Data classification & protection needs The central task for a threat-risk-assessment is the classification of data which is stored/processed in a zone and transmitted between zones via conduits. This classification is done in two steps: Identification of the data available in your system. Classification of… Read More
VPN Via open Internet connections, criminals can copy data or make changes to the system. Using firewalls, the access to automation systems from the external networks can be restricted to authorized connections. In addition, remote connections via the Internet should always be encrypted, for example via a virtual private… Read More
Technical PC hardening measures Any engineering tool, such as PLCnext Engineer, can manipulate devices or processes in your ICS. To reduce the risk of manipulation, perform security evaluations regularly. PC-based hardening and organization measures Protect any PCs used in automation solution environments against security-relevant manipulations. This… Read More
Security levels Security levels according to IEC 62443-3-3 To categorize the severity of potential threads, protection classes are available for the various data classes a zone stores/processes or a conduit transmits. This is the basis for the required level of protection of an entire zone or conduit. In… Read More
Anti-malware inspection The list of security incidents in industry is growing longer all the time: Stuxnet, Industroyer, TRITON, or WannaCry are examples of malware/ransomware which attacked SCADA systems, safety controllers etc. While anti-virus/anti-malware software is common and widespread on IT systems, OT components are often still unprotected. Read More
Least privilege concept The concept of “least privilege” is a basic security concept: Every access and execution right to components and data in your ICS should be restricted to the maximum possible extend for each user. In doing so, care must be taken to ensure that the availability… Read More
Logging and monitoring Log and status data as feedback for security improvements The early detection of security-relevant incidents as well of system errors and performance “bottlenecks” during operation or data transmission depends to a large extent on adequate logging and monitoring. In particular, log data and… Read More
Concepts & tools based on IEC 62443 The following topics describe concepts and tools defined in the IEC 62443 standard: Least privilege concept Defense-in-Depth concept Zones and conduits (with protection needs analysis) Data classification & protection needs Security levels (SLs) Foundational requirements (FR) and system requirements… Read More
ICS security concept by Phoenix Contact This topic describes how Phoenix Contact solves the requirements regarding cyber-security. Note: This description and the illustrations in this chapter are schematic and exemplary in nature. They do not claim to be complete. Details on technical implementations and practical realization can… Read More
Plant management Making (physical) on-site access controllable In addition to the remote access, the “physical access” on site must also be controlled and restricted if necessary. To prevent damage due to unauthorized access: Make sure that only authorized access is possible. Protect the interfaces by… Read More
