PLCnext Security use cases and security context 

PLCnext is supporting different security use cases:

  1. Openness is the leading approach, security is not a leading requirement:
    1. Industrial Security application note (AH EN INDUSTRIAL SECURITY) must be considered
  2. Security is an overall system design requirement, and is ensued by the system design:
    1. WBM offers support by User Management, Certificate Authority, Firewall, Syslog, etc.
    2. No security certification of the device is provided.
  3. PLCnext Technology device is an IEC 62443-4-1/4-2 certified component:
    1. Security profile must be activated. 
    2. Security context described in this PLCnext Security Info Center must fit the required automation system use cases.
    3. IEC 62443-3-3 and IEC 62443-2-4 system design and installation/maintenance processes are supported. 
    4. Centralized security functions like Device and Update Management (DaUM), logging, backup and restore or OT PKI might be combined on an Edge Device and moved from the Service Management zone (IT) to the Manufactoring zone (OT) to separate IT and OT more strictly.

 

PLCnext Technology secure-by-design features

PLCnext Technology was developed according to the secure-by-design procedures from the beginning.

The next formal step was to certify the development process according to IEC 62443-4-1, and to prove the PLCnext Technology Security Level 2 feature set by an IEC 62443-4-2 certification.
To build an automation solution with PLCnext Technology based on the IEC 62443-4-1/4-2 certification the definitions described in this PLCnext Security Info Center must be fulfilled.
The activation of the Security Profile (Link) is mandatory.

The following features build the base of the PLCnext Security.
 

Hardware measures

  • TPM-protected Phoenix Contact device certificate 
  • Integrity check of devices while booting (depending in part on the controller model)  (2152 FW implementation not HW)
  • Network segmentation by independent intefaces (e.g. the use of left-aligning AXC F XT ETH 1TX, depending on the controller model)
  • Use of an SD card with encryption (coming soon from Phoenix Contact)  (planned for 2024.0 TLS)

Firmware measures

  • Basing on Yocto Linux with secure-released components and automatic vulnerability supervision
  • Secure communication via TLS 1.2, TLS 1.3, HTTPS, OPC UA, SFTP, SSH, VPN
  • User Manager supporting roles, permissions, credentials, and LDAP connection
  • Certificate store for manufacturers, system integrators, and asset owners
  • Firewall with management of different interfaces, levels for chains and rules
  • Syslog-ng for secure message management and central storage
  • Time synchronization via NTP
  • Backup and restore via rsync
  • Device and Update Management (DaUM) for e.g. firmware updates

 

 

 

 

 

•  Web browser recommendation: Chrome/Edge 88 or newer, Firefox ESR 90 or neweror Safari  • 
• Published/reviewed: 2023-11-02 • Revision 011 •