
SIMATIC
Process Control System PCS 7
Support and Remote Dialup

Commissioning Manual

12/2011, A5E02657554-02

1 Preface
2 Support and Remote Dialup
3 Dialup
4 Practical information


Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE indicates that an unintended result or situation can occur if the relevant information is not taken into account.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG Industry Sector Postfach 48 48 90026 NÜRNBERG GERMANY

A5E02657554-02 Ⓟ 11/2011

Copyright © Siemens AG 2011. Technical data subject to change


Support and Remote Dialup Commissioning Manual, 12/2011, A5E02657554-02 3

Table of contents

1 Preface
1.1 Structure and organization of the document
1.2 Special Notes

2 Support and Remote Dialup
2.1 Definitions
2.2 Concept

3 Dialup
3.1 Local dialup
3.2 Remote dialup
3.2.1 Network medium
3.2.2 Support device
3.2.3 Control System Network Access
3.3 Choice of technology

4 Practical information
4.1 General information
4.2 Siemens Remote Service (SRS)



1 Preface

1.1 Structure and organization of the document

The Security Concept PCS 7 & WinCC has several parts:

● The basic document provides a central overview and path through Security Concept PCS 7 & WinCC.

It systematically describes the basic principles and security strategies of the security concept. All additional detail documents assume the reader has read the basic document.

● The detail documents (this is one such detail document) explain the individual principles, solutions and configuration recommended there in detailed form, and each focuses on a particular detailed issue. The detail documents are supplemented, updated and published independently of one another to ensure that they are always up-to-date.


1.2 Special Notes

Objective of the Security Concept PCS 7 & WinCC

The main priority of automation is to maintain control over production and process. Even measures which aim to prevent the spread of a security threat must not affect control over production and process.

Security Concept PCS 7 & WinCC is intended to ensure that only authenticated users can perform authorized (permitted) operations via operating permissions (assigned to them) for authenticated devices. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, product, goods to be coordinated and the business of the enterprise.

Security Concept PCS 7 & WinCC, therefore, recommends the use of the latest available security mechanisms. To achieve the highest possible level of security, scaled, system-specific configurations should never contradict the basic principles of this security concept.

Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network administrators of company networks (IT administrators) and automation networks (automation engineers) to exploit the advantages provided by the networking of process control technology and the data processing of other production levels, without increasing security risks at either end.

Required Knowledge

This documentation is aimed at anyone who is involved in configuring, commissioning and operating automated systems based on SIMATIC. It is assumed that readers have appropriate administration knowledge of office IT.

Validity

Security Concept PCS 7 & WinCC incrementally replaces the following previous documents and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is valid as of WinCC V6.2 and PCS 7 V7.0.


2 Support and Remote Dialup

This detailed report focuses exclusively on remote maintenance, remote support and remote administration of a system. A description of remote control of a system is not included in this detailed report. However, information on remote control is provided in the detailed report “Management of Communication within and between Security Cells”.

2.1 Definitions

Virtual Private Network (VPN)
(Source: Microsoft Help & Support Center, Windows Server 2003)

An extension of a private network which encompasses encapsulated, encrypted and authenticated connections over shared or public networks. Private networks can establish remote access and routing connections over the Internet using VPN connections.

Point-to-Point Tunneling Protocol (PPTP)
(Source: Microsoft Help & Support Center, Windows Server 2003)

A network technology that supports multi-protocol VPNs (Virtual Private Networks). This provides remote users with secure access to internal company networks over the Internet or other networks by connecting via an Internet Service Provider (ISP) or by establishing a direct connection over the Internet. PPTP encapsulates IP (Internet Protocol) data, IPX (Internetwork Packet Exchange) data and NetBEUI (NetBIOS Extended User Interface) data in IP packets. Such encapsulation is also referred to as tunneling. This means that users can remotely run applications that are dependent on specific network protocols.

Layer 2 Tunneling Protocol (L2TP)
(Source: Microsoft Help & Support Center, Windows Server 2003)

An industry-standard Internet tunneling protocol that provides encapsulation to send PPP (Point-to-Point Protocol) frames for packet-oriented media. On IP networks, L2TP traffic is transmitted in the form of UDP (User Datagram Protocol) messages. On Microsoft operating systems, L2TP is used in conjunction with IPsec (Internet Protocol Security) as the VPN (Virtual Private Network) technology to provide VPN connections via RAS (Remote Access) or router-to-router. L2TP is described in RFC 2661.


2.2 Concept

Owing to increasing networking, as systems are connected to company networks and the Internet and the distance between support employees and systems grows (e.g. the support employee is onshore while the system requiring support is on a ship), support and remote dialup is growing in significance.

However, support and remote dialup brings additional dangers. Exceptions have to be defined at the access point firewalls, which creates additional weak points for attackers, and support employees can unintentionally infect the system with malware such as viruses and Trojans.

To minimize this risk, a "Defense in Depth" strategy is recommended for support and remote dialup, as for the entire Security Concept PCS 7 & WinCC. This means that there is no direct dialup to the endpoint under maintenance; instead, dialup passes through a central access point and combines multiple technologies and security mechanisms, so that the highest possible security is ensured for the entire system.

The VPN server described below is part of the back firewall, and therefore the responsibility of the system administrator, and is published over the front firewall to the WAN (intranet/office network). The external VPN solution preferred by Siemens for PCS 7 systems, the Siemens Remote Service (SRS), may be used as an alternative to an internal VPN solution. The Siemens Remote Service is based on a platform technology, the Common Remote Service Platform (CRSP) (for more information, see Chapter Practical information).

This configuration ensures that the front firewall holds no routing information for the Process Control Network (PCN) and no information about the network structure of the Manufacturing Control System (MCS) level. Hence an attacker who bypasses the front firewall still has no route into the system; the back firewall remains to be passed. A Microsoft Internet Security and Acceleration Server (MS ISA Server) is shown as the firewall in the following diagrams. Its successor, Microsoft Forefront Threat Management Gateway 2010 (MS TMG), may also be used; both products have since reached end of support, so the same role is today filled by a current firewall/VPN gateway, with the zoning principle unchanged. Further information on the configuration of an ISA Server/TMG as a firewall is provided in the detailed report "Managing the MS ISA Server/MS TMG as an Access Point".


Demo System

The following diagram shows a demo system with front and back firewalls and all the devices described in this document, e.g. the support and dialup stations of the support employee.

Figure 2-1 Demo system with front and back firewall
[Labels in the diagram: WAN/Intranet with two Support Stations, each behind an ISDN router; Enterprise Control Network; Perimeter Network between a Front-Firewall and a Back-Firewall (both ISA Server), containing Domain Controllers, Virusscan Server, Terminal Server and WSUS Server; Manufacturing Operations System with SIMATIC IT Server, SIMATIC IT SQL-Server, Historian and WebClient; Process Control Network (SCALANCE X based redundant ring) with Domain Controllers, Maintenance Server, Engineering Station, OS Servers, OS Client/WinCC Client and WinCC Servers; Control System Network (SCALANCE X based redundant ring) with S7-400H, S7-400 and S7-400FH controllers.]


3 Dialup

In principle, there are two different dialup options:

● local dialup, when the support employee is on site

● remote dialup over the intranet/office network, Internet or telephone network


3.1 Local dialup

Support station belonging to the system

The support station is a stationary support PC that is either physically located on the system as an engineering station (ES) in the Process Control Network (PCN), and is therefore part of the system, or located as a remote ES in a perimeter network / Manufacturing Operating Network (MON) of the Manufacturing Execution System (MES), and is therefore a trusted remote system PC. In both cases, security is ensured by correctly implementing the Security Concept PCS 7 & WinCC basic document. Because project files and backup copies change frequently on engineering stations, unlike on process control computers, external data media (USB sticks, CDs etc.) must also be scanned for viruses and malware before being connected to an engineering station.

Mobile Support PC / PG (Support Laptop)

If the support employee brings his/her own support PC on site, he/she should only be allowed to connect to the network at the access points specifically provided for this, the so-called support ports.

This can be done, for example, with current devices from the SCALANCE X-300 and X-400 ranges. Individual ports can be configured for port-based network access control (IEEE 802.1X), so that a connected computer can only participate in network communication if it presents a valid certificate whenever it connects; the SCALANCE device has the certificate verified by a RADIUS server, which in turn grants access. This ensures that only support employees who have been issued an applicable certificate can participate in network communication.

The support employee then creates a VPN connection to the back firewall. As the support employee is on site and system personnel are supervising constantly, a PPTP dialup with a standard support user account is sufficient. In this case, the user account is checked (in conjunction with the MS Remote Access Server (RAS)) against a user authentication server (e.g. the MS Internet Authentication Service (IAS) / RADIUS server), and this account can be used by all support employees for dialup on site. Each time a support job is completed, the system administrator must change the password of the standard support user. Note that the MS-CHAP v2 authentication PPTP relies on is weak by today's standards; the constant on-site supervision and the password change after every job are what make it acceptable here, and L2TP/IPsec (as used for remote dialup) is the stronger choice wherever the support PCs support it.

The update status of the virus scanner, the activated local firewall etc. are then checked on the support PC using the quarantine functionality of the ISA Server/TMG in the back firewall. The content and nature of the check can be defined by the system operator depending on the specific security requirements. Only after the check has completed successfully can the support employee access the system PCN or a specific engineering station. If access to the Control System Network (CSN) is also required, the quarantine scripts must be designed such that the additional network cards of an engineering station (e.g. CP1613) connected to the CSN are initially deactivated and only reactivated after the check has completed successfully.


3.2 Remote dialup

3.2.1 Network medium

Direct connection between devices

Direct connections are established between two devices, e.g. two ISDN routers or two Siemens Teleservice devices. A point-to-point connection over which data can be exchanged is always set up between the two devices. The devices can usually be configured so that they only allow or accept connections to or from defined call numbers or devices. In addition, they can frequently be set up so that the "dialup" has to be confirmed manually before the connection is established. It can therefore be verified in a telephone conversation that the connection really is being established by the support employee. For these reasons, a PPTP VPN connection is sufficient in this scenario.

Internet

If dialup is via the Internet, the maximum possible security must be guaranteed, as in principle every user on the Internet can attempt to establish a dialup connection to the VPN server. The VPN server is part of the back firewall, and therefore the responsibility of the system administrator, and is published over the front firewall to the WAN (Internet/intranet/office network). In this scenario the front firewall accepts the VPN connection by proxy and forwards it to the back firewall. This configuration ensures that the front firewall has no routing information for the PCN and no information on the network structure within the MCS level.

A unique user with a strong password must be created for each support employee so that every access can be attributed to an individual. Users should only be enabled temporarily, and only after consultation by telephone. A tunnel protocol with strong authentication and encryption, such as an L2TP/IPsec VPN, must be used for the communication to guarantee the integrity and confidentiality of the data.
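The account handling in Sections 3.1 and 3.2.1 (a shared on-site account whose password is changed after every job; per-employee remote accounts that are enabled only temporarily and after a telephone call) comes down to one small procedure: set a fresh password, bound the lifetime, enable; afterwards rotate the password again and disable. The following PowerShell script is an added example and is not part of the Siemens manual. It uses the Windows ActiveDirectory module (RSAT); the default account name svc-support-onsite, the eight-hour window and the password alphabet are hypothetical placeholders.

```powershell
<#
Added example (not part of the Siemens manual): open and close the support
account window described in Sections 3.1 and 3.2.1.
Assumptions: the RSAT ActiveDirectory module is installed; the default account
name 'svc-support-onsite' and the 8-hour window are hypothetical placeholders.
Usage:  .\Support-Account.ps1 -Action Open  -SupportUser svc-support-onsite
        .\Support-Account.ps1 -Action Close -SupportUser svc-support-onsite
#>
param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Action,
    [string]$SupportUser = 'svc-support-onsite',
    [int]$WindowHours = 8
)
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Unambiguous letters, digits and a few symbols, drawn from the CSPRNG with
    # rejection sampling so that every character is equally likely.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $limit = $alphabet.Length * [int][math]::Floor(256 / $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

switch ($Action) {
    'Open' {
        # Fresh password, bounded lifetime, then enable. The password is handed
        # over by telephone, as Section 3.2.1 requires.
        $password = New-RandomPassword
        $until    = (Get-Date).AddHours($WindowHours)
        Set-ADAccountPassword -Identity $SupportUser -Reset -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
        Set-ADAccountExpiration -Identity $SupportUser -DateTime $until
        Enable-ADAccount -Identity $SupportUser
        Write-Host "$SupportUser enabled until $until; pass this password on by telephone:"
        $password
    }
    'Close' {
        # Job done: rotate to a password nobody knows, expire and disable.
        # Disabling alone is not enough, the old password would be valid again
        # the moment someone re-enables the account.
        Set-ADAccountPassword -Identity $SupportUser -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
        Set-ADAccountExpiration -Identity $SupportUser -DateTime (Get-Date)
        Disable-ADAccount -Identity $SupportUser
        Write-Host "$SupportUser rotated, expired and disabled."
    }
}
```

The same script serves the shared on-site account (Section 3.1, run `Close` after every job) and the individual remote accounts (Section 3.2.1, run `Open` for the named employee only after the telephone consultation). The account expiration is set in addition to enabling/disabling so that a window that nobody closes still ends on its own.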


3.2.2 Support device

Defined Support PC

If the support employee is an internal company employee who has to access the system regularly or, for example, works for the software manufacturer that has a maintenance contract with the system operator, it is recommended that a system support PC is made available to the support service provider for the support employee. The system operator installs this support PC in accordance with the internal company security policies, configures it for support dialup (IPsec, certificates, user), installs the required programs and hands the PC to the support service provider. Once VPN dialup has succeeded (either via the Internet or a direct connection), the support PC is in a quarantine network and is checked using the quarantine functionality of the ISA Server/TMG (back firewall). A simple check is sufficient here, to confirm that the settings have not been changed and still conform to the internal company security policies. After the check has completed successfully, the support PC is granted access to the PCN and can provide support there. Organizational measures (e.g. contractual conditions) must ensure that the support employee knows that the support PC may only be used for this defined task.

Any (non-specific) PC

If the support employee works with his/her own PC, i.e. a device that is completely unknown to the system operator and which the system operator cannot configure, stricter security requirements must be applied to access. Once VPN dialup has succeeded (either via the Internet or a direct connection), the support PC is in a quarantine network and is checked using the quarantine functionality of the ISA Server/TMG (back firewall). A comprehensive check must be carried out, including a full virus scan, installation of missing security updates, activation of the local firewall etc. If the PC passes the check, it is granted remote access either to an engineering station located on the system itself or to an engineering station installed in the perimeter network for this purpose. It is recommended that Remote Desktop, NetMeeting (in future, Windows Live Meeting) or a terminal server is used for the remote connection. The terminal server in the perimeter network can provide the support employee with the applications he/she requires.

Remote Desktop is part of the Windows operating system and is therefore kept up to date via the standard security updates. The Remote Desktop Protocol (RDP) encrypts the session, and certificate-based user authentication (e.g. smart card logon) can be required. Remote access can be limited to so-called "keyboard-video-mouse" information by disabling drive, clipboard and printer redirection, thereby preventing direct access to data. NetMeeting is also included in the Windows operating system and offers the same advantages. NetMeeting has certificate-based encryption (comparable to HTTPS), whereby the user can integrate his/her own certificates with individually defined encryption strength. One advantage of NetMeeting is that the system operator can follow the activity of the support employee on his/her monitor and intervene if necessary. Note, however, that NetMeeting is no longer shipped from Windows Vista onward and Windows Live Meeting has since been discontinued, so on current systems Remote Desktop and a terminal server are the options that remain from this list.
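The "keyboard-video-mouse only" form of Remote Desktop access described above, and the local-firewall point made in Section 4.1, can both be enforced on the engineering station itself. The following PowerShell script is an added example and not code from the Siemens manual: it writes the Terminal Services policy values that Group Policy would set (TLS and Network Level Authentication, all device redirection off), grants RDP logon to one named account only, and replaces the broad built-in RDP firewall rules with a single rule scoped to the perimeter terminal server. The address 192.0.2.10 and the account PCS7DOM\support.alice are hypothetical placeholders; the NetSecurity and LocalAccounts cmdlets need Windows Server 2016 / Windows 10 or later.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not part of the Siemens manual): make an engineering station's
RDP listener "keyboard-video-mouse" only and open the local firewall for RDP
from the perimeter terminal server alone (Sections 3.2.2 and 4.1).
Assumptions: 192.0.2.10 and PCS7DOM\support.alice are hypothetical placeholders.
#>
$TerminalServer = '192.0.2.10'
$SupportAccount = 'PCS7DOM\support.alice'

# 1. Listener policy: these are the registry values Group Policy writes for
#    "Remote Desktop Session Host", so they override the GUI settings.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policy -Force | Out-Null
$settings = @{
    UserAuthentication = 1   # require Network Level Authentication before a session exists
    SecurityLayer      = 2   # TLS for the RDP transport, not the legacy RDP security layer
    MinEncryptionLevel = 3   # "High": 128-bit encryption in both directions
    # 2. Keyboard-video-mouse only: every channel that could carry files or data out is off
    fDisableCdm        = 1   # drive redirection
    fDisableClip       = 1   # clipboard redirection
    fDisableCpm        = 1   # printer redirection
    fDisableLPT        = 1   # LPT port redirection
    fDisableCcm        = 1   # COM port redirection
    fDisablePNPRedir   = 1   # plug-and-play device redirection
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $policy -Name $name -Value $settings[$name] -Type DWord
}

# 3. Only the named support account may log on via RDP; no group-wide grant.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $SupportAccount -ErrorAction SilentlyContinue

# 4. Local firewall (Section 4.1): the built-in "Remote Desktop" rules allow any
#    source, so disable them and allow TCP 3389 from the terminal server only.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from support terminal server only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $TerminalServer -Action Allow -Profile Domain | Out-Null

# 5. Verify what is now in effect: the rule's source scope and the listener policy.
Get-NetFirewallRule -DisplayName 'RDP from support terminal server only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-ItemProperty -Path $policy |
    Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel, fDisableCdm, fDisableClip
```

Run it on the engineering station (or the perimeter ES) before the first support session. With these settings the support employee can see and operate the station but has no drive, clipboard or printer channel to move data out of the PCN, and the station answers RDP only to the terminal server that sits behind the quarantine check.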


3.2.3 Control System Network Access

Support access to the CSN may only be provided via a remote connection to an engineering station that is connected to the CSN.

Either Remote Desktop or NetMeeting (in future, Windows Live Meeting) should be used for the reasons mentioned above.


3.3 Choice of technology

The following decision trees are designed to help choose the remote dialup technology to suit requirements and the situation.

Support access to the Process Control Network

Figure 3-1 Support access to the Process Control Network


Support access to the entire system

Figure 3-2 Support access to the entire system


Non-administrative remote access to third-party programs

Figure 3-3 Non-administrative remote access to third-party programs


Administrative remote access to system programs

Figure 3-4 Administrative remote access to system programs


Administrative remote access to the entire system

Figure 3-5 Administrative remote access to the entire system


4 Practical information

4.1 General information

If remote administration and support tools are used, it must be ensured that the programs are activated in the local firewall of the computer to be serviced.

NetMeeting

Information on NetMeeting is available here:

http://support.microsoft.com/kb/878451/en

Remote support (Remote Assistance)

The HelpAssistant account is the primary account used to set up a remote support session. It is created automatically when a Remote Assistance session is initiated and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and is automatically removed once remote support is no longer required or has been completed.

More information on remote support is available here: http://go.microsoft.com/fwlink/?LinkId=38569


4.2 Siemens Remote Service (SRS)

SRS can be used as an alternative to an internal VPN solution or to a direct connection between devices. SRS can be used for all the scenarios described in the previous chapters that involve any (non-specific) support PC.

SRS is an external, central VPN solution. Only an SRS router is installed on the system, which functions in the same way as an ISDN router in the scenarios above; alternatively, the existing infrastructure is used to create a site-to-site coupling with the Siemens DMZ. A secure channel between the dialing support PC and the SRS router on the system is created via a central server center (DMZ). The advantage for the customer is that he/she hands over responsibility for administration, maintenance and service: securing the channel, the type of encryption, checking the dialing support PC and defining which users are permitted to dial up all fall under the responsibility of the SRS provider and are agreed contractually between the customer and the SRS provider.

In addition, SRS also manages which tools may be used for system support and ensures that all tools are available in the SRS server center via the terminal server, and that the tools are up-to-date and secure.

All tools recommended by PCS 7 & WinCC for remote access are supported by SRS.

For more information on CRSP, please contact your sales partners and visit http://support.automation.siemens.com/WW/view/en/42346681.

The SRS solution is described in detail in a separate manual.