2.3.3 Network security
2.3.3.1 Network segmentation
Separation between production and office networks
One important protective measure for your control system is the strict separation of the
production networks from the other company networks. This separation creates protection zones
for your production networks.
Note
The products – drives, controllers, commissioning tools (e.g. STARTER or Startdrive) –
described in this manual must only be operated in protection zones.
Separation by means of a firewall system
In the simplest scenario, separation is achieved by means of a single firewall system
which controls and regulates communication between the networks.
Separation via a DMZ network
In the more secure version, the coupling is established via a separate DMZ network. In this
case, direct communication between the production network and the company network is
blocked entirely by the firewalls; traffic between the two networks passes only indirectly, via
servers in the DMZ network.
Note
The production networks should also be divided into separate automation cells in order to
protect critical communication mechanisms.
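The following zone model is an added example and is not code from this manual or from Siemens. It encodes the DMZ rule described above (no direct flow between production and company network; each side talks only to servers in the DMZ) and the division of the production network into separate automation cells, with default deny for everything not listed. The zone names, subnets and port numbers are assumptions chosen for illustration. It decides whether a new connection is permitted, audits a rule set for rules that would bypass the DMZ or join two cells, and renders the model as an nftables forward chain.

```python
"""Zone model for the firewall / DMZ separation described above.

Added example, not code from the manual or from Siemens: the zone names,
subnets and port numbers are assumptions chosen for illustration. The model
encodes the DMZ rule of the text (no direct production <-> office flow; each
side talks only to servers in the DMZ) and the split of the production
network into automation cells. Anything not explicitly listed is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the manual).
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "cell_a": ip_network("192.168.1.0/24"),  # automation cell A
    "cell_b": ip_network("192.168.2.0/24"),  # automation cell B
}
PRODUCTION_CELLS = {"cell_a", "cell_b"}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    comment: str = ""


# Whitelist of permitted connection-initiating flows; everything else is
# dropped. Port numbers are assumed for the example.
RULES = [
    Rule("office", "dmz", "tcp", 443, "office clients reach the DMZ server"),
    Rule("dmz", "cell_a", "tcp", 102, "DMZ server polls cell A controllers"),
    Rule("dmz", "cell_b", "tcp", 102, "DMZ server polls cell B controllers"),
]


def zone_of(addr):
    """Map an IP address to its zone name, or None if it is in no zone."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def allowed(src_ip, dst_ip, proto, dport, rules=RULES):
    """Decide whether a new connection src_ip -> dst_ip:dport is permitted."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False              # unknown address space: default deny
    if src == dst:
        return True               # intra-zone traffic does not cross the firewall
    return any(r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
               for r in rules)


def audit(rules=RULES):
    """Return (reason, rule) pairs for rules that violate the zone model.

    Two checks: no rule may join the office and a production cell directly
    (that is what the DMZ is for), and no rule may join two production cells
    (cells are meant to be separated from one another).
    """
    findings = []
    for r in rules:
        ends = {r.src, r.dst}
        if "office" in ends and ends & PRODUCTION_CELLS:
            findings.append(("direct office<->production", r))
        if ends <= PRODUCTION_CELLS and r.src != r.dst:
            findings.append(("cross-cell", r))
    return findings


def render_nftables(rules=RULES):
    """Emit an nftables forward-chain ruleset (policy drop) for the model."""
    lines = ["table inet zones {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f'    ip saddr {ZONES[r.src]} ip daddr {ZONES[r.dst]} '
                     f'{r.proto} dport {r.dport} accept comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("office -> cell A directly:", allowed("10.10.5.7", "192.168.1.10", "tcp", 102))
    print("audit findings:", audit())
```

The rendered ruleset only lists connection-initiating directions; return traffic rides on the conntrack `established,related` entry, so a production controller never gets a rule that lets it open a connection toward the office network. Running `audit()` over a proposed rule set before loading it is the check a practitioner wants: any rule that joins the office network directly to a cell, or one cell to another, is a hole in the protection zone regardless of the port.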
General security measures
Observe the general security measures even within protection zones, for example:
● Virus scanners (Page 33)
● Reduction of attack points (Page 33)
Network segmentation with SCALANCE S
Siemens provides SCALANCE S security modules to meet network protection and network
segmentation requirements.
Industrial security
2.3 General security measures
SIMOTION P320-4 E / P320-4 S
30
Commissioning and Hardware Installation Manual, 11/2016