SIEMENS (Siemens) SIMOTICS SD low-voltage motor 1LE0001-2CA23-3AA4
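Updated: 2025-02-02 08:00 ID: 25455361 Publishing IP: 120.204.170.218 Views: 5
- Publishing company
- 浔之漫智控技术(上海)有限公司 shop
- Certification
- Qualification check: business licence verified. Member of 顺企 (Shunqi): year 2. Entity name: 浔之漫智控技术(上海)有限公司. Organization code: 91310117MA1J3R698D
- Quotation
- Please call for a quotation
- Siemens
- Authorized distributor
- High- and low-inertia motors
- Brand new and original; tenfold compensation for any fake
- Germany
- In stock; physical storefront
- Keywords
- WinCC software, G120 frequency converter, V90 motor, switches, Comfort Panels, PLC modules
- Location
- Room 213, Area A, 1st Floor, Building 1, No. 29, Lane 755, Tahui Road, Shihudang Town, Songjiang District, Shanghai
- Telephone
- 15801815554
- Mobile
- 15801815554
- Contact
- Manager Deng. Mention that you come from 顺企网 (Shunqi) for a better discount
Detailed description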
Secure communication

Communication protection concerns the reliability and trust of data exchanged between communication partners. Data tampering by unauthorized users must be prevented. Regardless of context, secure communication is based on the concept of public key infrastructure (PKI).

2.1.1 Overview

Public key infrastructure (PKI)

The attribute "secure" is used to describe communication mechanisms that rely on public key infrastructure (PKI). Public key infrastructure (PKI) refers to a system that can issue, distribute and verify digital certificates. Issued digital certificates are used within the PKI to secure computer-based communication by signing and encrypting messages on the network.

Components that you have configured in STEP 7 (TIA Portal) for secure communication use an asymmetric key method with a public key and a private key. TLS (Transport Layer Security) is employed as the encryption protocol. TLS is the successor to the SSL (Secure Sockets Layer) protocol.

The essential principle of secure communication includes the following components:

• An asymmetric encryption protocol
  This protocol enables the following:
  – Encryption or decryption of messages using public or private keys
  – Verification of signatures on messages and certificates
  The messages/certificates are signed by the sender/certificate owner with that entity's private key. The recipient/verifier checks the signature with the public key of the sender/certificate owner.
• Transport and storage of public keys by means of X.509 certificates:
  – X.509 certificates are digitally signed data that make it possible to verify the veracity of public keys with respect to the associated identity.
  – X.509 certificates can contain more precise information about or restrictions on the use of public keys, for example, the date from which or until which a public key in a certificate is valid.
  – X.509 certificates contain information about the certificate issuer in secure form.

TIA Portal V17 lets the user use custom, user-specific certificates for communication partners, giving the system additional security. If one device is compromised, the other devices remain secure because they use other certificates. The certificates can be imported or, in TIA Portal, generated with the certificate manager. More information on the use of certificates in TIA Portal can be found at the following link: \3\ in chapter 4.3.

2 Security mechanisms on the S7 CPU. Security, Article ID: 90885010, V3.0, 11/2022. © Siemens AG 2022 All rights reserved

Objectives for secure communication

Secure communication is employed to achieve the following goals:

– Confidentiality, i.e. data are secret or non-readable to unauthorized eavesdroppers.
– Integrity, i.e. the message received by the recipient is the same unmodified message that was sent by the sender. The message was not modified along its transport path.
– Endpoint authentication, i.e. the communication partner as endpoint is exactly who it claims to be and is the intended destination. The identity of the communication partner is verified.

If these objectives were in the past primarily a concern for the IT world and networked computers, today machines and controllers with valuable data in the industrial environment are, because they are networked, subject to the very same dangers. They therefore pose stringent requirements for secure data exchange.

It is common practice to protect the automation cell with the cell security concept by using a firewall or a VPN connection, e.g. with the security module. However, there is increasing need to transmit data to external computers in encrypted form via an intranet or public networks.

Secure communication with STEP 7

As of V14, STEP 7 provides the PKI required for the configuration and operation of secure communication. This document describes in greater detail the following communication mechanisms:

• Secure PG/HMI communication
• Secure Open User Communication (OUC)
• Secure OPC UA communication

All of the methods listed above use the TLS (Transport Layer Security) protocol to safeguard the data in communication.

2.1.2 Secure PG/HMI communication

Overview

As of version V17, central components of TIA Portal, STEP 7 and WinCC work together with the latest controllers and HMI devices to implement innovative and standardized (secure) PG/PC communication and HMI communication, referred to as PG [programming device] / HMI communication for short.

Components

We refer in particular to the following CPU families:

• S7-1500 controller family with firmware version V2.9 or later
• S7-1200 controller family with firmware version V4.5 or later
• Software controller with firmware version V21.9 or later
• SIMATIC Drive Controller with firmware version V2.9 or later
• PLCSim and PLCSim Advanced version V4.0

In addition, HMI components have been updated to provide support for secure PG/HMI communication:

• Panels or PCs configured with WinCC Basic, Comfort and Advanced
• PCs with WinCC RT Professional
• WinCC Unified PCs and Comfort Panels

SINAMICS RT SW version V6.1 onward and STARTDRIVE version V17 onward have also been updated.

Properties of PG/HMI communication

The main feature of PG/HMI communication is its simplicity: Establishing an online connection from a programming device (with TIA Portal installed) to a CPU (for example to download a program) requires minimal effort. Here, the online connection also meets criteria such as confidentiality and integrity on the basis of an established SIMATIC communication standard.

In the process of integrating machines and plants into an open IT environment, however, it is also necessary to set up switches for communication between the programming device / HMI device and the CPU. Communication must not only be secure with respect to integrity and confidentiality of sensitive data; communication security also needs to measure up to widely accepted security standards and thereby meet the requirements for the future.

As of TIA Portal version V17, PG/HMI communication has been upgraded: The TLS protocol (Transport Layer Security) is available to secure PG/HMI communication by means of standardized security mechanisms.

Process

Secure PG/HMI communication relies on the programming device and HMI panel verifying the authenticity of the CPU by means of the communication certificate (sent by the CPU when the connection is established) and recognizing the CPU as "trustworthy". Secure PG/HMI communication is only possible when the PG/HMI panel trusts the CPU. When the connection is being established, the CPU transmits the communication certificate to the communication partner (programming device or HMI panel). To ensure that communication between the CPU and a programming device / HMI panel is secure, the CPU must possess a certificate. However, this certificate is only issued once the project is downloaded to the CPU. Secure communication between the programming device / HMI panel and CPU is described below.

Initial connection setup to the CPU – Preparation phase

The figure below explains the initial connection setup sequence from a programming device or HMI panel to the CPU. This is known as the "preparation phase".

Figure 2-2 TLS connection setup (figure labels: 1. Connection request; CPU: generation of a self-signed certificate, sent as response to connection request; manual confirmation (self-signed certificate trustworthy) because no automatic authenticity check is possible; project data: implicitly configured CPU certificate for PG/PC and HMI communication is loaded; PLC is not configured)

Even the initial connection setup for downloading to the CPU is secured with the TLS protocol in the model of secure PG/HMI communication.

However, for this connection setup step, the CPU uses its manufacturer device certificate (if present) or a self-signed certificate. Use of the CPU is restricted in this phase. In this phase, the CPU waits for the provision of password-based key information. In simple terms: It is waiting for the password for sensitive PLC configuration data. See chapter 2.4.1. This phase is referred to below as the "preparation phase". The CPU indicates that it is in the preparation phase through a corresponding message in the diagnostic buffer.

Downloading a project to the CPU provides the CPU with the project data:

– Hardware configuration, including configured certificates for secure communication (OPC UA, HTTPS, secure OUC, secure PG/HMI communication)
– User program

Exiting the preparation phase

The password for confidential PLC configuration data and/or the key information generated from the password are not saved in the project by TIA Portal.

Therefore, the password will be requested in a series of dialogs during the initial download (or when a new project is downloaded), then transferred to the CPU. Only through this step is the CPU able to use the protected PLC configuration data. This concludes the preparation phase and the CPU can go into RUN.

Note
If you do not protect confidential PLC configuration data with a password, the password will not need to be entered during the initial download. While this does not affect the PG/HMI communication sequence, you must bear in mind that confidential PLC configuration data (e.g. private keys) have virtually no protection against unauthorized access. See chapter 2.4.1.

PG/HMI communication startup

When the CPU is loaded and it has received the CPU certificate for secure PG/HMI communication, the programming device will reconnect – this time on the basis of the downloaded CPU certificate.

2.1.3 Secure Open User Communication (OUC)

TCP/IP-based Open User Communication (OUC) has become the standard for communication with SIMATIC S7 CPUs. In the S7 CPU, OUC is implemented on the basis of instructions (e.g. TCON, TSEND, TRCV and TDISCON). To establish secure TCP communication with the S7 CPU, the data block with system data type TCON_IP_V4_SEC must be used.

S7-1500 CPUs with firmware version V2 or later support secure communication with addressing via a domain name server (DNS).

To set up secure TCP communication with a domain name, you must create your own data block with the system data type TCON_QDN_SEC, assign parameters and call the system data type right at the instruction. The TCON instruction supports the TCON_QDN_SEC and TCON_IP_V4_SEC system data types. As of firmware version V2.5, the TSEND_C and TRCV_C instructions also support the system data types TCON_QDN_SEC and TCON_IP_V4_SEC.

Additional information on the structure of secure OUC and on the S7 CPU can be found at the following link: \4\ in chapter 4.3.

2.1.4 Secure OPC UA communication

OPC UA allows data exchange between different systems, both within the process and production level as well as with systems on the control and enterprise levels.

This option also contains security risks. For this reason, OPC UA offers a range of security mechanisms:

• Identity verification of OPC UA server and OPC UA clients,
• User identity verification, and
• Signed/encrypted data exchange between OPC UA server and OPC UA clients.

The security settings should only be circumvented when there is good reason to do so:

• During commissioning, or
• With island projects without an Ethernet connection to the outside world.

A secure connection between the OPC UA server and an OPC UA client is only established when the server can identify itself to the client. This is the purpose of the server certificate. Link \5\ in chapter 4.3 provides more information on working with the OPC UA server/client certificate in TIA Portal.

Automated certificate management with Global Discovery Server (GDS)

As of firmware V2.9, the OPC UA server of the S7-1500 CPU supports certificate management services which can be used by a Global Discovery Server (GDS), for example.

Using GDS push management functions, OPC UA certificates, trusted lists and Certificate Revocation Lists (CRLs) can be updated for the OPC UA server of the S7-1500 CPU on an automated basis. Automation of certificate management saves manual effort in giving the CPU a new configuration, for instance, after a certificate's validity period expires and the CPU is redownloaded. In addition, you can use the GDS push management functions to transfer updated certificates and lists in the CPU's STOP and RUN states. More information on OPC UA certificate management with GDS can be found at link \6\ in chapter 4.3.

2.2 Access protection

Access to the CPU should only be granted to authorized persons, processes and devices. This entails an on-site access restriction and system access to the CPU.

2.2.1 On-site access restriction (S7-1500)

CPU lock

The SIMATIC S7-1500 has a hinged front cover with a display and control keys. It must be opened in order to insert or remove the SIMATIC Memory Card, or to manually change the CPU operating state. To protect the CPU against unauthorized access, this front cover can be adequately secured with the locking tab. Your options include:

• Securing the front cover with a padlock, or
• Attaching a seal

Figure 2-3 CPU lock

Display lock

The SIMATIC S7-1500 additionally offers a password authentication function on the display. It is possible to configure a CPU access password for each access level. If access is disabled, the user receives a message in TIA Portal that the password is currently invalid. This on-site deactivation can, for example, offer additional protection against undesired, invalid configurations. The legitimation setting for the password is only active when the CPU is in RUN mode. If the CPU is in STOP mode, access with the passwords remains possible.

To protect the CPU functions that can be operated from the display, a display password can be defined in TIA Portal. This is accomplished in the CPU properties under "Display > Password".

Due to the restricted character set and the difficulty of entering characters with the display keys, the password in this case is limited to uppercase letters and numbers.

Note
If the CPU is in STOP mode, access with the appropriate password is possible regardless of the setting on the display.

Figure 2-4 Display lock

2.2.2 Project access protection

TIA Portal provides a user management function (UMAC – User Management and Access Control) for projects. It allows you to create and manage users and roles in your project. You can also protect your project and define which user is allowed to perform which functions. When you set up project protection, you are created as the project administrator. Then you can create additional users and assign them roles with certain rights. After project protection is enabled, the project can only be opened and modified by authorized users.

Note
Note that project protection cannot be removed once set up.

The project administrator can add the following users and user groups to a project:

• Local project users:
  Local project users are users who are defined and managed in a TIA Portal project. These user accounts are valid only for this one project. Using project user accounts is a good idea when the entire automation solution is created within one project.
  The system additionally creates the local project user "Anonymous". This user does not need to authenticate itself with a password. You can use roles to grant this user certain rights. Note that your project's security will be greatly diminished if you assign this user too many rights. The anonymous user "Anonymous" is disabled by default. It cannot be deleted.
• Global users and user groups:
  These user accounts are defined and managed outside of TIA Portal in UMC (User Management Component). You can import global users and user groups into the various TIA Portal projects that these users will be working on. Adding users and user groups from UMC requires the corresponding rights in UMC. Global users can also use the single sign-on method to authenticate themselves.

UMC – User Management Component

Additionally, you can install the "User Management Component UMC" software package on one or more computers. It provides central user management. This creates a system of interconnected UMC installations (UMC ring server, UMC server). In this UMC system, you can define users and user groups, or import them from a Windows Active Directory. When UMC is installed, you can access the UMC server from TIA Portal in order to add users and user groups (defined on the UMC server) to the TIA Portal user management. In this way you can also assign users and user groups the necessary function rights to a TIA Portal project via roles.

Within TIA Portal, however, you cannot modify the data of the users and user groups that were added from UMC. As a result, for example, you cannot change passwords or other data of UMC users or UMC user groups even if you are an administrator in the project. This is only possible in UMC. You nevertheless have the option of synchronizing the user management in TIA Portal with UMC, and you can check the synchronization status. This allows you to fix inconsistencies between the global users and user groups in UMC and the UMC users/user groups that have already been imported into TIA Portal.
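The trust decisions from section 2.1.2 (manual confirmation in the preparation phase, then reconnection on the basis of the downloaded CPU certificate), modelled as an added example; it is not Siemens code and does not describe how TIA Portal stores trust. The `CpuTrustStore` class, its method names, the SHA-256 fingerprints and the independently obtained reference fingerprint are assumptions, and the certificates are constructed byte strings.

```python
import hashlib
from enum import Enum


class Trust(Enum):
    PROJECT_CERT = "matches the CPU certificate downloaded with the project"
    OPERATOR_PINNED = "matches the certificate confirmed by hand"
    ASK_OPERATOR = "unknown certificate, manual confirmation needed"
    CHANGED = "differs from the certificate trusted for this CPU"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class CpuTrustStore:
    """Hypothetical per-station record of the certificate each CPU may present."""

    def __init__(self):
        self.project = {}  # CPU address -> fingerprint of the project's CPU certificate
        self.pinned = {}   # CPU address -> fingerprint confirmed in the preparation phase

    def evaluate(self, address: str, presented_der: bytes) -> Trust:
        seen = fingerprint(presented_der)
        if address in self.project:  # project already downloaded to this CPU
            return Trust.PROJECT_CERT if seen == self.project[address] else Trust.CHANGED
        if address in self.pinned:   # still in the preparation phase
            return Trust.OPERATOR_PINNED if seen == self.pinned[address] else Trust.CHANGED
        return Trust.ASK_OPERATOR    # self-signed: no automatic check is possible

    def confirm(self, address: str, presented_der: bytes, reference_fp: str) -> bool:
        """Pin the certificate only if it equals a fingerprint obtained
        independently of the network connection (assumed to be available)."""
        seen = fingerprint(presented_der)
        if seen != reference_fp.replace(":", "").lower():
            return False
        self.pinned[address] = seen
        return True

    def after_download(self, address: str, project_cert_der: bytes) -> None:
        """The CPU now holds the configured certificate; the manual pin is obsolete."""
        self.project[address] = fingerprint(project_cert_der)
        self.pinned.pop(address, None)


if __name__ == "__main__":
    # Constructed byte strings standing in for DER-encoded certificates.
    self_signed, project_cert = b"constructed self-signed", b"constructed project cert"
    cpu = "192.0.2.10"  # documentation address, not a real device
    store = CpuTrustStore()
    print(store.evaluate(cpu, self_signed))
    store.confirm(cpu, self_signed, fingerprint(self_signed))
    print(store.evaluate(cpu, self_signed))
    store.after_download(cpu, project_cert)
    print(store.evaluate(cpu, project_cert), store.evaluate(cpu, self_signed))
```

A `CHANGED` result on a CPU that was already confirmed or downloaded is the case to investigate before continuing, since the page's model expects the certificate to change only when a project download replaces it.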
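Date established | September 10, 2019
Legal representative | 袁宜男
Registered capital | 500
Main products | Siemens authorized agent, Siemens first-level agent A. Siemens PLC agent, Siemens touch panel agent
Business scope | Siemens PLC modules, controllers, output modules, PLC module relays, PLC module touch panels, frequency converters, Siemens agent, Siemens modules, Siemens switches, Siemens SMART 200, Siemens PLC, Siemens low-voltage, circuit breakers, PLC modules
Company profile | 浔之漫智控技术(上海)有限公司 is Siemens' best partner in China. The company is mainly engaged in the integration, sale and repair of industrial automation products and is one of the well-known automation equipment companies in the country. The company is located in Shanghai, a first-tier city in China. We sincerely hope to cooperate with your company in many areas, from component sales to engineering project contracting and system development. The following are the main Siemens products we distribute; you are welcome to call or write with inquiries, and we will provide you with favourable prices and fast, attentive service! Siemens East China regional agent. SIEMENS programmable controllers 1. SIMATIC S7 ...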