• Verify certicates based on the ngerprint on the server and client side to prevent "man in the
middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certicates and keys with
temporary disposable certicates and keys, which can be destroyed when the device is
returned.
Physical/remote access
• Operate the devices only within a protected network area. Attackers cannot access internal
data from the outside when the internal and the external network are separate from each
other.
• Limit physical access to the device exclusively to trusted personnel.
The memory card or the PLUG (C-PLUG, KEY-PLUG, CLP) contains sensitive data such as
certicates and keys that can be read out and modied. An attacker with control of the
device's removable media could extract critical information such as certicates, keys, etc. or
reprogram the media.
• Lock unused physical ports on the device. Unused ports can be used to gain forbidden access
to the plant.
• We highly recommend that you keep the protection from brute force attacks (BFA) activated
to prevent third parties from gaining access to the device. For more information, see the
conguration manuals, section "Brute Force Prevention (Page8)".
• For communication via non-secure networks, use additional devices with VPN functionality
to encrypt and authenticate communication.
• When you establish a secure connection to a server (e.g. for an upgrade), make sure that
strong encryption methods and protocols are congured for the server.
• Terminate the management connections (e.g. HTTP, HTTPS, SSH) properly.
• Make sure that the device has been powered down completely before you decommission it.
For more information, refer to "Decommissioning (Page10)".
• We recommend formatting a PLUG that is not being used.
Hardware / Software
• Use VLANs whenever possible as protection against denial-of-service (DoS) attacks and
unauthorized access.
• Restrict access to the device by setting rewall rules or rules in an access control list (ACL).
• Selected services are enabled by default in the rmware. It is recommended to enable only
the services that are absolutely necessary for your installation.
For more information on available services, see "List of available services".
• To ensure you are using the most secure encryption methods available, use the latest web
browser version compatible with the product. Also, the latest web browser versions of
Mozilla Firefox, Google Chrome, and Microsoft Edge have 1/n-1 record splitting enabled,
which reduces the risk of attacks such as SSL/TLS Protocol Initialization Vector
Implementation Information Disclosure Vulnerability (for example, BEAST).
Security recommendations
3.1Security recommendations
SCALANCE XR-300
Operating Instructions, 03/2023, C79000-G8976-C586-02 17
To Next Page
Loading...
Need help?
General