A secure plant
Defense in Depth
Task related permissions
Central Administration
Selected Examples
Perimeter with Multiplexing Proxy
Central Administration
Access Restriction
Secure Plant
Security as a philosophy
Risk Management
Periodic review of countermeasures
Organisational
Technical
Best Practice: Defense in Depth
Defence in Depth
Plant security
Access Control
Physical
Persons
Network security
Clearly defined segments
Access Control
System integrity
"Prevent misuse"
Internally: Use Roles for Operators
Externally: Use Virus Scanners
Layers of Protection
physical protection
Layers
Protection
of single access points
Layers of protection diagram (text recovered from two overlapping copies of the slide):
Support for Administration: perimeter zones, certificate-based, authenticated
Support for Runtime Systems: standardized application-layer filtering, encrypted communication
Cell based approach: secure authentication and Single Sign-On
Split into functional groups: secure authentication and Single Sign-On
Keep disturbance local: system hardening
Security Measures
Supported by WinCC OA
Overview of Security Options
in WinCC OA
Type of Access
WinCC OA is supportive
Protect its core
Provide mechanisms for integration
Perimeter Zones
Encrypted
Communication
Perimeter Zone Example: Ultralight Client
Single Access
ULC connects through firewall
"Hardening for SIMATIC WinCC OA means that the functions and programs which are not necessary for the operation of the computer within the system environment are disabled or restricted."
System Hardening
Central Administration of Distributed Systems
Many Options
Kerberos based
Built in: Dist Management
Manual (?)
Combinations
Advantage
Unique user information even in large systems
No local management
Less engineering effort
Access Restriction to Contents
Security Plugin
Part of API
Freely programmable
For all Managers
Works on Message Level
Security and WinCC OA
Long Tradition
Changed from Add-On to Default
Jürgen Mad
ETM professional control
joergen.mad@etm.at
https://portal.etm.at/