Technical and organizational security measures
To achieve security, a holistic approach is necessary: An adequate security concept must include the technology used, defined processes, and the people involved, i.e., it must specify both technological and organizational measures.
Many but not all threats can be defended against with appropriate technical measures. These technical measures must be supplemented by organizational measures that address personnel, procedures, policies and practices. Please refer to 360° Security - The Holistic Approach for details.
From the systemic point of view, further requirements and interfaces arise regarding the following:
- Network architecture of the automation solution
- Configuration of the automation solution
- User account management
- Certificate management
- Firewall settings management
- Device and patch management
- Remote maintenance
The following aspects can help to fulfill these requirements:
- Network segmentation: Data exchange between different internal plant parts (zones) can be configured.
- Use of firewalls.
- Encrypted data transmission: Incoming and outgoing communication can be encrypted using VPN, for example via IPsec or OpenVPN.
- Authentication of any human user or software process that requests the establishment of a communication connection within your network (for example using certificates).
- Implementation of a secure certificate management/PKI system.
- Integration into user administrations: By configuring users network-wide, individual access can be assigned to and managed for each employee.
- Secure remote access: For remote maintenance of machines via insecure networks, it makes sense to use additional security appliances (e.g. mGuard from Phoenix Contact). Here, it is important that the configurations of the devices used to build automation infrastructures and systems are matched to each other. Secure remote access is also mandatory for wireless connections (mobile access).
- Implementation of a powerful (new generation) anti-malware inspection tool on all network components for which a tool is available and can be installed. Other components (if no anti-malware tools can be installed) should be protected by alternative measures.
- Implementation of NAT/PAT devices which protect the devices located in your internal (private) networks from being visible from the external (public) network. In addition, individual device ports in the internal network that can be accessed, for example, via connected laptops or mobile storage media should be protected and report an alarm in the event of a local attack.
- Implementation of a suitable logging and monitoring system which allows the continuous evaluation of events, accesses etc. in your plant network.
- Realization of suitable PC hardening measures that reduce the risk of compromised engineering/configuration PCs in your network, which in turn could influence the application running on controllers or the configuration of any network device or field device.
- Implementation of a suitable data backup system that enables data recovery after a data loss or a necessary attack-related reconfiguration/setup of system components.
- Integration with device and patch management: Intelligent and efficient device and patch management is provided as a solution or interface for managing multiple devices in the automation solution. It enables the central creation and administration of all security-relevant device settings and supports firmware upgrades.
• Published/reviewed: 2024-12-16 • Revision 016 •