Security Features; Security Performance Features On The External Ethernet Interface - Siemens SENTRON 7KN POWERCENTER 3000 Manual

Installing, connecting, commissioning

4.7 Security features

4.7 Security features
The security features of a central communication device, such as 7KN Powercenter 3000,
provide protection against unauthorized access and require specific attention during use in
the same way that a lock on a door provides both protection and is also an obstacle that can
be overcome with the matching key.
Assuming the necessary security measures are applied, the security features protect the
7KN Powercenter 3000 from unauthorized accesses.
For each application of the 7KN Powercenter 3000, depending on the hazard potential and
the operating environment, a decision must be made as to which security features will be
used.
It is important consistently to disconnect the external network environment from the network
of the switchgear assembly.
The smart assembly network must be physically protected, e.g. doors, sheet metal
enclosures, locks, must be protected from all tampering. This network must never be
connected to another network with unknown or insecure network nodes.
Each Security measure can be selected via the Web user interface → Settings → General for
each Ethernet interface and each feature.
● On the X1P1 interface, security measures (hardening) are activated on delivery and can
be deactivated.
● On the X2P1 interface, security features are deactivated on delivery and can be
activated. For that reason, the X2P1 interface has to be used when the device is
commissioned for the first time.
4.7.1

Security performance features on the external Ethernet interface

● Signed firmware: 7KN Powercenter 3000 can only be operated with firmware signed by
SIEMENS. This makes operation with corrupted or manipulated firmware impossible.
Downgrading to firmware that may be faulty is not possible either.
● IP filter: On 7KN Powercenter 3000, up to 5 different privileged IP addresses or IP
subnets, the so-called firewall whitelist, can be selected. If this option is used, all further
IP addresses/IP address ranges or subnets are excluded from communication that are
not entered in the firewall whitelist.
Note
A single IP address is entered as follows: xxx.xxx.xxx.xxx/32 e.g. for 192.168.10.15/32.
The IP subnet is entered as follows: xxx.xxx.xxx.xxx/24 and therefore, e.g. for IP address
range 192.168.10.1 to 192.168.10.254
If more than 5 explicit IP addresses are required, the applications (=IP addresses) can be
grouped together into one IP subnet (IP address range), which is then specified.
38
7KN POWERCENTER 3000
Manual, 10/2019, L1V30579222003-01