4.1.1 Protection of hardware and applications
• Do not integrate any components or systems into public networks.
  – Use a VPN (Virtual Private Network) when operation in public networks is unavoidable. This allows you to control and filter the data traffic accordingly.
• Always keep your system up-to-date.
  – Always use the latest firmware version for all devices.
  – Update your user software regularly.
• Protect your systems with a firewall.
  – The firewall protects your infrastructure internally and externally.
  – This allows you to segment your network and isolate entire areas.
• Secure access to your plants via user accounts.
  – If possible, use a central user management system.
  – Create a separate user account for each user who requires authorization.
  – Always keep user accounts up-to-date and deactivate unused user accounts.
• Secure access to your plants via secure passwords.
  – Change the password of a standard (default) login after the first start.
  – Use strong passwords consisting of upper/lower case letters, numbers and special characters. The use of a password generator or manager is recommended.
  – Change the passwords according to the rules and guidelines that apply to your application.
• Deactivate communication ports and protocols that are not in use.
  – Only the communication ports that are actually used for communication should be activated.
  – Only the communication protocols that are actually used for communication should be activated.
• Consider possible defence strategies when planning and securing the system.
  – The isolation of components alone is not sufficient for comprehensive protection. Draw up an overall concept that also provides defensive measures in the event of a cyber attack.
  – Carry out threat assessments periodically. Among other things, compare the protective measures in place with those that are required.
• Limit the use of external storage media.
  – Via external storage media such as USB memory sticks or SD memory cards, malware can get directly into a system while bypassing a firewall.
  – External storage media or their slots must be protected against unauthorized physical access, e.g. by using a lockable control cabinet.
  – Make sure that only authorized persons have access.
  – When disposing of storage media, make sure that they are securely destroyed.
• Use secure access paths such as HTTPS or VPN for remote access to your plant.
• Enable security-related event logging in accordance with the applicable security policy and legal requirements for data protection.
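The password rules above (character classes, replacing default logins, using a generator) can be enforced with a small policy check. The following Python snippet is an added example and is not part of the manual or of the TP-smart firmware; the minimum length of 12, the special-character set and the list of default passwords are assumptions chosen for the example, since the manual names the character classes but no length.

```python
import secrets
import string

# Policy parameters: assumptions for this example, not values from the manual.
MIN_LENGTH = 12
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SPECIALS

# Constructed list of typical factory-default passwords that must be replaced
# after the first start (examples only, not TP-smart defaults).
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "user"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a password from a CSPRNG (secrets) that satisfies the policy.

    Rejection sampling keeps every character uniformly random; candidates
    that miss a character class are simply discarded and a new one is drawn.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("admin", "Abcdefghijk!", "Correct-Horse-42!"):
        print(f"{pw!r}: {check_password(pw) or 'compliant'}")
    print("generated:", generate_password())
```

`check_password` is deliberately a plain list of violations rather than a boolean, so an HMI commissioning checklist can report exactly which rule a chosen password misses.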
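A practical way to apply the port and protocol rule is to compare what a host actually listens on against the list of services the plant needs, and to treat cleartext management protocols separately, since the manual later asks for HTTPS or VPN as access paths. The Python audit below is an added example, not code from the manual or from the TP-smart product; it assumes a Linux-based host whose listening sockets are exported with `ss -tuln`, uses a constructed sample of that output, and takes the required-service set (HTTPS, SSH, Modbus/TCP) as an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tuln` output; not real TP-smart output, and the
# ports are illustrative only.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    [::]:502            [::]:*
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
"""

# Services the plant actually needs (assumption for this example): HTTPS for
# the web interface, SSH for maintenance, Modbus/TCP to the controller.
REQUIRED = {("tcp", 443), ("tcp", 22), ("tcp", 502)}

# Well-known cleartext protocols that should be replaced by a secure access
# path (HTTPS, SSH, VPN) rather than left enabled.
CLEARTEXT = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp v1/v2c",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def externally_reachable(self) -> bool:
        # Loopback-only sockets cannot be reached from the plant network.
        return self.address not in ("127.0.0.1", "::1")


# Netid, State, Recv-Q, Send-Q, then "address:port" of the local side.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tuln` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port = m.groups()
            listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def audit(listeners: list[Listener], required=REQUIRED) -> dict[str, list]:
    """Classify every network-reachable listener.

    deactivate: not required by the plant, switch it off
    replace:    required or not, it is a cleartext protocol; migrate it
    ok:         required and not cleartext
    """
    findings = {"deactivate": [], "replace": [], "ok": []}
    for lst in listeners:
        if not lst.externally_reachable:
            continue
        key = (lst.proto, lst.port)
        if key in CLEARTEXT:
            findings["replace"].append((lst.proto, lst.port, CLEARTEXT[key]))
        elif key in required:
            findings["ok"].append(key)
        else:
            findings["deactivate"].append(key)
    return findings


if __name__ == "__main__":
    for category, items in audit(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(f"{category}: {items}")
```

Run against the sample, the audit reports tcp/8080 as a service to deactivate, telnet, http and SNMP as cleartext services to replace, and the loopback-only tcp/631 is ignored because it is not reachable from the network. The same allowlist idea carries over to the firewall rule set: whatever lands in `ok` is the complete set of ports the segment firewall needs to pass.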
Industrial Security and Installation guidelines
HB160 | TP-smart | H71-71A41-0 | en | 23-10