Industrial Security for Controllers and HMIs
We offer designs for security of controllers, HMI, and SCADA applications, fully in keeping with the spirit of Totally Integrated Automation, our system architecture for integrated automation.
The SCADA software, our controllers and our HMIs have been coordinated in terms of their security functions. Targeted deactivation of unneeded services allows their interfaces to be hardened without loss of functionality.
New with SIMATIC S7-1500 controllers
The latest controller family SIMATIC S7-1500 offers an improved security concept of protection levels and block protection all the way to communication integrity. Security Integrated protects your investment against unauthorized access and modification and thus contributes to secure plant availability.
Thanks to the increased know-how protection in Step 7, algorithms can be protected against unauthorized access and modifications. This feature protects machines from reproduction and secures your investments.
Improved password protection against unauthorized opening of program blocks with STEP 7 and therefore expanded protection against unauthorized copying, for example, of developed algorithms. It also protects against unauthorized evaluation of program blocks with external programs from the STEP 7 project, of data on the memory card and of program libraries.
An optimized copy protection is supported by linking individual blocks with the serial number of the original memory card on the SIMATIC memory card. This means programs cannot be copied and will only run with the configured memory card.
Access protection (authentication)
Access protection offers protection from unauthorized project modifications. Different user groups can be assigned separate rights by means of authorization levels. An extended access protection is supported by means of an integrated firewall via Security CP 1543-1.
The system helps protect the data transferred to the controller from unauthorized manipulation by, for example, offering a protected transmission of the passwords during authentication. The controller detects and averts the modified or unauthorized transmission of engineering data (including firmware updates).
SIMATIC Logon: User administration and role-based access control
With SIMATIC Logon, you rely on central, plant-wide user administration for SIMATIC engineering and runtime systems. Security mechanisms on the part of the administrator and user ensure reliable protection. The user is uniquely defined by his/her user ID, consisting of user name and password. The administrator can also configure new users or block existing users online, both throughout the plant and across applications.
Deactivation of services
For security reasons, most network services are deactivated in our products in their basic configuration. These services are only activated by configuration if they are needed as part of an automation solution.
Deactivation of hardware interfaces
If a controller, HMI system, or I/O module has unneeded PROFINET interfaces, these can be deactivated via configuration. Plugging in an illegal device thus causes no harm because the port is inactive.
One of the system properties of our PROFINET devices is their robustness against large volumes of network packets or faulty network packets. For example, this robustness will ensure that high network loads or denial-of-service attacks will not impair automation operation. If a network overload occurs in which all communication resources are allocated, regular operation will resume automatically once the network load subsides.
Only authorized persons are permitted to change the configuration or to access functions for automation components that are relevant to the system or process. Our controllers as well as our HMI systems provide access protection mechanisms that allow access only after previously assigned access information (e.g., a password) is entered. This protection is available for configuration interfaces and for other services (e.g., Web servers).
Protection against unauthorized access with integrated know-how protection
SIMATIC STEP 7 and S7 controllers use know-how protection for program blocks to safeguard the confidentiality of the user's know-how contained in the automation solution. Once the program blocks are protected, their content cannot be accessed without entering the correct password.
Know-how protection can be supplemented with copy protection, which prevents duplication of program blocks in STEP 7. The execution of program blocks that have been protected with copy protection is tied to certain properties in the runtime environment. The relevant criteria for this are the serial number of a CPU module or memory card.