Virus protection and firewalls
Firewalls and virus scanners at dedicated access points protect individual computers or networks within the security cells against unauthorized access and infiltration.
The SIMATIC PCS 7 Security Concept supports the use of the Microsoft® Forefront Threat Management Gateway, the Windows firewall, Scalance S security modules and VPN connections with IPsec. These modules differ from office equipment in their industrial capability and their optimized communication of process information. Alongside firewalls, virus scanners are the best-known security precautions. SIMATIC PCS 7 supports the three most commonly used virus scanners for production and control systems:
Trend Micro™ OfficeScan Corporate Edition
Symantec™ Antivirus Corporate Edition
McAfee™ VirusScan Enterprise
A. Automation firewall
The automation firewall is based on the Microsoft® Forefront Threat Management Gateway 2010 and provides stateful inspection packet filters, an application layer firewall, VPN gateway functionality, URL filtering, a Web proxy, virus scanning, and intrusion prevention. It thus protects the access point to the production environment, e.g. from the office network or from intranet/Internet networks. Depending on plant size, it can be used as follows:
Access point firewall for secure remote access in process plants and IT networks.
Three-homed firewall for plants with complex perimeter networks.
Front and back firewall for maximum protection in larger plants with extensive perimeter networks.
The automation firewall is supplied preinstalled. A user-friendly configuration wizard is provided for setup.
B. Application whitelisting
Application whitelisting protection mechanisms guarantee that only trustworthy applications and programs are executed on a station of the SIMATIC PCS 7 process control system. They prevent both the execution of unauthorized software and the modification of installed applications, thus adding to the existing protection against malware (malicious software).
1. Benefits of Whitelisting
Based on a positive list, so it does not require continuous updates to combat new malware threats
Additional "layer of defense"
Effective protection against "zero-day exploits"
Logging of attacks on the system (local / central)
2. PCS 7-specific support
McAfee Application Control has been compatibility-tested with the following PCS 7 versions: V6.1.4, V7.0.3, V7.1.2, V7.1.3 and V8.0.
C. User and rights management
Consistent user and rights management with precise access control is another key element of the security concept. The Least Privilege Principle applies here: each user or application receives only those rights required for the actual task at hand. This is the best way to avoid intentional or unintentional operating errors.
SIMATIC PCS 7 supports central user management with the SIMATIC Logon software package, which enables the assignment of permissions for SIMATIC applications and plant areas.
SIMATIC Logon uses the Windows user management tools for functions such as automatic logoff and automatic expiration of passwords.