Introduction 1

Fundamental safety
instructions 2

What is industrial security? 3

SINUMERIK / SIMOTION /
SINAMICS Why is industrial security
so important? 4
Motion Control
Industrial Security Security measures in
automation and drive 5
technology

Configuration Manual
Security management 6

General security measures 7

Product-specific security
measures 8

References A

01/2023
6FC5397-5EP40-6BA2
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance
are required to ensure that the products operate safely and without any problems. The permissible ambient
conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG Document order number: 6FC5397-5EP40-6BA2 Copyright © Siemens AG 2015 - 2023.

Digital Industries Ⓟ 01/2023 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Introduction ........................................................................................................................................... 7
1.1 About Industrial Security ...................................................................................................... 7
1.2 About this documentation ................................................................................................... 8
1.3 Feedback on the technical documentation ......................................................................... 10
1.4 mySupport documentation ................................................................................................ 11
1.5 Service and Support........................................................................................................... 12
1.6 OpenSSL ............................................................................................................................ 14
1.7 General Data Protection Regulation .................................................................................... 15
2 Fundamental safety instructions......................................................................................................... 17
2.1 General safety instructions................................................................................................. 17
2.2 Warranty and liability for application examples ................................................................... 18
2.3 Security information .......................................................................................................... 19
3 What is industrial security?.................................................................................................................. 21
4 Why is industrial security so important? ............................................................................................. 23
4.1 Trends with an impact on industrial security ....................................................................... 23
4.2 Possible corporate security vulnerabilities........................................................................... 24
5 Security measures in automation and drive technology..................................................................... 25
5.1 Security measures.............................................................................................................. 26
5.2 Siemens Industrial Holistic Security Concept ....................................................................... 28
5.3 Standards and regulations.................................................................................................. 29
6 Security management ......................................................................................................................... 31
7 General security measures .................................................................................................................. 33
7.1 Defense in depth concept................................................................................................... 34
7.2 Plant security ..................................................................................................................... 36
7.2.1 Physical protection of critical production areas.................................................................... 36
7.3 Network security................................................................................................................ 38
7.3.1 Network segmentation ...................................................................................................... 38
7.3.1.1 Separation between production and office networks........................................................... 38
7.3.1.2 Network segmentation with SCALANCE S ........................................................................... 39
7.3.2 PROFINET products and SNMP ............................................................................................ 42
7.3.3 Cloud Security ................................................................................................................... 42
7.3.4 Smart sensors (IoT) in the network ..................................................................................... 43
7.4 System integrity................................................................................................................. 46
7.4.1 System hardening .............................................................................................................. 46

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 3
Table of contents

7.4.1.1 Services and ports.............................................................................................................. 46

7.4.1.2 User accounts .................................................................................................................... 46
7.4.1.3 PC/notebooks and mobile devices in an industrial environment........................................... 47
7.4.1.4 Data storage ...................................................................................................................... 47
7.4.1.5 Transporting data .............................................................................................................. 48
7.4.1.6 Passwords.......................................................................................................................... 48
7.4.1.7 Product security notifications.............................................................................................. 49
7.4.1.8 Virus scanner ..................................................................................................................... 49
7.4.1.9 Whitelisting ....................................................................................................................... 50
7.4.2 Patch management............................................................................................................ 50
7.4.2.1 Product software................................................................................................................ 51
7.4.3 Data integrity..................................................................................................................... 51
7.4.4 Disposal............................................................................................................................. 52
8 Product-specific security measures ..................................................................................................... 53
8.1 SINUMERIK ........................................................................................................................ 54
8.1.1 Firewall and networking..................................................................................................... 54
8.1.2 Physical protection of the NCU ........................................................................................... 56
8.1.3 Machine control panels - SINUMERIK (MCP/MPP)................................................................. 56
8.1.4 System hardening .............................................................................................................. 57
8.1.4.1 Deactivating hardware interfaces ....................................................................................... 57
8.1.4.2 Communication services and used port numbers................................................................ 58
8.1.4.3 Integrity and authenticity protection SINUMERIK ONE ......................................................... 58
8.1.4.4 Secure Boot with SINUMERIK ONE ...................................................................................... 58
8.1.5 Virus protection ................................................................................................................. 58
8.1.5.1 Whitelisting ....................................................................................................................... 60
8.1.5.2 Virus protection / memory card .......................................................................................... 60
8.1.6 Security updates / patch management................................................................................ 60
8.1.7 Account management........................................................................................................ 61
8.1.7.1 Definition of access levels................................................................................................... 61
8.1.7.2 Safety Integrated password ................................................................................................ 63
8.1.7.3 CNC lock function .............................................................................................................. 64
8.1.7.4 Deleting the preinstalled SSH key ....................................................................................... 64
8.1.7.5 PLC web server .................................................................................................................. 65
8.1.7.6 Access levels for softkeys.................................................................................................... 65
8.1.7.7 BIOS and AMT access protection......................................................................................... 65
8.1.7.8 Password protection for Create MyConfig (CMC) ................................................................. 66
8.1.8 Know-how protection ........................................................................................................ 66
8.1.8.1 SINUMERIK Integrate Lock MyCycles ................................................................................... 66
8.1.8.2 SINUMERIK Integrate Lock MyPLC ....................................................................................... 67
8.1.8.3 OPC UA.............................................................................................................................. 68
8.1.8.4 User administration in the TIA Portal .................................................................................. 68
8.1.8.5 SIMATIC Logon................................................................................................................... 69
8.1.9 Data backup ...................................................................................................................... 69
8.1.10 Disposal............................................................................................................................. 70
8.2 CNC Shopfloor Management Software ............................................................................... 71
8.2.1 System overview................................................................................................................ 71
8.2.2 Cloud applications (In Cloud) ............................................................................................. 71
8.2.2.1 Manage MyMachines ......................................................................................................... 72
8.2.2.2 Manage MyMachines /Remote............................................................................................ 73
8.2.2.3 Analyze MyPerformance..................................................................................................... 74
8.2.3 PC/Server/Desktop applications (In Line) ............................................................................. 74

Industrial Security
4 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Table of contents

8.2.3.1 MCenter ............................................................................................................................ 74

8.2.3.2 Cloud mode ....................................................................................................................... 78
8.2.4 Control-related applications (In Machine, Industrial Edge for Machine Tools) ....................... 79
8.2.4.1 Industrial Edge for Machine Tools ....................................................................................... 79
8.2.4.2 Analyze MyWorkpiece /Monitor .......................................................................................... 84
8.2.4.3 Analyze MyMachine /Condition .......................................................................................... 85
8.2.4.4 Protect MyMachine /3D Twin .............................................................................................. 86
8.3 SIMOTION.......................................................................................................................... 88
8.3.1 System hardening .............................................................................................................. 89
8.3.1.1 Port security ...................................................................................................................... 89
8.3.1.2 Virus scan, Windows security patches, SIMOTION P............................................................. 90
8.3.2 Secure project storage ....................................................................................................... 90
8.3.3 Know-how protection ........................................................................................................ 92
8.3.3.1 Secure access control with SIMATIC Logon.......................................................................... 92
8.3.3.2 Know-how protection in engineering ................................................................................. 92
8.3.3.3 Copy protection for the configuration on the control system. .............................................. 93
8.3.4 Offline/online comparison .................................................................................................. 94
8.3.5 SIMOTION IT Web server .................................................................................................... 96
8.3.6 OPC UA server.................................................................................................................... 99
8.3.7 Disposal........................................................................................................................... 100
8.4 SINAMICS ........................................................................................................................ 101
8.4.1 Network security.............................................................................................................. 101
8.4.2 Know-how protection ...................................................................................................... 101
8.4.3 Parameters: Access levels and password ........................................................................... 103
8.4.4 Using the memory card.................................................................................................... 103
8.4.5 Safety Integrated ............................................................................................................. 104
8.4.6 Backing up and restoring data .......................................................................................... 105
8.4.6.1 Backup and restore .......................................................................................................... 105
8.4.6.2 Redundant data backup ................................................................................................... 106
8.4.6.3 Redundant_backup_more_info......................................................................................... 106
8.4.7 Communication services and used port numbers_Further_information ............................. 107
8.4.8 Communication services and used port numbers.............................................................. 107
8.4.9 Integrated web server ...................................................................................................... 107
8.4.9.1 Certificates for the secure data transfer ............................................................................ 108
8.4.10 Information about individual interfaces ............................................................................ 109
8.4.11 Disposal........................................................................................................................... 111
8.4.12 SINAMICS Startdrive and TIA Portal................................................................................... 112
8.4.12.1 Malfunctions of the machine as a result of incorrect or changed parameterization ............ 112
8.4.12.2 SINAMICS Startdrive......................................................................................................... 112
8.4.12.3 SINAMICS STARTER........................................................................................................... 113
8.4.13 SINAMICS Drive Control Chart (DCC)................................................................................. 115
8.4.13.1 Industrial security with SINAMICS DCC.............................................................................. 115
8.4.13.2 Use write and know-how protection ................................................................................. 118
8.4.14 SINAMICS Smart Access Module ....................................................................................... 118
8.5 SIMOCRANE ..................................................................................................................... 120
A References ......................................................................................................................................... 121
Glossary ............................................................................................................................................. 125
Index .................................................................................................................................................. 133

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 5
Table of contents

Industrial Security
6 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Introduction 1
1.1 About Industrial Security
Digitalization and the increasing networking of machines and industrial plants are also
increasing the risk of cyberattacks. Appropriate protective measures are therefore mandatory,
especially for critical infrastructure facilities. To protect industrial plants and systems
comprehensively against cyber attacks, measures must be applied simultaneously at all levels.
From the operational up to the field level – from access control to copy protection.
Visit our website for more information on Industrial security (https://www.siemens.com/
industrialsecurity).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 7
Introduction
1.2 About this documentation

1.2 About this documentation

Content
The "Industrial Security" documentation contains the necessary measures and information for
planning and configuring plants and systems. The documentation serves as a reference manual
and guideline. This documentation cannot and does not want to suggest that there is 100%
security because the current range of threats is much too diverse and complex. This
documentation includes all of the necessary measures that should be taken into account for
configuring systems in a secure environment. This documentation is intended to support
machine manufacturers in safely operating their controls or plants. You, as operator, are
responsible for implementing the security measures.

Target group
This documentation is intended for manufacturers of machine tools / production machines,
particularly:
• Planners and project engineers
• IT department of end users and OEMs
The following knowledge is a prerequisite for implementing the described security concepts:
• Administration of the IT technologies familiar from the office environment
• Configuration of the SINUMERIK/SIMOTION/SINAMICS products used

Structure
The manual is essentially divided into three parts:
• Description of the topic Industrial Security in the industrial context
• General security measures: This chapter describes universal measures you can take in
general - regardless of the product used - to make your system secure
• Product-specific measures: In this chapter - structured according to MC products - special
functionalities of the products are explained, which you can use to protect your system.

Standard scope
This documentation only describes the functionality of the standard version. This may differ
from the scope of the functionality of the system that is actually supplied. Please refer to the
ordering documentation only for the functionality of the supplied drive system.
It may be possible to execute other functions in the system which are not described in this
documentation. This does not, however, represent an obligation to supply such functions
with a new control or when servicing.
For reasons of clarity, this documentation cannot include all of the detailed information
on all product types. Further, this documentation cannot take into consideration every
conceivable type of installation, operation and service/maintenance.

Industrial Security
8 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Introduction
1.2 About this documentation

The machine manufacturer must document any additions or modifications they make to the
product themselves.

Websites of third-party companies

This document may contain hyperlinks to third-party websites. Siemens is not responsible for
and shall not be liable for these websites and their content. Siemens has no control over the
information which appears on these websites and is not responsible for the content and
information provided there. The user bears the risk for their use.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 9
Introduction
1.3 Feedback on the technical documentation

1.3 Feedback on the technical documentation

If you have any questions, suggestions or corrections regarding the technical documentation
which is published in the Siemens Industry Online Support, use the link "Send feedback" link
which appears at the end of the entry.

Industrial Security
10 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Introduction
1.4 mySupport documentation

1.4 mySupport documentation

With the "mySupport documentation" web-based system you can compile your own individual
documentation based on Siemens content, and adapt it for your own machine documentation.
To start the application, click on the "My Documentation" tile on the "mySupport links and
tools" (https://support.industry.siemens.com/cs/ww/en/my) portal page:

The configured manual can be exported in RTF, PDF or XML format.

Note
Siemens content that supports the mySupport documentation application can be identified by
the presence of the "Configure" link.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 11
Introduction
1.5 Service and Support

1.5 Service and Support

Product support
You can find more information about products on the internet:
Product support (https://support.industry.siemens.com/cs/ww/en/)
The following is provided at this address:
• Up-to-date product information (product announcements)
• FAQs (frequently asked questions)
• Manuals
• Downloads
• Newsletters with the latest information about your products
• Global forum for information and best practice sharing between users and specialists
• Local contact persons via our Contacts at Siemens database (→ "Contact")
• Information about field services, repairs, spare parts, and much more (→ "Field Service")

Technical support
Country-specific telephone numbers for technical support are provided on the internet at
address (https://support.industry.siemens.com/cs/ww/en/sc/4868) in the "Contact" area.
If you have any technical questions, please use the online form in the "Support Request" area.

Training
You can find information on SITRAIN at the following address (https://www.siemens.com/
sitrain).
SITRAIN offers training courses for automation and drives products, systems and solutions from
Siemens.

Siemens support on the go

Industrial Security
12 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Introduction
1.5 Service and Support

With the award-winning "Siemens Industry Online Support" app, you can access more than
300,000 documents for Siemens Industry products – any time and from anywhere. The app
can support you in areas including:
• Resolving problems when implementing a project
• Troubleshooting when faults develop
• Expanding a system or planning a new system
Furthermore, you have access to the Technical Forum and other articles from our experts:
• FAQs
• Application examples
• Manuals
• Certificates
• Product announcements and much more
The "Siemens Industry Online Support" app is available for Apple iOS and Android.

Data matrix code on the nameplate

The data matrix code on the nameplate contains the specific device data. This code can be read
with a smartphone and technical information about the device displayed via the "Industry
Online Support" mobile app.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 13
Introduction
1.6 OpenSSL

1.6 OpenSSL
This product can contain the following software:
• Software developed by the OpenSSL project for use in the OpenSSL toolkit
• Cryptographic software created by Eric Young.
• Software developed by Eric Young
You can find more information on the internet:
• OpenSSL (https://www.openssl.org)
• Cryptsoft (https://www.cryptsoft.com)

Industrial Security
14 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Introduction
1.7 General Data Protection Regulation

1.7 General Data Protection Regulation

Siemens observes standard data protection principles, in particular the data minimization rules
(privacy by design).
For this product, this means:
The product does not process or store any personal data, only technical function data (e.g.
time stamps). If the user links this data with other data (e.g. shift plans) or if he/she stores
person-related data on the same data medium (e.g. hard disk), thus personalizing this data,
he/she must ensure compliance with the applicable data protection stipulations.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 15
Introduction
1.7 General Data Protection Regulation

Industrial Security
16 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Fundamental safety instructions 2
2.1 General safety instructions

WARNING
Danger to life if the safety instructions and residual risks are not observed
If the safety instructions and residual risks in the associated hardware documentation are not
observed, accidents involving severe injuries or death can occur.
• Observe the safety instructions given in the hardware documentation.
• Consider the residual risks for the risk evaluation.

WARNING
Malfunctions of the machine as a result of incorrect or changed parameter settings
As a result of incorrect or changed parameterization, machines can malfunction, which in turn
can lead to injuries or death.
• Protect the parameterization against unauthorized access.
• Handle possible malfunctions by taking suitable measures, e.g. emergency stop or
emergency off.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 17
Fundamental safety instructions
2.2 Warranty and liability for application examples

2.2 Warranty and liability for application examples

Application examples are not binding and do not claim to be complete regarding configuration,
equipment or any eventuality which may arise. Application examples do not represent specific
customer solutions, but are only intended to provide support for typical tasks.
As the user you yourself are responsible for ensuring that the products described are
operated correctly. Application examples do not relieve you of your responsibility for safe
handling when using, installing, operating and maintaining the equipment.

Industrial Security
18 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Fundamental safety instructions
2.3 Security information

2.3 Security information

Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary
and only when appropriate security measures (e.g. firewalls and/or network segmentation)
are in place.
For additional information on industrial security measures that may be implemented, please
visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customer’s exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under
https://www.siemens.com/cert.
Further information is provided on the Internet:
Industrial Security Configuration Manual (https://support.industry.siemens.com/cs/ww/en/
view/108862708)

WARNING
Unsafe operating states resulting from software manipulation
Software manipulations, e.g. viruses, Trojans, or worms, can cause unsafe operating states in
your system that may lead to death, serious injury, and property damage.
• Keep the software up to date.
• Incorporate the automation and drive components into a holistic, state-of-the-art industrial
security concept for the installation or machine.
• Make sure that you include all installed products into the holistic industrial security concept.
• Protect files stored on exchangeable storage media from malicious software by with suitable
protection measures, e.g. virus scanners.
• On completion of commissioning, check all security-related settings.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 19
Fundamental safety instructions
2.3 Security information

Industrial Security
20 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
What is industrial security? 3
Definition of industrial security
Generally, industrial security is understood to be all of the measures for protecting against the
following:
• Loss of confidentiality due to unauthorized access to data
• Loss of integrity due to data manipulation
• Loss of availability (e.g. due to destruction of data or Denial-of-Service (DoS))

Objectives of industrial security

The objectives of industrial security encompass:
• Fault-free operation and guaranteeing of availability of industrial plants and production
processes
• Preventing hazards to people and production due to cyber security attacks
• Protection of industrial communication from espionage and manipulation
• Protection of industrial automation systems and components from unauthorized access and
loss of data
• Practicable and cost-effective concept for securing existing systems and devices that do not
have their own security functions
• Utilization of existing, open, and proven industrial security standards
• Fulfillment of legal requirements
An optimized and adapted security concept applies for automation and drive technology. The
security measures must not hamper or endanger production.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 21
What is industrial security?

Industrial Security
22 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Why is industrial security so important? 4
4.1 Trends with an impact on industrial security

Global trends
There are many new trends which affect industrial security. These effects underscore the
relevance of security functions and measures.
• Cloud computing in general
The number of network connections across the world is constantly increasing. This
increasingly enables technologies such as cloud computing and the associated applications.
In conjunction with cloud computing, there has been a massive increase in the number of
mobile devices, such as cell phones and tablet PCs.
• Wireless technology
On the other hand, the increasing use of mobile devices has only become possible thanks to
the ubiquitous availability of mobile networks. Wireless LAN is also becoming increasingly
available. The development of new WLAN and mobile radio standards continues to advance.
• Worldwide remote access to plants, machines and mobile applications
• The Internet of Things (IoT)
Millions of electronic devices are now network-capable and are communicating via the
Internet.
To keep networked components and applications running smoothly, your plant needs a
network infrastructure and applications that reliably protect against cyber attacks.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 23
Why is industrial security so important?
4.2 Possible corporate security vulnerabilities

4.2 Possible corporate security vulnerabilities

Possible corporate security vulnerabilities

The security chain of a company is only as strong as its weakest link. Security vulnerabilities can
occur in numerous places in an organization, such as:
• Employees / external companies
• Production plants
• Network infrastructure
• Data centers / PC workstations
• Laptops/tablets
• Printers
• Smartphones/smartwatches
• Mobile data storage media
A holistic approach is needed to identify security problems and find solutions. Binding
guidelines and regulations must address all relevant areas of a company: Devices, systems,
processes and employees.
The topic of data security is becoming increasingly important in the industrial environment,
especially due to the worldwide increase in legal requirements for data protection.

Possible threats:
Potential security threats include confidentiality, integrity, and availability. Examples of threats
are:
• Espionage of data
• Manipulation of data or software
• Sabotage of production plants
• System stoppage, e.g. due to virus infection or malware
• Unauthorized use of system functions

Possible effects of a security incident

• Loss of intellectual property
• Loss of production or reduced product quality
• Negative company image and economic damage
• Catastrophic environmental influences
• Danger to people and machines

Industrial Security
24 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Security measures in automation and drive
technology 5
Siemens automation and drive technology concerns itself with security aspects at the following
levels:
• Application security refers to products and functions that take into consideration the needs
of industrial security in the field of automation. This involves particular consideration of the
application and task at hand, as well as the people performing the actions in an automated
plant. This allows industrial security to be easily implemented in production processes.
• Security support provides support during the analysis, planning, implementation, testing
and optimization of industrial security - by means of specialists with special knowledge of
networks and the industry. These services lead to the highest possible level of industrial
security and operating capacity of the production plant.
With its "Industrial Cybersecurity Services" portfolio, Siemens offers comprehensive
customer support: With this service you can implement protective measures to increase the
security level of plants and production facilities. More information about the entire
"Industrial Cybersecurity Services" portfolio is provided on the Internet (https://
new.siemens.com/uk/en/products/services/digital-enterprise-services/industrial-security-
services.html).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 25
Security measures in automation and drive technology
5.1 Security measures

5.1 Security measures

With increasing digitalization, comprehensive security in the automation system is becoming
ever more important. For this reason, industrial security is a core element of every product that
can be networked.

Integration of security into the products

The following measures ensure the integration of security in current Siemens products for
automation and drive technology:
• The requirements specified in IEC 62443-4-1 for the product lifecycle management (PLM)
process are implemented. The implementation was certified by TÜV.
• Threat and Risk Analyses (TRAs) are used to analyze and assess potential threats. Identified
critical vulnerabilities are implemented in the product as basic functions according to the
Security by Design principle.
• Code analyses are used to identify and correct possible errors.
• Siemens implements measures to secure integrity in its products and its manufacturing
processes. This improves the detection of manipulation attempts.
• Siemens constantly checks the measures relating to hardening:
– Operating systems are configured in such a way that points of attack (e.g. via ports,
unneeded services) are minimized.
– Siemens tests its products to detect weak points at an early stage.
– Siemens offers a focused hotfix/patch managementservice.

Protection of the development infrastructure and supply chain

As manufacturer of automation and drive products, Siemens supports secure operation for its
customers by securing the development infrastructure and supply chain:
• The Siemens ProductCERT (https://siemens.com/cert) (Cyber Emergency Readiness Team) is
the central department for security-related incidents in the Siemens product and solution
environment. Siemens ProductCERT supports development work with consulting and other
services. ProductCERT provides information about current threats and vulnerabilities as well
as the appropriate countermeasures.
• Industrial security is a dynamic and complex subject that requires continuous monitoring and
adaptation of new security measures. Information on how Siemens protects its products and
solutions against cyber attacks and how industry profits from the competence of Siemens
can be found on the Internet (https://new.siemens.com/global/en/company/topic-areas/
cybersecurity.html).

Industrial Security
26 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Security measures in automation and drive technology
5.1 Security measures

Provision of patches, security components, and appropriate services

As manufacturer of automation and drive products, Siemens supports secure operation for its
customers through direct support of integrators and operating companies by providing
patches, security components and the appropriate services:
• SIEMENS offers monitoring through a SIEM system to monitor residual risk. SIEM stands for
Security Information and Event Management and has become an established term in IT
security. Such systems are able to identify and evaluate security-relevant events and notify
the administrator.
• To improve the security of industrial control systems, Siemens also provides monitoring by
OSA (OT Security Appliance) (https://siemens.sharepoint.com/teams/rc-cn-
OTSecurityAppliance).
OSA addresses the OT security monitoring market, and is a holistic OT-SIEM solution, that on
one hand takes into consideration the properties of OT systems, and on the other hand,
offers the complete transparency of OT systems, including assets and operational risks.

See also
Always active (https://new.siemens.com/global/en/products/automation/topic-areas/industrial-
security/certification-standards.html#Alwaysactive)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 27
Security measures in automation and drive technology
5.2 Siemens Industrial Holistic Security Concept

5.2 Siemens Industrial Holistic Security Concept

Siemens places great emphasis on protecting the integrity and guaranteeing the confidentiality
of the processed data for its own products. Intellectual property and know-how of the Siemens
products are also in focus.
To achieve this, the Siemens Industrial Holistic Security Concept (SI HSC) is applied which
protects development departments and production plants (see the following diagram).
Multi-level security systems and basic security improvements of the IT infrastructure are
implemented. In parallel, process improvements have been introduced and training in
security awareness provided in the development and production. These measures are being
performed continuously by Siemens and clearly demonstrated by the security levels reached.
SI HSC also benefits the customers who Siemens has selected as partners for their industrial
solutions, or who want to orientate themselves on the concept. Siemens suppliers are
also considered with regard to security so that Siemens already applies the same security
standards when purchasing as for the manufacture of its own products.

0RQLWRULQJRI
5HVLGXDO5LVN
3URWHFWLRQ
&RQFHSW 0RQLWRULQJRIWKH
7DUJHW UHVLGXDOULVNLQRUGHUWR
3URWHFWLRQ LPSURYHWKHVHFXULW\
6HOHFWLRQDQG FRQFHSWZKHQUHTXLUHG
/HYHO LPSOHPHQWDWLRQRI
%XVLQHVV VXLWDEOHPHDVXUHVLQ
HJZKHQQHZWKUHDWV
DSSHDU
,PSDFW 6HFXULW\UHTXLUHPHQWV RUGHUWRIXOILOOWKH
$VVHVVPHQW PXVWEHIXOILOOHGE\WKH VWLSXODWHGUHTXLUH
,7LQIUDVWUXFWXUHDQG PHQWVHJFHOO
6FRSH SURWHFWLRQFRQFHSW
6LJQLILFDQFHRI ,7SURFHVVHVEDVHG
NQRZKRZSURWHFWLRQ RQLQWHUQDWLRQDO
DQGSURGXFWLQWHJULW\ VWDQGDUGV,(&
3URGXFWVDQG IRUWKHFRPSDQ\ DQG,62
EXVLQHVVDUHDVWDNHQ
LQWRDFFRXQWLQWKH
+ROLVWLF6HFXULW\
&RQFHSW

Figure 5-1 SI HSC security management process

See also
Secure digitalization - holistic approach (https://securing-digitalization.dc.siemens.com/de/)

Industrial Security
28 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Security measures in automation and drive technology
5.3 Standards and regulations

5.3 Standards and regulations

Siemens takes the applicable Industrial Security standards and regulations into consideration
throughout the entire development process:
• ISO 2700X: Management of information security risks
• IEC 62443: IT security for industrial higher-level control systems – network and system
protection
Further information on certifications and standards in the Industrial Security field can be
found on the Internet (https://new.siemens.com/global/en/products/automation/topic-areas/
industrial-security/certification-standards.html).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 29
Security measures in automation and drive technology
5.3 Standards and regulations

Industrial Security
30 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Security management 6
Security management process according to IEC 62443 and ISO 27001 forms the basis for the
successful implementation of industrial security.

5ISFBU
BOE

SJTL
BOBMZTJT

7BMJEBUJPO
BOE
(VJEFMJOFT
BOE

 JNQSPWFNFOU PSHBOJ[BUJPOBM

NFBTVSFT

(VJEFMJOFT
BOE

PSHBOJ[BUJPOBM

NFBTVSFT
5FDIOJDBM

NFBTVSFT

Figure 6-1 Security management process

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 31
Security management

Procedure
1. Perform a threat and risk analysis. Determine all potential risks and define countermeasures
for reducing the risk to an acceptable level.
A threat and risk analysis includes the following steps:
– Identification of threatened objects
– Analysis of value and potential for damage
– Threat and weak point analysis
– Identification of existing security measures
– Risk evaluation
– Evaluation of effects with respect to protection goals: Confidentiality, integrity, and
availability
2. Define guidelines and introduce coordinated, organizational measures.
Establish awareness of the high relevance of industrial security at all levels in the company.
Define guidelines and processes for a consistent approach to security compliance.
3. Introduce coordinated technical measures.
4. Conduct a security audit to ensure that all of the measures have been implemented and that
they have also eliminated or reduced the identified risks.
Note
Continuous process
Due to ever-changing threat scenarios, this process must be constantly repeated. Implement
the security management process as a continuous process.

See also
General security measures (Page 33)
Product-specific security measures (Page 53)

Industrial Security
32 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
General security measures 7
In this chapter you will learn about the general security measures you must take in order to
protect your system from threats.
Additional specific security measures for SINUMERIK, SIMOTION and SINAMICS products can
be found in Section Product-specific security measures (Page 53).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 33
General security measures
7.1 Defense in depth concept

7.1 Defense in depth concept

To protect industrial plants and systems comprehensively against cyber attacks, measures must
be applied simultaneously at all levels. From the operational up to the field level – from access
control to copy protection. For this purpose, we use "Defense in Depth" as a general protection
concept, according to the recommendations of ISA99 / IEC 62443, the leading standard for
security in industrial automation.

%FGFOTF
JO
%FQUI

1MBOU
TFDVSJUZ

4FDVSJUZ
SJTLT
/FUXPSL
TFDVSJUZ
GPSDF
UP
BDU

4ZTUFN
JOUFHSJUZ

Figure 7-1 Defense in depth strategy

Further information on the defense in depth concept and the planning of a protection
concept for industrial plants can be found on the Internet (https://new.siemens.com/
global/en/products/automation/topic-areas/industrial-security/planning.html).

Industrial Security
34 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.1 Defense in depth concept

Protection levels
A defense in depth model has a three level structure:
• Plant security
Plant security represents the outermost protective ring. Plant security includes
comprehensive physical security measures, e.g. entry checks, which should be closely
coordinated with protective measures for IT security.
• Network security
The measures, grouped under the keyword "Network security", form the core of the
protective measures. This refers to the segmentation of the plant network with limited and
secure communication between subnetworks ("secure islands") and the interface check with
the use of firewalls.
• System integrity
"System integrity" represents the combination of two essential protection aspects. PC-based
systems and the control level must be protected against attacks. Steps include the following
measures:
– Integrated access protection mechanisms in the automation components to prevent
unauthorized changes via the engineering system or during maintenance
– The use of antivirus and whitelisting software to protect PC systems against malware
– Maintenance and update processes to keep the automation systems up-to-date
(e.g. patch management, firmware updates, etc.)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 35
General security measures
7.2 Plant security

7.2 Plant security

$QODJHQVLFKHUKHLW

Unauthorized persons may be able to enter the production site/building and damage or
alter production equipment as a result of gaps in a company's physical security. Confidential
information can also be lost. This can be prevented if both the company's site and the
production areas are protected accordingly.

7.2.1 Physical protection of critical production areas

Company security
The company's physical security must be ensured by taking the following measures:
• Closed off and monitored company premises
• Entry control, keys / card readers and/or security personnel
• Escorting of external personnel by company employees
• Security processes in the company are taught and followed by all employees

Physical production security

The physical security of a production location must also be ensured by taking the following
measures, for example:
• Separate access control for critical areas, such as production areas
• Installation of critical components in lockable control cabinets or in lockable electrical rooms
(monitoring and alarm functions are recommended). Control cabinets must be equipped
with a cylinder lock if the electrical room cannot be locked, or if components are installed
outside a lockable electrical room. Do not use simple locks, such as universal, triangular/
square or double-bit locks.
• Configuration of the radio field to restrict the WLAN range so that it is not available outside
the defined areas (e.g. factory building).
• Guidelines that prevent the use of third-party data storage media (e.g. USB sticks) and IT
devices (e.g. notebooks) classified as insecure on systems.

Industrial Security
36 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.2 Plant security

Additional information
Additional information on integrated Siemens security solutions can be found on the Siveillance
page (https://new.siemens.com/global/en/products/buildings/security/security-
management.html).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 37
General security measures
7.3 Network security

7.3 Network security

1HWZRUNVHFXULW\

Network security includes all measures taken to plan, implement and monitor security in
networks. This includes the control of all interfaces, e.g. between the office network and
plant network, or remote maintenance access via the Internet.

7.3.1 Network segmentation

7.3.1.1 Separation between production and office networks

One important protective measure for your automation or drive system is the strict separation
of the production networks and the other company networks. This separation creates protection
zones for your production networks.

Note
The products described in this manual must only be operated in defined protection zones.

Separation by means of a firewall system

In the simplest scenario, separation is achieved by means of an individual firewall system which
controls and regulates communication between networks.
See also Network segmentation with SCALANCE S (Page 39)

Separation via a DMZ network

In the more secure variant, the coupling is established via a separate DMZ network. In this case,
direct communication between the production network and the company network is completely
prevented by firewalls and only takes place indirectly via servers in the DMZ network.

Note
The production networks should also be divided into separate automation cells in order to
protect critical communication mechanisms.

Industrial Security
38 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.3 Network security

General security measures

Observe the general security measures even within protection zones, for example as listed
in System hardening (Page 46):

7.3.1.2 Network segmentation with SCALANCE S

Siemens provides SCALANCE S security modules to meet network protection and network
segmentation requirements. Further information on SIEMENS SCALANCE S can be found on the
Internet (https://siemens.com/scalance-s).

SCALANCE S security module

SCALANCE S security modules with Security Integrated provide:
• Stateful inspection firewall
In order to implement user-specific control and logging, firewall rules can also be specified
that only apply to certain users.
• VPN via IPsec (data encryption and authentication)
This establishes a secure tunnel between authenticated users whose data cannot be
intercepted or manipulated. The most important aspect is the protection against external
access via the Internet.
• NAT/NATP (address translation)
• Router functionality (PPPoE, DDNS) for broadband Internet access (DSL, cable)
• SCALANCE S623 with additional VPN port (DMZ) enables the secure connection of an
additional network for service and remote maintenance purposes. S623 also permits the
secure, redundant connection of subordinate networks by means of routers and firewall
redundancy.
• SCALANCE S615 has five Ethernet ports with which different network topologies can be
protected by means of a firewall or Virtual Private Network VPN (IPsec and OpenVPN), and
security concepts implemented flexibly.

Requirement

NOTICE
Data misuse
Long distances between the device to be protected and the upstream security modules
represent an invitation for data misuse.
• Note that upstream security modules, such as SCALANCE S, must be installed close to the
device to be protected in a locked control cabinet. This ensures that data cannot be
manipulated here without notice.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 39
General security measures
7.3 Network security

Principle
The following application example shows cell segmentation by several SCALANCE S modules,
each of which is upstream of the automation cells. The data traffic to and from the devices within
automation cells can be filtered and controlled with the SCALANCE S firewall. If required, the
traffic between the cells can be encrypted and authenticated. Secure channels and client access
from the PCs to the cells can be established via SOFTNET Security Client, VPN client software for
PCs.

Industrial Security
40 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.3 Network security
3ODQWVHFXULW\

2EMHFWVHFXULW\
6HFXULW\PDQDJHPHQW

2IILFHQHWZRUN '0= *356 6&$/$1&(

'RPDLQ 3&ZLWK 6HUYHU 6HUYHU 8076 0
FRQWUROOHU &3
6,0$7,&
6ZLWK
&3
1HWZRUNVHFXULW\

,QWHUQHW
66&
URXWHU
6&$/$1&( &HQWUDO
6 :HE DUFKLYH
VHUYHU VHUYHU ,QWHUQHW 6,0$7,&ILHOG3*
ZLWK62)71(7
VHFXULW\FOLHQW
6&$/$1&(
0

,QGXVWULDO(WKHUQHW
6&$/$1&(6 6&$/$1&(6

3URGXFWLRQQHWZRUN
3URGXFWLRQ 3URGXFWLRQ 3URGXFWLRQ 3URGXFWLRQ 3URGXFWLRQ

6,180(5,.
6,0$7,& 6,0$7,& 'VO
6,0$7,& 6ZLWK 6ZLWK
6ZLWK 6ZLWK &3 &3
&60 &3 $GYDQFHG $GYDQFHG
6\VWHPLQWHJULW\

6,0$7,&
6

352),1(7 352),1(7 352),1(7 352),1(7 352),1(7

6,0$7,& 6,0$7,& 6,0$7,&

(7 6 (7 (7 6,0$7,& 6,0$7,& 6,0$7,&
63 63 73 (76 .73
&RPIRUW

6,0$7,& 6,1$0,&6 6,0$7,& 6,1$0,&6 6,0$7,& 6,027,21'[ZLWK 6,1$0,&6

73 73 73 6,1$0,&6

Figure 7-2 SCALANCE S application example

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 41
General security measures
7.3 Network security

VPN access

Note
Note that a SCALANCE S security module must always be used for VPN access.

7.3.2 PROFINET products and SNMP

Note
Products with PROFINET provide the option of reading out and writing to parameters via SNMP
(Simple Network Management Protocol, Port 160/161).
• Do not only identify components based on their SNMP parameters alone, but also use the
information provided on the type plate (e.g. MAC address, serial number, etc.).

7.3.3 Cloud Security

Since the number of cloud applications is growing increasingly and the cloud continues to grow
in its significance, the issue of security in the cloud environment is also becoming more and more
important.
The following addresses are designed to give you a general idea of how you can make your
system safe in the cloud environment. Inform yourself about the applicable requirements
and tried and tested solutions/best practices.

Initial orientation
• Companion Guide for Cloud - CIS Organization (https://www.cisecurity.org/press-release/cis-
controls-companion-guide-for-cloud-now-available/)
• Matrix Cloud Control - CSA Organization (https://cloudsecurityalliance.org/artifacts/cloud-
controls-matrix-v4/)
• Questionnaire Cloud Security - CSA Organization (https://cloudsecurityalliance.org/artifacts/
consensus-assessments-initiative-questionnaire-v3-1)
• Top Threats Cloud Security - CSA Organization (https://cloudsecurityalliance.org/research/
working-groups/top-threats/)

Industrial Security
42 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.3 Network security

Siemens Cloud solutions

Siemens offers first-class cloud management paired with excellent know-how for business
solutions. This ensures maximum security for our customers. Inform yourself about the Siemens
Cloud solutions:

Figure 7-3 Siemens Cloud solutions

• Overview of Siemens Cloud portfolio (https://www.sw.siemens.com/portfolio/cloud)

• Industrial Cloud Computing (https://www.plm.automation.siemens.com/global/en/our-
story/glossary/industrial-cloud-computing/58773)
• Siemens MindSphere (https://www.plm.automation.siemens.com/global/en/products/
mindsphere/)

7.3.4 Smart sensors (IoT) in the network

IoT sensors or smart sensors (e.g. IP cameras) perform analog measurements in the physical
world. In addition to the actual measured quantity acquisition, they also combine the complete
signal conditioning and signal processing in one enclosure. They process data, exchange data,
and even apply their own algorithms to it.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 43
General security measures
7.3 Network security

This interaction with the physical world made possible by IoT sensors can result in significant
cybersecurity and privacy risks:

WARNING
Risks when using IoT sensors
• Analog measured values can be easily manipulated (light intensity, temperature, voltage
can be falsified).
• The increasing use of IoT sensors can involve the acquisition of enormous amounts of
private and sensitive data, which must be handled with confidentiality.
• IoT sensors are also used to protect sensitive areas. In a worst-case scenario, a security attack
on such a device could put human lives at risk, cause significant property damage, or result
in production downtime or the like.
• IoT network interfaces often enable remote access to physical systems. Manufacturers,
vendors and third parties are thus able to remotely access IoT devices for management,
monitoring, maintenance and troubleshooting purposes. As a result, the physical systems
that are accessible via the IoT may be at much greater risk of security attacks than before.
• Many IoT devices must meet strict requirements regarding performance, reliability,
resilience, security, and other objectives. These requirements may conflict with general
security requirements and regulations in the company (e.g. regular security patches and
updates).
Whereas non-smart sensors rely exclusively on local networking, Internet networking in
smart sensors allows attacks from any location in the world that has Internet access,
increasing the machine's exposure and thus the risk of attacks.
Become aware of these risks, consider these risks in your risk analysis, and take appropriate
measures to protect your system/plant.

Industrial Security
44 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.3 Network security

Measures when using IoT sensors

Figure 7-4 Smart sensors

Due to the risks mentioned above, keep the attack surface as small as possible when using
IoT sensors and implement the following measures:
• Ensure a secure transmission between sensor and our product (SINUMERIK, Edge,
SINAMICS). If possible, use smart sensors with integrated security measures (e.g. integrity
protection of communication).
• Ensure self-protection of the sensor (e.g. unique identifiability, redundancy in signal
processing (principle of functional safety)).
• Use only smart sensors that are compliant with the law.
• Secure physically vulnerable areas through physical measures (Siemens Industrial Holistic
Security Concept (Page 28), Defense in depth concept (Page 34)).

More information
You can obtain more useful information on the topic of "Safe use of IoT sensors" on the Internet
from the following sources:
• Only relevant for Germany: Basic IT protection compendium from the Federal Office for
Information Security (BSI) (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/
Grundschutz/International/bsi-it-gs-comp-2019.html?nn=409850)
• Open Web Application Security Project® (OWASP) (https://owasp.org/www-project-internet-
of-things/#div-seek_and_understand)
• Internal Report NISTIR 8228 (https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 45
General security measures
7.4 System integrity

7.4 System integrity

6\VWHPLQWHJULW\

System integrity is understood to mean the "integrity" or "correctness" of the data or the
correct response of the system. Thus, the following measures for protecting the system
integrity should ensure that the data/functionality of the system cannot be manipulated by
unauthorized persons or that manipulations can be detected.

7.4.1 System hardening

7.4.1.1 Services and ports

Activated services and ports represent a risk. To minimize the risk, only the necessary services
for all of the automation components should be activated. Ensure that all activated services are
taken into account (especially Web servers, FTP, remote maintenance, etc.) in the security
concept.
A description of all of the ports used can be found in the Equipment Manuals/Function
Manuals of the respective products.

7.4.1.2 User accounts

Any active user account that allows access to the system is thus a potential risk. Therefore, take
the following security measures:
• Reduction of configured/activated user accounts to the actually needed minimum
• Use of secure access data for existing accounts. This also involves assigning a secure
password.
• Regular checks, especially of the locally configured user accounts
• Regular change of passwords

Industrial Security
46 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.4 System integrity

7.4.1.3 PC/notebooks and mobile devices in an industrial environment

The terminal devices used in industrial environments (PCs, notebooks and mobile devices) must
meet the generally applicable security requirements. Therefore, take the following measures:
• The terminal device that is used is set up, administered, regularly checked and patched by the
appropriate departments. This ensures it is always kept up-to-date. This also means that
software and operating systems which are supported and maintained by the manufacturer
are always installed.
• A current virus scanner, which is adapted to the operating system used, must be installed on
the terminal device that is used. Both the virus patterns and the software itself must be
regularly updated. Or, alternatively, work with the Whitelisting (Page 50) method.
• Activate a firewall with appropriate settings on the terminal device that is used.
• Use a configuration without admin. rights on the terminal device that is used.
• Encrypt all of the hard drives or mass storage units (e.g. eMMC or SSD) of the terminal device
that is used to protect sensitive data against unauthorized access.
• Do not use the terminal device for other tasks, e.g. in the office network. This is part of the
separation of networks dealt with in Chapter "Separation between production and office
networks (Page 38)".
• Secure terminal devices from data theft using a physical lock (e.g. Kensington lock) or do not
leave them unmonitored.
• If you leave protected terminal devices at the workstation, always activate the lock mode of
the operating system. This prevents access to the terminal device and the contents of the
screen can no longer be read.
• Set up user accounts (Page 46) for the access rights accordingly.
• Take appropriate measures to protect unneeded interfaces (e.g. USB, network, etc.) to
prevent unauthorized access. This can be done physically using commercially available USB
port locks or via corresponding software measures.

7.4.1.4 Data storage

When you store security-relevant data on your PC, you are responsible for secure data storage.
These include, for example, the following measures:
• Consequent marking of your documents according to confidentiality levels by introducing a
document classification.
• Protection of your encrypted storage locations, such as sharepoints, against manipulation.
• If absolutely necessary, only store your confidential or security-relevant data encrypted on
your PC / systems or the network.
Security-relevant data includes sensitive data, such as archives, passwords, or executable
files (*.exe).
• Regularly back up your security-relevant data and carefully protect it against loss and
manipulation.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 47
General security measures
7.4 System integrity

7.4.1.5 Transporting data

Apply the following measures when transporting data:
• Always encrypt your emails if you send confidential and/or security-relevant data by email.
• If you wish to transport confidential and/or security-relevant data on a data storage medium
(USB flash drive, hard disk, etc.), carefully investigate as to which data storage media are
considered secure. A regular virus check must be carried out for these data storage media.
Always save your data on local data storage media so that the data is encrypted.
These measures are especially important for sensitive data, such as archives, passwords, or
executable files (*.exe).

7.4.1.6 Passwords

NOTICE
Data misuse caused by using passwords that are not secure enough
Data can be easily misused by using passwords that are not secure enough. Insecure passwords
can easily be guessed or decoded.
• Therefore, change the default passwords during the commissioning and adapt them at
regularly defined intervals.
• Also change passwords for functions that you yourself do not use to ensure that such
unused functions are not misused.
• Always keep your passwords secure, and ensure that only authorized persons have access
to these passwords.

Assigning secure passwords

Observe the following rules when creating new passwords:
• When assigning new passwords, make sure that you do not assign passwords that can be
guessed, e.g. simple words, key combinations that can be easily guessed, etc.
• Passwords must always contain a combination of upper-case and lower-case letters as well
as numbers and special characters. PINS must comprise an arbitrary sequence of digits.
• When assigning a password, always ensure you are adhering to the applicable company
specifications, e.g. special password policy of the respective company.
• Observe that, in accordance with the applicable company specifications, passwords with the
maximum required minimum length must be assigned.
• Wherever possible and where it is supported by the IT systems, a password must always have
a character sequence as complex as possible.
Programs are available that can help you to manage your passwords. Using these programs,
you can encrypt, save and manage your passwords and secret numbers – and also create
secure passwords.
Additional information on assigning secure passwords can be found in Chapter References
(Page 121).

Industrial Security
48 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.4 System integrity

7.4.1.7 Product security notifications

Note
Complying with product security notifications
Threats are extremely diverse in nature and are continually changing. As a consequence, always
keep yourself up-to-date on a regular basis through the Industry Online Support (https://
support.industry.siemens.com/sc/ww/en/sc/2090) regarding whether there are new and
relevant product security notifications for your particular products. Comply with the instructions
provided in the product security notifications.

7.4.1.8 Virus scanner

An anti-virus program, virus scanner or virus protection program is a software that can detect,
block and, if required, eliminate computer viruses, computer worms or Trojans horses.
In principle, virus scanners can only detect known malware (viruses, worms, Trojans, etc.)
or harmful logic and therefore cannot provide protection against all viruses or worms. For
this reason, virus scanners can only be considered as a complement to general precautionary
measures.
The use of a virus scanner must not impact the production operations of a plant. As the
last consequence, this will lead to even a virus-infected computer not being permitted to
immediately shut down if this would cause the control of the production process to be lost.

NOTICE
Data misuse when using online virus scanners
If you use an online virus scanner, then security-relevant or confidential data can get into the
wrong hands and be misused.
• Therefore, do not check any security-relevant or confidential data via an online virus
scanner.

Note
Keep virus scanners up-to-date
Always ensure that the virus scanner database is always up-to-date.

Note
Do not install several virus scanners together.
You must always avoid installing several virus scanners together in one system.

Note
Operation in a local network
Always use a virus scanner when locally connecting with the plant or system network.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 49
General security measures
7.4 System integrity

7.4.1.9 Whitelisting
The basic philosophy of whitelisting is that all applications are mistrusted, unless they have been
classified as trustworthy after an appropriate check. This means that a whitelist is maintained in
the system. This whitelist therefore contains all applications that have been classified as
trustworthy and consequently can be run on your PC systems.
Whitelisting mechanisms provide additional/alternative protection against undesired
applications or malware and unauthorized changes to installed applications or executable
files (.exe, .dll).
Heed the corresponding product-specific information (Page 53) to determine whether the
use of virus scanners and/or whitelisting is recommended.

7.4.2 Patch management

WSUS
The WSUS (Windows Server Update Service) system functionality provided by Microsoft is
available for current Windows systems. WSUS supports administrators by providing Microsoft
updates in large local networks. WSUS automatically downloads update packages (Microsoft
update) from the Internet and offers them to the Windows clients for installation.
The fully automatic update process ensures that Microsoft security updates are always
available on Siemens clients.

NOTICE
Security gaps for out-of-date operating systems
Note that security updates, hotfixes, etc. are no longer supplied by Microsoft for obsolete
operating systems < Windows 10. As a consequence, dangerous security gaps can occur with
your operating system.
• Therefore always upgrade your operating system - if possible - to the latest version.
• If you work with an older operating system, take appropriate additional measures (e.g.
Allow-List) to protect your system.

Note
Before installing Microsoft Updates, note the following important points:
• Prior to the update, back up the system status in the case that you have to restore the
original software. Ensuring the compatibility of the update with the individual system
configuration is the responsibility of the customer.
• Never establish a direct connection to the WSUS server in the Internet! Ensure that the
environment is secure and install an intermediate layer (e.g. DMZ network, firewall,
SCALANCE S modules, etc.).

Industrial Security
50 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 General security measures
7.4 System integrity

7.4.2.1 Product software

Note
Out-of-date product software also represents a potential security gap for attacks.
• As a consequence, always install the latest product software versions.

7.4.3 Data integrity

Data integrity is understood to mean the correctness (integrity) of data and the correct
functioning of systems. Ensuring the integrity of the data is thus an essential goal of information
security. Integrity protection should not be confused with protecting the confidentiality.

NOTICE
Corruption of data and the resulting malfunctioning of the system
For automation and drive systems as well as controller components, data such as archives and
programs can be imported from external sources. This data influences the behavior of these
systems and should therefore be protected against unauthorized changes.
Data such as archives, programs, and OA applications can also be saved and archived. The
systems currently do not provide the capability of ensuring the integrity of programs, archives,
and OA applications.
Therefore take your own measures for ensuring integrity to guarantee the data integrity of your
archives, OA applications, or other saved data:
• Apply the Siemens Industrial Holistic Security Concept.
• Use digital signatures to protect data.
• Ensure there is sufficient access protection:
– Restrict access rights such as to data archives/Sharepoints accordingly.
– Do not send any unencrypted/unsigned emails.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 51
General security measures
7.4 System integrity

7.4.4 Disposal
The products are to be disposed of in accordance with the respectively valid national regulations.
The products described in this manual are extensively recyclable on account of the low-toxic
composition of the materials used. To recycle and dispose of your old equipment in an
environmentally friendly way, please contact an appropriate disposal company.

NOTICE
Misuse of data resulting from insecure methods of deleting data
Incomplete or insecure deletion of data from memory cards or hard drives can lead to misuse
of the data of the part programs, archives, etc. by third parties.
• Therefore ensure that all storage media are securely deleted before disposing of the
product :
• There are programs that support you in securely deleting/formatting storage media.
Alternatively, contact a certified data destruction specialist to take care of this task.

Also observe the special disposal information of the products in Chapter Product-specific
security measures (Page 53).

Industrial Security
52 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Product-specific security measures 8
In this chapter, you will find additional product-specific security measures for the SINUMERIK
products and the CNC Shopfloor Management Software, SIMOTION, SINAMICS and SIMOCRANE.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 53
Product-specific security measures
8.1 SINUMERIK

8.1 SINUMERIK
The following chapter provides you with an overview of the security-related measures you must
take to protect your classic SINUMERIK control from threats. Detailed descriptions and
procedures can be found in the corresponding SINUMERIK documentation.
We are currently providing product-specific, security-relevant measures and features
specifically for SINUMERIK ONE control systems in a separate document. This
Configuration Manual is specifically designed to meet the requirements of the new
security standard IEC 62443. In the future, you will find it on the Internet at
the following address: Industrial Security SINUMERIK ONE Configuration Manual (https://
support.industry.siemens.com/cs/ww/en/view/109808781)
Detailed descriptions of existing security features are also provided in the SINUMERIK ONE
product documentation / online help.
Many products (SINUMERIK, SIMOTION, SINAMICS) contain OpenSSL. The following applies to
these products:
• This product contains software (https://www.openssl.org/) that has been developed by the
OpenSSL project for use in the OpenSSL toolkit.
• This product contains cryptographic software (mailto:eay@cryptsoft.com) created by Eric
Young.
• This product contains software (mailto:eay@cryptsoft.com) developed by Eric Young.

8.1.1 Firewall and networking

NCU/PCU networking structure

The following graphic shows the networking of the control (NCU) and the IPC. X130 at the NCU
and eth 1 at the IPC are used to establish a connection to the company network. A firewall
protects these two interfaces against unauthorized access.
The NCU contains a packet filter functionality (firewall) that filters the connection to the
factory network. This integrated firewall is preconfigured with optimum settings for the
incoming and outgoing communication. The firewall is configured in such a way that access
to the networks behind the firewall is blocked, and when several logon attempts are made
from a certain IP address, this is identified, blocked and prevented. In this way, the control is
protected against brute-force attacks.
The IPC has the firewall function via the Windows functionality.

NOTICE
Data misuse via an unprotected interface
Since the X120 interface of the NCU or the eth2 port of the IPC are not protected by a firewall,
there is a risk of misuse of data. The interface only provides the option of establishing a
connection to the local plant/system network.
• As a consequence, never connect this local network with the Internet/company network.

Industrial Security
54 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

(WKHUQHW )LUPHQQHW]ZHUN
HWKZLWK )LUHZDOO
ILUHZDOO 6HUYHU
6,180(5,.23
3&87&8

HWK
6,180(5,.
RSHUDWRUSDQHO
&RPSDQ\QHWZRUN
;ZLWKILUHZDOO &RPSDQ\QHWZRUN
/RFDO+0, ;ZLWKILUHZDOO
SODQWV\VWHP
QHWZRUN
;

6,180(5,.['
;
/RFDOVHUYLFH
;
;EHL6,180(5,.21(
352),1(7
6,180(5,.21(
6,180(5,.'VO

Figure 8-1 Networking of NCU/IPC

Firewall settings
Ethernet interface X130 of the NCU and the eth1 interface of the IPC are protected by a firewall
for security reasons. If individual programs require access to a communication port for
communication purposes, you can activate or deactivate the firewall via SINUMERIK Operate.
Additional ports can be separately released.
Alternatively, you can configure the firewall via the "basesys.ini".

Further information
Further information on the configuration of the firewall and default settings can be found in the
following manuals:
• SINUMERIK Operate (IM9) (https://support.industry.siemens.com/cs/de/en/view/
109769186)
• Diagnostics Manual (808D) (https://support.industry.siemens.com/cs/de/en/view/
109763685)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 55
Product-specific security measures
8.1 SINUMERIK

8.1.2 Physical protection of the NCU

NOTICE
Misuse, manipulation and theft
Modules, such as the NCU, are open equipment. If not protected, there is the risk of misuse by
unauthorized personnel, manipulation or theft of data (e.g. CompactFlash Card).
• As a consequence, always install NCUs in housings and locked control cabinets or in
electrical rooms. Only appropriately trained and authorized personnel may access these
housings, electrical cabinets and electrical rooms. Information on the permitted locks can
be found in Chapter Physical protection of critical production areas (Page 36).
• Further information on the control cabinet installation of the NCU can be found in the
SINUMERIK 840D sl NCU 7x0.3 PN Manual (https://
support.industry.siemens.com/cs/ww/en/view/109782727) or in the corresponding
Equipment Manuals for SINUMERIK ONE: "NCU1750" and "NCU1760".

8.1.3 Machine control panels - SINUMERIK (MCP/MPP)

Machine control panels (Machine Control Panels and Machine Push Button Panels) are available
for user-friendly operation of SINUMERIK machine functions.

Note
Only operate the machine control panels (MCP/MPP) on an internal, local machine network and
secure them against any possible external access.

Note
Firmware update
For MCP/MPP/PP72-48 firmware updates or module diagnostics (Port 3845) contact Siemens
Service&Support (https://support.industry.siemens.com/sc/ww/en/sc/2090).

See also
Passwords (Page 48)

Industrial Security
56 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

8.1.4 System hardening

8.1.4.1 Deactivating hardware interfaces

Deactivating interfaces

Measure Description
Deactivate/activate Ethernet You can activate or deactivate the Ethernet interfaces in the BIOS of the PCU.
interfaces in the BIOS of the You can find detailed information on this in PCU-Basesoftware (IM8) Commissioning Manual
PCU (https://support.industry.siemens.com/cs/de/en/view/109748542), Chapter "BIOS settings".
Deactivating/activating To prevent malware entering the control or the plant network via the USB interfaces, you can
USB interfaces disable the USB interfaces of the NCU. Use the service command "sc_usb disable". Enter the
relevant command on the Service Desktop in the "Run" dialog box or at the prompt. Use this
function to make your system more secure and protect it from unwanted manipulation and
malware.
Further information can be found in the PCU-Basesoftware (IM8) Commissioning Manual
(https://support.industry.siemens.com/cs/de/en/view/109748542), Chapter "How to discon‐
nect the USB interfaces".
 

Deactivating ports

Measure Description
Deactivating the PROFINET In STEP 7 HW Config, a PROFINET interface port of a SINUMERIK PLC can be deactivated (X150).
port for It is activated by default. The SINUMERIK PLC cannot be accessed via a deactivated PROFINET
SINUMERIK 840D sl PLC interface port.
Further information can be found in the SIMATIC S7-300 CPU 31xC and CPU 31x Equipment
Manual: Technical specifications (https://support.industry.siemens.com/cs/de/en/view/
12996906), Chapter "Configuration of the port properties".
No communication function.
Note that no communication functions, such as PG/OP functions, open IE communication or S7
communication (PROFINET IO), are possible via a deactivated port.
Deactivating the PROFINET The PROFINET port can be deactivated in the TIA Portal under "Device configuration". Select the
port for SINUMERIK ONE PLC PLC and then switch to the menu "General > PROFINET interface> Advanced op‐
tions > Port > Port options". Uncheck the box for "Activate this port for use".
Further information can be found in the TIA Portal online help.
Deactivating For secure operation, only one defined access point should be available to the network for
a PROFINET port of diagnostics/maintenance. All of the other ports to the controls, devices, or switches (Scalance
SCALANCE X switch X) should be deactivated. This prevents unauthorized access.
(possible as of the X200 ser‐ Further information can be found in the SIMATIC NET Configuration Manual: SCALANCE X-200
ies) Industrial Ethernet switches (https://support.industry.siemens.com/cs/de/en/view/
109757352), Chapter "Ports".

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 57
Product-specific security measures
8.1 SINUMERIK

8.1.4.2 Communication services and used port numbers

SINUMERIK supports certain communication protocols. The address parameters, the relevant
communication layer as well as the communication role and the communication direction are
decisive for each protocol.
This information allows you to match the security measures for the protection of the
automation system to the used protocols (e.g. firewall).
Further information can be found in the product information for "SINUMERIK port lists"
(available soon).

8.1.4.3 Integrity and authenticity protection SINUMERIK ONE

Note
System hardening for software solutions
When using SINUMERIK Integrate software and other PC applications (e.g. Create MyConfig
(CMC) or Access MyMachine (AMM)), make sure that the PC on which the software is used,
always fulfills the requirements of industrial security.
These include, for example:
• Current Microsoft security updates
• Current virus scanner software
• Activated firewall, etc.
Further information can be found in Section System integrity (Page 46).

8.1.4.4 Secure Boot with SINUMERIK ONE

Note
Only signed software
The SINUMERIK ONE NCUs have a Secure Boot feature that ensures that only software that is
signed by Siemens can be loaded onto the NCU. This concerns both GIV software versions of the
controller and any other software (e.g. SINAMICS TEC). Once a *.tgz file is imported and there
is no accompanying *.sig file, the NCU will no longer ramp up.
In this situation, the controller can no longer be accessed via any interface. The previously
installed software can no longer be deleted.

8.1.5 Virus protection

In the context of the length of the service life of a machine tool, the use of antivirus software
does not make sense.

Industrial Security
58 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

The reasons for this are as follows:

• Continuous pattern updates necessary
The protection of an antivirus program is only as good as the up-to-datedness of its virus
patterns. Providing this in day-to-day production of the machine without a direct Internet
connection is not possible without further action.
• Changed patterns and background scans affect the runtime behavior of the controller
Scans that run in the background can influence the system load and thus the system behavior
of the machine. The longer the pattern list, the more time and resource-consuming the scan,
which means the influence increases as the machine ages.
• Short support times
As a rule, updates and patterns for antivirus software are provided by the end of the
operating system support, at the latest. However, a machine tool generally has a
significantly longer service life than a Windows operating system. Therefore the protection
becomes ineffective against new threats over time.
• Unforeseeable backlash effects on machine functionality
In certain circumstances, a pattern update can result in a desired system function being
detected by the antivirus software as a suspicious operation and prevented from executing,
which can have unforeseeable consequences for the operation of the machine.

Reasons for whitelisting

The use of whitelisting makes sense for protecting a Windows-based IPC in the SINUMERIK
system for the following reasons:
• In a normal scenario, whitelisting does not require updates to continuously protect the
machine.
• Whitelisting does not lose its protective effect over the service life of the machine (apart from
technical progress).
• Whitelisting also protects against malware that may not yet be known to an antivirus
program.

Note
Measures for protecting against viruses in a CNC environment
Take all the necessary measures for virus protection in the CNC environment. This also includes
the proper handling of data storage media, USB sticks and network connections, precautionary
measures when copying data and during software installations, etc.

See also
Virus signatures (https://support.automation.siemens.com/WW/view/en/19577116)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 59
Product-specific security measures
8.1 SINUMERIK

8.1.5.1 Whitelisting

SINUMERIK application example

Using the McAfee Application Control Software as example, a description as to how SINUMERIK
PCU 50 with Windows XP can be "hardened" is provided. The licensed software can be used with
the PCU 50 as a standalone version (Solidifier/Solidcore). The whitelisting software is directly
purchased from the manufacturer.
A detailed description of this application can be found on the Internet (https://
support.industry.siemens.com/cs/ww/en/view/89027076).

8.1.5.2 Virus protection / memory card

The memory card must be handled with particular care for all SINUMERIK devices that use a
memory card so that no malicious software is loaded to the system.

WARNING
Risk of death due to software manipulation when using exchangeable storage media
Storing files on exchangeable storage media poses an increased risk of infection, e.g. with
viruses and malware. Incorrect parameter assignment can cause machines to malfunction,
which can lead to injuries or death.
• Protect files stored on exchangeable storage media from malicious software using
appropriate protection measures, e.g. virus scanners.

8.1.6 Security updates / patch management

For organizational reasons, it is not possible to provide the latest Windows security patch when
the PCU / the IPC is shipped.
Windows 10-based SINUMERIK IPCs are basically delivered with variant LTSB 2016. This
version of Windows not only provides extended support, but also gives you the capability of
installing patches for specific problems and there are no compulsory updates.
Provide your Windows-based devices with the current security updates in a timely manner.
These updates should not take place during machine operation. Therefore, use a local WSUS
server (see Chapter Defense in depth concept (Page 34)).

Note
Before installing Microsoft Updates, note the following important points:
• Prior to the update, back up the system status for a fallback, if necessary. Ensuring the
compatibility of the update with the individual system configuration is the responsibility of
the customer.
• Never establish a direct connection to the WSUS server in the Internet! Ensure that the
environment is secure and install an intermediate layer (e.g. DMZ network, firewall,
SCALANCE S modules, etc.).

Industrial Security
60 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

Since it is usually difficult to regularly update the Windows operating system of an IPC for
a machine that is in use, and no more updates are available after the end of the support
period, you should ensure the IPC is protected in accordance with the Defense in Depth
concept (Page 34), e.g. by means of a security router and the use of a whitelisting solution.
Possibly identified security weak points of the NCU are taken into account or corrected in the
current CNC software version.

Note
Availability
The availability of Microsoft security updates is published via Microsoft Security Bulletins. The
use of security updates is entirely up to the customer and is their sole responsibility. This can be
realized based on the "evaluation of maximum severity" provided in the Microsoft Security
Bulletin. Microsoft publishes information on security updates for the PCU and download links on
the Internet (https://technet.microsoft.com/en-us/security/bulletins).

See also
Patch management (Page 50)

8.1.7 Account management

8.1.7.1 Definition of access levels

Access to functions and machine data

The access concept controls access to functions and data areas. Access levels 1 to 7 are available,
where 1 represents the highest level and 7 the lowest level. Access levels 1 to 3 are locked using
a password and 4 to 7 using the appropriate key-operated switch.

Ac‐ Locked by Area Data class

cess
level
1 Password: SUNRISE Machine manufacturer Manufacturer (M)
2 Password: EVENING Service Individual (I)
3 Password: CUSTOMER User User (U)
4 Key-operated switch set‐ Programmer, machine setter User (U)
ting 3
5 Key-operated switch set‐ Qualified operator User (U)
ting 2
6 Key-operated switch set‐ Trained operator User (U)
ting 1
7 Key-operated switch set‐ Semi-skilled operator User (U)
ting 0

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 61
Product-specific security measures
8.1 SINUMERIK

Linux passwords / NCK

Level User name UID

1 manufact 102
2 service 103
3 user 104
4 operator3 105
5 operator2 106
6 operator1 107
7 operator 108

Corresponding to the named user, there is always a Unix group with the same name (also
with the GID to the UIDs). As user, you are always member of your own group and also in
all "lower-level" groups. For example, "operator2" is a member of the "operator2", "operator1"
and "operator" groups. The file access rights are mainly controlled via these groups.

NOTICE
Data misuse caused by using passwords that are not secure enough
Data can be easily misused when passwords that are not secure enough are created. Passwords
that are not secure enough can be easily hacked into.
The default passwords for the basic commissioning procedure are listed in the documentation.
• Therefore, always change the preassigned default passwords during commissioning
• Change the passwords at regularly defined intervals.
• For CNC software <V4.8: During commissioning, change the Linux password in addition to
the SINUMERIK Operate passwords. You can find additional information in the
Commissioning Manual "NCU operating system".
• A continuous warning appears on the SINUMERIK ONE if the default passwords are not
changed.
Further information on assigning secure passwords can be found in Chapter Passwords
(Page 48).

Industrial Security
62 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

Note
Changing passwords between SINUMERIK Operate and Linux
The access levels for SINUMERIK Operate and Linux are merged as of software version 4.8 SP3
(840D sl/828D) and 6.13 (SINUMERIK ONE). Changing a password for SINUMERIK Operate
simultaneously changes the relevant password in Linux and vice versa. It is important to note the
following behavior:
• When a general NC reset is performed, no passwords are reset to the default passwords.
• Following a software upgrade, the SINUMERIK Operate passwords apply to the NC
unchanged.
• Once a password has been changed, it cannot be reset to its original state.
• When recommissioning the system with Restore [-full] (menu item in the Emergency Boot
System "Recover system from USB memory stick (reformat CF card)"), the CF card is formatted
and restored to a system in the delivery state. The passwords are not included in the
SINUMERIK archive. Therefore, always change the default passwords after a Restore [-full] to
individual passwords.

8.1.7.2 Safety Integrated password

In SINUMERIK Operate, commissioning data is generally protected via various access levels. You
protect the safety-related drive parameterization additionally with the Safety Integrated
password. This password is stored in the drive data so that it can be changed only by authorized
persons who know the password.

Note
The SINAMICS Safety password must be used for SINUMERIK Safety
The assignment of the Safety Integrated password using the SINUMERIK Operate screen is
supported as of V4.8 SP2 HF1. The assignment of the Safety Integrated password is also
supported by a screen form of the SINUMERIK ONE Commissioning Tool.
• Always set a Safety password to prevent parameters from being changed using the external
configuration software Starter or the commissioning software SINAMICS Startdrive.
Further information can be found in the Safety Integrated plus Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109777982).

Further information
You can find further information on how you can change the passwords of the access levels
along with other information on access levels for programs and softkeys and access rights for
files in the SINUMERIK Operate (IM9) Commissioning Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801207), Chapter "General settings > Access
levels".

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 63
Product-specific security measures
8.1 SINUMERIK

8.1.7.3 CNC lock function

You can use the "CNC lock function" and the encrypted file that was created with SINUMERIK
Integrate Access MyMachine (AMM) application to activate a lock date in the control. This allows
the use of the machine to be limited to the time until the lock date is reached. The NC Start
function of the control is locked when the lock date is exceeded.
The CNC lock function supports the business model with time-limited use. This protects
against unauthorized use beyond the set interval.

Note
Only for SINUMERIK 828D
Note that the CNC lock function is only available on the SINUMERIK 828D controller.

Further information on the CNC lock function and on the creation of a lockset file can be
found at:
• "SINUMERIK Integrate Access MyMachine /P2P (PC)" Operating Manual (https://
support.industry.siemens.com/cs/de/en/view/109770206)
• "PLC" Function Manual, Chapter "P4: PLC for SINUMERIK 828D > CNC lock function"

8.1.7.4 Deleting the preinstalled SSH key

Application
Removing the SSH key preinstalled by Siemens reduces the risk of data misuse. However, in order
to ensure sufficient access to the system, you can define and install your own SSH key.

Service command
The service command 'sc' is a tool used for performing a range of service tasks on a SINUMERIK
NCU:

Syntax: sc clear preinstalled-keys

Alternative names: ---
Authorization level service

This command deletes all of the SSH keys preinstalled by Siemens on the control. When
called from the service system, the keys on the CompactFlash card are affected, and not the
SSH keys on the service system itself.

Further information
You can find additional information in the Base Software and Operating Software
Commissioning Manual (https://support.industry.siemens.com/cs/de/en/view/109763236).

Industrial Security
64 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

8.1.7.5 PLC web server

In the delivered state, the PLC has no password and the Web server of the PLC is not activated.

Note
• If you activate the PLC Web server in the S7 project, you must define an appropriate user and
an associated password for it. Create a secure password. When creating a new password,
carefully follow the information provided in Chapter Passwords (Page 48).
• Only use the HTTPS protocol to establish communication confidentiality and integrity.

Further information
Further information on the PLC web server can be found in the Function Manual S7-1500, ET
200SP, ET200pro web server (https://support.industry.siemens.com/cs/ww/en/view/
59193560).

8.1.7.6 Access levels for softkeys

The display and operation of softkeys can be suppressed by both the OEM and the user. This
allows the operating software to be specifically adapted to the required functional scope and
therefore be configured as transparently as possible. To prevent access to functions in the
operating software, or to restrict the possibility of operator errors, restricts the functional system
scope.

Note
Applicability of modified access levels for softkeys
The setting of specific access levels for softkeys on a PCU only affects the respective PCU softkeys
themselves. To implement access rights on the NCU, both the manufacturer and the user must
use the appropriate mechanisms and set the rights accordingly.
Further information can be found in the SINUMERIK Operate (IM9) Commissioning Manual
(https://support.industry.siemens.com/cs/ww/en/view/109801207), Chapter "Access levels for
programs".

8.1.7.7 BIOS and AMT access protection

In order to prevent unauthorized access to the BIOS of the PCU 50 and the SIMATIC IPCs, make
sure that you use a very secure BIOS password (see Section Passwords (Page 48))

Further information
Further information on BIOS settings of the PCU 50 can be found in the PCU-Basesoftware
(IM8) Commissioning Manual (https://support.industry.siemens.com/cs/de/en/view/
109748542).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 65
Product-specific security measures
8.1 SINUMERIK

Setting the password for AMT (Intel® Active Management Technology)

The Active Management Technology (AMT) function is used for the remote management of the
PCU. For remote management, generally suitable protective measures must be taken (such as
network segmenting) in order to guarantee secure operation of the plant.
For security reasons, AMT is deactivated when a PCU is delivered. When you activate AMT
the first time in the BIOS setup, assign a strong password to prevent misuse of the remote
management.
Further information on the AMT function of the PCU as well as the procedure for changing
the password can be found on the Internet (https://support.industry.siemens.com/cs/de/en/
view/52310936).

8.1.7.8 Password protection for Create MyConfig (CMC)

NOTICE
Data misuse due to incorrect assignment of rights
Access data, such as the pre-configured passwords for access to the control system, can be
stolen and misused.
• For that reason, set up organizational measures to ensure that only authorized persons are
given access to these files.

Note
Password protection for linked external files
The protection mechanisms integrated into CMC (password protection) are ineffectual for linked
external files that are integrated into the CMC context.

Note
Protecting CMC packages from reimporting
Note that CMC packages have to be protected by password against being reimported.
• For that reason, always set up a password against reimporting when you assign a password
for a new project.

8.1.8 Know-how protection

The following functions provide protection of technological know-how and prevent

unauthorized access to the SINUMERIK controllers:

8.1.8.1 SINUMERIK Integrate Lock MyCycles

Using the "SINUMERIK Integrate Lock MyCycles" (cycle protection) function, cycles can be
encrypted and then stored protected in the control. The cycles are encrypted outside the control
using the SINUMERIK Integrate Access MyMachine/P2P program.

Industrial Security
66 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

For cycles with cycle protection, execution in the NC is possible without any restrictions.
In order to protect the manufacturer's know-how, any type of view is inhibited for cycles with
cycle protection.
This software option is available for SINUMERIK 808D, 828D and 840D sl control systems and
SINUMERIK ONE.
You can find an application example for cycle protection for SINUMERIK on the Internet
(https://support.industry.siemens.com/cs/ww/en/view/109474775).

Further information
Further information on cycle protection can be found in the SINUMERIK Access
MyMachine /P2P (PC) Operating Manual (https://support.industry.siemens.com/cs/ww/en/view/
109811131).

8.1.8.2 SINUMERIK Integrate Lock MyPLC

With the aid of block properties, you can protect the blocks created in the SIMATIC PLC from
unauthorized changes, for example.
The block properties should be edited when the block is open. In addition to properties
that can be edited, data that is only displayed for your information is also displayed in the
respective dialog field: It cannot be edited.
A block that has been compiled using this option does not allow you to view the instruction
section. The interface of the block can be viewed, but not changed.

Further information
You can find further information on block protection in the SIMATIC Programming with STEP 7
Programming and Operating Manual (https://support.industry.siemens.com/cs/de/en/view/
109751825), Chapter "Block properties".

Note
The integrated CP in the SINUMERIK 840D sl does not support the "Module access protection /
protection level" option.

Encryption of blocks
As of STEP 7 Version 5.5 SP3 and the CNC system software V4.5 SP2 for 840D sl/ 840D sl or V6.13
for SINUMERIK ONE, you can create encrypted block protection for functions and function blocks
in the offline and online view. You can use this function to encrypt your blocks and protect the
block code against external access.
The option "SINUMERIK" and, if required, "SIMATIC" must be selected for the encryption with
SINUMERIK.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 67
Product-specific security measures
8.1 SINUMERIK

A detailed procedure of how to encrypt your blocks can be found on the Internet (https://
support.automation.siemens.com/WW/view/en/45632073).

8.1.8.3 OPC UA
OPC UA (Unified Architecture) is a standardized, industrial communication protocol for access to
control data, e.g. by higher-level control systems. Variables of a SINUMERIK 840D sl,
SINUMERIK 828D or SINUMERIK ONE can be read and written to via this communication protocol
using the SINUMERIK Integrate Access MyMachine /OPC UA software option.

NOTICE
Date misuse resulting from an insecure connection to the client
There is a danger of data misuse due to an unencrypted connection to the OPC UA client.
• Therefore, always encrypt your connection to the OPC UA client.
• Information on the encryption of the data connection can be found in the SINUMERIK
Access MyMachine /OPC UA Configuration Manual (https://
support.industry.siemens.com/cs/us/en/view/109807257).

NOTICE
Data misuse due to incorrect user administration / rights assignment
A significant security risk can ensue through incorrect user administration and faulty right
assignment. Users can access data or actions for which they have not been authorized.
• As a consequence, always very carefully consider which users are assigned which rights. As
administrator, you are responsible for professional user administration and assignment of
rights.

Note
Selecting a secure password
Always set a secure password for your connection to the OPC UA client! Further information on
selecting a secure password can be found in Section Passwords (Page 48).

8.1.8.4 User administration in the TIA Portal

The TIA Portal gives you the capability of using user administration for projects. In this way, for
example, a project can be protected against unintentional or unauthorized modification. A user
sets up the project protection to activate user management. This user is created as a project
administrator. Once the project protection has been activated, the project can only be opened
and edited by authorized users. Note that project protection cannot be revoked.
User administration via the TIA Portal is available for the SINUMERIK 840D sl and SINUMERIK
ONE controllers.

Industrial Security
68 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.1 SINUMERIK

UMC - User Management Component

In addition, you can install the "User Management Component UMC" software package, which
provides central user administration, on one or more computers.

Further information
Further information on the topic of secure user administration can be found in the TIA Portal
online help.

8.1.8.5 SIMATIC Logon

User administration and traceability

The SIMATIC Logon option package is used to set up access rights for products and libraries in
STEP 7. These projects can therefore only be accessed by an authorized group of people. SIMATIC
Logon can be used in conjunction with SINUMERIK STEP 7.
More detailed information can be found in Chapter Secure access control with SIMATIC Logon
(Page 92).

8.1.9 Data backup

There are different archive forms and archiving methods in the SINUMERIK for the different
components.

Time of the data backup

Perform a data backup at the following times:
• After commissioning
• After changing machine-specific settings
• After the replacement of a hardware component
• Before and after a software upgrade
• Before the activation of memory-configuring machine data
You can find further information in the following manuals:
• SINUMERIK 840Dsl Commissioning CNC Commissioning Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801198)
• Installation Manual SINUMERIK ONE New installation and upgrade

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 69
Product-specific security measures
8.1 SINUMERIK

Note the general information on secure data storage with regard to archives in Section Data
storage (Page 47).

NOTICE
Misuse of confidential data on the control system
On the control system, there is a risk of confidential data being misused.
• As a consequence, it is not permissible to load confidential data to the control (e.g. using the
"SINUMERIK Integrate Access MyMachine/P2P" software).
• Always store confidential data in an encrypted form locally on an encrypted storage location
in the network.

8.1.10 Disposal

NOTICE
Misuse of data resulting from insecure methods of deleting data
Incomplete or insecure deletion of data from memory cards or hard drives can lead to misuse
of the data of the part programs, archives, etc. by third parties.
• Therefore ensure that all storage media are securely deleted before disposing of the
product :
• There are programs that support you in securely deleting/formatting storage media.
Alternatively, contact a certified data destruction specialist to take care of this task.

Industrial Security
70 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

8.2 CNC Shopfloor Management Software

The following chapter provides you with an overview of the security-related measures you can
take to protect your CNC Shopfloor Management software products from threats. Detailed
descriptions and procedures can be found in the corresponding documentation of the CNC
Shopfloor Management software.

8.2.1 System overview

A leading-edge IT architecture is created based on the CNC Shopfloor Management Software,
more specifically, at three levels – "In Cloud", "In Line" and "In Machine". These levels correspond
to the 3 platforms "MindSphere", "MCenter" and "SINUMERIK/SINUMERIK Edge", with their
numerous tailored functions extending from the field to the cloud. 

In
Cloud MindSphere

In MCenter
Line

In SINUMERIK
SINUMERIK
Machine Edge

Figure 8-2 CNC Shopfloor Management Software

8.2.2 Cloud applications (In Cloud)

MindSphere provides state-of-the-art security during on-site data collection and when
transferring and saving to the Cloud.
The security framework is oriented on the principles of industry standards, e.g. IEC 62443,
International Organization for Standardization (ISO)/IEC 27001, and the Federal Office for
Information Security (BSI) and recommendations from authorities on working with data in
Cloud environments.
In accordance with proven communication practices of the industry, all communication
between the client and MindSphere is protected by TLS V1.2 via public end points.
Reliable x509 certificates from the Siemens Trust Center are used. These correspond to
the requirements of the European Telecommunications Standards Institute (ETSI) and of the
Certification Authority Browser Forum (CA/B Forum).
Further information on encryption for MindSphere can be found in
the MindSphere Whitepaper (https://www.plm.automation.siemens.com/global/en/topic/
mindsphere-whitepaper/28842).
Saved data is always saved by Siemens on high-performance servers in the computer centers
of the infrastructure providers. All of the infrastructure centers meet the highest standards

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 71
Product-specific security measures
8.2 CNC Shopfloor Management Software

for data security and are protected against cyber threats. As commercial providers of a Cloud
IaaS (Infrastructure as a Service), they provide higher security standards than typical private,
local facilities for data storage. The computer centers are operated in accordance with the
Best Practices of the industry.
As an additional layer of security, all of the Cloud infrastructure partners must ensure on-site
security measures such as electronic photo ID badges, card owner access control, biometrics,
digital video monitoring with recording and alarm monitoring.

Figure 8-3 MindSphere

8.2.2.1 Manage MyMachines

Security standards for SINUMERIK and other supported control systems with MindSphere
connection
The connection between control systems and MindSphere via TLS 1.2 /HTTPS complies with the
highest security standards.
SINUMERIK versions and software versions of other supported control systems that do not
comply with these standards are not part of the product. Additional security measures must
be taken for these versions.
You are solely responsible for preventing unauthorized access to your plants, systems,
machines, and networks. Systems, machines and components should only be connected to
the company network or the Internet when necessary. And if so, only if appropriate security
measures (e.g. use of firewalls and network segmentation) are in place.

NOTICE
Data misuse due to an unprotected Internet connection
An unprotected Internet connection can lead to data misuse, e.g. when transferring asset data.
Therefore, before you establish a network connection, make sure that your PC is connected to
the Internet only through a secure connection. Pay attention to the security-relevant notes.

Industrial Security
72 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

Plant and system security for SINUMERIK control systems/other supported control systems
The necessary security measures (e.g. virus scanners, firewalls, operating system patching, etc.)
must be implemented and updated on the control systems.

Operational safety of the PC

The necessary security measures (e.g. virus scanners, firewalls, operating system patching, etc.)
must be implemented on the PCs used for visualization and configuration of MindSphere
applications at the OEM or at the end user.

8.2.2.2 Manage MyMachines /Remote

Security measures and system hardening

Note
As user of Manage MyMachines /Remote, always ensure that you operate the product with the
latest versions of SINUMERIK Integrate client/client of other supported control systems and
Manage MyMachines /Remote Service Engineer and Machine Operator Clients. Also follow the
guidelines for industrial security contained in Chapters 1.3 and 2.3 of the Manage MyMachines /
Remote Function Manual (https://support.industry.siemens.com/cs/ww/en/view/109759394). 

SINUMERIK control systems and other supported control systems are connected to
MindSphere via "TLS 1.2 /HTTPS" complies with the highest security standards.  
The automatic confirmation of the machine identity, used in conjunction with token provided
in MindSphere for the onboarding of the machine, ensures that the correct machine is
accessed during a remote session. 

Disposal
To completely remove an installation of Manage MyMachines /Remote, you should ensure that
all of the software and certificates have been properly deleted from your Microsoft Windows
device or SINUMERIK control system or any other supported control systems, including backup
systems. The data will continue to be available in MindSphere, unless the tenant is closed.  
More information on the topic of disposal can be found in the Manage MyMachines /Remote
Function Manual (https://support.industry.siemens.com/cs/ww/en/view/109759394).
More information on general concepts for secure remote access to industrial plants can be
found in the following documents:
• cRSP IT Security Concept (https://support.industry.siemens.com/cs/ww/en/view/
109759394)
• Siemens common Remote Service Platform (cRSP) (https://www.downloads.siemens.com/
download-center/Download.aspx?pos=download&fct=getasset&id1=A6V11272777)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 73
Product-specific security measures
8.2 CNC Shopfloor Management Software

Secure archiving
When archiving your exported data, keep in mind that you are responsible for ensuring that this
data is archived securely.
This includes, for example, the following measures:
• Save exported data to an area with restricted access within the OEM/end user location:
– e.g. on SharePoints with access restrictions
– or databases with user administration/authorization
• Protect your encrypted data storage locations, such as SharePoints, against manipulation.
• If necessary, store your confidential or security-relevant data only as encrypted data on your
PC/system or in the network. Security-relevant data includes sensitive data such as archives,
passwords or executable files (*.exe).
• Regularly back up your security-relevant data and carefully protect it from loss and tampering.

See also
cRSP IT security concept (https://www.downloads.siemens.com/download-center/
Download.aspx?pos=download&fct=getasset&id1=A6V11272775)

8.2.2.3 Analyze MyPerformance

Note
For recommended security measures for the Analyze MyPerformance product, observe the
recommendations and measures for Manage MyMachines (Page 72).

8.2.3 PC/Server/Desktop applications (In Line)

8.2.3.1 MCenter

Access to the resources of the MCenter server

Note
Access to the resources of the MCenter server
Read and write access to the file system and resources of the operating system (in particular to
the Microsoft Windows Registry) of the MCenter server is only enabled for users with
administrator rights. Make sure that these administrator IDs have sufficiently strong passwords.

Industrial Security
74 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

NOTICE
Data manipulation possible
Within the production/machine network (intranet), there is a risk that a hacker can access the
file system of the MCenter server or the various MCenter clients. There, the hacker can
manipulate various system components (e.g. the content of databases). As a consequence, the
attacker can change tool data, NC programs, machine archives or the system structure itself,
for example. This type of attack cannot be prevented by MCenter.
• As the person responsible for the machine network, it is therefore imperative that you take
the appropriate industrial security measures for the production/machine network.

Use of open programming interfaces

NOTICE
Data misuse by using open programming interfaces
There is a potential risk of data misuse when using open programming interfaces.
• Therefore, when using open programming interfaces, only use clients that at least
communicate with the MCenter server via "TLS /https" communication paths.

Communication security for MCenter applications

The system is prepared for the use of the TLS protocol. All modules and services must
communicate via encrypted channels that meet current security requirements. Consequently,
the system is prepared to use the TLS protocol. The server requires a digital certificate that
confirms the identity of the server. You can purchase these items from certification bodies
(certification authorities). The certificate must be digitally signed. The clients must trust these
certificates. If you use your own generated, self-signed certificate, the master certificates must
be provided on the control elements on Linux and Windows computers. And the master
certificates must also be provided on TLS proxies when they are used. You are fully responsible
for the correct implementation and verification of your system.
If you are using an outdated client (e.g. a Microsoft Windows NT computer) that does not
support the required TLS protocols, you should use a hardware proxy to resolve this issue.
Such hardware can provide an additional encryption layer for the communication channel.
You must also ensure that the hardware proxy is appropriately and properly encrypted. The
hardware proxy is not part of the product.

Note
• For a secured communication (HTTPS) between a client and the server, you require a digital
certificate that confirms the identity of the server.
• If the database is running on a separate server, encrypted SQL communication requires a
certificate on the DB server.
For more information, see the Mcenter Installation Manual, sections "Setting up an encrypted
connection" and "Setting up encrypted communication for SQL server".

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 75
Product-specific security measures
8.2 CNC Shopfloor Management Software

System hardening
System hardening is the removal of all software components and functions that are not
absolutely required by the desired application to fulfill the intended task.
To protect your assets or production unit, you must have the appropriate knowledge and the
installed system must be hardened. System hardening should be based on the appropriate
Microsoft and other hardening guidelines. For example, you can find expert instructions in
CIS (Center for Internet Security) manuals or, if accessible, in documents available at the
company, or you can choose the source that best suits you.
Installation and maintenance technicians need to continuously improve their industrial
security knowledge because information security threats are increasing by the day. System
security risks are increasing continuously, and as a Siemens customer you need to prepare
accordingly.
You can reuse system configurations that have already been hardened. However, these
configurations should also be reviewed periodically and new rules must be applied.

System hardening of third-party software: Microsoft™ Internet Information Server,

Microsoft™ SQL Server, browsers
MCenter requires third-party software: For example, the Microsoft™ Internet Information
Server, Microsoft™ SQL Server products and various browsers. They must be hardened
according to the latest technology. In particular, restrict access to the Microsoft™ SQL Server
to the local host and protect access with a password. Encrypt access to the database. In
addition, you should only use current browsers for communication with the MCenter server.
Secure communication cannot be guaranteed when using outdated browsers (SSL instead of
TLS).

System hardening of neighboring products to MCenter

MCenter communicates with neighboring software products, e.g. tool setting stations or
Teamcenter. They must be hardened according to the latest technology so that there are no
negative effects via this communication path.
Finally, you must also have the knowledge and the experience to configure the IIS server. You
must always be prepared to respond to the actual hardship requirements. You are responsible
for making the correct system security settings in the client environment.

Examples:
• If a remote desktop connection is provided, the highest possible security configuration must
be ensured to avoid a possible MITM (man-in-the-middle) attack.
• Protect your system from code injection by using state-of-the-art technology and expertise.
• Store certificates securely so that they cannot be exported by unauthorized entities. In such
cases, you must follow the hardening guidelines when setting up.
• Servers must run in a secure, restricted server zone/server room that can only be accessed by
authorized personnel.
• Encrypt server memory or the data on it to prevent attacks on the system if the system is
physically compromised.
• Back up your system regularly to protect your data.
• The license server is provided or available only locally.

Industrial Security
76 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

Network file exchange via common drives

Note
Network file exchange via common drives (Server Message Block, SMB)
If you use SMBs for exchanging files with MCenter functions, only use standard authentication
mechanisms (user name / password). Also restrict the accesses for each user accordingly. Data
storage on shared drives should be kept to a minimum.

Virus scanner
Protect files from malware using appropriate protection measures, such as virus scanners.
Use an external virus scanner when uploading files with Mcenter and its applications.

Data backup
For data backup on machine tools, see Section "Data backup (Page 69)".
Create a backup copy of your data in the following cases:
• Before and after upgrading the software
• After setup/commissioning
• When changing the hardware configuration
• After replacing the hardware
• On a regular basis
The backup must contain all elements of Mcenter, such as:
• Database
• IIS configuration
• License server
• Applications

Firewall settings
Make absolutely sure that firewalls are "enabled" and only open ports that are actually used and
absolutely necessary for operation. Other ports must not be left open, as they could also provide
another attack surface.
If a remote desktop connection is provided, the highest possible security configuration must
be ensured to avoid a possible MITM (man-in-the-middle) attack.
Prepare yourself against DoS (Denial of Service) attacks, for example, by setting up
appropriate firewall rules, implementing an IPS (Intrusion Prevention System) and/or a WAF
(Web Application Firewall).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 77
Product-specific security measures
8.2 CNC Shopfloor Management Software

Phishing for passwords

Hackers could attempt to obtain login data that would allow them to perform actions within
Mcenter on behalf of the user. Hackers could, for example, forge Siemens e-mails and websites
and thus gain access to confidential information of Mcenter users. Users are then prompted, for
example, to enter access data into a form and then send it to their Mcenter organization.

Note
In case of suspicious e-mails, you should pay attention to the following:
• Be on your guard when you receive e-mails from someone you do not know, especially if the
e-mails contain links and attachments. Never open suspicious attachments and do not click
on any links in the e-mail.
• Carefully check the sender’s complete e-mail address.
• Check the integrity of the links embedded in the e-mail (e.g. by moving the mouse over the
link). Telltale signs are misspellings or links containing a confusing company name.
• Use digital signatures in e-mails.
• If in doubt, never disclose confidential information.

8.2.3.2 Cloud mode

If the AMM and AMC applications are used in cloud operation, the Siemens AG as operator
ensures the security of the SINUMERIK Integrate server. Customers only have to ensure the
security of the infrastructure on the machine side.

Firewall of the machine network

In contrast to standalone operation, a connection to the cloud server outside the machine and
company networks is required when using the SINUMERIK Integrate AMM and AMC
applications. The associated firewalls must enable the required ports. However, only the
required ports should be opened. Further information on the required firewall settings can be
found in the SINUMERIK Integrate Installation Manual, Section "System requirements".

Industrial Security
78 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

Phishing for passwords

"Phishers" could attempt to obtain login data, which would allow them to carry out actions
within SINUMERIK Integrate in the name of the user. Hackers could, for example, falsify e-mails
and websites from SIEMENS and thus gain access to confidential information from
SINUMERIK Integrate users. The users are then prompted, for example, to enter the access data
in a form and then send it to their SINUMERIK Integrate organization.

Note
You should observe the following when you encounter suspicious e-mails:
• Be on your guard when you receive e-mails from someone you do not know, especially if the
e-mails include links and attachments. Never open suspicious attachments and do not click
on any links in the e-mail.
• Carefully check the sender’s complete e-mail address.
• Check the integrity of the links embedded in the e-mail (e.g. by moving the mouse over the
link). Tell-tale signs are spelling mistakes or where links contain a confusing company name.
• Use digital signatures in emails.
• If in doubt, never divulge any confidential information.

Handling of confidential information

The communication route between the company's firewall and the SINUMERIK Integrate server
is protected against malicious attacks by secure communication protocols (TLS). Third parties
cannot eavesdrop on the transferred information or change it. Also note the company-specific
guidelines for the transfer of confidential information via AMM and AMC.

8.2.4 Control-related applications (In Machine, Industrial Edge for Machine Tools)

8.2.4.1 Industrial Edge for Machine Tools

Overview
The Industrial Edge for Machine Tools is a remote-controlled Edge device that functions as a
field gateway as well as a computation node for any user workload within an extended IoT/OT
architecture. Thus, Industrial Edge for Machine Tools allows a vertical flow of information and
data processing between all layers:
• In Machine
• In Line
• In Cloud
This also contains the temporary or permanent saving of process data. Industrial Edge for
Machine Tools thus has the task, through its security architecture, of not allowing any
regression/erosion of the present network security and of the data protection level. In order

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 79
Product-specific security measures
8.2 CNC Shopfloor Management Software

to not cancel the individual security mechanisms of the Industrial Edge for Machine Tools,
organizational support is also needed here. 

Industrial Security
80 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

Security features and security measures

'DWDIORZIURP,QGXVWULDO(GJHIRU0DFKLQH 'DWDIORZIURP0LQG6SKHUHWR
7RROVWR0LQG6SKHUH+7736#
,QWHUQHW

,QGXVWULDO(GJHIRU0DFKLQH7RROV
2QERDUGLQJLQIRUPDWLRQ +7736#LQLWLDWHGE\
8VDJHDQGELOOLQJGDWD

7/6
,QGXVWULDO(GJHIRU0DFKLQH7RROV
'HYLFHDQGDSSOLFDWLRQORJV &RQILJXUDWLRQGDWD
2SWLRQDO,R7GDWD )LUPZDUHDQGDSSOLFDWLRQV

2SWLRQDO

&RPSDQ\SUR[\LQFOILUHZDOO %URZVHU
PLQGVSKHUHLRDQG7&3SRUWPXVWEHUHOHDVHG GDWDEDVH
&RPSDQ\QHWZRUN

'DWDIORZIURP,QGXVWULDO(GJHIRU0DFKLQH
7RROVWRFRPSXWHUVLQWKHFRPSDQ\QHWZRUN 
7/6

,R7GDWDYLDWKH23&8$VHUYHURIWKH
,QGXVWULDO(GJHIRU0DFKLQH7RROV
23&7&3#
,R7GDWDDQGZHEFRQWHQWYLDWKHUHYHUVH
SUR[\RIWKH,QGXVWULDO(GJHIRU0DFKLQH
7RROV+7736#

9SRZHUVXSSO\ 6,180(5,.1&8

;3
;3
0DFKLQHQHWZRUN
LQWKHFRQWUROFDELQHW

;
'DWDIORZEHWZHHQ,QGXVWULDO(GJHIRU
0DFKLQH7RROVDQGWKH1&8
'DWDIORZIURPWKH23&8$VHUYHUWR 1&SURJUDPVSURFHVVHGE\WKH,QGXVWULDO
,QGXVWULDO(GJHIRU0DFKLQH7RROV (GJHIRU0DFKLQH7RROV
,R7GDWD +)SUREHGDWDDQGKHDUWEHDWVLJQDO
,R7GDWD

6&$/$1&(
2SWLRQDO23&8$VHUYHU

'DWDIORZ
:LULQJ
)RUVHFXULW\UHDVRQVOLPLWLQJRIWKHGDWDIORZDQGFHUWLILFDWHEDVHGDXWKHQWLFDWLRQLVDFWLYH

Figure 8-4 Connection and wiring Industrial Edge for Machine Tools

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 81
Product-specific security measures
8.2 CNC Shopfloor Management Software

The Industrial Edge for Machine Tools is equipped with 2 physical network connections
(RJ45), which, according to the manual, are to be used for connecting to the In Machine and
In Line level. Ensure that the port assignment is correct due to the following reasons: 
• The communication for the "In Machine" network is assumed to be unprotected for the most
part.
• No uncontrolled connectivity to higher-level networks (In Line, In Cloud) is possible for the
"In Machine" network. 
Through a multi-level network architecture, the Industrial Edge for Machine Tools ensures the
isolation of both networks, which is only overcome by an application-defined flow of data.
Due to the use of container technology, there are additional mechanisms for isolating the
workload (Edge application) with regard to network, memory and CPU resources. 
Communication of the Industrial Edge for Machine Tools in the direction of "In Cloud" and
"In Line" always takes place via an encrypted end-to-end channel (TLS 1.3). In addition,
communication of the Industrial Edge for Machine Tools with data bus is also protected
via an encrypted end-to-end channel (TLS 1.3). Supplemental to this, the integration into
a PKI-based trust chain is supported. This ensures both its restriction to only permitted
communication partners and a trustworthy transmission. For the in line exchange of data
in environments with special security requirements, client-based authorization via client
certificates is also possible.
The initial exchange of certificates needed for secure communication between the Edge
Management System (MindSphere / In Cloud) and Industrial Edge for Machine Tools (In Line)
takes place during what is known as the onboarding procedure. Onboarding includes the
exchange of a "shared secret", which connects a logical device (MindSphere asset) with a
physical device (Industrial Edge for Machine Tools). Since this exchange does not take place
via the same communication infrastructure, a compromise can be ruled out as early as
the onboarding procedure. A second aspect of the onboarding is the linking/integration of
the MindSphere IoT services (Timeseries Store, FileStore, Fleetmanager, etc.) in the correct
MindSphere tenants. The Industrial Edge for Machine Tools platform also ensures that no
data flow into a tenant or asset that is not defined for this purpose can be established at any
time.

Note
The requirement for using Industrial Edge for Machine Tools is a MindSphere tenant, including
a valid MindAccess account (at least IoT value plan S).

The Industrial Edge for Machine Tools communicates exclusively via "outgoing" connections.
This means that no exposition of the Industrial Edge for Machine Tools on the In Line or In
Cloud level is needed. Rather, this scenario is discouraged. Regardless of this configuration,
the accessibility of the MindSphere end points from Industrial Edge for Machine Tools
must be temporarily guaranteed. This concerns onboarding, the firmware update, or the (de)-
installation of Edge applications.  The Industrial Edge for Machine Tools allows applications
(Industrial App) to not only provide data via a controlled path In Cloud, but these applications
also provide user interfaces and/or interfaces (APIs), to allow new workflows (In Line) or to
supplement existing ones. Under certain circumstances, applications provide their own user
and access management options for this purpose. The associated security information can be
found in the relevant documentation. 
Communication of the Industrial Edge for Machine Tools with the SINUMERIK only takes
place via the "In Machine" network and is encrypted in accordance with the respective

Industrial Security
82 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

protocols. The authorization mechanisms vary depending on the protocol used, however.
Since some protocols are protected using weak protection mechanisms, it is important in
such cases to adhere to adequate password guidelines and to ensure within an organization
that passwords are never saved or are only saved in urgent cases. 
The Industrial Edge for Machine Tools is also protected against unwanted manipulation
or weakening of the security features on both the firmware and application levels by the
following features: 
• Measured / Secured Boot
• Full Disk Encryption
• Rootless Access 
To ensure a high level of security of the Industrial Edge for Machine Tools over a long period
of time, the firmware is continuously being further developed and hardened. This is required
to adapt to the ever intensifying cyber security threat situation. For this purpose, an update
mechanism is available as part of the Industrial Edge for Machine Tools firmware, which is
integrated into the corresponding IT process as part of a continuous security strategy.  

Note
Industrial Edge for Machine Tools Version 3.4.0 and higher provides MQTT with authentication
functions.

IP-based filtering (not recommended)

Users with IP-based filtering in their firewall can use the following two static IPs, which can be
added to the allow list for data upload traffic:
• 75.2.111.226
• 99.83.250.213
Dynamic IP addresses of the end point "resource.edge.mindsphere.io" are required to
provide firmware and applications for Industrial Edge for Machine Tools. They must
be downloaded from the Internet page (https://ip-ranges.amazonaws.com/ip-ranges.json//
XmlEditor.InternalXmlClipboard:219100ae-0ac2-89ab-0ca2-05d2451c4e26), where the IP
address ranges, for which the service is defined as CLOUDFRONT ("Service": "CLOUDFRONT"),
must be included in the allow list.

Note
A subscription for the "AmazonIpSpaceChanged" topic can be used to provide notification as to
when changes are made to the IP address ranges so that firewall rule sets can be automatically
updated: AmazonIpSpaceChanged (https://aws.amazon.com/blogs/aws/subscribe-to-aws-
public-ip-address-changes-via-amazon-sns/).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 83
Product-specific security measures
8.2 CNC Shopfloor Management Software

8.2.4.2 Analyze MyWorkpiece /Monitor

Overview
Analyze MyWorkpiece /Monitor is an "Industrial Edge for Machine Tools" application for
qualitative monitoring and evaluation of the machining process. For this purpose, various
measured values are stored during machining.

Users and rights

To access the Analyze MyWorkpiece /Monitor application, a local user on Industrial Edge for
Machine Tools must be assigned to the user group shown below. To do this, the system
administrator first creates a user group for the Industrial Edge for Machine Tools device. Then he
or she creates one user or more users assigned to this user group.
For more information about the user group, see Analyze MyWorkpiece /Monitor Installation
Manual (https://support.industry.siemens.com/cs/ww/en/view/109775323).
The following user group is available for Analyze MyWorkpiece /Monitor:

User group Authorizations

amwmonitor Access to all functions of Analyze MyWorkpiece /Monitor

Changing the password

Change your password at regular intervals.
1. Open the drop-down list at the top right of the title bar.
2. Click on "Change Password". (You will be redirected to the administration environment
"miniweb")
3. Change the password.
For more information on changing the password, see the Industrial Edge user
documentation.

Managing the MQTT service

In the user settings, Analyze MyWorkpiece /Monitor offers the possibility to configure a MQ TT
connection.
Notifications (MQTT notifications) can then be sent to an MQTT broker to inform MQTT
clients that a monitoring job has been completed and a report is available that can be
downloaded. For each completed monitoring job, Analyze MyWorkpiece /Monitor sends
an MQTT notification to the configured MQTT broker containing a download link for the
generated report, the corresponding monitoring results, and additional information about
the completed monitoring job.
The MQTT interface can be used as alternative to REST-API - or in conjunction with REST-API
- to obtain monitoring results and to avoid unnecessary REST queries. You can find additional
general information on the MQTT protocol at the MQTT homepage (https://mqtt.org).

Industrial Security
84 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

8.2.4.3 Analyze MyMachine /Condition

Overview
Analyze MyMachine /Condition is an application that analyzes and tracks the status of your
machine. Specific mechatronic tests as well as data analytical methods are used for this purpose.
The hybrid application consists of an Industrial Edge for Machine Tools and a MindSphere
application.

Users and rights

The system administrator creates user groups and users. It then assigns individual users to the
appropriate user group.
The following user groups are available for the Industrial Edge for Machine Tools application:

User group Authorizations

OEMMachineCommissioningEngineer • Display of measurements and measurement groups
• Create measurements and measurement groups
• Edit measurements and measurement groups
• Delete measurements and measurement groups
OEMServiceEngineer • Display of measurements and measurement groups
This role has no authorization to edit measurements.

The following user groups are available for the MindSphere application:
• Standard user: ammcondition
• Administrator: ammcondition
You can edit users and roles in the MindSphere application "MindSphere settings". More
information can be found at: MindSphere documentation (https://siemens.mindsphere.io/en/
docs/mindaccess.html)

Access levels at the SINUMERIK control system

Authorizations are assigned via the access levels on the SINUMERIK control system. Access levels
can be changed by entering a password or adjusting the keyswitch position.

Access level Authorization

0 Access level: SIEMENS
1 Access level: Machine manufacturer
2 Access level: Service
3 Access level: User
4 Access level: keyswitch position 3, programmer, machine setter
5 Access level: keyswitch position 2, qualified operator
6 Access level: keyswitch position 1, trained operator
7 Access level: keyswitch position 0, trainee operator

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 85
Product-specific security measures
8.2 CNC Shopfloor Management Software

Access levels of the SINUMERIK Authorization

user interface
0,1,2 Access for commissioning engineers
• Selecting and executing measurements that have not been ref‐
erenced
• Selecting referenced measurements
4,5,6,7 Access for machine operators
• Selecting referenced measurements
Note: If a measurement series is enabled on the control that has not
yet been referenced, then the machine operator cannot see this
measurement series.

Authentication of REST API

The Analyze MyMachine /Condition REST-API is hosted on the Industrial Edge for Machine Tools
"miniweb" administration environment. The following authentications are supported:
• Basis authentication
• Client certificate authentication
The following user groups are supported:
• OEMMachineCommissioningEngineer
• OEMServiceEngineer
You can find more information in the
Edge tutorial (https://new.siemens.com/global/en/markets/machinebuilding/machine-tools/
cnc4you/cnc4you-videos/edge-tutorials/edge-tutorial-7.html).

8.2.4.4 Protect MyMachine /3D Twin

Overview
Protect MyMachine /3D Twin visually represents the machining process and machine
movements using 3D simulation, calculates possible collisions in advance, and stops machining
when they are detected. For example, you can simulate and monitor the execution of NC
programs in AUTOMATIC mode, MDI mode or during manual traverse movements and tool
changes in JOG mode. Collision avoidance is based on a machine model of the real machine. This
model also describes the protection areas of the machine and is provided by the machine
manufacturer.
As an operator in PMM /3D Twin, you define the variable protection areas such as tools
with holders, stock and clamping operations. These are stored in a library. The "Collision
Avoidance" function regularly calculates the clearance with respect to protection areas from
collision pairs. If two protected areas approach each other and a defined safety distance is
reached, an alarm is displayed and the program is stopped before the corresponding traverse
block and/or traverse motion is stopped.

Industrial Security
86 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.2 CNC Shopfloor Management Software

Security disclaimer
The transport of exported files must be secured by technical means such as encrypted/signed
emails, encrypted/signed USB flash drives, etc., especially in public environments and on the
Internet.
Exported data files must be stored within the OEM end user area with restricted
access (e.g. restricted access to SharePoint, databases, etc.) by user administration,
e.g. with login information (see also security notes Using SINUMERIK Industrial
Edge for Machine Tools Protect MyMachine /3D Twin Operating Manual (https://
support.industry.siemens.com/cs/ww/en/view/109805644)).
The customer is responsible for secure communication between SINUMERIK and the Edge
Box. Options for maintaining a secure connection include:
• Point-to-point connection between and SINUMERIK and the Edge Box. Use of a short
communication line and device placement in the same cabinet as SINUMERIK.
• Protection of the logical and physical access points of the SINUMERIK system

Data backup
For data backup or transfer between machine projects, you can export and import "*.zip"
archives into the 3D simulation. You export/import the archive in the "Settings" tab.
The archive contains the following data:
• All library components (e.g. stocks, tool components)
• Tool data (tools with defined protected areas)
• Machine model
• Settings (holder diameter, language)

Note
You can export/import archives only when 3D simulation is not active.

Data storage, export and import

The 3D simulation uses a storage folder located on Samba Share. This folder is used, for example,
to save the exported data or to search for the data to be imported (e.g. library). Data can only be
exchanged via this folder. The folder is integrated as an external drive in SINUMERIK Operate.
If the term "storage folder" is used in the following description, the specification
refers to this path. For more information about "Samba Share", see SINUMERIK
Industrial Edge for Machine Tools Protect MyMachine /3D Twin Installation Manual (https://
support.industry.siemens.com/cs/ww/en/view/109805641).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 87
Product-specific security measures
8.3 SIMOTION

8.3 SIMOTION

SIMOTION security measures

The following section provides an overview of the Industrial Security features available for
SIMOTION (Motion Control) in order to protect your plant against threats.

Security functions
• There is only compiled code on the controller by default. For this reason, no upload and
consequently no re-engineering is possible.
• No modifications can be made to the configuration without the matching engineering
project.
• Know-how protection for source programs with password and encryption.
• Applicative copy protection for the configuration on the control system
• Detection of source code manipulation with the SIMOTION SCOUT engineering system.
• Activating/deactivating unused functions (web server, OPC UA server, ports, etc.)
• Use of the SIMATIC Logon for access to a project only with the appropriate rights.
• Virus scan and security updates for SIMOTION PC-based controllers (SIMOTION P).
A production plant is typically divided into several different network segments. These
"segments" are components that have the required security functions connected upstream.
They are shown with a padlock symbol in the overview graphic.

Operations level
PCS7 PCS7
WinCC WinCC UMTS

Softnet Securtiy
Internet
Client/Step 7…
Scalance
S623
Scalance XR324-12M DSL Modem Scalance M875

Step 7, TIA Portal,

SIMOTION SCOUT,
Control level
Scalance X308-2M
WinCC
SIMATIC S7-1500
CP1628 Scalance S612 mit CP 1543-1

SIMATIC S7 SIMATIC S7

SIMATIC S7-1200
HMI HMI

SIMOTION SIMATIC ET 200S/ SIMOTION SIMATIC ET 200S/

SINAMICS ET200SP SINAMICS ET200SP

Field level
Figure 8-5 Display of a typical production plant with protected areas

Industrial Security
88 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

Reference
Detailed descriptions and further procedures can be found in the corresponding SIMOTION
documentation.
Many products (SINUMERIK, SIMOTION, SINAMICS) contain OpenSSL. The following applies to
these products:
• This product contains software (https://www.openssl.org/) that has been developed by the
OpenSSL project for use in the OpenSSL toolkit.
• This product contains cryptographic software (mailto:eay@cryptsoft.com) created by Eric
Young.
• This product contains software (mailto:eay@cryptsoft.com) developed by Eric Young.

8.3.1 System hardening

8.3.1.1 Port security

Deactivating hardware ports

As of version 4.4, individual hardware ports of PROFINET interfaces (e.g. X150 interface ports)
can be set to Disable in the engineering system (HW Config) for SIMOTION devices. This prevents
devices being connected without permission and also increases security in terms of third-party
access to the system. You should therefore deactivate unused ports.

Note
A SIMOTION device can no longer be accessed via a deactivated PROFINET interface hardware
port.

The engineering system and the PN stack ensure that at least one port on each interface is
not set to Disable to prevent users locking themselves out. The default setting is Automatic
settings.

Further information
Further information on the logical Ethernet ports and protocols used for SIMOTION can be found
in the Communication with SIMOTION System Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801516), Chapter "Services used".

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 89
Product-specific security measures
8.3 SIMOTION

8.3.1.2 Virus scan, Windows security patches, SIMOTION P

General information on virus scanners

Once an industrial PC system is connected to the Internet, either directly or via an internal
company network, there is a danger that it can become infected with a virus. However, malicious
software is not only able to reach the system via the Intranet/Internet, but also, for example, via
a removable storage device (such as a USB memory stick) attached to the system for backing up
data.

SIMOTION P320 virus scanner

A virus scanner that runs on Microsoft Windows, as used in office or home computers, has a deep
impact on a system's processes. There are, for example, processes such as real-time scans or
regular system scans. Such interventions can cause performance issues for the system, and as
a result, for the SIMOTION Runtime software. Although the SIMOTION Runtime software runs in
a real-time environment, it still depends on the available system resources.

Note
Because of the resulting performance impairments, the installation and use of a standard virus
scanner on a SIMOTION P320 during system runtime is not permitted.

Using a virus scanner

As a standard virus scanner cannot be used for SIMOTION P320, an alternative procedure is
followed. The virus scanner is installed to a separately bootable Windows PE operating system.
It is started, for example, from a CD or a USB storage device and then performs a virus scan.

Note
FAQ Service & Support portal
More information on using a virus scanner on a SIMOTION P320 can be found in the FAQ "How
can a virus scanner be used on a SIMOTION P3x0?" (https://
support.automation.siemens.com/WW/view/en/59381507) which is available as a download
from the Service & Support portal.

8.3.2 Secure project storage

Project data storage in SIMOTION SCOUT

All relevant data, configurations and programs are stored in the project. Only the programs and
libraries encrypted via the know-how protection can be stored in a project. To protect the entire
project, you should protect the project data with conventional office solutions, e.g. password-
protected archives or encrypted hard disks.

Industrial Security
90 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

File structure
The SIMOTION SCOUT project data can come in the following formats:
Engineering data (ES)
• Standard storage: File structure in the project tree
STEP 7/TIA Portal and SIMOTION SCOUT objects in the project directory. These objects are not
secure and can be edited by anyone if there is no know-how protection for programs and
libraries or external file encryption is used. Programs in this context programs are
synonymous with units, which can contain the programs, function blocks and functions.
• XML data
Project data created via an XML export/import. The know-how protection is retained.
Runtime data (RT) - data on the CF card
• ZIP archive of the SIMOTION project (not binary).
The project archive is stored on the memory card of the respective SIMOTION controller
(CFAST, CF card, MMC). The archive can be transferred, e.g. via SIMOTION SCOUT or using
standard methods (FTP transfer).
• Binaries (zipped, unzipped)
Binaries contain the compiled, executable project with the configurations and applications.
Changes cannot be made during runtime without the SIMOTION SCOUT project because the
project is stored as binary data on the SIMOTION controller.
The following figure shows an example of possible project data storage with display of the
protected data.

File structure in the project tree

STEP 7, SIMOTION SCOUT

ZIP archive

XML file

Compiled in binary form

Encrypted programs,
Compiled in binary form, libraries and password-
cannot be decompiled protected modules
without the project

Figure 8-6 SIMOTION SCOUT project data storage

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 91
Product-specific security measures
8.3 SIMOTION

8.3.3 Know-how protection

8.3.3.1 Secure access control with SIMATIC Logon

User administration and traceability

The SIMATIC Logon option package is used to set up access rights for products and libraries in
STEP 7. These projects can therefore only be accessed by an authorized group of people. SIMATIC
Logon can be used in conjunction with SIMOTION SCOUT.

SIMATIC Logon supports the following functions:

• Assignment of individual authorization levels to users or user groups for the execution of
specific actions (e.g. read, write, transfer blocks).
• Logging of online activities and logon actions on the computer. Access and changes in the
project are reproducible.
• Assignment of authorization to users / user groups only for a limited time.
• Password aging strategies

Change log
A change log can be recorded when the access protection is activated. This includes, for
example:
• Activation
• Deactivation
• Configuration of access protection and the change log
• Opening and closing of projects and libraries including their download to the target system
as well as activities to change the operating state

8.3.3.2 Know-how protection in engineering

Know-how protection types

The know-how protection in SIMOTION SCOUT prevents unauthorized viewing and editing of
your programs. Multiple logins are possible. The standard login can be set for the engineering
session.
A distinction is made between two types of know-how protection:
• Know-how protection for programs and libraries
• Know-how protection for drive units (as of SINAMICS V4.5)
You set a login and a password under Project -> Know-how protection. The know-how
protection for the program is activated via the Set menu command. The programs contained
in the project are still visible to the user in this session, but the program names are displayed
with a padlock symbol.

Industrial Security
92 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

Programs and libraries

The know-how protection protects the programs and libraries in your project. Unauthorized
viewing and editing of your programs is prevented when the know-how protection is activated.
You can set the know-how protection for individual programs or for all programs in a project.
Access protection and encryption can be set in several levels for the following types of data:
• Programs (units in Structured Text (ST), Motion Control Chart (MCC) and LAD/FBD that
contain programs, function blocks, and functions)
• Drive Control Charts (DCC)
• Libraries

You can select three different security levels for the encryption:
• Standard
Access only with user login and password (backward compatible with versions before V4.2).
• Medium
Improved coding of the password (due to a new procedure, no backward compatibility
without knowledge of the password).
Programs and libraries can be recompiled at any time even without knowledge of the
password.
• High (only for ST source files in libraries)
Compilation is only possible after the password has been entered.
Protected libraries can also be used after an export without knowledge of the password,
because in this case the compilation result is also exported.
– An export without source texts is also possible when exporting libraries
Highest protection. Complete removal of the source texts in the engineering upon export.
The export only contains the compilation result (recompilation no longer possible).
The block interfaces are always visible.

Drive units in SIMOTION SCOUT

The know-how protection for drive units only applies online and is used to protect intellectual
property, in particular, the know-how of machine manufacturers, against unauthorized use or
reproduction of their products.
A detailed description can be found in Chapter Know-how protection (Page 101).

8.3.3.3 Copy protection for the configuration on the control system.

Copy protection for SIMOTION projects

Measures can be taken to tie the configuration to the memory card or the controller. This
prevents illegal duplication of the configuration.
The serial numbers of the CPU, memory card and DRIVE-CLiQ components in the application
can be queried via system functions. This enables the machine manufacturer to create a
block with an encryption algorithm which generates a key from the currently installed serial
numbers during runtime and compares it with a machine key. Each machine configuration

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 93
Product-specific security measures
8.3 SIMOTION

has a specific machine key which is generated by the machine manufacturer and stored in
the application, and which can be entered by the end customer, for example, via the HMI,
particularly during maintenance work.
In addition, special agreements can also be made regarding extended know-how protection
and copy protection through the use of a SIMOTION Open Architecture technology package.

Original machine Copied machine

Figure 8-7 Copy protection of binary SIMOTION SCOUT projects

8.3.4 Offline/online comparison

Project comparison
You can use the SIMOTION SCOUT/STARTER Project comparison function (start this via the Start
object comparison button) to compare objects within the same project and/or objects from
different projects (online or offline).
The offline/online comparison is used to detect in detail any subsequent manipulations of the
project data on the plant in comparison to your secured engineering data. Thus you check if
any unauthorized third parties accessed the system.
The following comparisons are possible:
• Offline object with offline object from the same project
• Offline object with offline object from a different project
• Offline object with online object
The project comparison in SIMOTION SCOUT contains all objects in a project, such as
SIMOTION devices, drive units, libraries, programs (units), technology objects, I/Os as well
as the configuration of the execution system.
The offline/online comparison provides support for service jobs or for detecting changes to
the project data.
It may, for example, be the case that inconsistencies are indicated when you switch to online
mode in the project navigator, i.e. there are deviations between your project in SIMOTION
SCOUT and the project loaded into the target system.

Industrial Security
94 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

Possible causes can include, for example:

• A program has been changed
• The result of compiling a program is different
• There is a deviation on the global device variables
• The execution system has been changed
• The hardware configuration has been changed
• A library has been changed
• A configuration data item for an axis has been changed
The object comparison allows you to establish these differences and, if necessary, run a data
transfer to rectify the differences.

Detailed offline/online comparison

You can determine specific differences between the offline and the online project by performing
a complete project comparison. If there are discrepancies, you can determine the changes/
manipulation to the source code down to the program line level, when the additional
information (source information) has also been stored on the target system during the
download. This is also possible with the LAD/FBD and MCC graphical programming languages.

Figure 8-8 Example of ST detail comparison

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 95
Product-specific security measures
8.3 SIMOTION

8.3.5 SIMOTION IT Web server

Introduction
SIMOTION devices provide a Web server with preprepared standard websites. These websites
can be displayed via Ethernet using a commercially available browser. Additionally, you have the
option of creating your own HTML websites and incorporating service and diagnostic
information. The web server can be deactivated. If the Web server is active, secure operation of
the plant can be ensured via the integrated security concept and the user administration.

Deactivating/activating the Web server

The Web server with all functions and services can be activated or deactivated in the SIMOTION
SCOUT or SIMOTION SCOUT TIA project under the hardware configuration of the controller. You
can activate or deactivate individual functions.

Figure 8-9 Activating the SIMOTION IT Web server functions in SIMOTION SCOUT or SIMOTION SCOUT TIA

Note
To activate the Web server, you must establish a user administration scheme with password-
protected user access.

Security concept of HTTP/S, FTP and Telnet access on the Web server
As of version V4.4, access to the SIMOTION IT Web server is protected by a multi-level security
concept.
The security status of the Web server is indicated by the security level on the website. This
security level can have three different levels: Low, Normal, High

Industrial Security
96 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

Security Level Low

The device is supplied with an empty user database. No projects exist yet. The security level is
low to allow configuration of the device.
• In this state, access to the Web server as an anonymous user is possible to enable use of
functions such as the project and firmware update or OPC XML.
• FTP and Telnet access are also possible.
• New users can be entered in the empty user database.

Security Level Normal

The controller has a user database. A project exists on the controller and HTTP, HTTPS, FTP,
and Telnet are activated in the hardware configuration.
• User password authentication is required for access to websites with sensitive content (e.g.
firmware update, watch table, etc.), FTP and Telnet.
As soon as a project has been loaded to the controller, Security Level Normal is active, with
an empty user database as required. Standard websites are still visible. All other websites can
only be accessed with the necessary authentication.

Security Level High

High security with maximum access protection:
• HTTP, HTTPS, FTP and Telnet have been deactivated via the project in the hardware
configuration. Access to the Ethernet via the various ports of the services is then no longer
possible. The Web server cannot be used.

User management
SIMOTION IT uses a user database to safeguard access to a device. The groups are stored in the
user database along with their assigned users. The defined user groups can be assigned access
rights to the individual Web server websites. The Web server is accessed after the
authentication.

Authentication
• There are users (USERs).
• Each user has a password. This is encrypted.
• Users belong to groups (GROUP).
• Websites, directories, and applications are protected by secure areas defined for each group.
• Only users that belong to the secure area can access the protected website.
• Each secure area has a group of users who have access authorization.
• A user can belong to different groups.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 97
Product-specific security measures
8.3 SIMOTION

Encrypted data transfer (HTTPS)

The Web server can be accessed via an HTTP as well as an HTTPS connection. The Transport Layer
Security protocol (TLS) in HTTPS enables encrypted data transmission between a client
(browser) and the SIMOTION controller (web server). Secure transmission can be forced by
deactivation of the HTTP port for security reasons.
Certificates must be generated and installed for encrypted communication between the
browser and the Web server. A device comes supplied with a standard root certificate and
a private key of the Web server as a file. These files should be replaced with your own to
increase the security of HTTPS access to the device.

Key files
• Delivery state
In order for you to be able to access the SIMOTION controller via the SIMOTION IT diagnostics
standard websites (in their delivery state) via HTTPS, a root certificate and a private key are
supplied as a file on the device.
• Creating the TLS certificate yourself
Using the Perl Tool and the Perl Script (cert.pl) provided, the certificates required for customer
facilities (sites) can be generated and combined to form packages that can be loaded.
There are two ways of acquiring your own server certificate (TLS certificate):
• Create a root certificate (self-signed) and a private key using a certificate software.
• Purchase a server certificate from a certificate authority.

Importing the TLS certificate into the browser

If you use TLS with your own certification authority, you will need to prepare your PCs for
communication with the SIMOTION control. To do this, the root certificate must be added to
the list of certificates in your browser.

Further information
Further information on the SIMOTION IT web server can be found in the following
documentation:
• SIMOTION IT Diagnostics and Configuration Diagnostics Manual (https://
support.industry.siemens.com/cs/de/en/view/109767636)
• SIMOTION IT OPC UA Programming Manual (https://support.industry.siemens.com/cs/de/en/
view/109767638)
• SIMOTION IT Programming and Web Services Programming Manual (https://
support.industry.siemens.com/cs/ae/en/view/109801546)
• SIMOTION IT Virtual Machine and Servlets Programming Manual (https://
support.industry.siemens.com/cs/de/en/view/109767639)

Industrial Security
98 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.3 SIMOTION

8.3.6 OPC UA server

Introduction
SIMOTION has implemented an OPC UA server with DA (Data Access).
OPC UA binary encoding is supported. Access to an arbitrary OPC UA client can be protected
via authentication and encrypted data transfer.

Configuration

Note
Before connecting to the OPC UA server, ensure that the environment is secure and install a
hardware-based intermediate layer (e.g. DMZ network, firewall, SCALANCE S modules, etc.).

The OPC UA server can be activated or deactivated via HW Config from TIA Portal or STEP 7.

Figure 8-10 Activating the SIMOTION IT Web server functions in SIMOTION SCOUT or SIMOTION SCOUT TIA

Further settings are made via the SIMOTION IT Web server configuration masks:
• Enabling of the Ethernet interface and associated port of SIMOTION for the OPC UA access.
• Definition of the user name, password and user group as part of the user administration of
the SIMOTION IT Web server.
• Handling of the certificates for the encryption of the data transfer.

Further information
Further information on the OPC UA server can be found in the SIMOTION IT OPC UA
Programming Manual (https://support.industry.siemens.com/cs/ww/en/view/109801547).

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 99
Product-specific security measures
8.3 SIMOTION

8.3.7 Disposal

NOTICE
Data misuse
Unsafe disposal of the storage media (CF card/CFast/SSD) can lead to misuse of the data of the
part programs, archives, etc. by third parties.
• Therefore, ensure that the data on the storage media that is used is securely deleted before
disposing of the product.
Use programs that support you in securely deleting/formatting storage media.

Industrial Security
100 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

8.4 SINAMICS
The following chapter provides you with an overview of the Industrial Security features available
for SINAMICS to protect your converters from threats. In the following, you will find topics which
you should pay special attention to regarding Industrial Security:
• Write and know-how protection
• Parameters: Access levels
• Using the memory card
• Note on Safety Integrated
• Communication services and used port numbers
• Web server
• Information about individual interfaces
• SINAMICS Startdrive and STARTER
• SINAMICS Drive Control Chart (DCC)
Detailed descriptions and procedures can be found in the corresponding SINAMICS
documentation.
Many products (SINUMERIK, SIMOTION, SINAMICS) contain OpenSSL. The following applies to
these products:
• This product contains software (https://www.openssl.org/) that has been developed by the
OpenSSL project for use in the OpenSSL toolkit.
• This product contains cryptographic software (mailto:eay@cryptsoft.com) created by Eric
Young.
• This product contains software (mailto:eay@cryptsoft.com) developed by Eric Young.

8.4.1 Network security

Note
SINAMICS products may only be used in a secure and trusted network. Observe the information
on this topic in Chapter "Network segmentation (Page 38)".

8.4.2 Know-how protection

Some SINAMICS converters provide you with a "Know-how protection" function: This function
offers you protection of your intellectual property, especially the know-how of machine
manufacturers against unauthorized use, modification or reproduction of their products.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 101
Product-specific security measures
8.4 SINAMICS

Effect
Adjustable parameters which are not recorded in an exception list can neither be read nor
written.

Exceptions

• The know-how protection does not affect parameters that are provided with the following attributes:
  • KHP_WRITE_NO_LOCK
– These parameters are excepted from the know-how protection and can therefore be written to despite
the know-how protection.
– For a list of these parameters, see the List Manual of the respective product.
– These parameters are not included in the exception list.
  • KHP_ACTIVE_READ
– These parameters can also be read, but not written, with activated know-how protection.
– For a list of these parameters, see the List Manual of the respective product.
– These parameters are not included in the exception list.
• Know-how protection does not prevent the execution of certain functions:
  • In particular, the "Restore factory settings" function is still possible despite know-how protection.
• For a full list of executable functions, please refer to the following references.

Further information
For more information on this topic, see the following references:
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771805)
Chapter "Know-how protection"
• SINAMICS G110M operating instructions (https://support.industry.siemens.com/cs/de/en/
view/109757594)
Chapter "Know-how protection"
• SINAMICS G120 Operating Instructions
Chapter "Know-how protection"
• SINAMICS S and SINAMICS G List Manuals
Section "Parameters for write protection and know-how protection"
• SINAMICS G130, G150 and S150 Operating Instructions
Chapter "Know-how protection"

Industrial Security
102 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

8.4.3 Parameters: Access levels and password

For the G110M, G120, G130, G150, S110, S120 and S150 series devices, the SINAMICS
parameters are divided into the access levels 0 to 4. With the aid of the access levels, you can
specify which parameters can be modified by which user or input/output device:
• With the aid of parameter p0003, you can specify which access levels you can select with the
BOP or IOP.
• Parameters of access level 4 are password-protected and only visible for experts up to
SINAMICS RT V4.9.
The SINAMICS S and SINAMICS G List Manuals specify in which access level the parameter can
be displayed and changed.

Further information
For detailed information on this topic, see the following references:
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771805)
Chapter "Parameters"
• SINAMICS S120 Safety Integrated Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771806)
Section "Handling the safety password"
• SINAMICS G110M List Manual
Chapter "Overview of parameters"
• SINAMICS G120 Operating Instructions
Chapter "Parameters"
• SINAMICS S and SINAMICS G List Manuals
Section "Explanation of the list of parameters"
• SINAMICS G130, G150 and S150 Operating Instructions
Chapter "Parameters"

8.4.4 Using the memory card

The memory card must be handled with particular care for all SINAMICS devices that use a
memory card so that no malicious software or erroneous parameterizations are spread between
different commissioning PCs or inverters.

WARNING
Risk of death due to software manipulation when using exchangeable storage media
Storing files onto exchangeable storage media amounts to an increased risk of infection of the
commissioning PCs, e.g. with viruses or malware. Incorrect parameter assignment can cause
machines to malfunction, which can lead to injuries or death.
• Protect files stored on exchangeable storage media from malicious software using
appropriate protection measures, e.g. virus scanners.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 103
Product-specific security measures
8.4 SINAMICS

WARNING
Risk of death due to software manipulation when using exchangeable storage media
Storing the parameterization (incl. Safety Integrated parameterization) on exchangeable
storage media carries the risk that the original parameterization (with Safety Integrated) will be
overwritten, for example, by the memory card of another drive without Safety Integrated.
Incorrect parameter assignment can cause machines to malfunction, which can lead to injuries
or death.
• Ensure that only the memory card that belongs to the respective inverter is used.
• Ensure that only trained or authorized personnel have access to the enclosures, cabinets or
electrical equipment rooms.

8.4.5 Safety Integrated

To actually reduce the risk for machines and plants through the use of Safety Integrated
functions, working with Safety Integrated functions requires special care for all SINAMICS
devices that have it.

DANGER
Unexpected movement of machines caused by inactive safety functions
Inactive or non-adapted safety functions can trigger unexpected machine movements that
may result in serious injury or death.
• Observe the information in the appropriate product documentation before commissioning.
• Carry out a safety inspection for functions relevant to safety on the entire system, including
all safety-related components.
• Ensure that the safety functions used in your drives and automation tasks are adjusted and
activated through appropriate parameterizing.
• Perform a function test.
• Only put your plant into live operation once you have guaranteed that the functions
relevant to safety are running correctly.

Note
Important safety notices for Safety Integrated functions
If you want to use Safety Integrated functions, you must observe the safety instructions in the
Safety Integrated manuals.

Industrial Security
104 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

8.4.6 Backing up and restoring data

8.4.6.1 Backup and restore

SINAMICS provides several procedures for backing up and restoring your data. In the
documentation ("More information") you will find which procedures can be used with which
devices.

Webserver/Startdrive
The "Back up and restore" function provides you with the following options:
• Backing up parameters that have already been set
• Assigning a name to the backup file
• Restoring parameters from a valid parameter backup and loading them to the drive
• Restore drive factory settings

Smart Access Module

• Via the backup web page, you can back up parameters to the Smart Access Module and
download the backup file to your local hard drive.
• Via the restore web page, you can upload, download, delete or restore the selected file.

SINAMICS V20 parameter loader

Up to 100 parameter sets with parameter settings can be written from the memory card to the
converter or saved from the converter to the memory card without connecting the converter to
the line supply.

More information
For detailed information on this topic, see the following references.
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109781535)
Chapter "Web server"
• SINAMICS S120 Commissioning Manual with Startdrive (https://
support.industry.siemens.com/cs/ww/de/view/109781583/en)
Chapter "Saving settings on the memory card of the drive"
• SINAMICS S210 Operating Instructions (https://support.industry.siemens.com/cs/ww/en/
view/109771824)
Chapter "Backup and restore"
• SINAMICS G120 Operating Instructions "SINAMICS G120 Smart Access" (https://
support.industry.siemens.com/cs/ww/en/view/109771299)
Chapter "Backup and restore"

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 105
Product-specific security measures
8.4 SINAMICS

• SINAMICS G130, G150 and S150 Operating Instructions

Chapter "Web server"
• SINAMICS V20 Operating Instructions (https://support.industry.siemens.com/cs/de/de/view/
109768394/en)
Chapter "Commissioning via the SINAMICS V20 Smart Access" and "Parameter loader"

8.4.6.2 Redundant data backup

Saving settings outside the converter

We recommend that you additionally back up the settings on a storage medium outside the
converter. Without a backup, your settings will be lost in the event of a converter failure.
The following storage media are available for your settings:
• Memory card
• PG/PC
• Operator panel
In the documentation ("More information") you will find which procedures can be used with
which devices.

SINAMICS S120
In conjunction with the "Firmware update via the web server" and the associated remote access,
the "Redundant data backup on a memory card" provides safe access again to the device in the
event of an interruption of the connection or the power supply. This redundant data backup
cannot be deactivated.

8.4.6.3 Redundant_backup_more_info

More information
For detailed information on this topic, see the following references.
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109781535)
Chapter "Redundant data backup on a memory card"
• SINAMICS S120 Commissioning Manual with Startdrive (https://
support.industry.siemens.com/cs/ww/de/view/109781583/en)
Chapter "Saving settings on the memory card of the drive"
• SINAMICS S210 Operating Instructions (https://support.industry.siemens.com/cs/ww/en/
view/109771824)
Chapter "Backup and restore"
• SINAMICS G Operating Instructions

Industrial Security
106 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

• SINAMICS G130, G150 and S150 Operating Instructions

• SINAMICS V20 Operating Instructions (https://support.industry.siemens.com/cs/de/de/view/
109768394/en)
Chapter "Backup and restore"

8.4.7 Communication services and used port numbers_Further_information

For detailed information on this topic, see the following references:
• SINAMICS S120
– Starting from firmware Version 5.2
SINAMICS S120 Communication Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109771803)
– Older firmware versions
SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771805)
– Including: Section "Communication services and used port numbers"
• SINAMICS G Function Manual Fieldbuses (https://support.industry.siemens.com/cs/ww/de/
view/109757336/en)
Section "Ethernet and PROFINET protocols that are used"
• SINAMICS G130, G150 and S150 Operating Instructions
Chapter "Communication services and used port numbers"

8.4.8 Communication services and used port numbers

SINAMICS converters support specific communication protocols. The address parameters, the
relevant communication layer, as well as the communication role and the communication
direction are decisive for each protocol. You require this information to match the security
measures for the protection of the automation system to the used protocols (e.g. firewall). Some
of the security measures described here are restricted to Ethernet and PROFINET networks.

8.4.9 Integrated web server

The SINAMICS web server provides information on a SINAMICS device via its websites. This is
accessed via an Internet browser.

Data transfer
In addition to the normal (unsecured) transmission (http), the Web server also supports secure
transmission (HTTPS). Secure transmission (HTTPS) is the recommended setting.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 107
Product-specific security measures
8.4 SINAMICS

Note
Smart Access Module
The web server of the Smart Access Module does not support secure transmission (HTTPS).
Alternatively, you can use an encrypted WLAN transmission.

By entering "HTTP://" or "HTTPS://" in front of the address of the drive, you can decide yourself
whether normal or secure transmission is used to access the data.
For safety reasons, secure transmission can be forced by deactivation of the http port.

Access rights
The normal protection mechanisms of SINAMICS also apply for access via the web server,
including password protection. Further protective mechanisms have been implemented
especially for the Web server. Different access options have been set for different users,
depending on the function. The parameter lists are protected so that only users with the
appropriate rights can access or change the data.

Further information
For detailed information on this topic (e.g. the supported Internet browsers), see the following
references:
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109781535)
Section "Web server"
• SINAMICS S210 Operating Instructions (https://support.industry.siemens.com/cs/ww/en/
view/109771824)
• SINAMICS V20 Operating Instructions (https://support.industry.siemens.com/cs/de/de/view/
109768394/en)
• SINAMICS G120 Smart Access Operating Instructions (https://
support.industry.siemens.com/cs/ww/en/view/109771299)
• SINAMICS G130, G150 and S150 Operating Instructions

8.4.9.1 Certificates for the secure data transfer

Protecting the HTTPS access

The "Transport Layer Security" (TLS) protocol enables encrypted data transfer between a client
and the SINAMICS drive. HTTPS access between the browser and the drive is based on Transport
Layer Security.
The encrypted variant of communication between the browser and the Web server using
HTTPS requires the creation and installation of certificates (default configuration, self-created
certificates or server certificates from a certification authority).

Industrial Security
108 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

TLS
Transport Layer Security (TLS V1.2 or higher) is a hybrid encryption protocol for secure transfer
of data in the Internet.

Key files
You need 2 key files (a public certificate and a private key) for the encryption method used by the
Transport Layer Security.

Certificate handling
The necessary certificate and key is generated on the drive so that you can access the drive
via HTTPS in the SINAMICS as delivered. For this reason, the firmware certificate should
only be used in secure networks (e.g. PROFINET below a PLC) or for direct point-to-point
connections on the service interface X127.
Instead, use a certificate confirmed by an external certification center. The references cited in
the following contain a detailed description of the procedure.

Further information
For detailed information on this topic, see the following references:
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771805)
Section "Certificates for the secure data transfer"
• SINAMICS G130, G150 and S150 Operating Instructions

8.4.10 Information about individual interfaces

X127 LAN (Ethernet)

Ethernet interface X127 is intended for commissioning and diagnostics, which means that it
must always be accessible. Note the following restrictions for the X127 interface:
• Only local access is possible
• No networking or only local networking in a locked control cabinet permissible
If you require remote access to the control cabinet, then you must apply additional security
measures so that misuse through sabotage, data manipulation by unqualified persons and
intercepting confidential data are completely ruled out.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 109
Product-specific security measures
8.4 SINAMICS

X140 serial interface (RS232)

You connect an external HMI device for operator control/parameter assignment via the serial
interface X140.

NOTICE
Access to the inverters only for authorized personnel
Unauthorized persons may be able to damage or alter production equipment as a result of gaps
in a company's physical security. Confidential information can also be lost or altered as a result
of this. You can prevent this if you protect the company site and the production areas
accordingly.
• You can find information on suitable protective measures in Section "Physical protection of
critical production areas (Page 36)".

X150 LAN (Ethernet)

The network with which interface X150 is connected must be separated from the rest of the
plant network in accordance with the Defense in Depth concept (see Chapter "General security
measures (Page 33)"). Access to cables and possibly open connections must be implemented in
a protected fashion, as in a control cabinet.

X1400 LAN (Ethernet)

The network with which interface X1400 is connected must be separated from the rest of the
plant network in accordance with the Defense in Depth concept (see Chapter "General security
measures (Page 33)"). Access to cables and possibly open connections must be implemented in
a protected fashion, as in a control cabinet.

Further information
For detailed information on this topic, see the following references:
• SINAMICS S120
– SINAMICS S120 Control Units and Additional System Components Equipment Manual
(https://support.industry.siemens.com/cs/de/en/view/109771804)
Section on the respective interfaces
– Starting from firmware Version 5.2: SINAMICS S120 Communication Function Manual
(https://support.industry.siemens.com/cs/ww/en/view/109771803)
– Older firmware versions:
SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/de/en/view/109771805)
• SINAMICS G and SINAMICS S Operating Instructions
• SINAMICS V90 Operating Instructions

Industrial Security
110 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

8.4.11 Disposal

NOTICE
Data misuse resulting from unsafe disposal of the product
Unsafe disposal of the product can lead to misuse of the parameter data by third parties.
• Therefore, before disposal, restore all the parameters to the factory settings.
You can find further information on restoring the factory settings in the Function Manual or
Operating Instructions of the respective product.

NOTICE
Data misuse resulting from unsafe disposal of the memory card
Unsafe disposal of the memory card can lead to misuse of the data etc. by third parties. Among
other things, the data backups required for operating the converter are located on the memory
card.
• Therefore, ensure that the data on the memory card is securely deleted before disposing of
the product. There are programs that support you in securely deleting/formatting the
memory card.
• This concerns all products that have a memory card.

Note
Deleting user-defined certificates
Make sure you securely remove all user-defined certificates before disposing of a SINAMICS
product. A hacker can use your certificates to gain access to your protected data transmission.
• Products with memory card
– Delete the files SINAMICS.key and SINAMICS.crt from the directory
OEM\SINAMICS\WEB\WEBCONF\CERT on the memory card.
• Products with optional memory card (e.g. SINAMICS S210)
– Create empty files ("SINAMICS.key" and "SINAMICS.crt") with the corresponding file
names.
– Copy these files to the memory card.
– Insert the memory card into the converter.
– Restart the converter.
– Alternatively, when you no longer need data from the memory card: reformat the
memory card.
You can find further information in the Function Manual or Operating Instructions of the
respective product.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 111
Product-specific security measures
8.4 SINAMICS

8.4.12 SINAMICS Startdrive and TIA Portal

8.4.12.1 Malfunctions of the machine as a result of incorrect or changed parameterization

WARNING
Malfunctions of the machine as a result of incorrect or changed parameterization
As a result of incorrect or changed parameterization, machines can malfunction, which in turn
can lead to injuries or death.
• Protect the parameter settings against unauthorized access.
• Respond to possible malfunctions by applying suitable measures (e.g. EMERGENCY STOP or
EMERGENCY OFF).

8.4.12.2 SINAMICS Startdrive

Startdrive in the TIA Portal

SINAMICS Startdrive is an option package in the TIA Portal with which SINAMICS drives are
commissioned. With regard to Industrial Security, you must consider the corresponding
specifications for SINAMICS drives and for the TIA Portal.
In addition to the commissioning of single drives, you can also use Startdrive to configure
drives on SIMATIC control systems such as the S7-1500. Information on how to proceed with
SIMATIC controllers can be found in the TIA Portal online help at "Configuring networks".

Commissioning computer
Ensure the security of the commissioning computer. Follow the general security measures
(Page 33) for this purpose.

Device know-how protection

• You can protect the parameterization of your drive from unauthorized access via the "know-
how protection" function.
• The function is only available online.
• Device know-how protection is supported as of Startdrive V16.

Security functions
• Activation/deactivation of unused functions (web server, ports)
• Write protection for the parameter assignment, p-parameters are readable, but not
writeable, protects against unintentional changes to the parameter assignment (only
available online).

Industrial Security
112 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

Protecting backup files in the Windows file system

If you create backup files of charts or projects with Windows tools, also protect these files with
Windows tools against unauthorized access using secure passwords. The Startdrive project itself
is protected for integrity.

Scripting (Openness)
Scripts (Openness) are used for automating sequences in Startdrive. You must therefore test the
scripts before using them on machines.

WARNING
Risk due to incorrect configurations for automated operating actions
Scripting provides the extensive automation options that are required to be able to automate
manual operator actions in the Startdrive tools and therefore to optimize the time required for
the recurring configuration of projects and tasks.
The script programmer and the script user are responsible for the operator actions
implemented in scripting.
Incorrect configurations that are not discovered in tests can result in serious physical injury or
death.
• Run systematic tests on new and modified scripts to verify and validate them.
• Before running a script, make sure it has the correct content. Verify and validate the results
of script execution by tests on the machine.

As for DCCs, scripts can also be protected via know-how protection.

8.4.12.3 SINAMICS STARTER

Commissioning drives with STARTER

Drives of the MICROMASTER and SINAMICS families can be commissioned with STARTER. An
integrated version of STARTER is contained in SIMOTION SCOUT. For information on SIMOTION
SCOUT, see "SIMOTION (Page 88)".

Commissioning computer
Ensure the security of the commissioning computer. Follow the general security measures
(Page 33) for this purpose.

Protecting backup files in the Windows file system

If you create backup files of charts or projects with Windows tools, also protect these files with
Windows tools against unauthorized access using secure passwords.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 113
Product-specific security measures
8.4 SINAMICS

Security functions
• Know-how protection for the parameter assignment, scripts and DCCs and DCC libraries with
password and encryption
• Copy protection for the configuration on the drive unit. The project can only be opened
together with the original card.
• Detection of parameter manipulation with STARTER via the project comparison, see also
"Offline/online comparison (Page 94)"
• Activation/deactivation of unused functions (web server, ports), see also "Integrated web
server (Page 107)"
• Write protection for the parameter assignment, p-parameters are readable, but not
writeable, protects against unintentional changes to the parameter assignment (only
available online).

Know-how protection for drive units

In addition to the know-how protection for DCCs, DCC libraries and scripts, you can also protect
the parameter assignment of your drive against unauthorized access via the know-how
protection for the drive. The function is only available online. See also "Know-how protection
(Page 101)".

Scripting
Scripts are used for automated execution in STARTER. You must therefore test the scripts before
using them on machines.

WARNING
Risk due to incorrect configurations for automated operating actions
Scripting provides the extensive automation options that are required to be able to automate
manual operator actions in the STARTER/SCOUT tools and therefore to optimize the time
required for the recurring configuration of projects and tasks.
The script programmer and the script user are responsible for the operator actions
implemented in scripting.
Incorrect configurations that are not discovered in tests can result in serious physical injury or
death.
• Run systematic tests on new and modified scripts to verify and validate them.
• Before running a script, make sure it has the correct content. Verify and validate the results
of script execution by tests on the machine.

As for DCC charts, scripts can also be protected via know-how protection.

Industrial Security
114 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

8.4.13 SINAMICS Drive Control Chart (DCC)

8.4.13.1 Industrial security with SINAMICS DCC

Overview
SINAMICS Drive Control Chart (DCC) offers a modular, scalable technology option, which has
chiefly been developed for drive-related, continuous open-loop and closed-loop control
engineering tasks within the drive.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 115
Product-specific security measures
8.4 SINAMICS

With the Drive Control Chart Editor based on CFC, you configure the technology functions
with DCC for SINAMICS drives graphically.
• Startdrive
The following figure shows the data flow of the configuration data when configuring with
SINAMICS DCC:
7,$3RUWDO

3URMHNWWUHH  3ODQ  7DVN&DUGV 

3URMHFW '&&6WDQGDUGEORFNV
'ULYHXQLW $OO%ORFNV 

, $''
,  ,
, ,
,
$''

/LEUDULHV
08/


 

① Loading
② Import of DCB libraries
Figure 8-11 Flow of configuration data: TIA-DCC

• STARTER
The following figure illustrates the data flow of the configuration data when configuring with
SINAMICS DCC and the ways to protect the configured/programmed DCC sources:

Industrial Security
116 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

'&&&)&

$GG

0XO

&RQILJXULQJ &RPSLOLQJ

%DFNXSLQWKHILOHV\VWHP
67$57(5FKDUWVDQGOLEUDULHV

%ORFNW\SHLPSRUW /RDGLQJ

'&%OLEUDU\6,1$0,&6
6,1$0,&6

'&&OLEUDU\6,1$0,&6
'&&

Figure 8-12 Flow of configuration data: Example for DCC Classic V2.1 ... V3.4 (STARTER)

Startdrive: Option package DCC

Note the following special features regarding Startdrive:
• DCC does not provide a backup in the file system.
• The DCB libraries used are loaded implicitly with the project into the target device
• DCC does not offer any chart know-how protection

Commissioning computer
Ensure the security of the commissioning computer. Follow the general security measures
(Page 33) for this purpose.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 117
Product-specific security measures
8.4 SINAMICS

Using know-how protection

DCCs, DCC libraries, programs and backup files are subject to an increased risk of manipulation.
Therefore, use the know-how protection, the write protection for drive units and the know-how
protection for DCC charts and DCC libraries in STARTER, see also Use write and know-how
protection (Page 118).
Information on know-how protection can also be found in the "Motion Control SINAMICS/
SIMOTION Editor Description DCC" Programming and Operating Manual.

Protecting backup files in the Windows file system

If you create backup files of charts or projects with Windows tools, also protect these files with
Windows tools against unauthorized access using secure passwords.

Note the information on SINAMICS and on the engineering systems

Also note the Industrial Security information for SINAMICS drives and engineering systems with
which SINAMICS drives are commissioned. Particularly the information on network security is
important, see also Network security (Page 38).

8.4.13.2 Use write and know-how protection

Prevent unauthorized changes by means of know-how protection

WARNING
Danger to life through manipulation of DCC charts and DCC libraries
The use of unprotected DCC charts and DCC libraries entails a higher risk of manipulation of
DCCs, DCC libraries and backup files.
• Protect important DCC charts and DCC libraries via "Know-how protection programs" or
"Know-how protection drive units" in SCOUT or STARTER. Assign a strong password to
prevent manipulation.
• Protect important DCC charts and DCC libraries via "Know-how protection drive units" in
Startdrive V16 or higher. Assign a strong password to prevent manipulation.
• Therefore, for "Know-how protection programs" or "Know-how protection drive units", use
passwords which include at least eight characters, upper and lower case letters, numbers,
and special characters.
• Make sure that only authorized personnel can access the passwords.
• Protect the backup files on your file system using a write protection.

8.4.14 SINAMICS Smart Access Module

The optional Smart Access Module offers you an intelligent solution for commissioning the
SINAMICS V20 or G120 converter.

Industrial Security
118 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Product-specific security measures
8.4 SINAMICS

The Smart Access Module is a web server module with integrated WLAN connectivity. It
allows web-based access to the converter from a connected device (conventional PC with
WLAN adapter, tablet or smartphone). This module is only intended for commissioning and
therefore cannot be used with the converter for the long term.

NOTICE
WLAN: Changing a default password
The misuse of passwords can also represent a considerable security risk. As a result of incorrect
or changed parameterization, machines can malfunction, which in turn can lead to injuries or
death.
• After logging on to the Smart Access Module for the first time, change the module's default
password.
• Assign a secure password. Information on this can be found in the Operating Instructions of
the respective converter.

NOTICE
Unauthorized access to the converter via the SINAMICS Smart Access Module
Unauthorized access to the converter via the Smart Access Module as a result of cyber attacks
could lead to interruptions in the process and thus to property damage or personal injury.
• Before you log in to the web pages, check the status LED on the Smart Access Module. If the
status LED is green or flashing, unauthorized access could have occurred: Switch the
SINAMICS Smart Access Module off and then on again using the on-off switch to re-establish
the WLAN connection.

For detailed information on this topic, see the following references:

• SINAMICS V20 Converter Operating Instructions (https://
support.industry.siemens.com/cs/de/en/view/109773836)
• SINAMICS G120 Smart Access Operating Instructions (https://
support.industry.siemens.com/cs/ww/en/view/109771299)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 119
Product-specific security measures
8.5 SIMOCRANE

8.5 SIMOCRANE
Availability, productivity, and safety are the decisive factors in crane applications. Since
SIMOCRANE products are based on products from SIMOTION and SINAMICS, observe the
product-specific hardening measures in Chapters SIMOTION (Page 88) and SINAMICS
(Page 101) for hardening.

Industrial Security
120 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
References A
General information
Additional general information about Industrial Security is available on the Internet:
• Industrial security (https://www.siemens.com/industrialsecurity)
• Cyber security (https://new.siemens.com/global/en/company/topic-areas/
cybersecurity.html)
• Industrial Cybersecurity (https://new.siemens.com/global/en/products/automation/topic-
areas/industrial-security/planning.html)
• Secure Digitalization (https://new.siemens.com/global/en/products/automation/topic-areas/
industrial-security/certification-standards.html#Alwaysactive)
• Certifications and standards (https://new.siemens.com/global/en/products/automation/
topic-areas/industrial-security/certification-standards.html)
• Whitepapers and downloads (https://new.siemens.com/global/en/products/automation/
topic-areas/industrial-security/downloads.html)

Secure passwords
More information on assigning secure passwords can be found in the chapter under the
following addresses:
• European Network and Information Security Agency (enisa). (https://www.enisa.europa.eu/
media/news-items/basic-security-practices-regarding-passwords-and-online-identities)
• National Institute of Standards and Technology (NIST) (https://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-63b.pdf)
• Federal Office for Information Security (BSI) (https://www.bsi.bund.de/EN/Themen/
Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-
Sicherheitsempfehlungen/Accountschutz/Sichere-Passwoerter-erstellen/sichere-
passwoerter-erstellen_node.html)(only relevant for Germany)

Web pages of the products

Additional product-specific information about Industrial Security is available on the individual
product websites:
• SINUMERIK: SINUMERIK homepage (https://www.siemens.com/sinumerik)
• SIMOTION: SIMOTION homepage (https://www.siemens.com/simotion)
• SINAMICS: SINAMICS homepage (https://www.siemens.com/sinamics)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 121
References

Product-specific manuals
Product-specific manuals for the individual products can be found on the Internet:
• "SINUMERIK 840D sl NCU 7x0.3 PN" Manual (https://
support.industry.siemens.com/cs/ww/en/view/109782727)
• "Commissioning CNC: NC, PLC, Drive" Commissioning Manual (https://
support.industry.siemens.com/cs/ww/en/view/109777906)
• "SINUMERIK 840D sl Operating System NCU (IM7)" Commissioning Manual (https://
support.industry.siemens.com/cs/ww/en/view/109783230)
• "SINUMERIK 840D sl Base Software and HMI sl" Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109254363)
• SINUMERIK 840Dsl Safety Integrated plus Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109777982)
• "SINUMERIK Operate (IM9)" Commissioning Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801207)
• PCU-Basesoftware (IM8) Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109748542)
• "PCU Base Software (IM10)" Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109769185)
• SINUMERIK Access MyMachine /P2P (PC) Operating Manual (https://
support.industry.siemens.com/cs/ww/en/view/109770206)
• SINUMERIK Access MyMachine /OPC UA Configuration Manual (https://
support.industry.siemens.com/cs/de/en/view/109777871)
• Manage MyMachines /Remote Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109759394)
• Diagnostics Manual 808D (https://support.industry.siemens.com/cs/de/en/view/
109763685)
• SIMOTION IT Programming and Web Services Programming Manual (https://
support.industry.siemens.com/cs/de/en/view/109767637)
• SIMOTION IT Diagnostics and Configuration Diagnostics Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801545)
• SIMOTION IT Virtual Machine and Servlets Programming Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801548)
• SIMOTION IT OPC UA Programming Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801547)
• BA_G110M (https://support.industry.siemens.com/cs/ww/en/view/109782996)
• Communication with SIMOTION System Manual (https://
support.industry.siemens.com/cs/ww/en/view/109801516)
• SINAMICS S120 Drive Functions Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109781535)
• SINAMICS S120 Control Units and Additional System Components Equipment Manual
(https://support.industry.siemens.com/cs/ww/en/view/109782370)

Industrial Security
122 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 References

• SINAMICS S120 Safety Integrated Function Manual (https://

support.industry.siemens.com/cs/ww/en/view/109781722)
• SINAMICS S120 Communication Function Manual (https://
support.industry.siemens.com/cs/ww/en/view/109781721)
• SINAMICS S120/S150 List Manual (https://support.industry.siemens.com/cs/ww/en/view/
109781807)
• G110M Operating Instructions (https://support.industry.siemens.com/cs/ww/en/view/
109782996)
• G120 Operating Instructions (https://support.industry.siemens.com/cs/ww/en/view/
109771299)
• SINAMICS G Fieldbuses Function Manual (https://support.industry.siemens.com/cs/ww/de/
view/109757336/en)
• S210 Operating Instructions (https://support.industry.siemens.com/cs/ww/en/view/
109801184)
• V20 Operating Instructions (https://support.industry.siemens.com/cs/de/en/view/
109773836)
• Function Manual S7-1500, ET 200SP, ET200pro web server (https://
support.industry.siemens.com/cs/ww/en/view/59193560)
• SIMATIC Programming with STEP 7 Programming and Operating Manual (https://
support.industry.siemens.com/cs/de/en/view/109751825)
• SIMATIC S7-300 CPU 31xC and CPU 31x Equipment Manual: Technical specifications (https://
support.industry.siemens.com/cs/de/en/view/12996906)
• SIMATIC NET Configuration Manual: SCALANCE X-200 Industrial Ethernet switches (https://
support.industry.siemens.com/cs/de/en/view/109757352)

See also
Safety Integrated plus Commissioning Manual (https://
support.industry.siemens.com/cs/de/en/view/109763246)

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 123
References

Industrial Security
124 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Glossary

Allow-List
An Allow-List or Block-List involves a positive or negative list that can be used to protect
systems in the IT environment. Allow-List and Block-List apply opposing strategies and are
used in the widest range of domains.
The Allow-List is based on the approach that basically everything that is not explicitly entered
in the list is prohibited. As a consequence, only requested and trustworthy entries are in the
Allow-List. This means that the entries in the list represent exceptions to the general block
rule.

AMC
Abbreviation for SINUMERIK Integrate Analyze MyCondition

AMD
Abbreviation for SINUMERIK Integrate Access MyData

AMM
Abbreviation for SINUMERIK Integrate Access MyMachine

AMP
Abbreviation for SINUMERIK Integrate Analyze MyPerformance

AMT
Abbreviation for Intel® Active Management Technology

Area of attack
The scope to which a system can be deprived of its protection so that it can be attacked.

Attack
An attempt to destroy a resource, to deprive it of its protection, to change it, to deactivate it,
to steal it, to gain unauthorized access to it or to use it in an illegal way.

Authentication
Verification of the identity of a user, process or device, frequently as prerequisite for the
permission to access resources in an information system.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 125
Glossary

Authorization
The right granted by a system entity to access a system resource.

Availability
Property to be accessible and usable when requested by an authorized entity.

Block-List
An Allow-List or Block-List involves a positive or negative list that can be used to protect
systems in the IT environment. Allow-List and Block-List apply opposing strategies and are
used in the widest range of domains.
With a Block-List, everything is permitted that is not in the list. The Block-List is a negative
list, which lists the targets, programs and addresses that are not trusted or are not
permissible. With the negative list, it is possible to specifically prohibit individual applications
or communication targets.

Brute force
There are no efficient algorithms for solving many of the problems in computer science.
The most natural and simplest approach to an algorithmic solution for a problem is to
simply try out all possible solutions until the correct one is found. This method is called
brute-force searching. One typical application is given again and again when it comes to
listing an example of brute-force searching - the "cracking" of passwords. Passwords are often
encrypted using cryptographic hash functions. Directly calculating the password from the
hash value is practically impossible. However, a password cracker can calculate the hash
values of numerous passwords. If a value matches the value of the stored password, then
the password (or another, randomly matching password) has been found. In this case, brute
force refers to the simple trial and error approach of entering every possible password.

Cloud computing
Cloud computing is the storage of data in a remote data center, and can also involve
the execution of programs that are not installed on local computers, but rather in the
(metaphoric) cloud.

Code injection
Code injection is the exploitation of a computer error caused by processing invalid data.
Injection is used by an attacker to inject code into a vulnerable computer program and cause
it to execute.

Confidentiality
Property which ensures that the information is not made available or disclosed to
unauthorized individuals, entities or processes.

Industrial Security
126 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Glossary

Cyber security
Cyber security is the practice of defending computers, servers, mobile devices, electronic
systems, networks, and data from malicious attacks. It also includes the security of
information technologies and electronic information. The term is broad and applies to
everything from computer security to disaster recovery, i.e. the restoration after an incident,
to the training of end users.

Defense in depth
Creation of multiple security mechanisms, especially in a layer structure, with the intention
of slowing down or completely preventing attacks.

Denial of service (DoS)

Denial of service (DoS) is the non-availability of an IT-based service that is normally available.
Although there can be many reasons for such non-availability, the term "DoS" is generally
used when infrastructure systems are overloaded. This can be the result of an unintentional
overload or through a deliberate attack on a server, a computer or other components in a
network.

DMZ
The demilitarized zone is an autonomous subnet that separates the local area network (LAN)
from the Internet through firewall routers (A and B). The firewall routers are configured in
such a way that they reject data packets for which there were no previous data packets. If a
data packet is sent from the Internet to the server, it is therefore rejected by firewall router A.
If, however, a hacker gains access to a server within the DMZ and sends data packets to the
LAN in an attempt to analyze or hack it, these are rejected by firewall router B.

Firewall
Device to connect networks with one another, which restricts the exchange of data between
two connected networks.

Hacker
Person involved in an intentional hacking activity. The reasons for these activities can be
malicious or not malicious, or also remain within the limits of what is ethnically and legally
acceptable.

Hardening
Procedure in which the security of a system is increased by reducing the area of attack.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 127
Glossary

IANA
The Internet Assigned Numbers Authority (IANA) is a department of ICANN, and is
responsible for assigning numbers and names in the Internet, especially IP addresses. It is
one of the oldest institutions in the Internet.

Incident
One or more unwanted or unexpected events that impair the company operation and
endanger the information security. The cause can be security holes, incorrect configurations
or misconduct and their exploitation.

Industrial security
Measures to increase the industrial security standards of a plant. They protect against
unauthorized access to higher-level control systems, industrial controls and PC-based systems
of the plant as well as against cyber attacks.

Information security
Safeguards the confidentiality, integrity and availability of information.

Integrity
Property which guarantees that resources are free of error and complete.

Internet of Things (IoT)

General term for technologies of a global infrastructure of information organizations which
allow physical and virtual objects to be linked together and allows them to work together via
information and communication techniques.

IPsec (Internet Protocol Security)

IPsec is an expansion of the Internet protocol (IP) to include encryption and authentication
mechanisms. This way, the Internet protocol can transport cryptographically secured IP
packets via insecure public networks.

Malware
Malware is a general term for programs that have been developed to damage users. There
are numerous types of malware, e.g. viruses, trojans, rootkits or spyware.

Man-in-the-disk attack
The concept of a "man-in-the-disk" attack is similar to that of a "man-in-the-middle" attack as
it includes intercepting and editing data, which is exchanged between an external memory
and an application.

Industrial Security
128 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Glossary

Man-in-the-middle attack
In cryptography and cyber security, a man-in-the-middle attack is a cyber attack where the
attacker secretly interjects in the communication between two parties and possibly changes
the associated data. The two parties involved think that they are directly communicating with
one another as the attacker interjected himself between the two parties.

MMP
Abbreviation for SINUMERIK Integrate Manage MyPrograms

MMT
Abbreviation for SINUMERIK Integrate Manage MyTools

NAT (Network Address Translation)

NAT is a process used in IP routers that connect local networks to the Internet. Since, in
general, Internet access is only via one IP address (IPv4), all other nodes in the local network
require a private IP address. Private IP addresses can be used several times, but are not valid
in public networks. For this reason, nodes with a private IP address cannot communicate
with nodes outside the local network. In order for all computers with a private IP address to
have access to the Internet, the Internet access router must replace the IP addresses of the
local nodes with a separate, public IP address in all outgoing data packets. In order for the
incoming data packets to be assigned to the correct station, the router saves the current TCP
connections in a table. The NAT router "memorizes" which data packets belong to which TCP
connection. This process is called NAT (Network Address Translation).

NCU
Central control module of a CNC control for NC, HMI, PLC and closed-loop control.

OpenVPN
OpenVPN is a program to establish a virtual private network (VPN) via an encrypted TLS
connection. Libraries belonging to the OpenSSL program are used for encryption. OpenVPN
uses either UDP or TCP for transferring data.

Patch management
Area of the system management whose tasks include the procurement, testing and installing
of several patches (code changes) for an administered computer system or in such a system.
At the same time, a subprocess of the Security Vulnerability Management whose tasks
include the correction and containment of security holes for Siemens products by means of
software corrections.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 129
Glossary

Patterns of viruses
Designation for the database of virus scanners, which contains the schematic and code-
specific structure of all known viruses. This is usually a file that is used and processed by the
virus scanners. The schemata contained in the file are used when checking for viruses and
with them the files to be checked are compared.

PCU
Highly integrated industrial PC for the user interface or system software and user interface of
a CNC.

Phishing
The term "phishing" describes the threat of "using bait to fish for passwords" in e-mails, via
counterfeit links or even text messages (e.g. SMS). What are known as "phishers" attempt to
obtain data via serious or official-looking e-mails and websites. With the aid of malware, they
exploit weak points, e.g. in the operating system or web browser.

Remote access
Use of systems which are within the perimeter of the security zone and that can be accessed
from another geographical location with the same rights as if the systems were physically at
the same location.

SCADA
Supervisory Control and Data Acquisition (SCADA) involves monitoring and controlling
technical processes using a computer system.

Security
Safeguards the confidentiality, integrity and availability of a product, a solution or a service.

Security hole
Weak point in a computer system that allows an attacker to violate the integrity of the
system. As a rule, this is the result of program errors or design defects in the system.
A weak point of a resource or operator element that can be exploited by one or more threats.

SIEM system
SIEM stands for Security Information and Event Management and has become an established
term in IT security. Such systems are able to identify and evaluate security-relevant events
and notify the administrator.

Industrial Security
130 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Glossary

Switch
Network component for connecting several terminal devices or network segments in a local
network (LAN).

Threat
Potential cause of an undesirable incident which may result in damage to a system or
organization.

Threat and Risk Analysis (TRA)

The Threat and Risk Analysis is a Siemens-wide standardized method for use in the product,
solution and service business, for product development, engineering or service projects. The
method is intended to help those involved in the project to identify typical security defects
and weak points, analyze the hazards that could exploit these defects and weak points, and
evaluate the resulting risks.

TIA Portal
The TIA Portal is an automation framework for the SIMATIC S7-1200, S7-300, S7-400 and
S7-1500 CPU families from Siemens.
"TIA" stands for Totally Integrated Automation. In the TIA Portal, all of the necessary software
tools are combined under one user interface.

TLS
Transport Layer Security (TLS V1.2 or higher) is a hybrid encryption protocol for secure
transfer of data in the Internet.

VPN (Virtual Private Network)

An encrypted connection of computers or networks via the Internet. It enables confidential
data to be exchanged via public networks.

WSUS (Windows Server Update Services)

Windows Server Update Services (WSUS in short) is the software component of the Microsoft
Windows Server since Version 2003 which is responsible for patches and updates. It is the
successor version of the Software Update Services software component.

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 131
Glossary

Industrial Security
132 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
Index
Deactivating a PROFINET interface
SINUMERIK 840D sl, 57
A SINUMERIK ONE, 57
Defense in depth, 34
Anti-virus program, 49
Defense in depth concept, 34
Application security, 25
Disable
USB interface, 57
Disabling a USB interface
B SINUMERIK, 57
BIOS password DMZ network, 38
PCU 50, 65
Block encryption
SINUMERIK, 67 E
Block protection, 67
Effects, 24
SINUMERIK, 67
Encrypting cycles
SINUMERIK, 66
Exchangeable storage media
C SINAMICS, 103, 104
Certificates SINUMERIK, 60
SIMOTION, 98 Exchangeable storage medium, 48
SINAMICS, 108
Change
Password, 48 F
Changing passwords
Firewall, 38, 47
SINUMERIK, 63
Firmware update
Cloud, 42
MCP/MPP, 56
Cloud Applications, 42
Cloud computing, 23
Cloud Security, 42
Code analysis, 26
H
Communication Hard disk, 48
Communication services, 58 Encrypting, 47
Used port numbers, 58 HMI password, 63
Communication services Hotfix management, 26
SINAMICS, 107 HTTPS
Company security, 36 SIMOTION Web server, 98
Confidentiality levels, 47
Copy protection
SINUMERIK, 66 I
IEC 62443, 29
Industrial security
D Definition, 21
Data Objectives, 21
transporting, 48 Possible effects, 24
Data privacy, 24 Threats, 24
Data storage, 47 Interfaces
Encrypting, 47 Backing up, 47
Internet of things, 23

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 133
Index

Internet of Things, 23 Password quality, 48

IoT, 23 Patch management, 26
ISO 27005, 29 Patches, 60
PC
Measures, 47
K PCU 50 BIOS password, 65
Physical production security, 36
Know-how protection
Plant security, 35
SINAMICS, 101
PLM, 26
Ports, 46
Product Lifecycle Management process, 26
L Product security notifications, 49
Linux password, 63 ProductCERT, 26
Lock MyCycles Protection levels, 35
SINUMERIK Integrate, 67 Protection zone, 38
Lock MyPLC
SINUMERIK Integrate, 67
R
Regulations, 29
M Remote access, 23
Main entry, 67
MCP/MPP
Firmware update, 56 S
Mobile device
SCALANCE S, 39
Measures, 47
Security integrity, 26
Mobile devices, 23
Security management process, 31
Mobile networks, 23
Security module
Mobile radio standards, 23
SCALANCE S, 39
Mobile terminal device
Security service, 25
Locking, 47
Security support, 25
Mobile terminal devices
Security update, 60
Measures, 47
IPC, 60
PCU, 60
Security vulnerabilities, 24
N Services, 46
NCK password, 63 SI HSC, 28
Network security, 35 SIEM system, 27
Notebook Siemens Industrial Holistic Security Concept, 28
Measures, 47 Business Impact Assessment, 28
Monitoring of residual risk, 28
Scope, 28
P Target Protection Level, 28
SIMATIC Logon, 92
Parameters: Access levels
SIMOTION
SINAMICS, 103
Copy protection, 93
Password
Industrial Security, 88
Change, 48
Know-how protection, 92
Characters, 48
Ports, 89
Complexity, 48
Project comparison, 94
Inputs, 48
Project storage, 90
Length, 48
Safe, 48

Industrial Security
134 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2
 Index

Virus scanners, 90 Transport

Web server, 96 Data, 48
SINAMICS Transport Layer Security
Certificates, 108 SINAMICS, 108
Communication services, 107 Trojans, 49
Exchangeable storage media, 103, 104
Know-how protection, 101
Parameters: Access levels, 103 U
Software manipulation, 103, 104
USB port lock, 47
Transport Layer Security, 108
USB stick, 48
Used port numbers, 107
Used port numbers
Virus protection, 103, 104
SINAMICS, 107
Web server, 107
User accounts, 46
X140, 110
SINUMERIK
Block encryption, 67
Block protection, 67
V
Changing passwords, 63 Virus protection
Copy protection, 66 SINAMICS, 103, 104
Deactivating a PROFINET port, 57 SINUMERIK, 59, 60
Disabling a USB interface, 57 Virus protection program, 49
Encrypting cycles, 66 Virus scanner, 49
Exchangeable storage media, 60 Viruses, 49
Software manipulation, 60
Virus protection, 59, 60
Web server, 65 W
Whitelisting, 60
Web server
SINUMERIK 808D, 54
SIMOTION, 96
SINUMERIK 828D, 54
SINAMICS, 107
SINUMERIK 840D sl, 54
SINUMERIK, 65
SINUMERIK Integrate
Whitelisting, (SINUMERIK)
Lock MyCycles, 67
Windows Server Update Service, 50
Lock MyPLC, 67
Wireless technology, 23
SINUMERIK MC, 54
Worms, 49
SINUMERIK ONE, 54
WSUS, 50
Smart Access Module
SINAMICS G120, 118
SINAMICS V20, 118
Software manipulation
X
SINAMICS, 103, 104 X140
SINUMERIK, 60 SINAMICS, 110
Standards, 29
System integrity, 35

T
Tablet PCs, 23
Threat and Risk Analysis, 26
Threats, 24
TLS, 108
TRA, 26

Industrial Security
Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2 135
Index

Industrial Security
136 Configuration Manual, 01/2023, 6FC5397-5EP40-6BA2