2. Security Services
2.2.4 Firmware Update
The firmware of the security device can be updated. For this purpose, Siemens supplies an encrypted and digitally signed firmware. The user has to authenticate to the security module before loading new firmware. The new firmware is transferred to the security module via HTTPs. The signature of the firmware update is verified. If the verification is successful, the new firmware is decrypted and stored as plain data. A security module accepts only new firmware holding a correct signature. Hence, it is guaranteed that no manipulated flash software is loaded into the security module but only authentic software. The private key for computing the signature is only known to Siemens and stored in a secure way such that new firmware can only be distributed by Siemens. The corresponding public key for the verification is stored in the EEPROM of each security module. The signature of a firmware is checked at updating it, while at booting time only a checksum of the stored firmware is verified. The confidentiality of the firmware is not a security target but only a barrier if someone wants to reconstruct the firmware.
2.3Configuration Management
Before the security module can start the work and protect an automation network, it has to be configured. A tool is used to set the parameters for the configuration of the security module including switches for the firewall, VPN, and logging. A module needs at least the IP parameters which are set automatically in the standard settings. It is possible to configure more than one module at the same time. This configuration software runs on an external PC and the configuration information is sent to the modules via HTTPs.
The configuration data is stored in the internal flash memory. The data is stored as plain data. However, during the data transmission between the configuration PC and the security module the data is securely communicated. If a
Users with restricted rights have only a few choices to configure the module. Even
escrypt GmbH | 9 |
