Which security precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment?
This FAQ is divided into the sections below.
Siemens offers products and solutions with industrial security functions which support the secure operation of plants, solutions, machines, devices and/or networks. They are important components in a comprehensive industrial security concept. The Siemens products and solutions continue to be developed under this aspect. Siemens recommends that you keep yourself regularly informed about product updates.
For the safe operation of Siemens products and solutions it is necessary to take appropriate security measures (cell protection concept, for example) and to integrate each component in an overall industrial security concept which is state of the art. This should also cover the third-party products used. Additional information about industrial security is available at: http://www.siemens.com/industrialsecurity.
In order to keep yourself informed about product updates, we recommend subscribing to our product-specific newsletter. Additional information about this is available at
Below are descriptions of measures for protecting the IT environment of a process control system against unintentional and unauthorized access. Here, not only a single computer is considered, for example, but always the complete IT environment including the network components. Depending on the configuration available, the first step is to achieve an acceptable security level for the complete IT environment of the process control system by combining different security measures.
In practice, unintentional or unauthorized access can occur in different ways. Therefore we distinguish between the following possible types of access:
- Local access (directly on the computer)
- Network access
- Local network (access via a network with limited range, LAN, for example)
- Non-local network (access via a network with extensive geographical range, the internet, for example)
The use of IWLAN (Industrial Wireless LAN) is not released for PCS 7 on the plant bus. Operation on the terminal bus is released to a limited extent.
Unauthorized hardware access is understood to be the mechanical or electrical intervention in a computer system that can be made via the interfaces below:
- USB interface
- Flash card
- CD/DVD drive
- Disk drive
Malicious code, a Trojan horse or virus, for example, can be installed and executed on the computer through these interfaces.
Execution can occur with or without user action:
- Active execution by the user
- Program installation
- Opening of a (PDF) document, picture, music file or similar
- Opening of an e-mail attachment or an e-mail link
- Opening of a web page
- Automatic execution without user action
- Displaying the table of contents of a drive
- So-called "drive-by attack" or "drive-by infection" through visiting a website
- "Man-in-the-middle" attack
Unauthorized software access through malicious code can have the following effects:
- Utilization of program interfaces (server services, for example)
- Execution of actions on the infected system (shutdown or changing of data, for example)
- Execution of actions on other systems in local and non-local networks
Through these types of access the attacker can obtain control over systems without knowing a system password or having any other access authorization and can then access the data and programs stored there.
SIMATIC PCS 7 Industrial Workstation
In order to prevent unauthorized use of the hardware interfaces in SIMATIC PCS 7 Industrial Workstations we recommend installing the computer system in a lockable cabinet (desk, control cabinet or rack system, for example) and also lock the front cover. The keys should be entrusted to a responsible person like the administrator.
External computer systems
In order to prevent unauthorized use of the hardware interfaces in external computer systems, we recommend installing the system in a lockable cabinet or locating it in a lockable room (computer or server room, for example). The keys should be entrusted to a responsible person like the administrator. Access to computer/server rooms should be permitted only for authorized personnel.
In addition, you should also configure the BIOS of your computer as follows.
- Protect the BIOS with a password that is known only to the administrator.
- Set the hard disk as the first boot medium in the boot sequence. This makes it difficult to boot from another medium.
- If you do not need the USB interfaces (for mouse, keyboard etc., for example), you can deactivate them in the BIOS settings.
- The entry http://support.microsoft.com/kb/967715/en provides a description of how to disable the Autorun functionality in Windows operating systems. Disabling this function will prevent automatic starting of programs from external data media. This is the default setting in more recent versions of the Windows operating system (Windows 7, for example).
- Assign Windows users rights according to the minimality principle. The users are assigned exactly those rights that they need to fulfill their tasks. Information on user administration is available in Entry ID: 22229786. Standard user rights are sufficient for operating PCS 7 and WinCC.
- Update the operating system installation regularly using the Security Patches provided by Microsoft. The Security Patches tested for compatibility with SIMATIC PCS 7 are listed in Entry ID: 18490004.
- Use a virus scanner to protect your system. Entry ID: 64847781 provides information about which virus scanners are released in PCS 7 and WinCC.
- Use the so-called white listing technology to further protect your system. Entry ID: 88653385 includes information about how to configure this technology.
- The entry http://support.microsoft.com/kb/555324/en provides a description of how to use ADM templates. By using adapted templates you can define guidelines for users/user groups, which permit, for example, the locking of drivers required for the USB interfaces, CD/DVD drives etc.
- Distribute these access rights to project folders according to the minimality principle.
Engineering and operator station
- In the case of OS servers and clients, the AutoLogin of a user should be configured and Runtime should be enabled automatically after user login. A description is available in Entry ID: 23598260 and 23061262.
- Assign the operator the rights according to the minimality principle. The operator is assigned only exactly those rights that are needed to fulfill his/her tasks.
- Instructions on assigning rights are available in the manuals below:
- Operators should not be given the opportunity to access the Windows Desktop (for starting a program, for example). A description is available in Entry ID:
The security concept must be elaborated together by the network administrators of company networks (IT administrators) and automation networks (automation engineers). They define which rights, programs and processes are required for which applications and on which computers and how the network structure is to be designed to be optimally secure.
|White paper, manual and FAQ||Chapter / Section||Entry ID|
|Manual - SIMATIC Process Control System PCS 7 Compendium Part F - Industrial Security (V8.0)||77507462|
|Manual - SIMATIC Process Control System PCS 7 Security Concept PCS 7 & WinCC (Basic)||60119725|
|Manual - PCS 7 and WinCC Security Concept (Detail) - Administration of Virus Scanners||38625951|
|Manual - SIMATIC Process Control System PCS7 Operator Station (V8.0 SP1)||Setting user rights||68157026|
|Manual - WinCC: Working with WinCC||Creating a User Administrator||73506085|
|FAQ - How can you automatically log in a default user after a Runtime reboot without using the SIMATIC Login Box?||19141675|
|FAQ - With Windows Server 2000/2003, Windows 2000 Professional, Windows XP Professional and Windows Vista, what should you do if disabling the key combinations is ineffective in WinCC?||332356|
|FAQ - How can you lock key combinations in WinCC V7.0 SP2 and higher, and in WinCC (TIA Portal) with Windows 7 or Windows Server 2008?||44027453|
|FAQ - How can you have the current picture continued to be shown when you log out of WinCC Runtime?||16626380|
|FAQ - Which Microsoft Security Patches have been tested for compatibility with SIMATIC PCS 7?||18490004|
|FAQ - Which Microsoft Security Patches have been tested for compatibility with SIMATIC WinCC?||18752994|
|FAQ - Compatibility Tool for Automation and Drive Technology||64847781|
|FAQ - How do you configure the WinCC AutoStart?||23061262|
|FAQ - How do you configure the Windows AutoLogin?||23598260|
|Updates - Using whitelisting protection mechanisms with SIMATIC products||49382928|
|Using white listing with McAfee Application Control in the PCS 7 / WinCC environment||88653385|
|How to: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers||http://support.microsoft.com/kb/555324/en|
|How to disable the Autorun functionality in Windows||http://support.microsoft.com/kb/967715/en|
Network architecture, Security settings, Virus infection, DMZ, Plant security, USB device