Beckhoff IPC-Security User Manual

Browse online or download the user manual for Beckhoff IPC-Security computer accessories. BECKHOFF IPC-Security User Manual


Summary of contents

Page 1 - IPC Security

Documentation about IPC Security
Version: 2.0.2
Date: 2015-01-22

Page 2 - Contents

3. Direct Local Access
3.1. Overview
This chapter deals with the scenario that a cyber criminal has direct, local access to the industrial controller. The

Page 3

3.1.3. Potential threat scenarios
The following chapter gives a short overview about possible threat scenarios, which may or may not be representative i

Page 4 - 1. Foreword

▪ Changing boot priority
▪ Resetting BIOS settings
▪ Changing CPU speed (critical for real-time applications)
▪ Disabling USB input devices (critical for

Page 5 - 1.1.5. Delivery conditions

SMB and FTP user accounts
These user accounts are needed to use the integrated FTP Server or to share files and folders via the integrated SMB Server. B

Page 6 - 1.2. Documentation status

Setting | Description
Enforce password history | Remembers the n last used passwords so that you cannot set them again
Maximum password age | Sets the amount of d

Page 7

Category | Description
Default Security | This template represents the default security settings that are applied during installation of the operating sys

Page 8 - 2.4. Further information

Template | Description
Disallowed | Software will not run, regardless of the access rights of the user. Blocks users from executing an application by defaul

Page 9 - IPC Security 9

3.2.3.8. Webserver
Beckhoff images that are based on Windows XP or Windows 7 are delivered with an activated IIS Webserver that hosts different web-bas

Page 10 - 3. Direct Local Access

3.2.3.14. The Encrypting File System (EFS)
With EFS, Windows XP gives you the opportunity to encrypt files and folders on your industrial controller. I

Page 11 - 3.2. Hardening

Control Panel. You should control access to these USB ports and also control which USB sticks can be attached to the industrial controller. Please see c

Page 12 - 3.2.2. Windows CE

Contents
1. Foreword 4
1.1. Notes on the documentation 4
1.1.1. Disclaimer

Page 13 - 3.2.3. Windows XP / Windows 7

4. Indirect Local Access
4.1. Overview
This chapter is based on the scenario that a cyber criminal has only indirect access to the industrial controller

Page 14

itself, just as this may be the case for a regular user. Please take the following chapters as a means to gain a better awareness for this scenario.
4.1

Page 15

4.2.2. Windows XP / Windows 7
4.2.2.1. Windows Updates
It is important to understand the different update scenarios from an IT infrastructure point-of-v

Page 16

Scenario 2: Industrial network entirely separated from IT network
In this scenario the IT and industrial network are physically separated and there is

Page 17

TwinCAT – Windows Updates compatibility
We often get the question if TwinCAT has any known issues with Windows Updates. Up to this date there have not b

Page 18

4.3. Complementary Hardware mechanisms
4.3.1. Hardware appliances for Anti-Virus
Vendors of Anti-Virus software sometimes offer special hardware applian

Page 19 - 3.3.2. Video surveillance

5. Remote Access
5.1. Overview
This chapter is based on the scenario that a cyber criminal tries to attack the industrial controller from a remote locati

Page 20 - 4. Indirect Local Access

Software | Category | Description
Microsoft Windows XP | System software | Operating System
Microsoft Windows 7 | System software | Operating System
Microsoft Window

Page 21 - 4.2. Hardening

5.1.3.4. Exploiting vulnerabilities of the operating system
By reaching a vulnerable network service of the operating system (e.g. SMB as described in M

Page 22 - 4.2.2. Windows XP / Windows 7

5.2. Hardening
This chapter explains some common strategies that can be deployed to actively secure components that are part of the scenario. Because th

Page 23

5.2. Hardening 29
5.2.1. Windows CE

Page 24

5.2.2. Windows XP / Windows 7
5.2.2.1. Remote dial in
Windows XP and Windows 7 enable users to configure a remote dial in connection (via VPN or an atta

Page 25 - 4.4.1. Anti-Virus software

Remote Desktop Protocol (RDP) and communication encryption
When making an RDP connection to a Windows 7 computer, this computer creates a self-signed ce

Page 26 - 5. Remote Access

A. Appendix
A.1. Remote Maintenance
Remote maintenance has always been an important part of every industrial controller. In case of a problem, service

Page 27

Please also consult [11] for more information.
A.1.2. Remote maintenance from inside the organization
A very common scenario is that the service compute

Page 28 - 5.1.4. Protocols

A.1.4. Remote maintenance via VPN server on IPC
As described in chapter 5.2, Windows CE and Windows XP/7 operating systems provide all necessary functio

Page 29 - 5.2. Hardening

After the ADS route between both devices has been created, the routing table on Device1 will look as follows:
AMS-NetID | Transport address | Hostname (if

Page 30 - 5.2.2. Windows XP / Windows 7

A.3. Third-Party connectivity
Third-party connectivity involves the connection of other systems, e.g. HMI, MES, ERP or other external applications, to t

Page 31

▪ Integrated Windows Authentication
▪ Authentication via a Security Token, for example Windows Azure ACS
▪ X.509 certificates
A.3.2.2. Confidentiality
WCF

Page 32 - A. Appendix

A.3.3.2. Integrity
The signing of messages prevents a third party from changing the contents of a message. This prevents, for example, a write statement

Page 33

A.4.1. General information
A.4.1.1. Overview Beckhoff web-based services
The following table gives an overview about all Beckhoff web-based services tha

Page 34 - A.2. TwinCAT ADS

1. Foreword
1.1. Notes on the documentation
This description is only intended for the use of trained specialists in control and automation technology wh

Page 35 - A.2.4. ADS via NAT

A.4.1.3. Overview Beckhoff software paths
The following table gives an overview about all Beckhoff software applications that may be executed in a Windo

Page 36 - A.3. Third-Party connectivity

A.4.1.4. Overview Beckhoff network services
Default network services
The following table provides an overview about network services that are part of a

Page 37 - A.3.3. OPC-UA

2. Enter a password in the fields Password and Confirm password
3. Finish with OK
After a reboot, users will not be able to select a dialog or start an a

Page 38 - A.4. Step-by-Step

A.4.2.4. Changing password for SMB and FTP user
To change the password for an SMB or FTP user account, you can use the Beckhoff CX Configuration Tool. T

Page 39 - A.4.1. General information

4. The RAS User Management can then be found on the right hand side in this window
For a detailed description of the RAS Server, please consult the cor

Page 40

Attribute | Type | Default value | Description
Enable | DWORD | 0x00000000 | Disables (0) or enables (1) RAS Server
StartupDelaySeconds | DWORD | 0x00000000 | Specifies t

Page 41 - A.4.2. Windows CE

Protocol | Value (Hex) | Information
PAP | 0x00040000 | Password for authentication is being transmitted in clear-text! Insecure!
CHAP | 0x00080000 | Uses a random

Page 42

To configure the RAS Server for incoming modem connections, you need to open the CX Configuration tool on your CE device:
1. Open the Start Menu and go

Page 43

4. Select Connect to a workplace
5. Select No, create a new connection (Please note: This screen only shows if there are any dial in connections configu

Page 44

To configure the RAS Server for incoming VPN connections, you need to open the CX Configuration tool on your CE device:
1. Open the Start Menu and go to

Page 45

1.1.4. Copyright
© Beckhoff Automation GmbH, Germany. The reproduction, distribution and utilization of this document as well as the communication of it

Page 46

A.4.2.7. Configuring the firewall
The firewall for Windows CE can be configured via the Beckhoff CX Configuration Tool.
A.4.3. Windows XP / Windows 7
A.4

Page 47

A.4.3.2. Creating an Audit Policy
To create an Audit Policy, please perform the following steps:
1. Open the Local Security Settings by opening the Cont

Page 48

A.4.3.4. Configuring security templates
To view the settings of each template in more detail, you can start the Security Templates Snap-in by performi

Page 49

5. Right-click the Security Configuration and Analysis entry and select Open Database
6. Enter a name for this database (can be any name)
7. Select the

Page 50 - A.4.3. Windows XP / Windows 7

Value | Description
0x1 | Disables Autorun on drives of unknown type
0x4 | Disables Autorun on removable devices
0x8 | Disables Autorun on fixed drives
0x10 | Disab

Page 51

This registry key may contain one of the following values:
Value | Description
0x0 | Access to the command line is allowed and batch files may be executed
0x

Page 52

restart the operating system to make the changes become active.
To make a drive letter disappear from the Explorer view, you need to create a new REG_D

Page 53

7. In this window, expand the folder Personal and select Certificates
8. You should now see a certificate whose Intended Purpose shows Encrypting File

Page 54

2. Click on Settings and select the tab Computer
3. Click on Configure items to exclude from Scans
4. Click on Add and select the TwinCAT installation d

Page 55

Trend Micro
The following screenshots are based on Trend Micro Titanium AntiVirus Plus 2012.
1. Open the settings by clicking on the gear icon
2. On the

Page 56

1.2. Documentation status
Version | Comment
2.0.2 | ▪ Layout changes
2.0.1 | ▪ Revision of the document
2.0.0 | ▪ New structure for content ▪ Moved step-by-step artic

Page 57

4. Click on Browse and select the TwinCAT installation directory, by default C:\TwinCAT\, followed by clicking on Open
5. Activate the checkbox next to

Page 58

On the other hand, if you only want specific USB Storage devices to be available on the Controller, the above steps can easily be adapted to your needs

Page 59

3. Open the File menu and select New incoming connection
4. To configure a new user account which may be used for the dial in connection, please click

Page 60

5. When asked How to connect?, select Through the Internet and click on Next. This is also the location where you differentiate between a VPN and a mod

Page 61

7. After the connection has been set up, you can use the Windows VPN Client to establish a connection to the IPC Controller. Please see below for the n

Page 62

forwarding settings as mentioned in the documentation of your Internet router.
8. Click on Next
9. Enter a Username and a Password for this connection.

Page 63 - IPC Security 63

A.4.3.17. Configuring RDP
You can configure which users are able to access a computer via RDP by performing the following steps:
1. Right-click the symb

Page 64

A.4.3.18. Configuring IPSec
Setting up the IPSec Server (PLC Controller)
To configure the PLC Controller as an IPSec Server you need to open the IP Secu

Page 65

3. Right-click the Server (Request Security) profile and select Properties
4. Select the All IP traffic rule and click on Edit
5. Using the tab Authenti

Page 66

A.4.3.19. Configuring the firewall
Windows Firewall (Windows 7)

Page 67

2. Introduction
2.1. Abstract
Beckhoff Industrial PCs and Embedded PCs provide a platform based on a standardized and well-supported operating system to p

Page 68

Windows Firewall (Windows XP)

Page 69 - IPC Security 69

B. Contact Information
B.1. Support and Service
Beckhoff and their partners around the world offer comprehensive support and service, making available fa

Page 70 - Windows Firewall (Windows XP)

▪ on-site service
▪ repair service
▪ spare parts service
▪ hotline service
hotline: + 49 (0) 5246/963-460
fax: + 49 (0) 5246/963-479
e-mail: service@beckhof

Page 71

Bibliography
[1] Beckhoff Automation GmbH & Co. KG. Infosys - ADS Introduction, 2015. URL http://infosys.beckhoff.com/content/1031/tcadscommon/html

Page 72 - B.2.3. Product security

General overview and content
Chapter 2 provides the reader with an overview about security in industrial automation and describes the content of this do

Page 73 - Bibliography

2.5. Addressing security concerns
To address security-related concerns or security issues with our products, you may contact us at product-secinfo@bec
