Recommended Security Measures for Devices and Solutions
You have to protect components, networks, and systems against unauthorized access and ensure the integrity of data.
As a part of this, you must take organizational and technical measures to protect network-capable devices and solutions. These measures are listed below.
Further Info
In addition to this topic, also read and observe the information given in the following topics:
Do not integrate components and systems into public networks
- Avoid integrating your components and systems into public networks.
- If you have to access your components and systems via a public network, use a VPN (Virtual Private Network).
Set up a firewall
- Set up a firewall to protect your networks, and the components and systems integrated into them, against access from outside.
- Use a firewall to segment a network or to isolate a controller.
- Activate the built-in controller firewall if the controller provides one.
Deactivate unneeded communication channels
- Deactivate unnecessary communication channels and services (e.g., SNMP, FTP, BootP, DCP) on the components you use. Every open service is a potential entry point, so only keep the ones the application actually needs.
Take Defense-in-Depth strategies into consideration when planning systems
Measures considered in isolation are not sufficient to protect your components, networks, and systems. Defense-in-Depth strategies combine several coordinated measures at different layers and involve operators, integrators, and manufacturers alike.
- Take Defense-in-Depth strategies into consideration when planning systems.
Restrict access rights
- Restrict access rights for components, networks, and systems to the individuals who strictly require them for their tasks.
- Deactivate unused user accounts.
Secure access
- Change the default login credentials after initial startup.
- Use strong passwords that meet the complexity and maximum service life recommended by current guidelines.
- Change passwords in accordance with the rules applicable for their application.
- Use a password manager with randomly generated passwords.
- Wherever possible, use a central user administration system to simplify user management and login information management.
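The following helper illustrates the password rules from the list above in code. It is an added example and not part of PLCnext Engineer or any Phoenix Contact product: it generates passwords from the operating system's CSPRNG via the `secrets` module (never the `random` module, whose state is predictable), estimates their entropy, and rejects candidates that are too short, use too few character classes, contain the user name, or match a default-style credential. The `KNOWN_DEFAULTS` set is a constructed sample; the actual factory credentials of a device are found in its documentation, not in this list.

```python
"""Password hygiene helpers for controller and WBM accounts.

Added example (not Phoenix Contact code). KNOWN_DEFAULTS is a constructed
illustration of default-style credentials, not any device's real defaults.
"""
import math
import secrets
import string

# Full printable ASCII set (94 symbols) used for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of default-style passwords a checker should reject.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "plcnext", "private", "public"}

MIN_LENGTH = 12
MIN_CLASSES = 3


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    if lowered in KNOWN_DEFAULTS:
        problems.append("matches a known default credential")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a password drawn uniformly from `alphabet` (upper bound for
    human-chosen passwords, exact for the output of generate_password)."""
    return len(password) * math.log2(len(alphabet))


def generate_password(length: int = 20) -> str:
    """Draw a password uniformly from ALPHABET with the OS CSPRNG.

    secrets.choice() is backed by os.urandom(); the loop retries the rare
    draw that happens to miss a character class so the result always passes
    check_password() with an empty user name.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, username=""):
            return candidate


if __name__ == "__main__":
    # Typical use before provisioning a new controller account.
    new_pw = generate_password()
    print(new_pw, f"({entropy_bits(new_pw):.0f} bits)")
    print("admin/admin:", check_password("admin", "admin"))
```

A 20-character password over the 94-symbol alphabet carries about 131 bits of entropy, far beyond what an online login form can be brute-forced against; the policy check exists mainly to catch the human-chosen passwords that `generate_password()` would never produce.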
Use secure access paths for remote access
- Use secure access paths such as VPN (Virtual Private Network) or HTTPS for remote access.
Activate security-relevant event logging
- Activate security-relevant event logging in accordance with the security directive and the legal requirements on data protection.
Use the latest firmware version
Phoenix Contact regularly provides firmware updates.
Any firmware updates available can be found on the product page for the respective device.
- Ensure that the firmware on all devices used is always up to date.
- Observe the Change Notes for the respective firmware version.
- Pay attention to the security advisories published on Phoenix Contact's Product Security Incident Response Team (PSIRT) website regarding any published vulnerabilities.
You can also access the PSIRT website via the 'Help' menu in PLCnext Engineer.
Use up-to-date security software
- Install security software on all PCs to detect and eliminate security risks such as viruses, trojans, and other malware.
- Ensure that the security software is always up to date and uses the latest databases.
- Use whitelisting (allow-listing) tools to monitor the devices and restrict what is permitted to run on them.
- Use an intrusion detection system to monitor the communication within your system.
Note
To protect networks for remote maintenance via VPN, Phoenix Contact offers, for example, the mGuard product range of security appliances, a description of which you will find in the latest Phoenix Contact catalog.
Perform regular threat analyses
- Perform a threat analysis on a regular basis.
Secure access to SD cards
Devices with SD cards require protection against unauthorized physical access. An SD card can be read with a conventional SD card reader at any time, so if you do not protect the card against unauthorized physical access (for example by using a locked control cabinet), anyone with physical access can read the sensitive data stored on it.
- Ensure that unauthorized persons do not have access to the SD card.
- When disposing of an SD card, destroy it so that the data cannot be recovered.
Refer to the topic "Controller Security (Settings via WBM)", section "SD card related setting" for details.