnel connections between the security modules is available in the manual "SIMATIC NET Industrial Ethernet Security Basics and Applications Configuration Manual" in Entry ID: 56577508.

What should you watch out for when enabling and using the security functions of CP343-1 Advanced and CP443-1 Advanced?

Description
By combining different security functions, such as firewall, NAT/NAPT router and VPN (Virtual Private Network) over an IPsec tunnel, the CPx43-1 Advanced protects individual S7-400 stations, S7-300 stations and even complete automation cells against unauthorized access.

When you enable and use the security functions of the CPx43-1 Advanced, make sure that the CP has the current time and date. The current time and date are essential for verifying the validity of the certificates used, for example when you establish a secure IPsec tunnel connection to one or more security modules.
If you do not take the time from the station (CPU), you can synchronize the time using a SIMATIC procedure or the Network Time Protocol (NTP).
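Why the date matters for certificate checking, and how NTP corrects it, as an added example in Python (not Siemens code; the sample clock values, certificate validity period and NTP timestamps are constructed): the offset and round-trip formulas are the standard ones from RFC 5905, and the SIMATIC synchronization procedure is not modelled. A CP whose clock has fallen back to a default date rejects a perfectly good partner certificate as "not yet valid"; after applying the NTP offset the same certificate passes.

```python
"""NTP clock offset and its effect on a certificate validity check (added example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ntp_offset(t1, t2, t3, t4):
    """Offset of the local clock relative to the server (RFC 5905 theta).

    t1: request sent (local clock), t2: request received (server clock),
    t3: reply sent (server clock), t4: reply received (local clock).
    """
    return ((t2 - t1) + (t3 - t4)) / 2


def ntp_round_trip(t1, t2, t3, t4):
    """Round-trip delay excluding the server's processing time (RFC 5905 delta)."""
    return (t4 - t1) - (t3 - t2)


def certificate_time_valid(not_before, not_after, clock):
    """The validity-period check every certificate verifier performs against the local clock."""
    return not_before <= clock <= not_after


def validate_after_sync(local_now, exchange, not_before, not_after):
    """Check a certificate against the raw local clock and again after applying the NTP offset."""
    offset = ntp_offset(*exchange)
    corrected = local_now + offset
    return {
        "offset": offset,
        "round_trip": ntp_round_trip(*exchange),
        "corrected_clock": corrected,
        "valid_before_sync": certificate_time_valid(not_before, not_after, local_now),
        "valid_after_sync": certificate_time_valid(not_before, not_after, corrected),
    }


# --- constructed sample values (not taken from any real device or certificate) -------------------
# A CP whose clock restarted at a default date instead of taking the time from the CPU.
LOCAL_DEFAULT_CLOCK = datetime(2000, 1, 1, 0, 0, 0, tzinfo=UTC)
# Validity period of the partner certificate used for the IPsec tunnel.
CERT_NOT_BEFORE = datetime(2012, 1, 1, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2017, 1, 1, tzinfo=UTC)
# One NTP exchange: t1/t4 are read from the wrong local clock, t2/t3 from the server.
SAMPLE_EXCHANGE = (
    LOCAL_DEFAULT_CLOCK,                                     # t1
    datetime(2012, 9, 4, 10, 0, 0, 20000, tzinfo=UTC),       # t2 (request arrives after 20 ms)
    datetime(2012, 9, 4, 10, 0, 0, 25000, tzinfo=UTC),       # t3 (5 ms server processing)
    LOCAL_DEFAULT_CLOCK + timedelta(milliseconds=50),        # t4 (reply back 50 ms later, local time)
)


def sample_result():
    """Run the check for the constructed scenario; t4 is 'now' on the local clock."""
    return validate_after_sync(SAMPLE_EXCHANGE[3], SAMPLE_EXCHANGE, CERT_NOT_BEFORE, CERT_NOT_AFTER)


if __name__ == "__main__":
    r = sample_result()
    print("offset %.1f days, round trip %s" % (r["offset"].total_seconds() / 86400, r["round_trip"]))
    print("certificate valid before sync:", r["valid_before_sync"])
    print("certificate valid after sync: ", r["valid_after_sync"], "(clock now %s)" % r["corrected_clock"])
```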


Additional Information
More information about time synchronization is available in the entries below.
 
Subject | Entry ID
How do you configure the SIMATIC S7-300 as time master or time slave for time-of-day synchronization via Industrial Ethernet in SIMATIC mode? | 44049612
How do you configure the SIMATIC S7-400 as time master or time slave for time-of-day synchronization via Industrial Ethernet in SIMATIC mode? | 18130164
Which SIMATIC S7-300/S7-400 modules support the NTP time-of-day message and how do you activate this kind of time synchronization? | 17990844

How can you display the security status of the CP1628 over the Online View in the Security Configuration Tool (SCT)?

Description
The CP1628 provides a secure connection to Industrial Ethernet for SIMATIC PG/PCs and PCs with a PCI Express slot.

The security functions of the CP1628 are configured in the Security Configuration Tool (SCT).

Local and remote diagnostics of a CP1628
The SCT enables you to diagnose a CP1628 locally or remotely. You can have the security status of the CP1628 displayed in the Online View of the SCT.
The document below describes three scenarios for the local and remote diagnostics of one or more CP1628s:

  • Local and remote diagnostics of a CP1628 when the NDIS IP address and the Industrial Ethernet IP address of the module are in the same subnet.
  • Local and remote diagnostics of a CP1628 when the NDIS IP address and the Industrial Ethernet IP address of the module are in the same subnet.
  • Local and remote diagnostics of several CP1628 when the NDIS IP address and the Industrial Ethernet IP address of the module are not in the same subnet.

NET_OnlineDiagnostic_CP1628_with_SCT_en.pdf (1116 KB)


What remedies are there for weak points in WinCC flexible 2008 and WinCC V11?

Description
Siemens has analyzed the weak points in the web server of the Runtime system of SIMATIC WinCC flexible and WinCC (TIA Portal) and has prepared remedies.
Remedies for the weak points are available for the WinCC flexible Runtime versions 2004 to 2008 SP2, WinCC Runtime Advanced V11 and SIMATIC Panels (TP, OP, MP, Comfort Panels).

Information about the remedies and updates is available at the following links:

  • SIMATIC WinCC flexible 2008 Service Pack 3 - Information about delivery release (Entry ID: 57267466)
  • Update for WinCC V11 SP2 (Entry ID: 58112582)
  • Update for WinCC Runtime Advanced V11 SP2 (Entry ID: 58112587)


Additional Keywords
Security note

Where can you find information on the topic of "Industrial Security"?

Description
This entry provides an overview of the following topics:

Industrial Security
The growing networking of industrial plants increases productivity. At the same time, however, IT security risks increase as well and must be countered with appropriate protective mechanisms for Industrial Security. An overall approach is essential here: it must include technical measures and staff training as well as the definition of guidelines and processes. This is necessary to achieve optimum security and ensure secure operation of the plant.
More information about technical solutions and our service offering for industrial security is available on the internet at:
http://www.industry.siemens.com/industrial-security

Applications & Tools
The Applications & Tools below provide information on the topic of "Industrial Security".
 
Applications & Tools | Description | Entry ID
Security with SIMATIC NET | This application provides an overview of possible security configurations in the Local Area Network (LAN) and Wide Area Network (WAN) with SCALANCE S61x modules and the SOFTNET Security Client. | 27043887
Industrial Security with SCALANCE S modules via IPSec VPN tunnel (Configuration 4) | These applications show secure teleservicing with SCALANCE S via a Virtual Private Network (VPN). | 22056713
Secure remote access to SIMATIC stations via Internet and EGPRS router MD741-1 and SCALANCE S612 (Configuration 9) | | 24960449
Protection of an automation cell by the Security Module SCALANCE S602 via firewall (bridge/routing) (Configuration 5) | This application shows the configuration of a secure automation cell with the SCALANCE S firewall. | 22376747
SINAUT ST7 Telecontrol sample configurations in Ethernet, secure Internet and (E)GPRS environment (Configuration 8) | This application shows the configuration of secure internet connections for Telecontrol stations with SINAUT ST7. | 23810112
User login on the operator panel via HMI-RFI | This application shows how to carry out a secure user login on an operator panel with an HMI-RFI (card reader). | 35214239
Diagnostics and teleservicing of SIMATIC Industry PCs | This application shows you how to use the teleservicing option with SIMATIC Industry PCs and the integrated Intel AMT technology. | 52310936
Table 01

Microsoft Security Updates
The entries below provide information about using Microsoft Security Updates together with WinCC, PCS 7, SIMOTION and SINUMERIK.
 
Product | Entry title | Entry ID
WinCC | Which Microsoft Security Patches are released for use with SIMATIC WinCC? | 18752994
PCS 7 | Which Microsoft Security Patches have been tested for compatibility with SIMATIC PCS 7? | 18490004
SIMOTION | SIMOTION P350: Compatibility of Microsoft security patches | 22159441
SINUMERIK | SINUMERIK 810D/840Di/840D: Compatibility of Microsoft security patches with SINUMERIK PCU 50/70 | 19739695
Table 02

Virus Protection
The manuals and entries below provide information about virus protection for PCS 7 and SINUMERIK.
 
Product | Entry or manual title | Entry ID
STEP 7 (V5.3, V5.4 and V5.5) | Which virus scanner versions can you use for STEP 7 V5.3, V5.4 and V5.5? | 37208360
PCS 7 (Trend Micro OfficeScan) | SIMATIC Process Control System PCS 7 Configuration Trend Micro Office Scan V7.3 incl. Patch 2 | 38006151
PCS 7 (Trend Micro OfficeScan) | Configuration Trend Micro OfficeScan V8.0 | 38006929
PCS 7 (Symantec AntiVirus) | SIMATIC Process Control System PCS 7 Configuration Symantec AntiVirus V10.2 | 38006339
PCS 7 (Symantec Endpoint Protection) | SIMATIC Process Control System PCS 7 Configuration Symantec Endpoint Protection 11.0 | 38004530
PCS 7 (McAfee VirusScan) | SIMATIC Process Control System PCS 7 Configuration McAfee VirusScan (V8.5; V8.5i; V8.7) | 38006821
SINUMERIK | Notes on virus protection for SINUMERIK 840D sl / 840Di sl | 19577116
Table 03

Whitelisting Protection Mechanisms
The entries below provide information about using whitelisting protection mechanisms with SIMATIC products.
 
Product | Entry title | Entry ID
STEP 7 V5.5, PCS 7 V7.1 + SP2, WinCC V7.0 + SP1, WinCC V7.0 + SP2, WinCC flexible 2008 + SP2 | Using whitelisting protection mechanisms with SIMATIC products | 49382928
Table 04

Firewall
The entries below provide information about configuring a firewall.
 
Product | Entry title | Entry ID
SCALANCE S | Which firewall rules should you configure for SCALANCE S in order to have access to the internet with the PG/PC via the SCALANCE and router? | 26517928
SCALANCE S | Which firewall rules do you have to define for SCALANCE S in the Security Configuration Tool to allow data traffic between internal and external networks for a specific IP address area? | 34675703
EGPRS Router | Which firewall rules should you configure for the EGPRS router MD741-1 in order to have access to the internet with the PG/PC from the LAN of the MD741-1? | 31525978
Security Configuration Tool | What are the restrictions when configuring the bandwidth limit of a firewall rule with the Security Configuration Tool V2.1? | 27080202
Table 05

Virtual Private Network (VPN)
The entries below provide information about configuring a Virtual Private Network (VPN) with SCALANCE S and SOFTNET Security Client.
 
Product | Entry title | Entry ID
SOFTNET Security Client | How do you configure a VPN tunnel between a PC station and SCALANCE S61x via the internet with the 2008 edition of SOFTNET Security Client? | 32447942
SOFTNET Security Client | How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the internet with the SOFTNET Security Client Edition 2005 HF1? | 24953806
SCALANCE S | How is a VPN tunnel between two SCALANCE S61x modules configured in Routing mode via the internet? | 24968210
SCALANCE S | How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the internet with the Microsoft Management Console? | 26098354
SCALANCE S | What can you do if there is no VPN tunnel set up in the SCALANCE S 61x, the SOFTNET Security Client or the MD740-1? | 26361542
SCALANCE S | What configuration steps are necessary to forward the coded data packages incoming on the SCALANCE S61x from the VPN tunnel to specific internal nodes only? | 24533873
Table 06

Access Control
The entries below provide information about access control in process control systems like PCS 7.
 
Product | Entry title | Entry ID / Link
WinCC / PCS 7 Process Control System, WinCC / PCS 7 SCADA System | Which safety precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment? | 44443744
PCS 7 Process Control System | Security concept | 60119725
Table 07

Remote Access via Internet, Gateways
The entries below provide information about remote access via the internet and about how you can use an Industrial Ethernet CP or SCALANCE S as a gateway.
 
Product | Entry title | Entry ID
Remote Access with WinCC flexible | What are the options for remote maintenance of a WinCC flexible Runtime system (Panel/PC) via the internet (WAN)? | 19865167
Industrial Ethernet CP or SCALANCE S as Gateway | How do you use an Industrial Ethernet CP or SCALANCE S as a gateway? | 45632056
Table 08

Stuxnet
The entries below provide information about the latest developments and the measures recommended by Siemens for handling Stuxnet.
 
Product | Entry title | Entry ID
WinCC / PCS 7 | SIMATIC WinCC / SIMATIC PCS 7: Information about malware / viruses / Trojan horses | 43876783
SIMOTION | SIMOTION: Latest information about malware / viruses / Trojan horses | 44050544
SINUMERIK | SINUMERIK PCU: Latest information about malware / viruses / Trojan horses | 44050056
Table 09

Protection against Manipulation
Information about how to recognize and prevent program code manipulation in STEP 7 V5.5 is available in Entry ID: 51577287.

Entry ID: 57351029   Date: 2012-09-04