Security recommendations
SCALANCE S615, Operating Instructions, 10/2022, C79000-G8976-C389-07, page 15

Physical/remote access
• If possible, operate the devices only within a protected network area. Attackers cannot access internal data from the outside when the internal and the external network are separate from each other.
• Limit physical access to the device exclusively to trusted personnel.
  The memory card or the PLUG (C-PLUG, KEY-PLUG, CLP) contains sensitive data such as certificates and keys that can be read out and modified. An attacker with control of the device's removable media could extract critical information such as certificates, keys, etc. or reprogram the media.
• Lock unused physical ports on the device. Unused ports can be used to gain forbidden access to the plant.
• We highly recommend that you keep the protection from brute force attacks (BFA) activated to prevent third parties from gaining access to the device. For more information, see the configuration manuals, section "Brute Force Prevention".
• If possible, use the VPN functionality to encrypt and authenticate communication via non-secure networks.
• When you establish a secure connection to a server (for example for an upgrade), make sure that strong encryption methods and protocols are configured for the server.
• Terminate the management connections (e.g. HTTPS, SSH) properly.
• Make sure that the device has been powered down completely before you decommission it. For more information, refer to "Decommissioning (Page 3)".
• We recommend formatting a PLUG that is not being used.

Hardware / Software
• Use VLANs whenever possible as protection against denial-of-service (DoS) attacks and unauthorized access.
• Restrict access to the device by setting firewall rules or rules in an access control list (ACL).
• Selected services are enabled by default in the firmware. It is recommended to enable only the services that are absolutely necessary for your installation.
  For more information on available services, see "List of available services (Page 13)".
• To ensure you are using the most secure encryption methods available, use the latest web browser version compatible with the product. Also, the latest web browser versions of Mozilla Firefox, Google Chrome, and Microsoft Edge have 1/n-1 record splitting enabled, which reduces the risk of attacks such as SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (for example, BEAST).
• Ensure that the latest firmware version is installed, including all security-related patches. You can find the latest information on security patches for Siemens products at the Industrial Security (https://www.siemens.com/industrialsecurity) or ProductCERT Security Advisories (https://www.siemens.com/cert/en/cert-security-advisories.htm) website.
  For updates on Siemens product security advisories, subscribe to the RSS feed on the ProductCERT Security Advisories website or follow @ProductCert on Twitter.