Application examples illustrate the solution of automation tasks through an interaction of several

components in the form of text, graphics and/or software modules. The application examples are

a free service by Siemens AG and/or a subsidiary of Siemens AG ("Siemens"). They are

non-binding and make no claim to completeness or functionality regarding configuration and

equipment. The application examples merely offer help with typical tasks; they do not constitute

customer-specific solutions. You yourself are responsible for the proper and safe operation of the

products in accordance with applicable regulations and must also check the function of the

respective application example and customize it for your system.

your responsibility to use them in such a manner that any malfunctions that may occur do not

result in property damage or injury to persons.

Siemens shall not assume any liability, for any legal reason whatsoever, including, without

limitation, liability for the usability, availability, completeness and freedom from defects of the

application examples as well as for related information, configuration and performance data and

any damage caused thereby. This shall not apply in cases of mandatory liability, for example

under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of

life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent

mandatorily liable.

By using the application examples you acknowledge that Siemens cannot be held liable for any

damage beyond the liability provisions described.

Siemens reserves the right to make changes to the application examples at any time without

notice. In case of discrepancies between the suggestions in the application examples and other

Siemens publications such as catalogs, the content of the other documentation shall have

precedence.

The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Siemens’ products and solutions constitute one element of such a concept.

Customers are responsible for preventing unauthorized access to their plants, systems, machines

and networks. Such systems, machines and components should only be connected to an

enterprise network or the Internet if and to the extent such a connection is necessary and only

when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.

For additional information on industrial security measures that may be implemented, please visit

https://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure.

Siemens strongly recommends that product updates are applied as soon as they are available

and that the latest product versions are used. Use of product versions that are no longer

automation systems lead to increased security requirements. It is not sufficient to

offer only superficial and limited protection, since attacks from outside may occur

on several levels. A deep understanding of security and how to apply it is required

for optimal protection.

The first priority in automation is maintaining control over the production process.

Measures intended to reduce the security threats must not interfere with this

priority. The use of an adequate protection concept should ensure that only

authenticated users can carry out (authorized) operations, restricting access to

strategies which are intended to resist the following attacks:

 decrease of availability (e.g. denial of Service)

 bypassing single security mechanisms (such as “man in the middle”)

 intentional incorrect operation by authorized users (such as stealing

 incorrect operations due to misconfigured user privileges

 unauthorized monitoring of data (such as recipes and business secrets or the

 modifying data (for example to alter alarm levels)

 deleting data (for example login files for covering attacks).

consisting of the following components:

security. When selecting appropriate security measures, it must always be ensured

that they provide the necessary level of protection without having unacceptable

impact on the actual operation.

Functional safety addresses protection of the controlled environment against

abnormal operation of the system. On the other hand security addresses protection

violations.

It’s a machine vendor’s task to establish appropriate safety mechanisms. These

machine, a plant section or an entire plant. As the potential threats to an

automation solution change over its life cycle a process to monitor and detect these

threats, known as security management, should be considered. The objective of

this process is to achieve the necessary security level of an automation solution

and to maintain it on a permanent basis. The risk analysis component contained

within a security management process ensures that only appropriate

countermeasures will be implemented to reduce the risks. An example of a security

management process is as follows:

In STEP 7 V5.x and in STEP 7 (TIA Portal), there are different protection facilities -

to protect the know-how of the programs in the blocks against unauthorized

persons.

 Know-how protection

 S7 Block Privacy

If a block protected by this function is opened, only the block interface (IN, OUT

and IN/OUT parameters) and the block comment can be read. The program code,

temporary/static variables and the network comments are not displayed.

It is not possible to modify a protected block.

With the S7 Block Privacy, only FBs and FCs can be protected.

With the attribute KNOW_HOW_PROTECT a know-how protection mechanism for

blocks of type OB, FB and FC can be activated.

The CPU can be the server for a number of communication services. In this mode,

other communication devices can access the CPU data without having been

configured or programmed explicitly for the CPU. In the same way the local CPU

does not have the possibility of controlling the communication to the clients.

Whether this type of communication is admissible for the local CPU or not, is

Communications, for which the local CPU is only server (that means, that there is

no configuration / programming of the communication to the communication

partner), are not possible in the operation of the CPU.

This includes:

 PUT/GET, FETCH/WRITE or FTP access via communication modules

 PUT/GET access by other S7-CPUs

 HMI access via PUT/GET communication

Firewalls make it possible to filter the incoming and outgoing traffic that flows

through a system. A firewall can use one or more sets of “rules” to inspect network

packets as they come in or go out of network connections and either allows the

traffic through or blocks it. The rules of a firewall can inspect one or more

characteristics of the packets such as the protocol type, source or destination host

address, and source or destination port.

The filter capabilities of a package filter can be improved considerably if the IP

packages are checked in their proper context. For instance, a UDP package

arriving from an external computer should only be forwarded internally if another

UDP package has been sent to that computer shortly before from within the

 with UDP connections: simulation of virtual connections

 creation and deletion of dynamic filter rules.

A VPN (virtual private network) is a private network that uses a public network (like

the Internet) for the transmission of private data to a private target network. The

networks need not be compatible with one another.

its own network packages to separate the transport of private data packages from

the others. Due to this fact, the private networks appear as a shared logical (virtual)

network.

An important aspect for the communication of data across network boundaries is

IPSec (IP security). It is a standardized protocol suite and provides for

Network Address Translation (NAT) / Network Address Port Translation (NAPT)

are methods for converting private IP addresses into public IP addresses.

NAT is a protocol for address conversion between two address spaces. The main

task is the conversion of public addresses, i.e. IP addresses used and routed on

the Internet into private IP addresses and vice versa.

Through the use of this technology the addresses of the internal network are not

visible in the external network. In the external network, the internal nodes are only

visible via external IP addresses defined in the address conversion list (NAT table).

The typical NAT is a 1:1 conversion, i.e. a private IP address is converted to a

NAT is the fact that ports can be converted too with this protocol.

The IP address is no longer converted 1:1. Instead, there is only one public IP

address which is converted to a number of private IP addresses by adding port

numbers.

The target address for the internal nodes is an external IP address with a port

number.

The NAPT table contains the assignment of external ports to private IP addresses

including port numbers and is configured and managed in the gateway or router.

The File Transfer Protocol is a specified network protocol for data transmission

For this, FTP creates two logical connections: a control channel via port 21 for the

transmission of FTP commands and their responses as well as a data channel via

port 20 for data transmission.

Secure data transmission with FTP is achieved with a combination of FTP and the

SSL protocol and uses the same ports as in the normal FTP mode (port 20/21).

A certificate which is generated and delivered with the configuration of the security

CP is used as the key for SSL.

Secure FTP data transfer with CPx43-1 Advanced V3 is only possible if the

security function is enabled and is explicitly permitted in the configuration of the

CP.

NTP (secure) allows for secure and authenticated time synchronization by means

of authentication methods and a joint encryption code. Both the NTP server and

the NTP clients must support this function.

A secure time synchronization is supported by CP x43-1 Advanced V3 and CP

1x43-1, if the Security Function is activated and the expanded NTP configuration

has been explicitly activated in the configuration.

The Hypertext Transfer Protocol (HTTP) is part of the family of Internet protocols

and is a standardized procedure for transferring data within a network. HTTP is

primarily used for loading websites from a web server to a web browser.

Data transported via HTTP are readable as plain text and can be intercepted by

third parties.

Today particularly – in the age of online banking, online shopping, and social

networks – it is important that the transmission of confidential and personal data is

secure and protected against unauthorized access.

be configured to use HTTPS exclusively, providing an increased level of security

SNMP – Simple Network Management Protocol – is a UDP-based protocol that

was specified particularly for the administration of data networks and in the

meantime has established itself also as a de facto standard for TCP/IP devices.

The individual nodes in the network – network components or terminals – feature a

SNMP agent that provides information in a structured form. This structure is

referred to as MIB (Management Information Base). In the network node, the agent

is usually implemented as firmware functionality.