On the system side, SIMATIC PCS 7 supports implementation of guidelines and recommendations of the security concept by:

• Compatibility with current versions of the following virus scanners: Trend Micro OfficeScan, Symantec Norton AntiVirus and McAfee VirusScan
• Use of the local Windows firewall
• Automatic setting of safety-related parameters during setup, e.g. in DCOM, registry and Windows firewall
• Operator administration and authentication using SIMATIC Logon (for details, see "SIMATIC Logon" section)
• CP 1628 communication module with integrated security features (firewall, VPN) as an alternative to the Industrial Ethernet connection of SIMATIC PCS 7 Industrial Workstations
• Integration of the SCALANCE S602, S612, S623 and S627-2M industrial security modules
• Automation firewall
• Application whitelisting

CP 1628 communication module

CP 1628 communication module

The CP 1628 is a PCI Express card (PCIe x1) with its own microprocessor and integrated 2-port switch (2 x RJ45 connection, 10/100/1000 Mbps) for the connection of SIMATIC PCS 7 workstations to Industrial Ethernet.

In contrast to the comparable CP 1623, it has additional security features:

• Stateful Inspection Firewall for filtering communication based on their IP/port addresses
• Limiting bandwidth to avoid communication overload
• Secure communication through virtual private network (VPN) over IPsec tunnel
• Secure transmission of network analysis information to the network management system (SNMP V3)
• Secure transfer of the time (NTP V3)
• Monitoring through log files and their analysis using a syslog server

With the built-in security mechanisms, the CP 1628 can protect PCS 7 stations as well as their data communication within an automation network and remote access over the Internet. It enables secure access to individual stations or entire automation cells that are protected by security modules. Different security measures, such as firewall and VPN over IPsec tunnel, can also be combined.

For more information and technical specifications for the CP 1628 communication module, refer to the Catalog IK PI, section Industrial Ethernet, under System Utilities, System connection for PG/PC/IPC.

SCALANCE S industrial security modules

SCALANCE S industrial security modules

The SCALANCE S industrial security modules provide scalable security features, such as firewall, port filter, NAT, NAPT address translation and DHCP server (S602, S612, S623 and S627-2M) as well as authentication and data encryption with virtual private network (VPN) over IPsec tunnel (S612, S623 and S627-2M). They can be used, for example, to safeguard the cross-cell data exchange between components of automation and process control systems. Since they can be operated in bridge mode as well as router mode, they can therefore also be used directly at IP subnet boundaries.

The SCALANCE S industrial security modules have a rugged industrial design. For connection to Industrial Ethernet, they have 2 (S602 and S612) or 3 (S623 and S627-2M) 10/100/1000 Mbps ports (RJ45). In addition, the S627-2M is equipped with two slots for optional 2-port media modules (electrical or optical; for ordering data, see SCALANCE X-300).

Product versions:

• SCALANCE S602 industrial security modules
  • Uses the Stateful Inspection Firewall to protect network segments against unauthorized access
  • "Ghost mode" for protection of individual, even alternating, devices by dynamically taking over the IP address
• SCALANCE S612 industrial security modules
  • Uses the Stateful Inspection Firewall and VPN (Virtual Private Network) functionality to protect network segments against unauthorized access, data manipulation and espionage
  • Up to 128 IPsec tunnels can be operated simultaneously
• SCALANCE S623 industrial security modules
  • Uses the Stateful Inspection Firewall and VPN (Virtual Private Network) functionality to protect network segments against unauthorized access, data manipulation and espionage
  • Up to 128 IPsec tunnels can be operated simultaneously
  • Additional RJ45 DMZ port (yellow) for setting up a "Demilitarized Zone" (DMZ), which can terminate VPNs and is secured by firewalls to the red and green port
  • Redundant protection of automation cells by means of router and firewall redundancy as well as stand-by linking of the redundant device via the yellow port
• SCALANCE S627?2M industrial security modules
  • Uses the Stateful Inspection Firewall and VPN (Virtual Private Network) functionality to protect network segments against unauthorized access, data manipulation and espionage
  • Up to 128 IPsec tunnels can be operated simultaneously
  • Additional RJ45 DMZ port (yellow) for setting up a "Demilitarized Zone" (DMZ), which can terminate VPNs and is secured by firewalls to the red and green port
  • Redundant protection of automation cells by means of router and firewall redundancy as well as stand-by mode of the redundant device; status matching of the firewall by means of a synchronization cable between the yellow ports
  • Two additional slots for one 2-port media module each (see SCALANCE X-300) for direct integration in ring structures and FO networks with two additional switched red or green ports per module
  • Bridging of longer cable runs; use of existing 2-wire cables by deploying MM992-2VD (variable distance) media modules

Note:

Using the supplied Security Configurations Tool (SCT), it is easy to create and configure the security modules that can communicate securely with one another. You do not require any special IT knowledge.

The complete configuration can be saved on the optional swap medium C?PLUG (order separately) and transmitted to another security module. This permits easy and fast replacement of modules in the event of a fault.

For more information and technical specifications of the SCALANCE S security modules, see Catalog IK PI, section "Industrial Ethernet", "Industrial Ethernet Security".

Automation firewall

The automation firewall (see Catalog ST PCS 7 AO, "Architecture and Configuration" section) features Stateful Inspection packet filter, application layer firewall, VPN gateway functionality, URL filtering, Web proxy and intrusion prevention. Depending on the plant size, it can be used as a front and back firewall or in a three-homed configuration. It thus protects the access point to the production environment, e.g. from the office or intranet networks. The automation firewall is supplied preinstalled.

The value of the Automation Firewall is increased even further by integrated services, e.g.:

• Hotline support
• Replacement service
• Software Update Service

Additive services complete the offerings, for example, customized firewall solutions or integration of firewalls in customer systems.