Siemens Industry Online Support
Siemens AG
Entry type: Application example Entry ID: 22376747, Entry date: 10/13/2014
Protection of an Automation Cell Using the SCALANCE S602 V3 and SCALANCE S623 Security Modules via a Firewall

Problem
With the advance of Industrial Ethernet solutions, increased networking with the office world and a large number of unsecured interfaces at the field level, security is of greatest importance also in industrial automation. To protect the internal secure network against threats from the office and IT environment, it is mandatory to control external access to the network or not to allow direct access.
The task of this application is to implement a security concept that meets the special requirements of industrial communication.

Solution
Two different approaches are used to implement this task.
First variant: An automation cell is to be connected to the company network so that, via access control, only certain devices or communication services have access to the internal nodes.
Second variant: Network nodes (e.g., FTP server) are to be accessible from both the secured and unsecured network without a direct connection between the networks.

The SCALANCE S602 V3 or SCALANCE S623 Security Modules of SIMATIC NET meet these requirements. These modules are part of the Siemens security concept and were developed specifically for industrial automation engineering. They can be configured as a firewall and thus be used to protect automation cells/components.

Your advantages at a glance

  • Protection against data espionage and data manipulation.
  • Protection against overload of the communications system.
  • User-friendly and easy configuration and administration without special knowledge of IT security.
  • Reaction-free installation of SCALANCE S in existing automation networks.
  • Scalable security functionality.
  • SCALANCE S configuration without expert knowledge of IT security by means of a uniform configuration tool, “Security Configuration Tool”, and the standard mode settings.
  • Remote diagnostics: Log files can be evaluated using Syslog server.
  • Controlled separation of networks protects sensitive corporate data against unauthorized access.
Contents of document 1
This document describes the implementation of a security concept by means of access control with the SCALANCE S602 V3. Only specific devices are allowed to communicate with the internal nodes.
This example provides a detailed description of:
  • Configuration in bridge mode.
  • Configuration in routing mode.
  • Configuration of NAT/NAPT.
  • Creation of global, local and user-defined firewall rules.
  • Symbolic addressing of internal nodes.
  • External logging via a Syslog server.

The following points are used as test scenarios:

  • Access to the internal file system of the CP343-1 Advanced via FTP.
  • Access to the Web server of the CP343-1 Advanced.
  • Configuration / diagnostics with STEP 7.
  • Node initialization of internal nodes using DCP.
  • Blocking unauthorized access attempts.
  • Logging the data packets.

All test scenarios are demonstrated for both bridge and routing mode.

Contents of document 2
In this document, a demilitarized zone (DMZ) is set up with the SCALANCE S623 to implement a security concept. The external network and the internal network are isolated from one another via the additional network.
This example provides a detailed description of:

  • Setting up a demilitarized zone with the SCALANCE S623 in routing mode.
  • Configuring the firewall for setting up the DMZ.
  • Symbolic addressing of internal nodes.

The following points are used as test scenarios:

  • Access to CPU data from the external network via the DMZ by means of FTP.
  • Sending Syslog messages from the internal network to the DMZ.

Downloads

  • Documentation: Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing). Download: 22376747_Firewall_S602_DOKU_V30_en.pdf (1957 KB)
  • Code: STEP 7 projects. Download: 22376747_Firewall_S602_CODE_V30.zip (1046 KB)
  • Documentation: Setting up a Demilitarized Zone (DMZ) with the Aid of the SCALANCE S623. Download: 22376747_DMZ_S623_DOKU_V10_en.pdf (920 KB)
  • Code: STEP 7 project. Download: 22376747_DMZ_S623_CODE_V10.zip (981 KB)

Further Information

  • Secure Remote Access to SIMATIC Stations via Internet and UMTS (Entry ID: 24960449)
  • Industrial Security with SCALANCE S Modules Over IPSec VPN Tunnels (Entry ID: 22056713)
  • Security with SIMATIC NET (Entry ID: 27043887)

Last modification
Change wording in HTML.

Additional Keywords
Firewall, S602, SCALANCE S, NAT, NAPT, routing, bridge, DMZ, S623


Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
https://www.siemens.com/cybersecurity#Ouraspiration.