Technical PC hardening measures 

Any engineering tool, such as PLCnext Engineer, can manipulate devices or processes in your ICS. To reduce the risk of manipulation, perform security evaluations regularly. 

PC-based hardening and organization measures

Protect any PCs used in automation solution environments against security-relevant manipulations. This can be facilitated, for example, by taking the following measures:

• Boot up your PC regularly, and only from data carriers that are secured against manipulation.
• Set up restrictive access rights for any personnel that absolutely must have authorization.
• Identification of each user on the PC must be mandatory. For this purpose, passwords can be used or multifactor authentication can be implemented.
  Passwords should be defined according to a password policy (strong and time-limited passwords). Furthermore, user roles and user authorization should be managed in a (Central) User Management system.
• Activate the BIOS password protection to prevent unauthorized modifications in the BIOS settings.
• Only allow necessary boot options (BIOS setting) to make sure that the PC only boots from media which are considered secure (e.g., internal hard disk). Deactivate all other boot media (USB sticks etc.)
• Deactivate the autorun option if not required for the operation.
• Encrypt your project data.
• Deactivate unused services.
• Uninstall any software that is not used.
• Use a suitable and up-to-date virus/malware detection software.
• Use a firewall to restrict access.
• Use whitelist tools to protect important directories and data against unauthorized changes.
• Activate security-relevant event logging in accordance with the security directive and the legal requirements on data protection.
• Activate the update feature in accordance with the security directive.
• Activate the automatic screen lock function and automatic logout after a specified time.
• Perform backups regularly.
• Only use data and software from approved sources.
• Do not follow any hyperlinks listed that are from unknown sources, such as emails.

Keep software up-to-date

• Always use the latest software version of all tools (e.g., PLCnext Engineer) installed as well as the latest operating system version on your PC.
• Check for any software updates available on the respective product page from Phoenix Contact: phoenixcontact.net/product/1046008
• Observe the Change Notes for the respective software version.
• Pay attention to the security advisories published on Phoenix Contact's Product Security Incident Response Team (PSIRT) website regarding any published vulnerabilities.

Password protection of PCs with ICS-related software tools

Implementation of a suitable user authentication on the Windows PCs involved must ensure that each user is known and authorized to use your ICS-related tools, such as the engineering software PLCnext Engineer.

• Users must log-on to Windows (standard login mechanism).
• Separate account per user (no "group login").
• Corporate policies regarding user administration, password rules, etc., must be defined.
• Logged-on Windows user is allowed to launch and use the software.
• Standard Windows login must be supplemented by multifactor authentication tool: verification of the user identity, e.g. via a mobile app (push notification, biometric recognition, etc.), via a PIN or finger print, hardware/software token, etc.
• A suitable and up-to-date virus/malware detection software must be used, and a firewall is activated and configured.