Siemens Version: 1.2 manual Introduction, Aug-05, escrypt GmbH


1. Introduction

Automation networks demand a variety of security goals, so only basic default rules are preset. Nonetheless, these default rules provide a secure configuration. The security modules are supposed to be easy to configure and handle, even by non-IT experts. The security module can still be precisely configured according to the user's requirements. With expert knowledge, the configuration can be set manually in advanced mode. The module can be installed in an existing automation network without having to change the network topology or configure new network nodes.

The configuration is set on a PC. It is possible to configure several security modules at the same time over the network. For the replacement of broken devices, the configuration data can be stored on a removable medium, the so-called C-Plug. If a broken module has to be replaced, only the removable medium needs to be put into the new module, which then immediately starts working based on a secure configuration.

The module is based on the VxWorks operating system from WindRiver. Some components, such as the packet filter and IPsec, were taken from OpenBSD, often quoted as the "most secure operating system". MiniWeb, a Siemens development, is used as an HTTPS server to provide a secure communication channel for the configuration data between the configuration PC and the security modules. MiniWeb is based on OpenSSL; it uses RC4 and 3DES and provides key lengths of up to 2048 bits.

Security modules can be combined in groups so that all modules of a group can communicate with each other through IPsec tunnels. The internal network nodes of a module, and also of other modules, can be found automatically without the need to configure them manually. The Scalance S 612 can protect a network of up to 32 internal nodes. The Scalance S 613 protects up to 64 internal nodes and has an extended temperature range of -20° to +70°. The SOFTNET Security Client software provides secure IP-based access from a PC to subnets. It automatically enables a PC to communicate through a secure tunnel with a security module. The security modules are powered by a redundant 24 V DC supply.

19-Aug-05

escrypt GmbH
