SCALANCE S security modules are the core of the industrial security concept from Siemens Automation & Drives, which is based on protecting automation cells and network segments.
This cell-based approach also protects the automation network more effectively against threats from inside the company, such as deliberate or accidental access to devices by employees, and against excessive or unnecessary communication load.
For remote access over untrusted networks such as the Internet or a WAN, the communication can be encrypted to protect it against eavesdropping and manipulation.
Because automation networks are increasingly interconnected over Ethernet with other networks (for example MES or office networks), linked to company intranets, and reached for remote maintenance over WAN or Internet links, modern industrial communication is exposed to considerable risk.
Security concepts designed for office environments do not meet the particular requirements of automation technology, because they demand continuous maintenance and specialist expertise.
The SCALANCE S security module builds on established IT security standards, including IPsec, to provide the following security functions:
* VPN (Virtual Private Network) - for secure authentication (identification) of network nodes, data encryption and checking of data integrity.
* Firewall - filters data packets and blocks or permits communication connections according to a filter list (packet-filter firewall). Both incoming and outgoing traffic can be filtered, on IP and MAC addresses as well as on communication protocols (ports). The firewall can be used as an alternative or as a supplement to the VPN.
* Authentication - every incoming data stream is monitored and checked. Because IP addresses can be forged (IP spoofing), checking the source IP address of the accessing client is not sufficient; in addition, client PCs may have changing IP addresses. Authentication is therefore carried out with proven VPN mechanisms rather than on the basis of addresses.
* Data encryption - strong encryption protects the data exchange against eavesdropping, so that the data remains unintelligible to anyone listening on the network; the integrity check of the VPN detects manipulation in transit. For this purpose the security module establishes a VPN tunnel to other security modules.
* Logging - to identify and follow up attacks or access attempts, such events can be stored in a log file and read out with the configuration tool.
* Configuration without special security know-how - configuration can be done by users with very little knowledge of security mechanisms. The minimum configuration is to assign the security modules of a network to groups. Only modules within the same group can establish VPN tunnels with one another, which ensures that only authenticated and authorised devices can reach a network node protected by a security module.
Data transmission is encrypted and thereby protected against eavesdropping and manipulation. The configuration tool generates the VPN certificates, so no separate PKI and no separate creation or loading of keys is necessary.
* Module replacement without a programming device - the optional C-PLUG (Configuration Plug) stores all the configuration data of a SCALANCE S module. If a SCALANCE S device fails, the C-PLUG can be removed and plugged into the replacement device, which considerably reduces downtime. Because the plug carries the complete module configuration, it should be protected against removal and theft in the same way as the module itself.
* Unique strain-relief concept - the SCALANCE S series has new strain-relief sleeves on the electrical ports. Used with PROFINET-compliant Industrial Ethernet connectors such as the FastConnect RJ45 Plug 180, they give better resistance to tensile and bending forces from the connected data cables than standard RJ45 connectors.
* Access control for automation devices and protection of data transmission in an industrial environment. The protection is independent of the application protocol: all IP-based (layer 3) and MAC-based (layer 2) communication can be protected.
* Easy handling with a minimum of configuration; no specialist knowledge of IT security is needed.
* Problem-free integration into existing networks: neither the network topology nor any network node has to be changed or reconfigured.
* Robust, industrialised design, tailored for the requirements of an industrial environment.
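As an added illustration (written for this page, not Siemens code and not how SCALANCE S is implemented internally), the following Python models the two stages described in the list above: a default-deny packet filter on source IP, source MAC and destination port, followed by per-packet authentication with a keyed integrity tag that stands in for the authentication and integrity check an IPsec VPN provides. The addresses, ports, payloads and the group key are constructed for the example. It shows why the address check alone is not enough: a packet with a copied source address passes the filter, and only the shared group secret stops it, while a tampered or unsigned packet fails the integrity check even though its addresses are allowed.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_port: int
    payload: bytes
    tag: bytes = b""        # keyed integrity tag; empty for unauthenticated traffic


@dataclass(frozen=True)
class FilterRule:
    src_net: str            # allowed source network, e.g. "192.168.10.0/24"
    src_macs: frozenset     # allowed source MACs (lowercase); empty means any
    dst_ports: frozenset    # allowed destination ports; empty means any

    def matches(self, pkt: Packet) -> bool:
        in_net = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
        mac_ok = not self.src_macs or pkt.src_mac.lower() in self.src_macs
        port_ok = not self.dst_ports or pkt.dst_port in self.dst_ports
        return in_net and mac_ok and port_ok


def packet_filter(pkt: Packet, rules) -> bool:
    """Stage 1, packet filter: pass if any rule matches, otherwise drop (default deny)."""
    return any(rule.matches(pkt) for rule in rules)


def make_tag(key: bytes, pkt: Packet) -> bytes:
    """Integrity tag over the header fields a forger would copy plus the payload."""
    header = f"{pkt.src_ip}|{pkt.src_mac}|{pkt.dst_port}|".encode()
    return hmac.new(key, header + pkt.payload, hashlib.sha256).digest()


def sign(key: bytes, pkt: Packet) -> Packet:
    """What an authenticated peer does: attach a tag computed with the group key."""
    return replace(pkt, tag=make_tag(key, pkt))


def authenticate(pkt: Packet, key: bytes) -> bool:
    """Stage 2, authentication: accept only a valid tag, compared in constant time."""
    return bool(pkt.tag) and hmac.compare_digest(make_tag(key, pkt), pkt.tag)


def decide(pkt: Packet, rules, key: bytes) -> str:
    """Both stages must pass; the result names the stage that rejected the packet."""
    if not packet_filter(pkt, rules):
        return "dropped by packet filter"
    if not authenticate(pkt, key):
        return "dropped by authentication"
    return "accepted"


# Constructed sample data: one allowed engineering station, two automation ports.
GROUP_KEY = b"constructed-group-key-for-the-example"   # stands in for the VPN group's keys
RULES = [FilterRule("192.168.10.0/24", frozenset({"00:1b:1b:aa:bb:cc"}), frozenset({102, 502}))]


def scenarios() -> dict:
    """Returns the decision for each constructed packet."""
    station = Packet("192.168.10.20", "00:1b:1b:aa:bb:cc", 102, b"read DB1")
    legit = sign(GROUP_KEY, station)
    # Attacker copies the station's IP and MAC (spoofing) but has no group key.
    spoofed = replace(station, payload=b"write DB1")
    # Attacker signs with a guessed key; the tag does not verify.
    wrong_key = sign(b"guess", replace(station, payload=b"write DB1"))
    # Attacker alters an authenticated packet in transit; the old tag no longer matches.
    tampered = replace(legit, payload=b"write DB1")
    # Unexpected port from an allowed host is stopped by the filter already.
    bad_port = sign(GROUP_KEY, replace(station, dst_port=23))
    # Authenticated client whose IP has changed: an address-based filter alone
    # would have to be widened for it, which is why authentication must not rest on addresses.
    roaming = sign(GROUP_KEY, replace(station, src_ip="10.0.0.5"))
    return {
        "legit": decide(legit, RULES, GROUP_KEY),
        "spoofed": decide(spoofed, RULES, GROUP_KEY),
        "wrong_key": decide(wrong_key, RULES, GROUP_KEY),
        "tampered": decide(tampered, RULES, GROUP_KEY),
        "bad_port": decide(bad_port, RULES, GROUP_KEY),
        "roaming": decide(roaming, RULES, GROUP_KEY),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:10s} {outcome}")
```

The tag here is a plain HMAC-SHA256 under a single pre-shared group key, chosen to keep the example short; the product text says the configuration tool issues certificates to the modules of a group, so the real key material is per-module and negotiated by IPsec, but the decision logic is the same: address fields are only a filter, and admission rests on a secret the forger does not have.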
In addition to SCALANCE S, Siemens provides the SOFTNET Security Client, which lets programming devices (PGs) and PCs set up secure VPN connections to network segments protected by SCALANCE S.