Data classification & protection needs The central task for a threat-risk-assessment is the classification of data which is stored/processed in a zone and transmitted between zones via conduits. This classification is done in two steps: Identification of the data available in your system. Classification of… Read More
VPN Via open Internet connections, criminals can copy data or make changes to the system. Using firewalls, the access to automation systems from the external networks can be restricted to authorized connections. In addition, remote connections via the Internet should always be encrypted, for example via a virtual private… Read More
Logging and monitoring Log and status data as feedback for security improvements The early detection of security-relevant incidents as well of system errors and performance “bottlenecks” during operation or data transmission depends to a large extent on adequate logging and monitoring. In particular, log data and… Read More
Concepts & tools based on IEC 62443 The following topics describe concepts and tools defined in the IEC 62443 standard: Least privilege concept Defense-in-Depth concept Zones and conduits (with protection needs analysis) Data classification & protection needs Security levels (SLs) Foundational requirements (FR) and system requirements… Read More
ICS security concept by Phoenix Contact This topic describes how Phoenix Contact solves the requirements regarding cyber-security. Note: This description and the illustrations in this chapter are schematic and exemplary in nature. They do not claim to be complete. Details on technical implementations and practical realization can… Read More
Plant management Making (physical) on-site access controllable In addition to the remote access, the “physical access” on site must also be controlled and restricted if necessary. To prevent damage due to unauthorized access: Make sure that only authorized access is possible. Protect the interfaces by… Read More
Firewalls General information on firewalls A firewall is a system component which protects individual computers, IT systems and ICS networks from attacks and data corruption/misuse. Firewalls can prevent or restrict the spread of malware. The firewall is installed at a suitable system boundary. i.e., zone boundary… Read More
Keys: PSK, private/public This topic introduces basic knowledge on keys. Pre-shared Keys (PSK) Pre-shared keys (PSKs) can be used for authentication purposes. When establishing, for example, a VPN or WLAN connection, the PSK is used for exchanging the (symmetric) session key between the applications involved. Read More
Remote access/remote maintenance Consideration: risks and benefits The increasing network capabilities of devices used to build automation infrastructures and systems enable a variety of new opportunities. Remote access to systems and data facilitates monitoring and maintenance of plants via the Internet. This saves costs, shortens the response… Read More
(Central) User management General considerations on user management If communication is allowed through a firewall or possible via local access, access should be protected by a user login. Users in this context may be human users, software processes, and devices used to build automation infrastructures and systems. Read More
