TLS / HTTP(S) 

To secure the transmission of data between the network devices used to build automation infrastructures and systems (such as controllers), or between an engineering software and the devices you configure and commission with it, use security-capable transmission protocols wherever they are supported. Examples of such protocols are:

  • TLS (Transport Layer Security): the protocol that encrypts and authenticates data transfer on the Internet and in local networks. With Phoenix Contact products, the communication between the engineering software PLCnext Engineer and the firmware of PLCnext Technology controllers is secured with TLS.

    TLS is often still called SSL (Secure Sockets Layer). SSL is the predecessor of TLS: its last version, SSL 3.0, was succeeded by TLS 1.0, and the protocol has been developed further under the name TLS since then. All SSL versions as well as TLS 1.0 and 1.1 are deprecated (RFC 7568, RFC 8996) and must not be enabled; use TLS 1.2 or, preferably, TLS 1.3. Well-known implementations of TLS are OpenSSL and GnuTLS.

    Note: To increase network throughput, some Next-Generation Firewalls (NGFWs) allow SSL/TLS inspection to be switched off. Today, the share of attacks that arrive over encrypted connections is significantly greater than the share that arrive unencrypted, and a firewall that does not inspect TLS traffic cannot detect them. Switching off the inspection therefore limits the firewall's security function and may allow unauthorized data traffic to pass. Bear in mind that TLS inspection works by terminating the connection at the firewall and re-encrypting it with a certificate issued by the firewall's own CA: clients behind the firewall must trust that CA, and a client that is configured to accept only the device's own certificate will reject the substitute certificate, so such connections must be exempted from inspection.


  • HTTPS (Hypertext Transfer Protocol Secure) is the secure version of the HTTP network protocol: HTTP carried over a TLS (formerly SSL) connection. TLS encrypts the connection between the two communication partners, authenticates the server to the client and protects the transmitted data against manipulation. It therefore protects the connection against eavesdropping and tampering.
    Identification and authentication take place in the TLS handshake, before any HTTP data is sent. During the handshake the client verifies the server's certificate, and both sides agree on a symmetric session key (in TLS 1.3 always via an ephemeral Diffie-Hellman exchange, so the key itself never travels over the wire). With this key the sender encrypts the data and the receiver decrypts it after transmission. A certificate from a public CA is only issued if the server and the domain can be uniquely identified: the certification authority verifies that the applicant actually controls the domain (domain validation) and, for organization- or extended-validation certificates, additionally verifies the applicant's identity and address data. The protection only holds if the client really verifies the certificate chain and the host name; a client that skips this check still encrypts the connection but cannot tell a genuine device from an impostor.

    Use secure access paths such as HTTPS or a VPN for remote access.

    Note: HTTPS protects data only while it is in transit; once the transfer is complete, the data is in plaintext on the receiving end. For complete protection, use end-to-end encryption or re-encrypt received data immediately after it arrives. Never store sensitive data in plaintext.
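The following program is an added example, not Phoenix Contact code, that shows what the TLS handshake described above does for the client. It plays both sides on the loopback interface: a "device" that only offers TLS 1.2 or newer, and three clients with different trust settings. Only the client that trusts the device certificate and expects the right host name completes the handshake and exchanges data; the one with an empty trust store and the one expecting a different name are rejected before any application data is sent. The host names "controller.local" and "other.local" are assumptions, and the self-signed certificate is generated inline as constructed input so the example runs offline.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical device host name; the client checks the certificate against it.
const deviceName = "controller.local"

// newSelfSignedCert makes a throwaway ECDSA P-256 certificate for host so the
// example runs offline; a real device certificate comes from your PKI or a CA.
func newSelfSignedCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // host name checks use the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // just generated, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startDevice plays the controller: a loopback TLS listener that never offers
// anything older than TLS 1.2 and echoes one line per connection. It returns the
// address to dial, a trust store holding only the device certificate, and a stop function.
func startDevice() (addr string, trusted *x509.CertPool, stop func() error, err error) {
	cert := newSelfSignedCert(deviceName)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer conn.Close()
				if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
					fmt.Fprintf(conn, "echo: %s", line)
				}
			}()
		}
	}()
	trusted = x509.NewCertPool()
	trusted.AddCert(cert.Leaf)
	return ln.Addr().String(), trusted, ln.Close, nil
}

// connect plays the client: tls.Dial completes the handshake, which fails unless the
// device certificate chains to cfg.RootCAs and carries cfg.ServerName; then one line is exchanged.
func connect(addr string, cfg *tls.Config) (version uint16, reply string, err error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, "", err // rejected in the handshake: no application data was sent
	}
	defer conn.Close()
	fmt.Fprint(conn, "ping\n")
	reply, err = bufio.NewReader(conn).ReadString('\n')
	return conn.ConnectionState().Version, reply, err
}

func main() {
	addr, trusted, stop, err := startDevice()
	if err != nil {
		panic(err)
	}
	defer stop()
	for name, cfg := range map[string]*tls.Config{
		"trusted CA, correct name": {RootCAs: trusted, ServerName: deviceName, MinVersion: tls.VersionTLS12},
		"unknown CA":               {RootCAs: x509.NewCertPool(), ServerName: deviceName, MinVersion: tls.VersionTLS12},
		"trusted CA, wrong name":   {RootCAs: trusted, ServerName: "other.local", MinVersion: tls.VersionTLS12},
	} {
		v, reply, err := connect(addr, cfg)
		fmt.Printf("%-26s version=0x%04x reply=%q err=%v\n", name, v, reply, err)
	}
}
```

The three client configurations differ only in RootCAs and ServerName, which is exactly the information an engineering workstation needs to authenticate a controller: the CA (or device certificate) it trusts and the name the device has to prove. Note that the client verifies the certificate against ServerName, not against the IP address it dials, and that MinVersion on both sides is what keeps SSL 3.0, TLS 1.0 and TLS 1.1 from ever being negotiated.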


• Published/reviewed: 2024-12-16 • Revision 016 •