Security Guideline Electric Drive and Controls: Project Planning Manual R911342562
Table of Contents
2 Glossary ..... 3
3 Introduction ..... 5
3.1 Purpose of this guideline ..... 5
3.1.1 Customer feedback ..... 5
3.2 Guideline structure ..... 5
3.2.1 Differentiating between "IT security" and "Safety" ..... 6
3.3 IT basic protection ..... 6
3.4 Known vulnerabilities ..... 6
4.14.1 Devices (IndraControl VP*) with Windows XP, Windows 7, Windows 10 ..... 30
4.14.2 Default Windows ports ..... 31
4.14.3 Devices (IndraControl VE*) with Windows 7 Embedded Standard 32 and 64 bit ..... 32
4.14.4 Devices (IndraControl VP*) with Windows 7 Embedded Ultimate 32 and 64 bit ..... 32
4.14.5 Devices (IndraControl VP*) with Windows 10 IoT Enterprise LTSB 64 bit ..... 32
4.14.6 Devices (IndraControl VP*) with Windows 7 Embedded Standard 32 and 64 bit ..... 32
4.14.7 Devices (IndraControl VP*) with Windows XP 32 bit ..... 33
4.14.8 Devices (IndraControl VR21*) with Windows Embedded Compact 7 ..... 33
4.14.9 Devices PR3x / PR4 (IndraControl VR3x / VR4) with Windows 10 IoT Enterprise LTSB 64 bit ..... 33
4.14.10 Device (IndraControl VH21) with Windows Embedded Compact 7 ..... 34
4.14.11 Devices (IndraControl VE*) with Windows XP Embedded 32 bit ..... 34
4.14.12 Devices (IndraControl VE*) with Windows Embedded Compact 7 ..... 35
4.14.13 Devices (IndraControl VE*) with Windows CE ..... 35
4.14.14 Devices (IndraControl VCP*.2) with Windows CE 5.0 ..... 35
4.14.15 Devices (IndraControl VCH 08.1) with Windows CE 5.0 ..... 35
4.14.16 Devices (IndraControl VCH 05.1) with Windows CE 6.0 ..... 36
4.15 Devices PR21 with Linux Ubuntu Core 16 ..... 36
4.16 Software ..... 36
4.16.1 WebConnector, WebComposer ..... 36
4.16.2 WinStudio ..... 37
4.17 ctrlX CORE apps ..... 38
4.17.1 Modbus TCP ..... 38
4.17.2 PROFINET device ..... 38
5 Possible measures ..... 39
5.1 Concept of separation ..... 39
5.2 Service measures by third parties ..... 39
5.3 Using firewalls ..... 39
5.4 Using ACLs ..... 39
5.5 Using ctrlX CORE as VPN client and firewall ..... 40
6 Final remark ..... 41
6.1 Recommendations ..... 41
7 Sources ..... 43
7.1 References ..... 43
7.2 Further links ..... 43
Index ..... 45
2 Glossary
ACL: Access Control List. Access authorizations to computer resources (files and programs) are managed using the ACL.
BSI: Federal Office for Information Security. The "BSI" is part of the division of the German Federal Ministry of the Interior.
DHCP: "Dynamic Host Configuration Protocol". The DHCP service allows a server to assign the network configuration to clients.
EIS, EIS-WS: Embedded Information Service, EIS web server for communication with operating devices.
Firewall: A "firewall" is a network security system in hardware and software to protect against unauthorized access.
(T)FTP: (Trivial) File Transfer Protocol. (T)FTP is a file-oriented client-server protocol via a TCP connection. "Trivial" means that there is no function for rights assignment and user authentication.
ICMP: Internet Control Message Protocol. ICMP is used to exchange information and error messages via the Internet protocol (e.g. ping).
ICS: Industrial Control System. ICS is a superordinate term describing the different types and forms of control systems in industrial systems.
IP: Internet Protocol. "IP" is a network protocol on the network layer of the OSI model.
IT security: According to VDI/VDE 2182, "IT security" is information security in industrial automation.
MEP: Multi Ethernet Platform
OCI: Open Core Interface
OSI model: Open Systems Interconnection Model. The OSI model is a reference model for network protocols.
Ping: "Ping" is a diagnostic tool used to check the reachability of a device using an IP address or the network name.
Port: The port is part of a network address used to assign TCP and UDP connections between client and server.
RADIUS: Remote Authentication Dial-In User Service. Client-server protocol used to authenticate, authorize and account users during dial-in connections to a computer network.
Router: A "router" is a network device to couple computer networks.
Switch: A "switch" is a coupling element to connect network segments.
Telnet: "Telnet" is a character-oriented client-server protocol via a TCP connection.
TCP: Transmission Control Protocol. "TCP" is a connection-oriented network protocol on the transport layer of the OSI model.
3 Introduction
The topic "IT security" has not been a priority in manufacturing plants. Controls and systems have been developed and operated under functional aspects.
Due to the increased use of network components, their specific properties and requirements, as well as the discrepancy to the existing network structures and requirements in the office environment, the "IT security" topic becomes more important.
Given the requirements of "Industry 4.0" and the "Internet of Things", which assume a complete networking of all objects, IT security is a requirement for safe and trouble-free operation.
The requirements regarding IT security are divided into organizational and technical aspects.
In order to set up and operate a secure IT system, the network properties of the components used have to be known. Providing and exchanging information and documentation is necessary to facilitate the implementation of IT security concepts and solutions for all parties involved (manufacturer, integrator and operator).
Overview of the security support (columns: Safety, IT security) of the devices and the software of the drive and control systems. Systems and software covered: XLC, MLC and MTX; ctrlX CORE; IndraDrive with and without MLD; ctrlX DRIVE; SafeLogic compact; frequency converter; welding control; WebConnector; IoT Gateway; WinStudio.
● CML25
● CML40
● CML40.2
● CML45
● CML65
● CMP40
● CMP60
● CMP70
● MTX micro
Debug access: By default, the debug port is open. The Wind River Debug Agent (WDB agent) is active.
Telnet server: The Telnet server is active (the Telnet port is open). The login name and the password are integrated in the runtime system. The password is encrypted (Wind River encryption "vxencrypt.exe").
FTP server: The FTP server is active (the FTP port is open). FTP server access with an "anonymous" user is implemented. This user has read access to the USER drive. The login name and the password are integrated in the runtime system. The password is encrypted (Wind River encryption "vxencrypt.exe").
More information:
● An SNTP client application is available.
● A TFTP client application is available.
● The system does not have a local firewall.
● The ICMP functionality is implemented.
● Only an IPv4 stack is implemented.
● The OpenCore interface MLPI is implemented for CML25, CML45 and CML65 from firmware version 13VRS.
Network infrastructure components: Within the operating system kernel, the functions required for the operation of the network infrastructure and for the connection of different Ethernet-based bus systems, including field buses (Sercos, Profinet) and their data exchange, as well as router and switch components are integrated. The configuration depends on the application and is performed by the user by means of Engineering tools.
Telnet server: The Telnet server is disabled (the Telnet port is closed). Instead, the user can access the control via SSH.
SSH server: The command line previously provided by Telnet is now provided via SSH. The "Telnet" protocol is disabled for security reasons and is no longer available from version 14V18 on the previously mentioned controls. The SSH server is active on devices from firmware version 14V18.
FTP server: In delivery state, the FTP server is active on the control (the FTP port is open). A prompt informs the user that this insecure service can be disabled when creating the control. FTP server access with an "anonymous" user is implemented. This user has read access to the USER drive. The login name and the password are integrated in the runtime system. The password is encrypted (Wind River encryption "vxencrypt.exe").
SFTP server: The Secure File Transfer Protocol (SFTP) is used as the mechanism for secure data transfer. SFTP is part of the SSH service and provides the same security mechanisms. Many common clients such as WinSCP (Windows) or FileZilla (Windows, Linux, Mac OS) support data transfer via SFTP. In delivery state, the SFTP server is active.
MLPI / MLPIS server: The OpenCore interface Motion Logic Programming Interface (MLPI, from firmware 13VRS) as well as the secure variant MLPIS (from firmware 14V20, only MLC and XLC) are active in the state upon delivery. If MLPIS is available, MLPI can be deactivated. It is recommended to do this and to use MLPIS.
Network infrastructure components: Within the operating system kernel, the functions required for the operation of the network infrastructure and for the connection of different Ethernet-based bus systems, including field buses (Sercos, Profinet) and their data exchange, as well as router and switch components are integrated. The configuration depends on the application and is performed by the user by means of Engineering tools.
FTP server:
● The FTP server is active (the FTP port is open).
● Access via the FTP server is implemented with an "anonymous" user and a standard user.
● Both users have read access to the USER drive. The standard user also has write access to the USER drive.
● The login names and the password are integrated in the runtime system. The password can be overwritten with a customer password by the user.
More information:
● The system does not have a local firewall.
● The TFTP client application is available in IndraDrive Advanced devices.
● The ICMP functionality is implemented.
● Only an IPv4 stack is implemented.
Network infrastructure components: Within the operating system kernel, the functions required for the operation of the network infrastructure and for the connection of different Ethernet-based bus systems, including field buses (Sercos, Profinet) and their data exchange, as well as router and switch components are integrated. The configuration depends on the application and is performed by the user by means of Engineering tools.
systems are integrated. The integration also covers field buses (Sercos, EtherCAT) and their data exchange as well as router and switch components. The configuration depends on the application and is performed by the user by means of Engineering tools.
The MultiEthernetPlatform only accepts certain file names. Other files are rejected.
More information:
● The system does not have a local firewall.
● The ICMP functionality is implemented.
● Only an IPv4 stack is implemented.
Network infrastructure components: Within the operating system kernel, the functions required for the operation of the network infrastructure and for the connection of different Ethernet-based bus systems, including field buses (Sercos, Profinet) and their data exchange, as well as router and switch components are integrated. The configuration depends on the application and is performed by the user by means of Engineering tools.
4.13.1 Port list CML10, CML20, CML40, CMP40, CML65 (with MLC04VRS), CMP60, CMP70

Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
20, 21 | TCP | ftp | open | - | N | N | N | Y
23 | TCP | telnet | open | - | N | N | Y | N
69 | UDP | TFTP | open | - | Y | Y | Y | N
80 | TCP | HTTP IMST | open | - | Y | Y | Y | N
111 | TCP, UDP | Port mapper | open | - | Y | Y | Y | N
123 | TCP | NTP | open | CMP40, CMP60, CMP70, CML40 (only MTX) | Y | Y | Y | N
502 - 504 | TCP | Modbus/TCP | open | | Y | Y | Y | N
512 - 1023 | UDP | dynamic NFS | open | CMP40, CMP60, CMP70, CML40 (only MTX) | Y | Y | Y | N
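As an added example (not part of the guideline), the following Python transcribes the 4.13.1 port list above and derives a hardening plan from its "Required for operation" and "Can be disabled" columns, then checks a constructed scan result of a control against the list. The three actions (disable, filter, restrict) and the scan data are assumptions of this example, not the manufacturer's procedure.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class PortEntry:
    port: str            # "21", "20,21", "512-1023"; "-" for ICMP (no port)
    protocol: str        # "TCP", "UDP", "TCP, UDP" or "ICMP"
    service: str
    status: str          # "open", "open|filtered", "closed"
    remark: str
    commissioning: bool  # Required for commissioning
    operation: bool      # Required for operation
    service_req: bool    # Required for service
    can_disable: bool    # Can be disabled on the device

# Constructed transcription of the 4.13.1 port list (CML10, CML20, CML40, CMP40,
# CML65, CMP60, CMP70), columns in the guideline's order, separated by "|".
PORT_LIST_4_13_1 = """
-        | ICMP     | Ping, SystemStatusDiagnostic, Echo | open | -                                     | N | Y | Y | N
20,21    | TCP      | ftp                                | open | -                                     | N | N | N | Y
23       | TCP      | telnet                             | open | -                                     | N | N | Y | N
69       | UDP      | TFTP                               | open | -                                     | Y | Y | Y | N
80       | TCP      | HTTP IMST                          | open | -                                     | Y | Y | Y | N
111      | TCP, UDP | Port mapper                        | open | -                                     | Y | Y | Y | N
123      | TCP      | NTP                                | open | CMP40, CMP60, CMP70, CML40 (only MTX) | Y | Y | Y | N
502-504  | TCP      | Modbus/TCP                         | open | -                                     | Y | Y | Y | N
512-1023 | UDP      | dynamic NFS                        | open | CMP40, CMP60, CMP70, CML40 (only MTX) | Y | Y | Y | N
"""

def parse_port_list(text: str) -> list[PortEntry]:
    entries = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 9:
            raise ValueError(f"expected 9 columns: {line!r}")
        flags = [c.upper().startswith("Y") for c in cells[5:]]  # Y/N cells -> bool
        entries.append(PortEntry(*cells[:5], *flags))
    return entries

def expand_ports(spec: str) -> list[int]:
    """'20,21' -> [20, 21]; '512-1023' -> [512, ..., 1023]; '-' (ICMP) -> []."""
    ports: list[int] = []
    for part in (p.strip() for p in spec.split(",")):
        if part in ("", "-"):
            continue
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def action_for(e: PortEntry) -> str:
    """Assumed policy of this example, not the manufacturer's procedure:
    disable  - not required for operation and the device can switch it off;
    filter   - not required for operation but cannot be disabled on the device,
               so it has to be blocked upstream (firewall/ACL, chapter 5);
    restrict - required for operation: reachable only from the automation segment."""
    if not e.operation:
        return "disable" if e.can_disable else "filter"
    return "restrict"

def hardening_plan(entries: list[PortEntry]) -> dict[str, list[str]]:
    plan: dict[str, list[str]] = {"disable": [], "filter": [], "restrict": []}
    for e in entries:
        plan[action_for(e)].append(f"{e.protocol} {e.port} ({e.service})")
    return plan

def baseline(entries: list[PortEntry]) -> dict[tuple[str, int], PortEntry]:
    """Every (protocol, port) pair the list covers, mapped to its row."""
    table: dict[tuple[str, int], PortEntry] = {}
    for e in entries:
        for proto in (p.strip().lower() for p in e.protocol.split(",")):
            for port in expand_ports(e.port):
                table[(proto, port)] = e
    return table

def check_scan(entries: list[PortEntry], observed: set[tuple[str, int]]) -> dict[str, list]:
    """Compare open (protocol, port) pairs observed on a control, e.g. from a port
    scan, with the list: 'unexpected' = open but not listed at all (investigate);
    'should_be_disabled' = open although the plan says disable (hardening missing)."""
    base = baseline(entries)
    return {
        "unexpected": sorted(p for p in observed if p not in base),
        "should_be_disabled": sorted(
            p for p in observed if p in base and action_for(base[p]) == "disable"),
    }

if __name__ == "__main__":
    rows = parse_port_list(PORT_LIST_4_13_1)
    for action, ports in hardening_plan(rows).items():
        print(f"{action:9s}{', '.join(ports)}")
    # Constructed scan result: FTP and telnet still open, plus TCP 8080, which
    # the 4.13.1 list does not mention.
    print(check_scan(rows, {("tcp", 21), ("tcp", 23), ("udp", 69), ("tcp", 80), ("tcp", 8080)}))
```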
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
21 | TCP | ftp | open | - | Y | Y | Y | N
23 | TCP | telnet | open | - | N | N | Y | N
69 | UDP | TFTP | open | Only MLC | N | Y | Y | N
80 | TCP | http / EIS-WS | open | - | Y | Y | Y | N
6040 | UDP | ComServer/EIS (HMI) | open or filtered | - | Y | Y | Y | N
6042 | TCP | ComServer/EIS (HMI) | open | - | Y | Y | Y | N
10098 | TCP | Debug menu | open | Only MTX | N | Y | Y | N
10099 | TCP | NCS connection | open | Only MTX | Y | Y | Y | N
10099 | UDP | Emergency channel | open | Only MTX | Y | Y | Y | N
10110 | UDP | System diagnostics | open | Only MTX | Y | Y | Y | N
10200 - 10300 | UDP | Dynamic NFS connection | open | Only MTX | Y | Y | Y | N
11001 | UDP | ILNG.Online | open or filtered | - | | | |
11740, 11741 | TCP | IndraLogic Gateway | open | - | Y | Y | Y | N
17185 | UDP | Wind River Debug port | open | - | N | N | N | N
35021 | TCP | SIP, Sercos NRT server port | open | | Y | Y | Y | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
21 | TCP | ftp | open | - | Y | Y | Y | N
23 | TCP | telnet | open | - | N | N | Y | N
80 | TCP | http / EIS-WS | open | - | Y | Y | Y | N
111 | TCP, UDP | Port mapper | open | MTX: CML75, CML85 | Y | Y | Y | N
123 | TCP | NTP | open | Only MTX | Y | Y | Y | N
443 | TCP | https | open | Not CML75 | - | Y | Y | N
502 - 504 | TCP | Modbus/TCP | open | - | - | Y | Y | Y
512 - 1023 | UDP | dynamic NFS | open | Only MTX | Y | Y | Y | Y
972 | UDP | - | open or filtered | Only VPx* | - | - | - | -
974 | UDP | - | open or filtered | Only VPx* | - | - | - | -
980 | UDP | - | open or filtered | Only VPx* | - | - | - | -
982 | UDP | - | open or filtered | Only VPx* | - | - | - | -
984 | UDP | - | open or filtered | Only VPx* | - | - | - | -
985 | UDP | - | open or filtered | Only VPx* | - | - | - | -
988 | UDP | - | open or filtered | Only VPx* | - | - | - | -
990 | UDP | - | open or filtered | Only VPx* | - | - | - | -
994 | UDP | - | open or filtered | Only VPx* | - | - | - | -
6040 | UDP | ComServer/EIS (HMI) | open or filtered | Not XM2* | Y | Y | Y | N
6042 | TCP | ComServer/EIS (HMI) | open | - | Y | Y | Y | N
8080 | TCP | Rerouting to https | open | Not CML75 | - | - | - | -
10098 | TCP | Debug menu | open | Only MTX | N | Y | Y | N
10099 | TCP | NCS connection | open | Only MTX | Y | Y | Y | N
10099 | UDP | Emergency channel | open | Only MTX | Y | Y | Y | N
10110 | UDP | System diagnostics | open | Only MTX | Y | Y | Y | N
10200 - 10300 | UDP | Dynamic NFS connection | open | Only MTX | Y | Y | Y | N
11001 | UDP | ILNG.Online | open or filtered | - | - | - | - | -
11740, 11741 | TCP | IndraLogic Gateway | open | - | Y | Y | Y | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
21 | TCP | ftp | open | - | N | N | N | Y
22 | TCP | ssh, sftp | open | - | Y | Y | Y | Y
80 | TCP | http / EIS-WS | open | - | - | - | - | -
111 | TCP, UDP | Port mapper | open | MTX: CML75, CML85 | Y | Y | Y | N
443 | TCP | https | open | Not CML75 | - | Y | Y | N
502 - 504 | TCP | Modbus/TCP | open | - | Y | Y | Y | N
512 - 1023 | UDP | dynamic NFS | open | Only MTX | Y | Y | Y | N
974 | UDP | - | open or filtered | Only VPx* | - | - | - | -
976 | UDP | - | open or filtered | Only VPx* | - | - | - | -
978 | UDP | - | open or filtered | Only VPx* | - | - | - | -
982 | UDP | - | open or filtered | Only VPx* | - | - | - | -
984 | UDP | - | open or filtered | Only VPx* | - | - | - | -
6040 | UDP | ComServer/EIS (HMI) | open or filtered | - | Y | Y | Y | N
6042 | TCP | ComServer/EIS (HMI) | open | - | Y | Y | Y | N
8080 | TCP | Rerouting to https | open | Not CML75 | - | - | - | -
10098 | TCP | Debug menu | open | Only MTX | N | Y | Y | N
10099 | TCP | NCS connection | open | Only MTX | Y | Y | Y | N
11001 | UDP | ILNG.Online | open or filtered | - | - | - | - | -
17185 | UDP | Wind River Debug port | open or filtered | - | N | N | N | Y
35021 | TCP | SIP, Sercos NRT server port | open | | Y | Y | Y | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
4840 | TCP | OPC UA | open | If OPC UA Snap is installed | Y | Y | Y | Y
11740, 11741 | TCP | CoDeSys Gateway | open | If PLC Snap is installed | Y | Y | Y | N
dynamic >3xxxx | TCP | UPnP | open | - | Y | Y | Y | N
dynamic >4xxxx | TCP | UPnP | open | - | Y | Y | Y | N
34962 | TCP / UDP | Profinet RT Unicast | open | If Profinet Device Snap is installed | Y | N | N | N
34963 | TCP / UDP | Profinet RT Multicast | open | If Profinet Device Snap is installed | Y | N | N | N
34964 | TCP / UDP | Profinet Context Mgr. | open | If Profinet Device Snap is installed | Y | N | N | N
49152 | TCP / UDP | Profinet Connection Establishment | open | If Profinet Device Snap is installed | Y | N | N | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
20 / 21 | TCP | ftp | open | Access opt. SD | Y | Y | Y | Y*
23 | TCP | telnet | open | | N | N | Y | Y*
69 | UDP | TFTP | open | FW update | Y | Y | Y | Y*
80 | TCP | http / EIS-WS | open | IDST | Y | Y | Y | Y*
Tab. 4-1: * The port can only be disabled from MPx-20V12 via parameter P-0-1535 (IP communication settings).
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping | open | - | N | Y | Y | N
69 | UDP | TFTP | open | Firmware update | N | Y | Y | N
161, 162 | UDP | SNMP | open | Only active if Profinet is active | Y | N | N | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
1202 | UDP | CoDeSys network variables | open | Optional package, depending on the user application | Y | Y | Y | N
1217 | TCP | CoDeSys Engineering | open | Optional package | N | Y | Y | N
10000 | UDP | UDP/IP virt. field bus | open | Drive simulation (WEM+) | N | Y | N | N
11740 - 11743 | TCP | CoDeSys Engineering | open | Optional package | N | Y | Y | N
35021 | TCP | S-IP | open | - | Y | Y | Y | N
35021 | UDP | S-IP | open | - | Y | Y | Y | N
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
- | ICMP | Ping, SystemStatusDiagnostic, Echo | open | - | N | Y | Y | N
69 | UDP | TFTP | open | MEP firmware update | Y | Y | Y | N
502 | TCP | Modbus/TCP | open* | | Y* | Y* | N | N
x | TCP | Modbus/TCP | closed | User-defined port number (H3.51) | Y* | Y* | N | Y
2222 | UDP | EtherNet/IP | open* | EtherNet/IP Implicit Messaging | Y* | Y* | N | N
34964 | UDP | PROFINET | open* | PROFINET Connect Manager and RPC handler | Y* | Y* | N | N
35021 | TCP | Sercos/IP | open | Engineering | Y | Y | Y | N
35021 | UDP | Sercos/IP | open | Engineering | Y | Y | Y | N
44818 | TCP | EtherNet/IP | open* | EtherNet/IP Explicit Messaging | Y* | Y* | Y | N
51000 | TCP | Trace (MEP) | open | | N | N | Y | N
50001 | TCP | TCP Console (MEP) | open | | N | N | Y | N
Tab. 4-2: * = only if the corresponding field bus type of the MultiEthernetPlatform was enabled
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
21 | TCP | ftp | open | PSUpdate | Y/N | Y | Y | Y
80 / dynamic | TCP | http | open | PSUpdate | Y/N | Y | Y | Y
5001 | UDP | | open | Communication PSI<->BOS | Y | Y | Y | N
5002 - 5130 | UDP | | open | Communication PSI<->BOS | Y | Y | Y | N
5131 - 5259 | UDP | UISetupV2.0 | open | Communication PSI<->BOS | Y/N | Y | Y | N
5270 - 52xx | UDP | PSUpdate | open | from version 3.1.0.0 | N | Y | N |
dynamic from port 0 | UDP | PSUpdate | open | | N | N | |
Port | Protocol | Service | Status | Remark | Required for commissioning [Y/N] | Required for operation [Y/N] | Required for service [Y/N] | Can be disabled [Y/N]
21 | TCP | ftp | open | Disabled from FW version 1.11 | Y | Y | Y | N
22 | TCP | ssh, sftp | open | - | Y | Y | Y | N
80 | TCP | http | open | Can be disabled from FW version 1.11.9.0 | Y/N | Y | Y | Y
4711 | TCP | protocol buffer | open | Communication PRC<->PRI | Y | Y | Y | N
5566 | UDP | PRC detection | open | Detection of other PRC | Y | Y | Y | N
6060 | TCP | Webserver | open | From FW version 1.11.3; can be disabled from FW version 1.11.9.0 | Y/N | Y | Y | Y
8883 | TCP | MQTT Client | open, encrypted | If MQTT Gateway is active | Y | Y | Y | Y
11740 | TCP | IndraLogic Gateway | open | Disabled from FW version 1.11.4; can be disabled by the user from FW version 1.11.9.0 | N | N | Y | Y
1883 | TCP | MQTT Client | open, unencrypted | If MQTT Gateway is active | Y | Y | Y | Y
4.14.9 Devices PR3x / PR4 (IndraControl VR3x / VR4) with Windows 10 IoT
Enterprise LTSB 64 bit
Port Protocol Application
80 TCP HTTP
443 TCP HTTPS
5120 TCP UPnP
22 TCP SSH
Other open ports are possible, depending on the apps installed on the device. For more information, refer to the documentation of the app (e.g. IoT Gateway).
4.16 Software
4.16.1 WebConnector, WebComposer
Via the WebConnector, visualizations can be connected to controls on all devices with a compatible Java FM. The OPC UA and OCI (MLPI) protocols are supported. The user has to configure the secure communication via OPC UA. The secure communication via MLPIS is only supported from version 14V20 and has to be configured by the user during Connect.
The WebConnector is equipped with an integrated web server to provide customer-specific HTML5 pages with direct access to the automation level. The secure data communication is realized via HTTPS and TLS encryption.
The WebConnector is available on VP* and VE* devices with Windows 7 Embedded. By default, the unencrypted communication (HTTP/WS) is active, as console via port 8085 and as Windows service via port 15000, as well as the encrypted communication (HTTPS/TLS) as console via port 8086 and as Windows service via port 15001. The user has to disable the unencrypted communication.
In IndraWorks, the WebComposer is available as Engineering tool for commissioning visualizations. If WebComposer objects are created in the project, the WebConnector service is started and the ports 15000 (HTTP/WS) and 15001 (HTTPS/TLS) are active. The WebConnector service is not terminated by closing IndraWorks. After a PC restart, the service is no longer running (manual start). If the WebConnector service is not required anymore after

Port | Protocol | Service | Devices
8085 | HTTP | WebConnector console (if installed) | VP* with Win7emb., VE* with Win7emb.
8086 | HTTPS, TLS | WebConnector console (if installed) | VP* with Win7emb., VE* with Win7emb.
15000 | HTTP | WebConnector service (if installed) | VP* with Win7emb., VE* with Win7emb.
15001 | HTTPS, TLS | WebConnector service (if installed) | VP* with Win7emb., VE* with Win7emb.
4.16.2 WinStudio
WinStudio is a visualization software for all PC-based and embedded systems. The product consists of two parts:
WinStudio Engineering: Project planning tool to create individual HMI screens up to complete user interfaces.
Characteristics of the WinStudio Engineering packages:
● Integral part of IndraWorks Engineering to create visualization applications.
● Stand-alone editor to create individual visualizations (WinStudio Engineering stand-alone).
WinStudio Runtime: Software on the visualization devices, pre-installed or prepared for installation (software download).
Characteristics of the WinStudio runtime environment:
● WinStudio in the IndraWorks HMI interface (IndraWorks OPD). (Default user interface of the systems MLC, MTX and IL under Windows CE/Windows 7 Embedded Compact, Win XP/Win XPe, Win 7/Win 7e)
5 Possible measures
Physical measures: A lockable switching cabinet should be provided to protect controls and drives from unauthorized access.
6 Final remark
Security is a continuous process.
The process requires continuous monitoring and checks by all persons involved, including those who seem to be only slightly affected.
All persons involved require basic IT security knowledge.
This knowledge is an important basis for detecting and eliminating potential IT security vulnerabilities and deficiencies.
6.1 Recommendations
● Minimize the visibility of devices and systems in the network.
● Do not connect devices and systems directly to the internet.
● Provide a firewall for devices, systems and networks, and separate the devices, systems and networks from the office network.
● If remote maintenance is required, use authorized secure methods, e.g. VPN. Note that the access can only be as secure as the device and the settings for the user.
● Remove or disable all known default accesses and user accounts, and rename them.
● If possible, use the available account lockout policies to minimize the risk of brute force attacks.
● Implement rules that enforce the use of strong passwords.
● Monitor and log the setup of access to the administrative level by third parties.
● If possible, disable all unused hardware interfaces.
● Provide all required measures and rules that guarantee fast recommissioning after an incident.
7 Sources
7.1 References
● NORM VDI/VDE 2182
● NORM ISO/IEC 27000
● NORM BS/IEC 62443
● VDI guideline: "10 questions and answers about IT security in industrial automation"
● Industrial Network Security; Eric D. Knapp; ISBN-10: 1597496456
Index
Index
A Network infrastructure components............... 13
About this documentation..................................... 1 Telnet server.................................................. 12
ACLs............................................................... 3, 39 TFTP server................................................... 12
Device properties IndaDrive
B More information............................................ 11
Best practices..................................................... 41 Device properties IndraDrive
FTP server..................................................... 11
C Network infrastructure components............... 11
Telnet server.................................................. 10
Complaints............................................................ 5
Device properties PRC 7000
Controls with operating systems from
FTP server..................................................... 13
VxWorks 6.9.......................................................... 9
Network infrastructure components............... 14
Criticism................................................................ 5
SFTP server................................................... 13
ctrlX CORE.......................................................... 40
SSH server..................................................... 13
Customer Feedback.............................................. 5
Device properties PSI 6000 / PST 6000
FTP server..................................................... 13
D Network infrastructure components............... 13
Default Windows ports........................................ 31 Device properties Sercans
Device port overview Debug access................................................ 12
Device (IndraControl VH21) with Win‐ SFTP server................................................... 12
dows Embedded compact 7........................... 34 SSH server..................................................... 12
Devices (IndraControl VCH 05.1) with Device properties SLc Ethernet gateway
Windows CE 6.0............................................ 36 FTP server..................................................... 12
Devices (IndraControl VCH 08.1) with Network infrastructure components............... 12
Windows CE 5.0............................................ 35 Telnet server.................................................. 12
Devices (IndraControl VCP*.2) wtih Win‐ Device properties with operating system
dows CE 5.0................................................... 35 VxWorks 6.3
Devices (IndraControl VE*) with Windows Debug access.................................................. 9
Devices (IndraControl VE*) with Windows 7 Embedded Standard 32 and 64 bit ... 32
Devices (IndraControl VE*) with Windows CE ... 35
Devices (IndraControl VE*) with Windows Embedded compact 7 ... 35
Devices (IndraControl VE*) with Windows XP embedded 32 bit ... 34
Devices (IndraControl VP*) with Windows 7 Embedded Standard 32 and 64 bit ... 32
Devices (IndraControl VP*) with Windows 7 Embedded Ultimate 32 and 64 bit ... 32
Devices (IndraControl VP*) with Windows XP 32 bit ... 33
Devices (IndraControl VR21*) with Windows Embedded compact 7 ... 33
Devices PR3x / PR4 (IndraControl VR3x / VR4) with Windows 10 IoT Enterprise LTSB 64 bit ... 33
Devices PR21 with Linux Ubuntu core 16 ... 36
Device properties
    Controls with operating system VxWorks 6.3 ... 8
Device properties ctrlX CORE
    Network infrastructure components ... 14
    SSH server ... 14
Device properties frequency converter EFC
    FTP server ... 12
    More information ... 13

    FTP server ... 9
    More information ... 9
    Network infrastructure components ... 9
    Telnet server ... 9
Device properties with operating system VxWorks 6.9
    Debug access ... 9
    FTP server ... 10
    MLPI / MLPIS server ... 10
    Network infrastructure components ... 10
    SFTP server ... 10
    SSH server ... 10
    Telnet server ... 10
Devices port overview
    Devices (IndraControl VP*) with Windows 10 IoT Enterprise LTSB 64 bit ... 32
DHCP ... 3
Documentation
    Revision history ... 1

F
Feedback ... 5
Firewalls ... 39
Further links ... 43

G
Glossary ... 3
I
ICS ... 3
Internet sources ... 43
IT security
    Software ... 36
IT security / possible measures
    Using ctrlX CORE as VPN/firewall component ... 40
IT security/Network configuration ... 39
IT security/possible measure ... 39
IT security/possible measures ... 39
    Concept of separation ... 39
    Physical measures ... 39
    Service measures by third parties ... 39
    Use of firewalls ... 39
    Using ACLs ... 39
IT security/software
    WebConnector, WebComposer ... 36
    WinStudio ... 37
IT-Security
    ctrlX CORE apps ... 38
IT-Security / Software
    Modbus TCP ... 38
    PROFINET device ... 38

K
Krypto trojans ... 31

M
Modbus TCP ... 38
Modbus TCP port list ... 38

N
Network configuration ... 39

P
Port list CML10, CML20, CML40, CML65 (with MLC 04VRS), CMP40, CMP60, CMP70 ... 15
Port list CML25, CML45, CML65, HCQ micro (MTX) ... 17
Port list CML75, CML85, XM2*, VPx* up to including firmware 14V16 ... 19
Port list CML75, CML85, XM2*, XM4*, VPx* from firmware 14V18 ... 21
Port list ctrlX CORE ... 23
Port list device PSI / PST 6000 ... 28
Port list device ctrlX DRIVE ... 25
Port list device PRC 7000 ... 29
Port list Device Sercans ... 27
Port list Device Sercos Gateway SLC-3-GS3S ... 26
Port list frequency converter EFC with Multi Ethernet Platform (MEP) ... 27
Port list of the IndraDrive devices (with/without MLD) ... 24
Port list WebConnector ... 37
Port list WinStudio ... 37
Port lists ... 15
PROFINET device ... 38
PROFINET device port list ... 38
PROFINET Gateway device SLC-0-GPNT port list ... 26

R
RADIUS ... 3
Ransomware ... 31
Recommendations ... 41
References ... 43

S
SafeLogic compact
    Device properties SLc Ethernet gateway ... 12
Safety vs. IT security ... 6
Security guideline ... 6
    ctrlX CORE apps ... 38
    Default Windows ports ... 31
    Device (IndraControl VH21) with Windows Embedded compact 7 ... 34
    Device properties ... 8, 9
    Device properties ctrlX CORE ... 14
    Device properties frequency converter EFC ... 12
    Device properties IndraDrive ... 10
    Device properties PRC 7000 ... 13
    Device properties PSI 6000 / PST 6000 ... 13
    Device properties Sercans ... 12
    Devices (IndraControl VCH 05.1) with Windows CE 6.0 ... 36
    Devices (IndraControl VCH 08.1) with Windows CE 5.0 ... 35
    Devices (IndraControl VCP*.2) with Windows CE 5.0 ... 35
    Devices (IndraControl VE*) with Windows 7 Embedded Standard 32 and 64 bit ... 32
    Devices (IndraControl VE*) with Windows CE ... 35
    Devices (IndraControl VE*) with Windows Embedded compact 7 ... 35
    Devices (IndraControl VE*) with Windows XP embedded 32 bit ... 34
    Devices (IndraControl VP*) with Windows 7 Embedded Standard 32 and 64 bit ... 32, 33
    Devices (IndraControl VP*) with Windows 7 Embedded Ultimate 32 and 64 bit ... 32
    Devices (IndraControl VP*) with Windows 10 IoT Enterprise LTSB 64 bit ... 32
    Devices (IndraControl VP*) with Windows XP, Windows 7, Win 10 ... 30
    Devices (IndraControl VR21*) with Windows Embedded compact 7 ... 33
    Devices IndraControl VP*, VE*, VEP*, VCH*, VR* ... 30
T
Third parties........................................................ 39
V
VPN/firewall component...................................... 40
W
WebConnector port list....................................... 37
Windows 7.......................................................... 30
Windows systems............................................... 30
Windows XP........................................................ 30
WinStudio............................................................ 37
Bosch Rexroth AG
Bgm.-Dr.-Nebel-Str. 2
97816 Lohr a.Main
Germany
Tel. +49 9352 18 0
Fax +49 9352 18 8400
www.boschrexroth.com/electrics
R911342562
DOK-IWORKS-SECURITY***-PR11-EN-P