SIMATIC NET IKPI Chap08 Industrial Security English 2015


8 Industrial Security

© Siemens AG 2014

8/2 Security Integrated
8/2 Introduction
8/8 SCALANCE S
8/19 SCALANCE M
8/20 CP 1243-1 and CP 1543-1
8/21 CP 343-1 Advanced and CP 443-1 Advanced
8/23 CP 1628
8/24 SOFTNET Security Client
8/27 Industrial Security Services

Siemens IK PI · 2015

Industrial Security
Security Integrated
Introduction

■ Overview
Industrial security
That is why industrial security is so important
As the use of Ethernet connections all the way down to the field level increases, the associated security issues are becoming a more urgent topic for industry. After all, open communication and increased networking of production systems involve not only huge opportunities, but also high risks. To provide an industrial plant with comprehensive security protection against attacks, the appropriate measures must be taken. Siemens can support you here in selectively implementing these measures – within the scope of an integrated range for Industrial Security.
Threat overview (No. / Threat / Explanation)

1 Unauthorized use of remote maintenance access: Maintenance access provides deliberate openings to the outside in the ICS network 1). However, they are often inadequately protected.
2 Online attacks via office/enterprise networks: In general, office IT equipment is connected with the Internet in many ways. Usually, there are also network connections from the office network to the ICS network, allowing attackers to use this route.
3 Attacks against standard components used in the ICS network: Standard IT components (commercial off-the-shelf, COTS) such as operating systems, application servers, or databases generally contain flaws and weak points which can be exploited by attackers. If these standard components are also used in the ICS network, this increases the risk of a successful attack on the ICS systems.
4 (D)DoS attacks: (Distributed) denial of service attacks can be used to disrupt network connections and required resources and cause systems to crash, e.g. to disrupt the functionality of an ICS.
5 Human error and sabotage: Deliberate actions – regardless of whether by internal or external agents – are a massive threat for all security goals. In addition, negligence and human error are a great danger, especially when it comes to protecting confidentiality and availability.
6 Introduction of harmful code via removable media and external hardware: The use of removable media and mobile IT components of external employees always presents a great risk of malware infections. The importance of this aspect was demonstrated by Stuxnet, for example.
7 Reading and writing messages in the ICS network: Because most control components presently communicate via plain-text protocols, and are thus unprotected, it is often possible to read and insert commands without great difficulty.
8 Unauthorized access to resources: In particular, insiders or follow-up attacks after intrusion from the outside have an easy time if authentication and authorization for services and components in the process network are non-existent or insecure.
9 Attacks on network components: Network components can be manipulated by attackers, for example to carry out man-in-the-middle attacks or to make sniffing easier.
10 Technical faults and acts of God: Failures are always possible as a result of extreme environmental influences or technical defects – the risk and the potential for damage can only be minimized here.

1) Industrial Control Systems (ICS)
Source: BSI-A-CS 004 | Version 1.00 dated April 12, 2012; page 2 of 2
Note:
The list of threats came about as a result of close cooperation
between BSI and business representatives.
With its BSI analyses, the Federal Office for Information Security
(BSI) publishes statistics and reports on current topics in
cyber security.
Please send comments and notes to: [email protected]


■ Overview (continued)

[Figure G_IK10_XX_10336, Defense in depth: Plant security, Network security, System integrity; labels: Physical access protection, Processes & guidelines, Security guidelines, Cell protection and perimeter network, Firewalls & VPN, System hardening, Authentication/user administration, Patch management, Detection of attacks, Industrial security services]

Network security as a central component of the Siemens Industrial Security concept

Siemens Industrial Security – Factors for success: continuous protection for your plant
An optimum industrial security solution can only be implemented if new approaches are taken, because they must be continuously adapted to new threats. There is no such thing as absolute security. To ensure a comprehensive and permanent solution, we provide in-depth advice, partner-like cooperation, and constant further development of our security measures and products.

All-round, but also in-depth protection
With Defense in Depth, Siemens provides a multi-level concept that offers your plant both all-round and in-depth protection. The concept is based on the components plant security, network security, and system integrity, as recommended by ISA 99 / IEC 62443 – the leading standard for security in industrial automation. While conventional plant security defends the plant against physical attacks, network protection and protection of system integrity protect against cyber attacks and unauthorized access by operators or external persons.

Initial risk assessment and information on the Internet
You want to know now how good the security of your industrial plant is? We can provide you with detailed information about the special security issues in your industry. Use the opportunity to contact our consulting team about any open issues. Our experts will gladly prepare a security concept that is adapted to the needs of your production plant or process infrastructure. You can download the additional "Operational Guidelines" with many recommendations for protecting your production plant from our Internet site.

Network security
Network security means protecting automation networks from unauthorized access. This includes the monitoring of all interfaces, such as the interfaces between office and plant networks or the remote maintenance access to the Internet, which can be accomplished by means of firewalls and, if applicable, by establishing a DMZ (demilitarized zone = secure, protected zone). The DMZ is used to provide data for other networks without granting direct access to the automation network. The secure segmenting of the plant network into individually protected automation cells minimizes risks and increases security. Cell division and device assignment are based on communication and protection requirements. Data transmission is encrypted by means of a VPN and is thus protected from data espionage and manipulation. The communication stations are securely authenticated. The cell protection concept can be implemented and communication can be secured using "Security Integrated" components such as SCALANCE S Security Modules, SCALANCE M wireless routers, or Security CPs for SIMATIC.
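The DMZ principle described above (data is provided to other networks without granting them direct access to the automation network) can be checked mechanically against a planned zone layout. The following is an added example and not code from the Siemens catalog: a small zone/conduit model in Python, where a conduit records which zone may initiate connections into which other zone. The zone names, the trust levels, and the two sample designs are constructed for the demo.

```python
"""Added example (not from the Siemens catalog): check a zone/conduit design
against the DMZ principle. A conduit (a, b) means zone a may initiate
connections into zone b. Zones, trust levels and sample designs are constructed."""
from collections import deque
from typing import Dict, List, Tuple

Conduit = Tuple[str, str]

# Constructed zone model: office and Internet are untrusted, the plant network
# and the automation cells are trusted, the DMZ sits in between.
ZONES: Dict[str, str] = {
    "internet": "untrusted",
    "office": "untrusted",
    "dmz": "dmz",
    "plant": "trusted",
    "cell1": "trusted",
    "cell2": "trusted",
}

# Design A: the DMZ server is allowed to open connections into the plant
# network, so the office reaches the plant network through the DMZ.
BAD_DESIGN: List[Conduit] = [
    ("office", "dmz"), ("internet", "dmz"), ("dmz", "plant"),
    ("plant", "cell1"), ("plant", "cell2"),
]

# Design B: the plant network pushes data to the DMZ server; nothing in the
# DMZ initiates towards the trusted side.
GOOD_DESIGN: List[Conduit] = [
    ("office", "dmz"), ("internet", "dmz"), ("plant", "dmz"),
    ("plant", "cell1"), ("plant", "cell2"),
]


def initiation_paths(conduits: List[Conduit], start: str,
                     zones: Dict[str, str]) -> Dict[str, List[str]]:
    """Breadth-first search over conduits from `start`; returns the first
    path found to every zone that `start` can initiate connections into.
    Expansion stops at trusted zones: reaching one is already the finding."""
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in conduits:
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [dst]
                if zones.get(dst) != "trusted":
                    queue.append(dst)
    return paths


def find_violations(zones: Dict[str, str], conduits: List[Conduit]) -> List[str]:
    """Every path along which an untrusted zone can initiate connections into a
    trusted zone is a violation of the DMZ principle, even if it passes the DMZ."""
    findings: List[str] = []
    for zone, level in zones.items():
        if level != "untrusted":
            continue
        for target, path in initiation_paths(conduits, zone, zones).items():
            if zones.get(target) == "trusted":
                findings.append(" -> ".join(path))
    return sorted(findings)


if __name__ == "__main__":
    print("design A:", find_violations(ZONES, BAD_DESIGN) or "no findings")
    print("design B:", find_violations(ZONES, GOOD_DESIGN) or "no findings")
```

The direction of a conduit is who initiates, not who sends data: in design B the plant network still delivers data to the DMZ server, but no path exists along which the office or the Internet can open a connection into a trusted zone.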


■ Overview (continued)
[Figure G_IK10_XX_10370, plant network with Security Integrated products: Plant Security (physical protection, security management); Office Network with domain controller, PC with CP 1628 and servers; DMZ with SCALANCE S623, web server and central archiving server; Network Security with Internet router, SCALANCE M874-3 (GPRS/UMTS), SCALANCE M812-1, SIMATIC S7-1200 with CP 1243-1, SIMATIC Field PG with SOFTNET Security Client, two SCALANCE S627-2M with sync connection and SCALANCE S623; Production 1, 2, 3 ... n on an Industrial Ethernet (fiber optic) MRP ring with SCALANCE X308-2M and SCALANCE X204-2 ring redundancy managers, SIMATIC S7-400 with CP 443-1 Advanced, SIMATIC S7-1200 with CP 1243-1, SIMATIC S7-300 with CP 343-1 Advanced; System Integrity / Factory Automation with PROFINET, SIMATIC TP700 and TP1200 Comfort, ET 200SP, ET 200, SINAMICS G120, SINAMICS S120 (Booksize), SIMOTION D4x5]

Secure communication, network access protection and network segmentation with Security Integrated products


■ Overview (continued)
Security Integrated
Cell protection concept
Industrial communication is a key factor for corporate success – as long as the network is protected. As your partner, Siemens provides its customers with Security Integrated components, which not only have communication functions but also include special security functions such as firewall and VPN functionality, in order to implement the cell protection concept. With the cell protection concept, a plant network is subdivided into protected automation cells within which all devices are able to communicate with each other securely. The individual cells are connected to the plant network protected by a VPN and firewall. Cell protection reduces the susceptibility to failure of the entire production plant and thus increases its availability. Security Integrated products such as SCALANCE S, SCALANCE M and SIMATIC S7/PC communications processors can be used for implementation. The following Security Integrated products are available:

SIMATIC S7-1200 / S7-1500:
• Protection of the controller by access protection (authentication) via the S7-1200/S7-1500 CPU:
- Know-how protection
- Manipulation protection
- Copy protection
- Graded security concept for HMI connection
• Expandable access protection (firewall and VPN) for S7-1200/S7-1500 with Security CP 1243-1/CP 1543-1 by means of
- Integrated firewall (monitoring of the data flow)
- Protection against data manipulation and espionage by means of a VPN

SIMATIC S7-300 and S7-400
• Protection of controllers by CP 343-1 Advanced and CP 443-1 Advanced communications processors, which contain both firewall and VPN (virtual private network) functionality.

SCALANCE S security modules
SCALANCE S modules protect industrial networks and automation systems by means of security-related segmentation (cell protection) with a firewall against unauthorized access and protect data transmission with VPN against manipulation and espionage.

SCALANCE M router
Mobile radio router
SCALANCE M industrial router for secure access to plants via mobile radio, e.g. GPRS or UMTS, with integral security functions – firewall for protection against unauthorized access and VPN for protection of the data transmission.

DSL routers
The SCALANCE M DSL routers are ADSL routers (M812-1 and M816-1) for the secure connection of Ethernet-based subnets and automation devices to hard-wired DSL networks, or SHDSL routers (M826) for connection via existing wire-pairs or multi-wire cables. They have integral security functions – firewall for protection against unauthorized access and VPN for protection of the data transmission.

Industrial PCs
• Via the CP 1628 communications processor, the industrial PCs are protected by firewall and VPN – for secure communication without special operating system settings. This means that computers equipped with the module can be connected to protected cells.

Software
• The SOFTNET Security Client software enables VPN access via the Internet or a company intranet to automation cells or PCs protected by SCALANCE S or another security component with VPN functionality.

Security functions by product (column headings as extracted: S7-1200 CPU 1), S7-1500 CPU, CP 1243-1 1), CP 1543-1, CP 343-1 Adv, CP 443-1 Adv, CP 1628, SCALANCE S family, SCALANCE M family, SOFTNET Security Client; the assignment of the marks to the columns is not preserved):
Configurable copy protection ●
Access protection (authentication) ●
Extended access protection (Firewall) ● ● ● ● ●
Virtual Private Network with IPSec ● ● ● ●
Manipulation protection (communication, configuration) ● ● ● ● ● ● ●
● applies
1) from CPU firmware V4.0, from STEP 7 Professional V13 (TIA Portal)

Security Integrated products for industrial use with special security functions to improve the standard of security


■ Ordering data (Article No.)

Security Integrated devices

SCALANCE S Industrial Security Modules
For protecting programmable controllers and automation networks and for securing industrial communication; Security Modules protect network segments against unauthorized access by means of Stateful Inspection Firewall; connection via 10/100/1 000 Mbit/s ports; configuring tool and electronic manual on CD ROM; English, German, French, Italian, Spanish;
• SCALANCE S602 6GK5602-0BA10-2AA3
• SCALANCE S612 6GK5612-0BA10-2AA3
  up to 128 VPN tunnels simultaneously
• SCALANCE S623 6GK5623-0BA10-2AA3
  up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port
• SCALANCE S627-2M 6GK5627-2BA10-2AA3
  up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port; two additional slots for one 2-port media module each

SOFTNET Security Client V4 HF1 6GK1704-1VW04-0AA0
Software for designing secure IP-based VPN connections from a programming device/PC to network segments which are secured by SCALANCE S, SCALANCE M, CP 343-1 Advanced, CP 443-1 Advanced, or CP 1628; Single License for 1 installation, runtime software (German/English), configuration tool (German/English), and electronic manual on CD-ROM (German/English/French/Spanish/Italian) for Windows 7 Professional, Ultimate, Windows XP Professional (32-bit) + SP3

SCALANCE M industrial modems and routers

SCALANCE M874 mobile radio router
Mobile radio router for wireless IP communication from Industrial Ethernet-based subnets and programmable controllers via UMTS or GSM mobile radio networks; with integrated firewall and VPN with IPsec; 2 x RJ45 ports, 1 x antenna connection
• SCALANCE M874-3 1) 6GK5874-3AA00-2AA2
• SCALANCE M874-2 1) 6GK5874-2AA00-2AA2

SCALANCE M875 UMTS Router
UMTS router for wireless IP communication from Industrial Ethernet-based programmable controllers via UMTS/GSM mobile radio networks; EGPRS Multislot Class 12; with integrated firewall and VPN with IPsec; 2 x RJ45 ports, 2 x antenna connections
• SCALANCE M875 1) 6GK5875-0AA10-1AA2
• SCALANCE M875 1) for Japan 6GK5875-0AA10-1CA2

SCALANCE M81x-1 ADSL router
DSL router for wired IP communication from Industrial Ethernet-based subnets and programmable controllers via telephone or DSL networks; with integrated firewall and VPN with IPsec; 1 x or 4 x RJ45 ports for Industrial Ethernet; 1 x RJ45 port for DSL
• SCALANCE M812-1 (Annex A) 6GK5812-1AA00-2AA2
• SCALANCE M812-1 (Annex B) 6GK5812-1BA00-2AA2
• SCALANCE M816-1 (Annex A) 6GK5816-1AA00-2AA2
• SCALANCE M816-1 (Annex B) 6GK5816-1BA00-2AA2

SCALANCE M826-2 SHDSL router
DSL router for wired IP communication from Industrial Ethernet-based subnets and programmable controllers via telephone or DSL networks; with integrated firewall and VPN with IPsec; 1 x or 4 x RJ45 ports for Industrial Ethernet; 1 x RJ45 port for DSL
• SCALANCE M826-2 (Annex A) 6GK5826-2AB00-2AB2


■ Ordering data (continued) (Article No.)

Communications processors for SIMATIC S7

CP 1243-1 6GK7243-1BX30-0XE0
communication processor; for connection of SIMATIC S7-1200 to Industrial Ethernet via TCP/IP, ISO and UDP, Telecontrol Server Basic and security functions with Stateful Inspection Firewall and VPN; 1 x RJ45 interface with 10/100 Mbit/s

CP 1543-1 6GK7543-1AX00-0XE0
communication processor; for connection of SIMATIC S7-1500 to Industrial Ethernet via TCP/IP, ISO and UDP and security functions Stateful Inspection Firewall and VPN; 1 x RJ45 interface with 10/100/1 000 Mbit/s

CP 343-1 Advanced 6GK7343-1GX31-0XE0
communications processor; for connection of SIMATIC S7-300 to Industrial Ethernet over ISO and TCP/IP; PROFINET IO Controller or PROFINET IO Device, MRP, integrated 2-port switch ERTEC; S7 communication, open communication (SEND/RECEIVE), FETCH/WRITE, with and without RFC1006, multicast, DHCP, CPU clock synchronization via SIMATIC procedure and NTP, diagnostics, SNMP, access protection through IP access list, initialization over LAN 10/100 Mbit/s; as well as IT communication (web, e-mail, FTP); PROFINET CBA; security (firewall/VPN); PROFIenergy; with electronic manual on DVD

CP 443-1 Advanced 6GK7443-1GX30-0XE0
communications processor; for the connection of SIMATIC S7-400 to Industrial Ethernet; PROFINET IO Controller with RT and IRT, MRP, PROFINET CBA, TCP/IP, ISO and UDP; S7 communication, open communication (SEND/RECEIVE) with FETCH/WRITE, with and without RFC1006, diagnostics expansions, multicast, clock synchronization with SIMATIC mode or NTP, access protection by IP access list, FTP client/server, HTTP server, HTML diagnostics, SNMP, DHCP, e-mail, data storage on C-PLUG; PROFINET connector: 4 x RJ45 (10/100 Mbit/s) via switch; Gigabit connector: 1 x RJ45 (10/100/1 000 Mbit/s); with integrated stateful inspection firewall and VPN appliance

Communications processors for PG/PC/IPC

CP 1628 6GK1162-8AA00
communications processor; PCI Express x1 card for connection to Industrial Ethernet (10/100/1 000 Mbit/s), with 2-port switch (RJ45) and integrated security (firewall, VPN) via HARDNET-IE S7 and S7-REDCONNECT. For operating system support, see SIMATIC NET Software

Accessories

IE FC TP Standard Cable GP 2 x 2 (Type A) 6XV1840-2AH10
4-core, shielded TP installation cable for connecting to IE FC RJ45 outlet / IE FC RJ45 plug; PROFINET-compliant; with UL approval; sold by the meter; max. length 1 000 m, minimum order 20 m

IE FC RJ45 Plug 180
RJ45 plug-in connector for Industrial Ethernet with a rugged metal enclosure and integrated insulation displacement contacts for connecting Industrial Ethernet FC installation cables; with 180° cable outlet; for network components and CPs/CPUs with Industrial Ethernet interface
• 1 pack = 1 unit 6GK1901-1BB10-2AA0
• 1 pack = 10 units 6GK1901-1BB10-2AB0
• 1 pack = 50 units 6GK1901-1BB10-2AE0

IE FC stripping tool 6GK1901-1GA00
Preadjusted stripping tool for fast stripping of Industrial Ethernet FC cables

SITOP compact 24 V/0.6 A 6EP1331-5BA00
1-phase power supply with wide-range input 85 – 264 V AC/110 – 300 V DC, stabilized output voltage 24 V, rated output current value 0.6 A, slim design

C-PLUG 6GK1900-0AB00
Swap medium for simple replacement of devices in the event of a fault; for storing configuration or application data; can be used for SIMATIC NET products with C-PLUG slot

1) Please note national approvals under http://www.siemens.com/wireless-approvals
Note:
Check the current country list:
http://support.automation.siemens.com/WW/view/en/66627157

SCALANCE S

■ Overview
• Security modules for the protection of automation networks and security during data exchange between automation systems.
• Checking and filtering of data traffic by integrated firewall and thus:
- Protection against operator mistakes
- Prevention of unauthorized access
- Prevention of faults and communications overload
• Authentication of the communication partners and encryption of the transmitted data with VPN and thus protection of communication against espionage and manipulation.
• Rugged, industry-compatible design of the devices
• Easy and clear configuration: Using the Security Configuration Tool (SCT), all SIMATIC NET security products can be configured and diagnosed from a central position.
• No changes or adaptations necessary in the existing network topology, applications or network stations since SCALANCE S can also be used as a bridge and not just as a router.
• Securing of communication is independent of the protocol (e.g. PROFINET or other Ethernet-based fieldbus solutions)
• Secure remote access via the Internet possible without restrictions and with any providers
• Increased availability is possible by means of redundant protection of automation cells or ring topologies

Product versions:

SCALANCE S602;
• Uses the stateful inspection firewall to protect network segments against unauthorized access.
• "Ghost mode" for protection of individual, even alternating, devices by dynamically taking over the IP address.
• Connection via 10/100/1 000 Mbit/s ports.

SCALANCE S612;
• Uses the stateful inspection firewall to protect network segments against unauthorized access.
• Up to 128 VPN tunnels can be operated simultaneously.
• Connection via 10/100/1 000 Mbit/s ports.

SCALANCE S623;
• Uses the stateful inspection firewall to protect network segments against unauthorized access.
• Up to 128 VPN tunnels can be operated simultaneously.
• Connection via 10/100/1 000 Mbit/s ports.
• Additional RJ45 DMZ port (DMZ: "demilitarized zone") for secure connection from, for example, remote maintenance modems, laptops, or an additional network. This yellow port is protected by firewalls from the red and green ports and can also terminate VPNs.
• Redundant protection of automation cells by means of router and firewall redundancy and stand-by linking of the redundant device via the yellow port.

SCALANCE S627-2M;
• Uses the stateful inspection firewall to protect network segments against unauthorized access.
• Up to 128 VPN tunnels can be operated simultaneously.
• Connection via 10/100/1 000 Mbit/s ports.
• Additional RJ45 DMZ port (DMZ: "demilitarized zone") for secure connection from, for example, remote maintenance modems, laptops, or an additional network. This yellow port is protected by firewalls from the red and green ports and can also terminate VPNs.
• Redundant protection of automation cells by means of router and firewall redundancy and stand-by mode of the redundant device; status matching of the firewall by means of a synchronization cable between the yellow ports.
• Two additional slots for one 2-port media module each (see SCALANCE X-300) for direct integration in ring structures and FO networks with two additional switched red or green ports per module.
• Bridging of longer cable runs or use of existing 2-wire cables (e.g. PROFIBUS) by deploying MM992-2VD media modules (variable distance).


■ Benefits
• Protection of industrial automation networks against unauthorized access and setup of a DMZ (protected zone) possible for data exchange with other networks without having to grant direct access to the production network.
• Through implementation of the cell protection concept:
- Protection of any Ethernet-based programmable controllers and automation systems which do not have their own security functions
- Protecting several devices simultaneously
- Reduction in risk by means of network segmenting (by generating secure communication islands)
- Securing of communication to and from the automation cells is possible
• User-specific firewall rules can be used to assign specific access privileges to users and not just to devices.
• System-wide network diagnostics thanks to integration into IT infrastructures and network management systems by means of SNMP
• Securing of remote access via the Internet. Using PPPoE and DynDNS, dynamic IP addresses can also be applied.
• Problem-free integration into existing networks without reconfiguring terminal nodes or setting up new IP subnetworks
• Module replacement without the need for a programming device, using the C-PLUG swap media for backing up the configuration data
• Direct integration in ring structures and FO networks is possible (SCALANCE S627-2M)

■ Application
The security modules of the SCALANCE S range can be used to protect all devices of an Ethernet network against unauthorized access. In addition, SCALANCE S612 or SCALANCE S623 also protect the data transmission between devices or network segments (e.g. automation cells) against data manipulation and espionage; they can also be used for secure remote access over the Internet.

The security modules can be operated not only in bridge mode but also in router mode, and can thus also be used directly at IP subnetwork borders.

Secure remote access over the Internet or GPRS/UMTS is possible with the SCALANCE M875 GPRS/UMTS router.

SCALANCE S is optimized for use in automation and industrial environments, and meets the specific requirements of automation systems, such as easy upgrades of existing systems, simple installation and minimal downtimes in the event of a fault.

[Figure G_IK10_XX_10303: Company network with a local service PC and a remote service PC with SOFTNET Security Client, Internet routers, SCALANCE S623 providing service access, Industrial Ethernet, plant network/secure automation cell]

Connection of a local or remote service PC (by means of Internet access) via the DMZ port of the SCALANCE S623


■ Design

SCALANCE S602
• Checking of data traffic and protection against unauthorized access by means of stateful inspection firewall.
• Simple and fast configuration of the firewall through global firewall rules and symbolic names for IP addresses.
• Specific access privileges for users in accordance with user-specific firewall rules.
• 10/100/1 000 Mbit/s ports for the connection and operation of SCALANCE S in Gigabit networks as well
• In addition to bridge mode, can also be operated in router mode and can therefore also be used directly at IP subnet limits
• Address translation
- NAT (Network Address Translation) permits the use of private IP addresses in the internal network in that public IP addresses are converted to private ones
- NAPT (Network Address and Port Translation) permits the use of private IP addresses in the internal network in that frames are converted to private IP addresses depending on the communications port used
• Internal network nodes can receive their IP addresses from the integral DHCP server
• Log files can also be evaluated by the Syslog server
• Enhanced integration in IT infrastructures and network management systems by means of SNMP
• Protection of individual, even alternating, devices by dynamically taking over the IP address (ghost mode)

SCALANCE S612
As SCALANCE S602; additionally:
• Encryption of data transmission with VPN (IPSec)
- Protection against espionage
- Protection against unauthorized manipulation
• Secure remote access over the Internet, e.g. in conjunction with the SOFTNET Security Client and the SCALANCE M UMTS router (with IPSec VPN function)

SCALANCE S623
As SCALANCE S612; additionally:
• DMZ port with which a protected zone (DMZ = demilitarized) can be set up between two networks. The DMZ is used to provide data for other networks without granting direct access to the automation network, thus increasing security. The DMZ port can also be used to protect remote maintenance access, where, for example, only access to lower-level automation cells is possible and no access to the plant network is required.
• Secure, redundant connection of automation cells through router and firewall redundancy

SCALANCE S627-2M
As SCALANCE S623; additionally:
• Two media module slots for two additional switched red or green ports each.
- Direct integration in line or ring topologies is possible
- Integration into redundant rings (MRP, HRP) is possible
- Secure, redundant connection of automation cells or rings
- Direct integration in FO networks is possible through the use of FO media modules
- Bridging of longer cable runs or use of existing 2-wire cables (e.g. PROFIBUS) by deploying the MM992-2VD media modules (variable distance).

■ Function

Security functions

VPN (Virtual Private Network)
(only for SCALANCE S612, S623 and SCALANCE S627-2M); for reliable authentication (identification) of the network stations, for encrypting data and checking data integrity.
• Authentication;
All incoming data traffic is monitored and checked. As IP addresses can be falsified (IP spoofing), checking the IP address (of the client access) is not sufficient. In addition, client PCs may have changing IP addresses. For this reason the authentication is performed by means of tried and tested VPN mechanisms.
• Data encryption;
Secure encryption is necessary in order to protect data communication from espionage and unauthorized manipulation. This means that the data traffic remains incomprehensible to any eavesdropper in the network. The SCALANCE Security Module establishes VPN tunnels to other Security Modules for this purpose.

The firewall
can be used as an alternative or to supplement VPN with flexible access control. The firewall filters data packets and disables or enables communication links in accordance with the filter list and stateful inspection. Both incoming and outgoing communication can be filtered, either according to IP and MAC addresses as well as communication protocols (ports) or user-specific.
• Logging;
access data are saved by the Security Module in a log file. Detection of how, when and by whom it has been accessed is as important as detecting access attempts, to ensure that appropriate preventative measures can be taken.

Configuration
Configuration is carried out using the Security Configuration Tool (SCT). Therefore all SIMATIC NET security products can be configured and diagnosed from a central position. All the configuration data can be saved on the optional C-PLUG swap media (not included in scope of supply) so that the Security Module can be replaced quickly in the event of a fault and without the need of a programming device.
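To make the firewall behaviour described in the Function section concrete (a filter list with first-match semantics, stateful inspection, user-specific rules that are only active while a user is logged in, and a log that is evaluated afterwards), here is an added example in Python. It is not Siemens code and does not reproduce the SCALANCE S rule syntax or its Syslog format: the rule fields, the state model, the host name cell-fw, the addresses, and the log line format are all constructed for the demo.

```python
"""Added example (not from the Siemens catalog): a miniature stateful-inspection
firewall in front of an automation cell, with user-specific rules and an access
log that is evaluated afterwards. Rule fields, state model, addresses and the
log line format are constructed for this demo; they are not the SCALANCE S
configuration syntax or its Syslog output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": external network -> cell, "out": cell -> external
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    first: bool = True  # True = opens a new connection, False = belongs to an existing one


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    direction: str                # "in", "out" or "any"
    src_ip: Optional[str] = None  # None matches any value
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    user: Optional[str] = None    # user-specific rule: active only while user is logged in from src_ip

    def matches(self, p: Packet, logged_in: Set[Tuple[str, str]]) -> bool:
        return (self.direction in ("any", p.direction)
                and self.src_ip in (None, p.src_ip)
                and self.dst_ip in (None, p.dst_ip)
                and self.dst_port in (None, p.dst_port)
                and self.proto in (None, p.proto)
                and (self.user is None or (self.user, p.src_ip) in logged_in))


Flow = Tuple[str, str, int, str, int]  # proto, initiator ip, initiator port, responder ip, responder port


class CellFirewall:
    def __init__(self, rules: List[Rule], host: str = "cell-fw"):
        self.rules = rules
        self.host = host
        self.flows: Set[Flow] = set()                  # connections already admitted by a rule
        self.logged_in: Set[Tuple[str, str]] = set()   # (user, source ip) pairs with an active login
        self.log: List[str] = []

    def login(self, user: str, src_ip: str) -> None:
        self.logged_in.add((user, src_ip))

    def filter(self, p: Packet, ts: str) -> str:
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if not p.first:
            # Stateful inspection: later packets of an admitted connection pass in
            # both directions without a rule lookup; packets without state are dropped.
            if fwd in self.flows or rev in self.flows:
                return self._record(p, ts, "allow", "state")
            return self._record(p, ts, "drop", "no-state")
        for i, rule in enumerate(self.rules):          # first matching rule decides
            if rule.matches(p, self.logged_in):
                if rule.action == "allow":
                    self.flows.add(fwd)
                return self._record(p, ts, rule.action, f"rule{i}")
        return self._record(p, ts, "drop", "default")  # implicit deny

    def _record(self, p: Packet, ts: str, action: str, reason: str) -> str:
        self.log.append(f"{ts} {self.host} fw: {action.upper()} {p.direction} {p.proto} "
                        f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} reason={reason}")
        return action


LOG_RE = re.compile(r"^\S+ \S+ fw: (?P<action>ALLOW|DROP) (?P<dir>in|out) \w+ "
                    r"(?P<src>[\d.]+):\d+ -> [\d.]+:\d+ reason=\S+$")


def blocked_attempts(log_lines: List[str]) -> Dict[str, int]:
    """Count dropped inbound packets per source address from the constructed log format."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["action"] == "DROP" and m["dir"] == "in":
            counts[m["src"]] = counts.get(m["src"], 0) + 1
    return counts


PLC = "192.168.10.20"  # constructed address of a controller inside the cell


def demo() -> Tuple[List[str], Dict[str, int]]:
    rules = [
        # SCADA server may open S7 connections (TCP 102) to the controller
        Rule("allow", "in", src_ip="10.0.0.9", dst_ip=PLC, dst_port=102, proto="tcp"),
        # maintenance PC may do the same, but only while user "maintenance" is logged in
        Rule("allow", "in", src_ip="10.0.0.7", dst_ip=PLC, dst_port=102, proto="tcp", user="maintenance"),
    ]
    fw = CellFirewall(rules)
    decisions = [
        fw.filter(Packet("in", "tcp", "10.0.0.9", 40000, PLC, 102), "t1"),                  # allow: rule0
        fw.filter(Packet("out", "tcp", PLC, 102, "10.0.0.9", 40000, first=False), "t2"),    # allow: state
        fw.filter(Packet("in", "tcp", "10.0.0.5", 51000, PLC, 102), "t3"),                  # drop: default
        fw.filter(Packet("in", "tcp", "10.0.0.5", 51001, PLC, 102, first=False), "t4"),     # drop: no state
        fw.filter(Packet("in", "tcp", "10.0.0.7", 52000, PLC, 102), "t5"),                  # drop: not logged in
    ]
    fw.login("maintenance", "10.0.0.7")
    decisions.append(fw.filter(Packet("in", "tcp", "10.0.0.7", 52001, PLC, 102), "t6"))     # allow: rule1
    return decisions, blocked_attempts(fw.log)


if __name__ == "__main__":
    decisions, attempts = demo()
    print(decisions)
    print(attempts)
```

The reply at t2 passes without any outbound rule because it belongs to a connection the SCADA rule admitted, while the packet at t4 is dropped although it has the same destination, because no admitted connection matches it; both decisions and the dropped attempts from 10.0.0.5 and 10.0.0.7 are then visible in the log, which is the point of the Logging bullet above.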


■ Function (continued)
Configuration

[Figure G_IK10_XX_10339: Automation plant with plant network (Industrial Ethernet), automation cells 1 ... n each behind a SCALANCE S Security Module, PROFINET inside the cells, SCALANCE S623 with VPN tunnels to remote stations: SIMATIC S7-1200 via SCALANCE M874-3 (GPRS/UMTS), SCALANCE M812-1 via Internet router, and a SIMATIC Field PG with SOFTNET Security Client (SSC) via the Internet]

Secure remote access without direct connection to the automation network with SCALANCE S623

[Figure G_IK10_XX_10340: Office Network (Untrusted Zone) with domain controller and server with web application; DMZ Zone with SCALANCE S623; Trusted Zone (Industrial Ethernet) with database server; legend: permitted access, blocked access, limited access]

Demilitarized zone (DMZ) for remote maintenance or access to data server with SCALANCE S623


■ Function (continued)

SCALANCE SCALANCE
S612 M812-1
VPN tunnel 2
S7-300 with
CPU 315-2 DP
VPN and CP 343-1
tunnel 1 Lean
Service Center

SCALANCE
M874-2 PROFIBUS
Internet
Industrial Ethernet
Mobile radio Remote Station 2

S7-1500 with
IP camera CP 1543-1 Service PC with
Software SOFTNET
Security Client
SCALANCE

G_IK10_XX_30188
M874-3
Smartphone or
tablet
Industrial Ethernet
Remote Station 1

Secure remote access over Internet with SCALANCE S and SCALANCE M

[Figure: MRP ring A and MRP ring B, each with its own ring redundancy manager (Industrial Ethernet, CU or fiber optic), coupled by two SCALANCE S627-2M with a sync connection between them.]

Secure, redundant connection between two MRP rings with SCALANCE S627-2M

■ Function (continued)
[Figure: automation cell coupled by two SCALANCE S627-2M (with sync connection) to an MRP ring with ring redundancy manager; shown once with fiber-optic Industrial Ethernet and once with an MRP switch on copper (CU).]

Secure, redundant connection of an automation cell to a redundant ring with SCALANCE S627-2M

[Figure: MRP ring with ring redundancy manager coupled by two SCALANCE S627-2M (with sync connection, CU or fiber optic) to the plant network (Industrial Ethernet, fiber optic, MRP switch on CU).]

Secure, redundant connection of a redundant ring to a plant network with SCALANCE S627-2M

■ Technical specifications
Article No. 6GK5602-0BA10-2AA3 6GK5612-0BA10-2AA3 6GK5623-0BA10-2AA3
Product-type designation SCALANCE S602 SCALANCE S612 SCALANCE S623
Transmission rate
Transfer rate 1 10 Mbit/s 10 Mbit/s 10 Mbit/s
Transfer rate 2 100 Mbit/s 100 Mbit/s 100 Mbit/s
Transfer rate 3 1 000 Mbit/s 1 000 Mbit/s 1 000 Mbit/s
Interfaces
Number of electrical/optical 2 2 3
connections for network components
or terminal equipment maximum
Number of electrical connections
• for internal network 1 1 1
• for external network 1 1 1
• for DMZ 0 0 1
• for signaling contact 1 1 1
• for power supply 1 1 1
• for redundant power supply 1 1 1
Design of the electrical connection
• for internal network RJ45 port RJ45 port RJ45 port
• for external network RJ45 port RJ45 port RJ45 port
• for DMZ - - RJ45 port
• for signaling contact 2-pole terminal block 2-pole terminal block 2-pole terminal block
• for power supply 4-pole terminal block 4-pole terminal block 4-pole terminal block
Design of the removable storage Yes Yes Yes
C-PLUG
Signal-Inputs/outputs
Operating voltage of signaling 24 V 24 V 24 V
contacts at DC rated value
Operating current of signaling 0.1 A 0.1 A 0.1 A
contacts at DC maximum
Supply voltage,
current consumption, power loss
Type of supply voltage DC DC DC
Supply voltage external 24 V 24 V 24 V
• minimum 19.2 V 19.2 V 19.2 V
• maximum 28.8 V 28.8 V 28.8 V
Consumed current maximum 0.5 A 0.5 A 0.6 A

Product component fusing at Yes Yes Yes
power supply input

Type of fusing at input Non-replaceable melting fuse Non-replaceable melting fuse Non-replaceable melting fuse
for supply voltage (F 3 A / 32 V) (F 3 A / 32 V) (F 3 A / 32 V)
Active power loss at 24V 6.72 W 6.72 W 6.96 W
for DC typical
Permitted ambient conditions
Ambient temperature
• during operating -40 … +60 °C -40 … +60 °C -40 … +60 °C
• during storage -40 … +80 °C -40 … +80 °C -40 … +80 °C
• during transport -40 … +80 °C -40 … +80 °C -40 … +80 °C
Relative humidity at 25 °C without 95 % 95 % 95 %
condensation during operating
maximum
Protection class IP IP20 IP20 IP20

8/14 Siemens IK PI · 2015


© Siemens AG 2014

Industrial Security
Security Integrated
SCALANCE S

■ Technical specifications (continued)


Article No. 6GK5602-0BA10-2AA3 6GK5612-0BA10-2AA3 6GK5623-0BA10-2AA3
Product-type designation SCALANCE S602 SCALANCE S612 SCALANCE S623
Design, dimensions and weight
Design compact compact compact
Width 60 mm 60 mm 60 mm
Height 125 mm 125 mm 125 mm
Depth 124 mm 124 mm 124 mm
Net weight 0.8 kg 0.8 kg 0.81 kg
Mounting type
• 35 mm DIN rail mounting Yes Yes Yes
• S7-300 rail mounting Yes Yes Yes
• wall mounting Yes Yes Yes
Mounting type Screw mounting on horizontal and Screw mounting on horizontal and Screw mounting on horizontal and
vertical surfaces vertical surfaces vertical surfaces
Product properties, functions,
components general
Product function DynDNS client Yes Yes Yes
Protocol is supported PPPoE Yes Yes Yes
Product functions management,
configuration
Product function symbolic names Yes Yes Yes
for IP addresses
Protocol is supported
• SNMP v1 Yes Yes Yes
• SNMP v3 Yes Yes Yes
Type of configuration SCT: Security Configuration Tool SCT: Security Configuration Tool SCT: Security Configuration Tool
(included in scope of delivery) (included in scope of delivery) (included in scope of delivery)
Product functions Diagnosis
Product function
• SysLog Yes Yes Yes
• Packet Filter Log Yes Yes Yes
• Audit Log Yes Yes Yes
• System Log Yes Yes Yes
Product functions DHCP
Product function DHCP server - Yes Yes Yes
internal network

Product functions Routing
Product function static IP routing Yes Yes Yes
Product functions Security
Design of the firewall Stateful inspection Stateful inspection Stateful inspection
Product function with VPN connection - IPSec IPSec
Type of encryption algorithms - AES-256, AES-192, AES-128, AES-256, AES-192, AES-128,
with VPN connection 3DES-168, DES-56 3DES-168, DES-56
Type of authentication procedure - Preshared key (PSK), Preshared key (PSK),
with VPN connection X.509v3 certificates X.509v3 certificates
Type of hashing algorithms - MD5, SHA-1 MD5, SHA-1
with VPN connection
Number of possible connections 0 128 128
for VPN connection
Number of network stations
• maximum 0 128 128
• note - Limitation only applies in bridge mode. Limitation only applies in bridge mode.
No limitation in routing mode No limitation in routing mode
Product function
• Password protection Yes Yes Yes
• bandwidth limiting Yes Yes Yes
• NAT/NAPT Yes Yes Yes

■ Technical specifications (continued)


Article No. 6GK5602-0BA10-2AA3 6GK5612-0BA10-2AA3 6GK5623-0BA10-2AA3
Product-type designation SCALANCE S602 SCALANCE S612 SCALANCE S623
Product functions Time
Product function pass on Yes Yes Yes
time synchronization
Protocol is supported NTP Yes Yes Yes
Product component Yes Yes Yes
Hardware real-time clock
Product property battery-backed Yes Yes Yes
hardware real-time clock
Standards, specifications,
approvals
Standard
• for EMC from FM FM 3611 FM 3611 FM 3611
• for hazardous zone EN 60079-0: 2006, EN60079-15: 2005, EN 60079-0: 2006, EN60079-15: 2005, EN 60079-0: 2006, EN60079-15: 2005,
II 3 G Ex nA IIT.., II 3 G Ex nA IIT.., II 3 G Ex nA IIT..,
KEMA 07 ATEX 0145 X KEMA 07 ATEX 0145 X KEMA 07 ATEX 0145 X
• for security of CSA and UL UL 60950 / CSA C22.2 No. 60950-00, UL 60950 / CSA C22.2 No. 60950-00, UL 60950 / CSA C22.2 No. 60950-00,
UL 508 / CSA C22.2 No. 142 UL 508 / CSA C22.2 No. 142 UL 508 / CSA C22.2 No. 142
• for emitted interference EN 61000-6-4 : 2007 EN 61000-6-4 : 2007 EN 61000-6-4 : 2007
• for interference immunity EN 61000-6-2 : 2005 EN 61000-6-2 : 2005 EN 61000-6-2 : 2005
Verification of suitability AS/NZS 2064 (Class A), EN 61000-6-2, AS/NZS 2064 (Class A), EN 61000-6-2, AS/NZS 2064 (Class A), EN 61000-6-2,
EN 61000-6-4, marine classification EN 61000-6-4, marine classification EN 61000-6-4, marine classification
pending pending pending
• CE mark Yes Yes Yes
• C-Tick Yes Yes Yes
Marine classification association
• American Bureau of Shipping Eu- No No No
rope Ltd. (ABS)
• Bureau Veritas (BV) No No No
• Det Norske Veritas (DNV) No No No
• Germanische Lloyd (GL) No No No
• Lloyds Register of Shipping (LRS) No No No
• Nippon Kaiji Kyokai (NK) No No No
• Polski Rejestr Statkow (PRS) No No No
Accessories
Product expansion optional C-PLUG Yes Yes Yes

Article No. 6GK5627-2BA10-2AA3
Product-type designation SCALANCE S627-2M
Transmission rate
Transfer rate 1 10 Mbit/s
Transfer rate 2 100 Mbit/s
Transfer rate 3 1 000 Mbit/s
Interfaces
Number of electrical/optical connections for network components or terminal equipment maximum 7
Number of electrical connections
• for internal network 3
• for external network 3
• for DMZ 1
• for signaling contact 1
• for power supply 1
• for redundant power supply 1
Design of the electrical connection
• for internal network, external network and DMZ RJ45 port
• for signaling contact 2-pole terminal block
• for power supply 4-pole terminal block
Design of the removable storage C-PLUG Yes
Signal-Inputs/outputs
Operating voltage of signaling contacts at DC rated value 24 V
Operating current of signaling contacts at DC maximum 0.1 A
Supply voltage, current consumption, power loss
Type of supply voltage DC
Supply voltage external 24 V
• minimum 19.2 V
• maximum 28.8 V
Consumed current maximum 0.7 A
Product component fusing at power supply input Yes
Type of fusing at input for supply voltage Non-replaceable melting fuse (F 3 A / 32 V)
Active power loss at 24 V for DC typical 12 W
Permitted ambient conditions
Ambient temperature
• during operating -40 … +60 °C
• during storage -40 … +70 °C
• during transport -40 … +70 °C
Relative humidity at 25 °C without condensation during operating maximum 95 %
Protection class IP IP20
Design, dimensions and weight
Design Compact
Width 120 mm
Height 125 mm
Depth 124 mm
Net weight 1.3 kg
Mounting type
• 35 mm DIN rail mounting Yes
• S7-300 rail mounting Yes
• wall mounting Yes
Mounting type Screw mounting on horizontal and vertical surfaces
Product properties, functions, components general
Product function DynDNS client Yes
Protocol is supported PPPoE Yes
Product functions management, configuration
Product function symbolic names for IP addresses Yes
Protocol is supported
• SNMP v1 Yes
• SNMP v3 Yes
Type of configuration SCT: Security Configuration Tool (included in scope of delivery)
Product functions Diagnosis
Product function
• SysLog Yes
• Packet Filter Log Yes
• Audit Log Yes
• System Log Yes
Product functions DHCP
Product function DHCP server - internal network Yes
Product functions Routing
Product function static IP routing Yes
Product functions Security
Design of the firewall Stateful inspection
Product function with VPN connection IPSec
Type of encryption algorithms with VPN connection AES-256, AES-192, AES-128, 3DES-168, DES-56
Type of authentication procedure with VPN connection Preshared key (PSK), X.509v3 certificates
Type of hashing algorithms with VPN connection MD5, SHA-1
Number of possible connections for VPN connection 128
Number of network stations for internal network with VPN connection
• maximum 128
• note Limitation only applies in bridge mode. No limitation in routing mode
Product function
• Password protection Yes
• bandwidth limiting Yes
• NAT/NAPT Yes
Product functions Time
Product function pass on time synchronization Yes
Protocol is supported NTP Yes
Product component Hardware real-time clock Yes
Product property battery-backed hardware real-time clock Yes
Standards, specifications, approvals
Standard
• for EMC from FM FM 3611
• for hazardous zone EN 60079-0: 2006, EN60079-15: 2005, II 3 G Ex nA IIT.., KEMA 07 ATEX 0145 X
• for security of CSA and UL UL 60950 / CSA C22.2 No. 60950-00, UL 508 / CSA C22.2 No. 142
• for emitted interference EN 61000-6-4 : 2007
• for interference immunity EN 61000-6-2 : 2005
Verification of suitability AS/NZS 2064 (Class A), EN 61000-6-2, EN 61000-6-4, marine classification pending
• CE mark Yes
• C-Tick Yes
Marine classification association
• American Bureau of Shipping Europe Ltd. (ABS) No
• Bureau Veritas (BV) No
• Det Norske Veritas (DNV) No
• Germanische Lloyd (GL) No
• Lloyds Register of Shipping (LRS) No
• Nippon Kaiji Kyokai (NK) No
• Polski Rejestr Statkow (PRS) No
Accessories
Product expansion optional C-PLUG Yes

■ Ordering data

SCALANCE S industrial security modules
For protecting programmable controllers and automation networks and for securing industrial communication; Security Modules protect network segments against unauthorized access by means of a stateful inspection firewall; connection via 10/100/1 000 Mbit/s ports; configuring tool and electronic manual on CD ROM; English, German, French, Italian, Spanish
SCALANCE S602 6GK5602-0BA10-2AA3
SCALANCE S612 6GK5612-0BA10-2AA3
up to 128 VPN tunnels simultaneously
SCALANCE S623 6GK5623-0BA10-2AA3
up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port
SCALANCE S627-2M 6GK5627-2BA10-2AA3
up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port; two additional slots for one 2-port media module each

Accessories
IE FC TP Standard Cable GP 2 x 2 (Type A) 6XV1840-2AH10
4-core, shielded TP installation cable for connecting to IE FC RJ45 outlet / IE FC RJ45 plug; PROFINET-compliant; with UL approval; sold by the meter; max. length 1 000 m, minimum order 20 m
IE FC RJ45 Plug 180
RJ45 plug-in connector for Industrial Ethernet with a rugged metal enclosure and integrated insulation displacement contacts for connecting Industrial Ethernet FC installation cables; with 180° cable outlet; for network components and CPs/CPUs with Industrial Ethernet interface
• 1 pack = 1 unit 6GK1901-1BB10-2AA0
• 1 pack = 10 units 6GK1901-1BB10-2AB0
• 1 pack = 50 units 6GK1901-1BB10-2AE0
IE FC stripping tool 6GK1901-1GA00
Preadjusted stripping tool for fast stripping of Industrial Ethernet FC cables
SITOP compact 24 V/0.6 A 6EP1331-5BA00
1-phase power supply with wide-range input 85 – 264 V AC/110 – 300 V DC, stabilized output voltage 24 V, rated output current value 0.6 A, slim design
C-PLUG 6GK1900-0AB00
Swap medium for simple replacement of devices in the event of a fault; for storing configuration or application data; can be used for SIMATIC NET products with C-PLUG slot

SOFTNET Security Client
Software for designing secure IP-based VPN connections from a programming device/PC to network segments which are secured by SCALANCE S; single license for 1 installation, runtime software (German/English), configuring tool (German/English) and electronic manual on CD-ROM (German/English/French/Spanish/Italian)
SOFTNET Security Client Edition 2008 6GK1704-1VW02-0AA0
For 32-bit Windows XP Professional + SP1, SP2, SP3
SOFTNET Security Client V3 6GK1704-1VW03-0AA0
For 32-bit Windows 7 Professional, Ultimate, Windows XP Professional + SP3
SOFTNET Security Client V4 6GK1704-1VW04-0AA0
For 32/64-bit Windows 7 Professional/Ultimate

Note:
Check the current country list:
http://support.automation.siemens.com/WW/view/en/66627157

■ More information
You will find more information on the topic of Industrial Security
on the Internet at:
http://www.siemens.com/industrialsecurity

SCALANCE M

■ Overview
The SCALANCE M874-3 is a mobile wireless router for cost-
effectively and securely connecting Ethernet-based subnets
and programmable controllers via the 3rd generation mobile
wireless network (UMTS) and it supports HSPA+ (High Speed
Packet Access). Thus, it allows high transfer rates of up to
14.4 Mbit/s in the downlink and up to 5.76 Mbit/s in the uplink
(depending on the infrastructure of the mobile wireless
provider).
The SCALANCE M874-2 is a mobile wireless router for cost-
effectively and securely connecting Ethernet-based subnets
and programmable controllers via the 2nd generation mobile
wireless network (GSM) and it supports GPRS (General Packet
Radio Service) and EDGE (Enhanced Data Rates for GSM
Evolution).
The security of access and communication is ensured by the
security functions of the integrated firewall and by VPN tunnels
(end-to-end connection encryption through IPsec tunneling).
SCALANCE M875 is a UMTS router for wireless IP communication between Industrial Ethernet-based programmable controllers via mobile radio networks of the 3rd generation (UMTS) and the 2nd generation (GSM).
• High data transfer rate thanks to HSDPA
• Integrated security functions with firewall
• Use as VPN end point (IPsec)
• Approved for railway applications
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for the low-cost and secure connection of Ethernet-based subnets and automation devices to wired telephone or DSL networks that support ADSL2+ (Asymmetric Digital Subscriber Line 2+). This allows the devices to have high downlink data rates of up to 25 Mbit/s and uplink data rates of up to 3.5 Mbit/s.
The security of access and communication is ensured by the
security functions of the integrated firewall and by VPN tunnels
(end-to-end connection encryption through IPsec tunneling).
The SCALANCE M826-2 is an SHDSL modem for low-cost, secure connection of Ethernet-based subnets and programmable controllers via existing two-wire or stranded cables and supports the ITU-T standard G.991.2 as well as SHDSL.biz (single-pair high-speed digital subscriber line). This gives the device high symmetrical data rates of up to 15.3 Mbit/s per wire pair.
The security of access and communication is ensured by the security functions of the integrated firewall and by VPN tunnels (end-to-end connection encryption through IPsec tunneling).
Note:
Further information on SCALANCE M can be found in Chapter 7,
Industrial Remote Communication, under "Remote networks/
IP-based modems and routers".

CP 1243-1 and CP 1543-1

■ Overview
CP 1243-1
The CP 1243-1 communication processor securely connects
the SIMATIC S7-1200 controller to Ethernet networks. With its
integrated security functions of firewall (Stateful Inspection) and
VPN protocol (IPSec), the communications processor protects
S7-1200 stations and lower-level networks against unauthorized
access, and protects the data transmission against manipulation
and espionage by means of encryption. Furthermore, the CP
can also be used for integrating the S7-1200 station into the
TeleControl Server Basic control center software via IP-based
remote networks.

CP 1543-1
The SIMATIC CP 1543-1 communications processor securely
connects the new SIMATIC S7-1500 controller to Industrial
Ethernet networks. With its integrated security functions of fire-
wall (Stateful Inspection), VPN protocol (IPSec) and protocols for
data encryption such as FTPS and SNMPv3, the communica-
tions processor protects S7-1500 stations and lower-level net-
works against unauthorized access, as well as protecting data
transmission against manipulation and espionage by means of
encryption.
Note:
Further information on CP 1243-1 and CP 1543-1 can be found in Chapter 2, PROFINET/Industrial Ethernet, under "System connection for SIMATIC S7/communication for SIMATIC S7-1500".

[Figure: Field PG with TIA Portal on Industrial Ethernet; one automation cell with SIMATIC S7-1500 and CP 1543-1, one with SIMATIC S7-1200 and CP 1243-1, each with an S7-300 with CP 343-1 Lean, ET 200S and SINAMICS on PROFINET/Industrial Ethernet.]

Segmentation of networks and protection of the S7-1500 with CP 1543-1 or S7-1200 with CP 1243-1

CP 343-1 Advanced and CP 443-1 Advanced

■ Overview
CP 343-1 Advanced
Communications processor for connecting the SIMATIC S7-300/
SINUMERIK 840D powerline to Industrial Ethernet networks,
also as PROFINET IO controller and IO device.
The CP supports:
• PG/OP communication
• S7 communication
• Open communication (SEND/RECEIVE)
• PROFINET communication
• IT communication
• Security functionality, firewall and VPN

CP 443-1 Advanced
Communications processor for connecting a SIMATIC S7-400 to
Industrial Ethernet networks, also as PROFINET IO controller or
in SIMATIC H systems.
The CP supports:
• PG/OP communication
• S7 communication
• Open communication (SEND/RECEIVE)
• PROFINET communication
• IT communication
• Security functionality, firewall and VPN
Note:
Further information on the CP 343-1 Advanced and CP 443-1
Advanced can be found in Chapter 2, PROFINET/Industrial
Ethernet, under "System connection for SIMATIC S7 communica-
tion for SIMATIC S7-300 or S7-400".
Alongside the familiar communication functions (integrated switch and Layer 3 routing functionality) the CP 343-1 Advanced and CP 443-1 Advanced Industrial Ethernet communications processors also contain the "Security Integrated" function Stateful Inspection Firewall and a VPN gateway to protect the controller and lower-level networks against security risks.

■ Overview (continued)

[Figure: Field PG and PC with management system and database (e.g. Oracle) on Industrial Ethernet; SIMATIC S7-300 with CP 343-1 Advanced and SIMATIC S7-400 with CP 443-1 Advanced, each with ET 200S on PROFINET/Industrial Ethernet.]

Segmentation of networks and protection of the S7-300 or S7-400 controllers with CP 343-1 Advanced or CP 443-1 Advanced

CP 1628

■ Overview
• PCI Express card (PCIe x1) with its own microprocessor
and integrated 2-port switch (2 x RJ45 connection,
10/100/1 000 Mbit/s) for the connection of a PG/PC to
Industrial Ethernet
• Integrated security mechanisms (e.g. Firewall, VPN)
• ISO and TCP/IP transport protocol on board
• Communications services via
- Open IE communication (TCP/IP and UDP)
- ISO transport protocol
- PG/OP communication
- S7 communication
- Open communication (SEND/RECEIVE)
• Integration into network management systems through the
support of SNMP (V1/V3)
Note:
Further information on the CP 1628 can be found in Chapter 2,
PROFINET/Industrial Ethernet, under "System connection for
PG/PC/IPC/communication for PC-based systems".
Industrial PCs are protected by firewall and VPN via the CP 1628
Industrial Ethernet communications processor – for secure
communication without special operating system settings.
This means that computers equipped with the module can be
connected to protected cells. The CP 1628 makes it possible to
connect SIMATIC PG/PC and PCs with PCI Express slots to
Industrial Ethernet (10/100/1 000 Mbit/s).
Additional field devices can be flexibly connected to Industrial
Ethernet via the integrated switch. Along with the automation
functions familiar from CP 1623, the communications processor
also contains "Security Integrated", i.e. a Stateful Inspection
Firewall and a VPN gateway to protect the PG/PC system against
security risks.

[Figure: control center with SIMATIC PCS 7 client on the terminal bus (Ethernet); PC with 4 x CP 1628 and HARDNET-IE S7-REDCONNECT (ISO on TCP); Industrial Ethernet router and Internet router; VPN tunnel over the Internet to four S7-400H with CP 443-1 Advanced on PROFINET and PROFIBUS.]

Secure redundant connection to CP 1628 and CP 443-1 Advanced

SOFTNET Security Client

■ Overview
• The SOFTNET Security Client is a component of the Industrial Security concept for protecting programmable controllers and for security during data exchange between automation systems.
• It is a VPN client for programming devices, PCs and notebooks in industrial environments and supports secure client access via LAN or even WAN (e.g. for remote maintenance via the Internet) to automation systems protected by Security Integrated devices with VPN functionality
• Data transmission is protected against operator error, eavesdropping/espionage and manipulation; communication can only take place between authenticated and authorized devices
• Use of field-proven IPsec mechanisms for setting up and operating VPNs.

[Figure: PC/IPC with SOFTNET Security Client software, IPC behind a SCALANCE W788-1RJ45 access point, and PC/PG/notebook with SOFTNET Security Client software; VPN tunnels to a SCALANCE S security module give secure access to automation cell 1 (SIMATIC S7-400 with CP 443-1 Advanced, ET 200S, S7-300 with CP 343-1 Lean) and automation cell 2 (SIMATIC S7-300 with CP 343-1, ET 200S, ET 200M) on PROFINET/Industrial Ethernet.]

Secure access to automation cells protected by Security Integrated devices with VPN functionality with the SOFTNET Security Client

■ Benefits
• Avoidance of system disruptions through exclusive access to programmable controllers or complete automation cells using approved programming devices or notebooks
• High flexibility when used on mobile PCs as no hardware is required for securing the communication
• Uniform configuration and integrated security concept for automation engineering with SCALANCE S, the security S7-CPs (CP 1243-1, CP 1543-1, CP 343-1 Adv., CP 443-1 Adv.), the PC-CP 1628 and the SOFTNET Security Client without special IT know-how
• Protection of data transmission against espionage and manipulation based on certified standards
• Considerable savings when used as a remote maintenance solution together with SCALANCE S and SCALANCE M compared to expensive service callouts

■ Application
The security modules of the SCALANCE S family are provided specially for use in automation, yet connect seamlessly with the security structures of the office and IT world. They provide security and meet the specific requirements of automation technology, such as simple upgrades of existing systems, simple installation and minimum downtimes if a fault occurs.
Depending on the particular security needs, various security measures can be combined. The SOFTNET Security Client gives programming devices, PCs and notebooks access to devices with IPsec VPN functionality (e.g. SCALANCE S, SCALANCE M, CP 1243-1, CP 1543-1, CP 343-1/CP 443-1 Advanced, CP 1628) and to the network stations or automation systems they protect.


■ Function

Authentication
Since IP addresses can be falsified (IP spoofing), checking the IP address (of the client access) is not sufficient for reliable authentication. In addition to this, client PCs may have changing IP addresses. For this reason, the authentication is performed using tried and tested VPN mechanisms.

Data encryption
Secure encryption is necessary to protect data traffic from espionage: the data traffic remains incomprehensible to any eavesdropper in the network. Manipulation in transit is detected by the integrity check (hashing algorithm) that IPsec negotiates together with the encryption. To achieve this, the SOFTNET Security Client establishes IPsec-based VPN tunnels to SCALANCE S, SCALANCE M, the S7 security CPs or the PC-CP 1628.

Performance data
System requirements (please note the descriptions under "Ordering data"):
Windows 7 Professional or Ultimate 32/64-bit
Windows XP Professional (32-bit) + SP3

Configuration
Using the associated configuration tool it is possible to create and manage security rules even without special security knowledge. In the simplest case, only the SCALANCE S modules or SOFTNET Security Clients that will communicate with each other are created and configured. As soon as the SOFTNET Security Client knows the programmable controllers to be accessed, communication can be established.

■ Ordering data

SOFTNET Security Client V4 HF1 6GK1704-1VW04-0AA0
Software for designing secure IP-based VPN connections from a programming device/PC to network segments which are secured by SCALANCE S, SCALANCE M, CP 1243-1, CP 1543-1, CP 343-1 Advanced, CP 443-1 Advanced or CP 1628; single license for 1 installation, runtime software (German/English), configuration tool (German/English), and electronic manual on CD-ROM (German/English/French/Spanish/Italian) for Windows 7 Professional, Ultimate, Windows XP Professional (32 bit) + SP3

SCALANCE S Industrial Security Modules
For protection of programmable controllers and automation networks, and for securing of industrial communication; configuration tool and electronic manual on CD-ROM German, English, French, Italian, Spanish
SCALANCE S612 6GK5612-0BA10-2AA3
up to 128 VPN tunnels simultaneously
SCALANCE S623 6GK5623-0BA10-2AA3
up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port
SCALANCE S627-2M 6GK5627-2BA10-2AA3
up to 128 VPN tunnels simultaneously; additional RJ45 DMZ port; two additional slots for one 2-port media module each

SCALANCE M industrial modems and routers
SCALANCE M874 mobile radio router
Mobile radio router for wireless IP communication from Industrial Ethernet-based subnets and programmable controllers via UMTS or GSM mobile radio networks; with integrated firewall and VPN with IPsec; 2 x RJ45 ports, 1 x antenna connection
• SCALANCE M874-3 1) 6GK5874-3AA00-2AA2
• SCALANCE M874-2 1) 6GK5874-2AA00-2AA2
SCALANCE M875 UMTS router
UMTS router for wireless IP communication from Industrial Ethernet-based programmable controllers via UMTS/GSM mobile radio networks; EGPRS Multislot Class 12; with integrated firewall and VPN with IPsec; 2 x RJ45 ports, 2 x antenna connections
• SCALANCE M875 1) 6GK5875-0AA10-1AA2
• SCALANCE M875 for Japan 1) 6GK5875-0AA10-1CA2

■ Ordering data (continued)


SCALANCE M industrial modems and routers (continued)
SCALANCE M81x-1 ADSL router
DSL router for wired IP communication from Industrial Ethernet-based subnets and programmable controllers via telephone or DSL networks; with integrated firewall and VPN with IPsec; 1 x or 4 x RJ45 ports for Industrial Ethernet; 1 x RJ45 port for DSL
• SCALANCE M812-1 (Annex A) 6GK5812-1AA00-2AA2
• SCALANCE M812-1 (Annex B) 6GK5812-1BA00-2AA2
• SCALANCE M816-1 (Annex A) 6GK5816-1AA00-2AA2
• SCALANCE M816-1 (Annex B) 6GK5816-1BA00-2AA2
SCALANCE M826-2 SHDSL router
DSL router for wired IP communication from Industrial Ethernet-based subnets and programmable controllers via telephone or DSL networks; with integrated firewall and VPN with IPsec; 1 x or 4 x RJ45 ports for Industrial Ethernet; 1 x RJ45 port for DSL
• SCALANCE M826-2 (Annex A) 6GK5826-2AB00-2AB2

Communications processors for SIMATIC S7
CP 1243-1 6GK7243-1BX30-0XE0
communication processor; for connection of SIMATIC S7-1200 to Industrial Ethernet via TCP/IP, ISO and UDP, Telecontrol Server Basic and security functions Stateful Inspection Firewall and VPN; 1 x RJ45 interface with 10/100 Mbit/s
CP 1543-1 6GK7543-1AX00-0XE0
communication processor; for connection of SIMATIC S7-1500 to Industrial Ethernet via TCP/IP, ISO and UDP and security functions Stateful Inspection Firewall and VPN; 1 x RJ45 interface with 10/100/1 000 Mbit/s
CP 343-1 Advanced 6GK7343-1GX31-0XE0
communications processor; for connection of SIMATIC S7-300 to Industrial Ethernet over ISO and TCP/IP; PROFINET IO Controller or PROFINET IO Device, MRP, integrated 2-port switch ERTEC; S7 communication, open communication (SEND/RECEIVE), FETCH/WRITE, with and without RFC1006, multicast, DHCP, CPU clock synchronization via SIMATIC procedure and NTP, diagnostics, SNMP, access protection through IP access list, initialization over LAN 10/100 Mbit/s; as well as IT communication (web, e-mail, FTP); PROFINET CBA; security (firewall/VPN); PROFIenergy; with electronic manual on DVD
CP 443-1 Advanced 6GK7443-1GX30-0XE0
communications processor; for the connection of SIMATIC S7-400 to Industrial Ethernet; PROFINET IO Controller with RT and IRT, MRP, PROFINET CBA, TCP/IP, ISO and UDP; S7 communication, open communication (SEND/RECEIVE) with FETCH/WRITE, with and without RFC1006, diagnostics expansions, multicast, clock synchronization with SIMATIC mode or NTP, access protection by IP access list, FTP client/server, HTTP server, HTML diagnostics, SNMP, DHCP, e-mail, data storage on C-PLUG; PROFINET connector: 4 x RJ45 (10/100 Mbit/s) via switch; Gigabit connector: 1 x RJ45 (10/100/1 000 Mbit/s); with integrated stateful inspection firewall and VPN appliance

Communications processors for PG/PC/IPC
CP 1628 6GK1162-8AA00
communications processor; PCI Express x1 card for connection to Industrial Ethernet (10/100/1 000 Mbit/s), with 2-port switch (RJ45) and integrated security (firewall, VPN); communication via HARDNET-IE S7 and S7-REDCONNECT. For operating system support, see SIMATIC NET Software

Accessories
IE FC RJ45 Plug 180
RJ45 plug connector for Industrial Ethernet with a rugged metal enclosure and integrated insulation displacement contacts for connecting Industrial Ethernet FC installation cables; with 180° cable outlet; for network components and CPs/CPUs with Industrial Ethernet interface
• 1 pack = 1 unit 6GK1901-1BB10-2AA0
• 1 pack = 10 units 6GK1901-1BB10-2AB0
• 1 pack = 50 units 6GK1901-1BB10-2AE0
ANT794-4MR antenna 6NH9860-1AA00
Omnidirectional antenna for GSM (2G) and UMTS (3G) networks; weather-resistant for indoor and outdoor use; 5 m cable with fixed connection to antenna; SMA connector; including mounting bracket, screws, wall plugs

Note:
1) Check the current country list:
http://support.automation.siemens.com/WW/view/en/66627157

Industrial Security Services

■ Overview

Step 1: Assess
Know your security posture and develop a security roadmap
• Vulnerability assessment
• Threat assessment
• Risk analysis

Step 2: Implement
Engineering, design and implementation of a holistic cyber security program
• Cyber security training
• Development of security policies and procedures
• Implementation of security technology

Step 3: Operate & Manage
Provide continuous protection through proactive defense
• Global threat intelligence
• Incident detection and remediation
• Timely response to the changing threat landscape

The merging of data systems in the production and office environments has made many processes faster and easier, while the use of the same data processing programs creates synergies. These developments, however, have also increased the security risk. Today it is no longer just the office environment that is under threat from viruses, trojans and hackers; production plants are also at risk of malfunctions and data loss. Many weak spots in security are not obvious at first glance. For this reason, it is advisable to check existing plants with regard to security and to optimize them in order to maintain a higher level of plant availability. To enhance the security of a plant against cyber attacks, a multi-level service concept for Industrial Security is available from Siemens Industry.

The first step involves "assessment", the initial examination of the existing plant. This identifies weak spots or deviations from standards. The result of this examination is a detailed report about the actual status of the plant with a description of the weak points and an assessment of the risks. The report also contains suggested actions for improving the level of security.

In the second "implementation" stage, the measures defined in the assessment are implemented, i.e.:
• Training:
Personnel are given specific training so that they understand what IT and infrastructure security means in the industrial environment.
• Process improvement:
Security-relevant regulations and guidelines relating to the existing plant requirements are drawn up and implemented.
• Security technologies:
Protective measures are implemented for hardware and software, as well as in the plant network; in addition, long-term protection through monitoring is available.

The measures defined and implemented in the first two phases are continuously developed in the third phase of "operation and management", i.e. monitoring the security status of the plant, checking the security level, redefining and optimizing actions, as well as regular reports and functions such as updates, backup and restore. Even if changes are made to the plant network, the software environment or the administration of access rights for users and administrators, the services increase the security level so that the corresponding data remains in the plant and attackers are given minimal opportunities to compromise the plant. The phases of implementation, operation and management are tailored precisely to meet the existing needs.


■ Benefits

Customer benefits
• Determination of the security level and, based on this, drawing up a plan of action for reducing the risks
• Specific training for building up technical knowledge
• Increasing plant security through tailored processes and specifications
• Implementation of a comprehensive security solution for protecting the automation system
• Connection to a Managed Service Center for continuous monitoring of the security status of the plant
• Continuous monitoring of the security status of the plant
• Detection of incidents and adaptation of the environment to the threat
• Keeping the system up to date (pattern, patches, signatures).

■ Ordering data Article No.

Security assessment for complete plants 9AS1411-1AA11-1AA1
Risk and Vulnerability Assessment On request
Customized analyses, projects and advice On request

■ More information

Further information can be found at:
www.siemens.com/industrialsecurity
