Phoenix Contact industrial security guideline 

Introduction

The increasing interconnection of systems, components, and devices, together with the growing amount of data to be transmitted and stored (in short: the achievements of Industry 4.0), results in a higher risk of cyber attacks. This risk is further increased by the growing spread of open industrial standards. Therefore, the best possible protection against cyber attacks, threats, and deliberate or accidental misuse or manipulation of data must be the logical and highly prioritized consequence of this digital development.

Last but not least, in addition to the financial, business, and customer interests in smooth and undisturbed operations and in data integrity, there are also legal security requirements, such as the European NIS Directive (EU 2016/1148) or the German IT Security Act (V2.0, valid from May 28, 2021). Refer to Security-relevant laws and industrial standards for details.

According to current directives and relevant laws, it is primarily the operator of relevant facilities who is required to implement appropriate protective measures. To do this, the operator needs a consistent security concept that defines uniform and sufficient protective measures. This concept must include the manufacturer of the industrial automation components, the system integrator who integrates these components into the asset (i.e., the plant manufacturer), and the plant user/operator.

The IEC 62443 standard defines such a security concept, which holistically covers all the roles in the ICS area. In order to securely operate a company or plant, an ISMS (Information Security Management System) needs to be implemented to address the cyber-security risks and to implement and continuously improve the technical and organizational countermeasures. This is the subject of this manual.

The purpose of such an ISMS is to establish the greatest possible level of cyber-security while taking economic aspects into account. This means that all security-related measures must be defined and implemented at a required and justified level.

"Cyber-security" is generally understood to mean the protection of information and systems against theft and deliberate or accidental manipulation. The goal of cyber-security is to ensure the

  • integrity
  • availability
  • confidentiality

of data and IT systems or OT systems, i.e., Industrial Control Systems (ICS) in our current context.

Our support on your way to security

The present document contains the information that is necessary to integrate and use Phoenix Contact components within your plant in a secure way.

The guideline is aimed at

  • system integrators,
  • plant owners, and
  • plant operators

who integrate, configure, parameterize, and use components supplied by Phoenix Contact.

Note: A basic assumption of the IEC 62443 is that security mechanisms must be implemented by all three roles (as defined by the standard), rather than by a single actor.

The present documentation is not related to any specific device or software version. It is rather to be understood as generic information which has to be supplemented by the product-specific information given in the respective device manual or software user guide.

Prerequisite level of knowledge

The information given in the present documentation is aimed solely at the groups mentioned above, who are familiar with the relevant concepts of automation technology as well as the applicable standards and other regulations.

Knowledge of the following is required:

  • The devices used to build automation infrastructures and systems,
  • The software tools used for device configuration and parameterization,
  • The security-relevant regulations in the field of application, in particular the applicable parts of the IEC 62443 standard, and
  • The safety and accident prevention regulations given by relevant safety standards, applicable sector standards, and local safety guidelines in the field of application.

Qualified personnel

The information given in this guide must only be used and applied by qualified personnel: these are appropriately skilled persons, or persons instructed by skilled personnel, who are familiar with the relevant IT/ICS security concepts for automation and network technology as well as the applicable standards (IEC 62443) and other regulations.

Phoenix Contact assumes no liability for erroneous handling or damage resulting from disregard of information contained in this documentation.


Improper modifications to devices can endanger safety and the system's cyber-security, or damage devices

Within the scope of the information described in the present guideline, any modifications to the hardware and firmware of the devices in the system are not permitted.

Published/reviewed: 2023-01-13, Revision 005