×
Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 44443744, Entry date: 04/29/2014
(0)
Rate

Which security precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment?

  • Entry
  • Associated product(s)

This FAQ is divided into the sections below.

Security Notes
Siemens offers products and solutions with industrial security functions which support the secure operation of plants, solutions, machines, devices and/or networks. They are important components in a comprehensive industrial security concept. The Siemens products and solutions continue to be developed under this aspect. Siemens recommends that you keep yourself regularly informed about product updates.
For the safe operation of Siemens products and solutions it is necessary to take appropriate security measures (cell protection concept, for example) and to integrate each component in an overall industrial security concept which is state of the art. This should also cover the third-party products used. Additional information about industrial security is available at: http://www.siemens.com/industrialsecurity.
In order to keep yourself informed about product updates, we recommend subscribing to our product-specific newsletter. Additional information about this is available at
http://support.automation.siemens.com.

Introduction
Below are descriptions of measures for protecting the IT environment of a process control system against unintentional and unauthorized access. Here, not only a single computer is considered, for example, but always the complete IT environment including the network components. Depending on the configuration available, the first step is to achieve an acceptable security level for the complete IT environment of the process control system by combining different security measures.
In practice, unintentional or unauthorized access can occur in different ways. Therefore we distinguish between the following possible types of access:

  • Local access (directly on the computer)
  • Network access
    • Local network (access via a network with limited range, LAN, for example)
    • Non-local network (access via a network with extensive geographical range, the internet, for example)

Note
The use of IWLAN (Industrial Wireless LAN) is not released for PCS 7 on the plant bus. Operation on the terminal bus is released to a limited extent.

Hardware Access
Unauthorized hardware access is understood to be the mechanical or electrical intervention in a computer system that can be made via the interfaces below:

  • USB interface
  • Flash card
  • CD/DVD drive
  • Disk drive 

Malicious code, a Trojan horse or virus, for example, can be installed and executed on the computer through these interfaces.
Execution can occur with or without user action:

  • Active execution by the user
  • Program installation
    • Opening of a (PDF) document, picture, music file or similar
    • Opening of an e-mail attachment or an e-mail link
    • Opening of a web page
  • Automatic execution without user action
    • Displaying the table of contents of a drive
    • So-called "drive-by attack" or "drive-by infection" through visiting a website
    • "Man-in-the-middle" attack

Software Access
Unauthorized software access through malicious code can have the following effects:

  • Utilization of program interfaces (server services, for example)
  • Execution of actions on the infected system (shutdown or changing of data, for example)
  • Execution of actions on other systems in local and non-local networks

Through these types of access the attacker can obtain control over systems without knowing a system password or having any other access authorization and can then access the data and programs stored there.

Recommended Configurations
Below are recommended configurations for restricting access to systems in the SIMATIC PCS 7 and WinCC environment.

Hardware
SIMATIC PCS 7 Industrial Workstation

In order to prevent unauthorized use of the hardware interfaces in SIMATIC PCS 7 Industrial Workstations we recommend installing the computer system in a lockable cabinet (desk, control cabinet or rack system, for example) and also lock the front cover. The keys should be entrusted to a responsible person like the administrator.

External computer systems
In order to prevent unauthorized use of the hardware interfaces in external computer systems, we recommend installing the system in a lockable cabinet or locating it in a lockable room (computer or server room, for example). The keys should be entrusted to a responsible person like the administrator. Access to computer/server rooms should be permitted only for authorized personnel.

In addition, you should also configure the BIOS of your computer as follows.

  • Protect the BIOS with a password that is known only to the administrator.
  • Set the hard disk as the first boot medium in the boot sequence. This makes it difficult to boot from another medium.
  • If you do not need the USB interfaces (for mouse, keyboard etc., for example), you can deactivate them in the BIOS settings.

Operating system

  • The entry http://support.microsoft.com/kb/967715/en provides a description of how to disable the Autorun functionality in Windows operating systems. Disabling this function will prevent automatic starting of programs from external data media. This is the default setting in more recent versions of the Windows operating system (Windows 7, for example).
  • Assign Windows users rights according to the minimality principle. The users are assigned exactly those rights that they need to fulfill their tasks. Information on user administration is available in Entry ID: 22229786. Standard user rights are sufficient for operating PCS 7 and WinCC.
  • Update the operating system installation regularly using the Security Patches provided by Microsoft. The Security Patches tested for compatibility with SIMATIC PCS 7 are listed in Entry ID: 18490004.
  • Use a virus scanner to protect your system. Entry ID: 64847781 provides information about which virus scanners are released in PCS 7 and WinCC.
  • Use the so-called white listing technology to further protect your system. Entry ID: 88653385 includes information about how to configure this technology.
  • The entry http://support.microsoft.com/kb/555324/en provides a description of how to use ADM templates. By using adapted templates you can define guidelines for users/user groups, which permit, for example, the locking of drivers required for the USB interfaces, CD/DVD drives etc.
  • Distribute these access rights to project folders according to the minimality principle.

Engineering and operator station

  • In the case of OS servers and clients, the AutoLogin of a user should be configured and Runtime should be enabled automatically after user login. A description is available in Entry ID: 23598260 and 23061262.
  • Assign the operator the rights according to the minimality principle. The operator is assigned only exactly those rights that are needed to fulfill his/her tasks.
  • Instructions on assigning rights are available in the manuals below:
  • Operators should not be given the opportunity to access the Windows Desktop (for starting a program, for example). A description is available in Entry ID:
    • 332356 (for Windows Server 2000/2003, Windows 2000 Prof., Windows XP Prof, Windows Vista)
    • 44027453 (for Windows 7, Windows Server 2008)

Note
The security concept must be elaborated together by the network administrators of company networks (IT administrators) and automation networks (automation engineers). They define which rights, programs and processes are required for which applications and on which computers and how the network structure is to be designed to be optimally secure.

Further Information
 

White paper, manual and FAQ Chapter / Section Entry ID
Manual - SIMATIC Process Control System PCS 7 Compendium Part F - Industrial Security (V8.0)   77507462
Manual - SIMATIC Process Control System PCS 7 Security Concept PCS 7 & WinCC (Basic)   60119725
Manual - PCS 7 and WinCC Security Concept (Detail) - Administration of Virus Scanners   38625951
Manual - SIMATIC Process Control System PCS7 Operator Station (V8.0 SP1) Setting user rights 68157026
Manual - WinCC: Working with WinCC Creating a User Administrator 73506085
FAQ - How can you automatically log in a default user after a Runtime reboot without using the SIMATIC Login Box?   19141675
FAQ - With Windows Server 2000/2003, Windows 2000 Professional, Windows XP Professional and Windows Vista, what should you do if disabling the key combinations is ineffective in WinCC?   332356
FAQ - How can you lock key combinations in WinCC V7.0 SP2 and higher, and in WinCC (TIA Portal) with Windows 7 or Windows Server 2008?   44027453
FAQ - How can you have the current picture continued to be shown when you log out of WinCC Runtime?   16626380
FAQ - Which Microsoft Security Patches have been tested for compatibility with SIMATIC PCS 7?   18490004
FAQ - Which Microsoft Security Patches have been tested for compatibility with SIMATIC WinCC?   18752994
FAQ - Compatibility Tool for Automation and Drive Technology   64847781
FAQ - How do you configure the WinCC AutoStart?   23061262
FAQ - How do you configure the Windows AutoLogin?   23598260
Updates - Using whitelisting protection mechanisms with SIMATIC products   49382928
Using white listing with McAfee Application Control in the PCS 7 / WinCC environment   88653385

 

Microsoft entries Link
How to: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers http://support.microsoft.com/kb/555324/en
How to disable the Autorun functionality in Windows http://support.microsoft.com/kb/967715/en

Additional Keywords
Network architecture, Security settings, Virus infection, DMZ, Plant security, USB device

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
https://www.siemens.com/cybersecurity#Ouraspiration.
Support to the statistics
With this function the IDs found are listed according to number (format .txt).

Generate list
Copy URL
Display page in new design
mySupport Cockpit
Related links