Software (security functions)
• Keep the firmware up to date. Check regularly for security updates for the device. You can
find information on this at the Industrial Security (
) website.
• Inform yourself regularly about security recommendations published by Siemens
ProductCERT (
http://www.siemens.com/cert/en/cert-security-advisories.htm
).
• Only activate protocols that you require to use the device.
• Disable encryption methods with a low security level.
• The option of VLAN structuring provides protection against DoS attacks and unauthorized
access. Check whether this is practical or useful in your environment.
• Use a central logging server to log changes and accesses. Operate your logging server within
the protected network area and check the logging information regularly.
Authentication
Note
Accessibility risk - Risk of data loss
Do not lose the passwords for the device. Access to the device can only be restored by resetting
the device to factory settings which completely removes all configuration data.
• Replace the default passwords for all user accounts, access modes and applications (if
applicable) before you use the device.
• Define rules for the assignment of passwords.
• Use passwords with a high password strength. Avoid weak passwords, (e.g. password1,
123456789, abcdefgh) or recurring characters (e.g. abcabc).
This recommendation also applies to symmetrical passwords/keys configured on the device.
• Make sure that passwords are protected and only disclosed to authorized personnel.
• Do not use the same passwords for multiple user names and systems.
• Store the passwords in a safe location (not online) to have them available if they are lost.
• Regularly change your passwords to increase security.
• A password must be changed if it is known or suspected to be known by unauthorized
persons.
• When user authentication is performed via RADIUS, make sure that all communication takes
place within the security environment or is protected by a secure channel.
• Watch out for link layer protocols that do not offer their own authentication between
endpoints, such as ARP or IPv4. An attacker could use vulnerabilities in these protocols to
attack hosts, switches and routers connected to your layer 2 network, for example, through
manipulation (poisoning) of the ARP caches of systems in the subnet and subsequent
interception of the data traffic. Appropriate security measures must be taken for non-secure
layer 2 protocols to prevent unauthorized access to the network. Physical access to the local
network can be secured or secure, higher layer protocols can be used, among other things.
Recommendations on network security
SCALANCE X-200
14
Operating Instructions, 11/2021, C79000-G8976-C284-15