
SIBERprotect® - A PLC-based realtime solution for cyber-physical monitoring and defense

SIMATIC S7-1500 / SCALANCE S / RUGGEDCOM / Nozomi Networks / Claroty / Fortinet

Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/en/view/109810533
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG (“Siemens”). They are non-
binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.
© Siemens AG 2023 All rights reserved

Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with industrial security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
under https://www.siemens.com/cert.

SIBERprotect®
Article ID: 109810533, V1.0, 01/2023 2

Table of contents
Legal information ......................................................................................................... 2
1 Introduction ........................................................................................................ 5
1.1 Overview............................................................................................... 5
1.2 SIBERprotect® ...................................................................................... 6
1.3 Application examples for SIBERprotect ............................................... 7
1.4 Components used ................................................................................ 8
2 Principle of operation ...................................................................................... 12
2.1 Next generation firewalls (NGFW) ..................................................... 13
2.2 Intrusion detection systems (IDS) ...................................................... 14
2.3 Structure of the SIBERprotect S7-1500 ............................................. 15
2.4 Detection, processing and response to cyberthreats ......................... 18
2.5 Third-party software for industrial cybersecurity ................................ 19
2.5.1 Nozomi Networks company profile ..................................................... 19
2.5.2 Claroty company profile...................................................................... 20
2.5.3 Fortinet company profile ..................................................................... 21
2.5.4 Vendor comparison ............................................................................ 22
2.5.5 RUGGEDCOM platform ..................................................................... 23
3 Engineering ...................................................................................................... 24
3.1 SIBERprotect® actions ....................................................................... 24
3.2 Detecting a cyberthreat ...................................................................... 25
3.3 Cyberthreat analysis ........................................................................... 33
3.4 Responding to cyberthreats ............................................................... 39
3.4.1 Cell protection with SCALANCE S cell firewall .................................. 44
3.5 Firewall settings .................................................................................. 46
3.5.1 IP address .......................................................................................... 46
3.5.2 Firewall settings .................................................................................. 49
3.5.3 Email notification in case of threat ..................................................... 53
3.5.4 Indicator light column ......................................................................... 55
3.5.5 Alarm .................................................................................................. 56
4 Using the application ...................................................................................... 57
4.1 Commissioning the example project .................................................. 57
4.2 Operating the example project ........................................................... 57
5 Useful information ........................................................................................... 61
5.1 Syslog ................................................................................................. 61
5.1.1 Description ......................................................................................... 61
5.1.2 The transmission mechanism............................................................. 64
5.2 Security features of the S7-1500 PLC................................................ 65
5.3 NIST compliance ................................................................................ 65
6 Glossary ........................................................................................................... 66
7 Appendix .......................................................................................................... 67
7.1 Service and support ........................................................................... 67
7.2 Industry Mall ....................................................................................... 68
7.3 Links and literature ............................................................................. 68
7.4 Change documentation ...................................................................... 68

1 Introduction
1.1 Overview
Cybersecurity is a critical issue. Cyberattacks can damage plants, injure personnel,
cause production downtimes and damage market reputation, leading to financial
losses.
Figure 1-1
Protecting operational technology (OT) associated with manufacturing and production is extremely important.

One of the main targets of OT-related cyberattacks is critical infrastructure (KRITIS). Critical infrastructures are organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation can result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.

More information regarding critical infrastructure can be found at the following link:
https://www.bsi.bund.de/EN/Themen/KRITIS-und-regulierte-Unternehmen/Kritische-Infrastrukturen/Allgemeine-Infos-zu-KRITIS/allgemeine-infos-zu-kritis_node.html


1.2 SIBERprotect®
SIBERprotect® is a cyberphysical protection system based on an S7-1500 controller. Cyberphysical refers to measures taken to protect devices. Physical measures include, for example, sending a digital signal that causes a SCALANCE S device to change its firewall rules, setting a digital input signal on a SIPROTEC circuit breaker to block network control of the switch, locking down injection pumps to prevent overdosing of chemicals, activating emergency cooling systems, or similar measures. SIBERprotect® aims to prevent cyberattacks, impede their spread, and shorten the response time before defensive actions are taken, all while preventing damage to plants and ensuring uninterrupted production during and after an attack. SIBERprotect® contains function blocks for receiving a cyberthreat, processing it and responding to it. SIBERprotect® uses multiple solutions simultaneously to detect threats, thus increasing the likelihood that an attack will be detected. Responding to a threat by changing firewall rules or by triggering visual and acoustic signals also makes security threats quickly visible to personnel.

In the example below, the access to the OT network is restricted to a single access
point which enables isolation of the IT network and the production cell in critical
situations ("island mode").
Figure 1-2

1.3 Application examples for SIBERprotect

SIBERprotect® can be customized using rule sets, both for threat detection and for threat defense. Customer plants and their defense requirements are virtually never identical, so SIBERprotect® can be customized to suit every individual case. A selection of applications is described below as examples.

A cyberthreat with high priority is detected:

• In a power plant, SIBERprotect® triggers an interlock signal to the circuit breaker to prevent malware from controlling the circuit breaker via the network. The circuit breakers can be controlled locally in the plant with the front control panel.
• In a drydock where a nuclear-powered ship is being worked on, SIBERprotect® immediately quarantines critical systems and at the same time activates separate emergency cooling systems and their associated emergency pumps.
• In a beverage factory, SIBERprotect® immediately modifies firewall rules that isolate systems so that operations can be resumed independently. Meanwhile, it quarantines dependent systems such as filling and palletizing systems in order to finish packaging of a batch that is in progress.
• In an embassy, SIBERprotect® triggers physical security systems by blocking access ways or closing gates, for example.
• On a ship inbound to a heavily trafficked port, SIBERprotect® causes an immediate machine shutoff command, spins up a backup generator powering the bow and port thrusters, and takes over control of the thrusters to prevent a collision.
• In a pharmaceutical factory, SIBERprotect® triggers an immediate shutoff of a production line or shipping plant to prevent unapproved products from reaching the market.
• In a water-treatment plant, SIBERprotect® locks off injection pumps to prevent overdosing of chemicals into the water supply.


1.4 Components used

This application example was created with the following hardware and software components:

Table 1-1
Component | Quantity | Item number | Note
RUGGEDCOM RX1510 | 1 | 6GK6015-1AM23-3EC0-Z |
Customized cybersecurity solution with FortiGate | 1 | 6GK6000-1AM02-0AA3 |
Customized cybersecurity solution with Nozomi Guardian | 1 | 6GK6000-1AM01-0AA3 |
RUGGEDCOM RX1500PN LM 6TX01 Line Module 6x 10/100TX RJ45 | 1 | 6GK6015-0AL20-0NB0 |
RUGGEDCOM RX1500PN LM CG01 Line Module 2x 10/100/1000TX RJ45 | 1 | 6GK6015-0AL20-0FC0 |
RUGGEDCOM RX1500PN PS HI power supply 88-300VDC or 85-264 VAC | 1 | 6GK6015-0AL13-0AA0 |
RUGGEDCOM RX1500PN PS HI power supply 88-300VDC or 85-264VAC | 1 | 6GK6015-0AL13-0AA0 |
SCALANCE SC646-2C | 1 | 6GK5646-2GS00-2AC2 |
Memory Card, 256 MB | 1 | 6ES7954-8LL03-0AA0 |
CPU 1516F-3 PN/DP | 1 | 6ES7 516-3FNO1-0AB0 |
DQ 32x24VDC/0.5A ST | 1 | 6ES7 522-1BL00-0AB0 |
TP1200 Comfort | 1 | GAV2 124-0MC01-0AX0 |
TP 700 Comfort | 1 | 6AV2 124-0GC01-0AX0 |
SITOP PSU6200, 24 V DC / 5A | 1 | 6EP3333-7SB00-0AX0 |


Siemens RUGGEDCOM Claroty CTD Sensor - parts list

Table 1-2
Component | Quantity | Item number | Note
Claroty CTD sensor with perpetual license | 1 | 6GK6015-0AL20-1AA0 | Perpetual license
Claroty CTD sensor with 1-year subscription | 1 | 6GK6015-0AL20-1AB0 | Subscription license, 1 year
Claroty CTD sensor with 3-year subscription | 1 | 6GK6015-0AL20-1AD0 | Subscription license, 3 years
Claroty CTD sensor with 5-year subscription | 1 | 6GK6015-0AL20-1AF0 | Subscription license, 5 years
Claroty CTD sensor with annual subscription license | 1 | 6GK6015-0SA00-0AA0 |


Siemens RUGGEDCOM Fortinet parts list

Table 1-3
Component | Quantity | Item number | Note
Fortinet cybersecurity solution FG | 1 | 6GK6000-1AM02-0AA3 | Hardware specification: APE1808LNX = Application Processing Engine, Atom x5-E3940, 8GB RAM, 64 GB eMMC, DisplayPort, uSD, USB, Linux. Software specification for the Fortinet firewall: FortiGate-FG-VM02V-FortiGate-VM, Virtual Appliance for all supported platforms, two vCPU cores and (up to) 4 GB RAM. Preconfigured for APE
Fortinet VM02 FortiGuard IPS Service | 1 | 6GK6000-1BC47-0AC6 | FortiGuard Service, 3 years
Fortinet VM02 FortiGuard Industrial Security Service | 1 | 6GK6000-1BC47-0AC6 | FortiGuard Industrial Security, 3 years
Contract, Fortinet VM02 8x5 FortiCare | 1 | 6GK6000-1BC47-0AC5 | Contract, 8x5 FortiCare, 3 years
Fortinet Cybersecurity Solution FM | 1 | 6GK6000-1AM02-1AA3 | FMG-VM-BASE – Basic license for stackable FortiManager VM. Manages up to ten Fortinet devices / virtual domains, 1 GB/day in protocols and 100 GB storage capacity. For all supported FortiManager VM virtual appliance platforms.
Contract, Fortinet FortiManager FortiCare | 1 | 6GK6000-1BC47-0AC8 | Contract, 8x5 FortiCare (1 to 10 devices / virtual domains), 3 years


Siemens RUGGEDCOM Nozomi Networks parts list

Table 1-4
Component | Quantity | Item number | Note
Nozomi Cybersecurity Solution NG | 1 | 6GK6000-1AM01-0AA3 | Hardware specification: APE1808LNX = Application Processing Engine, Atom x5-E3940, 8GB RAM, 64 GB eMMC, DisplayPort, uSD, USB, Linux. Software specification: V100-SCAU-CE – Siemens V100 Virtual Appliance SGA-CE
Nozomi 8x5 Standard Support Guardian | 1 | 6GK6000-1BC47-0AB7 | Nozomi V100 3-year support 8x5
Nozomi OT Threat Feed - subscription | 1 | 6GK6000-1BC47-0AC3 | Nozomi OT Threat Feed, 3-year subscription
On-site configuration including travel expenses (2 days) | 1 | 6GK6000-1AB40-2CC1 | Update for network configuration in the RX1500 for linking to NGFW/IDS components and mirrored traffic; IDS baselining; test for whether the IDS detects network events and anomalies in traffic patterns; querying of security protocols and statistics

This application example consists of the following components:

Table 1-5
Component | File name | Note
Documentation | 109810533_SIBERprotect_DOC_V_1_0_en.pdf |
Application | 109810533_Application_V1_0.zip |
Library | 109810533_Library_V1_0.zip |


2 Principle of operation
Organizations today must have multiple security measures at their disposal. With
its Defense in depth concept, Siemens offers multi-layered protection for plants.
The following examples demonstrate how you can improve your network security
with additional security mechanisms.

Examples include:
• Intrusion Detection Systems (IDS)
• Deep Packet Inspection (DPI)
• Intrusion Prevention Systems (IPS)
• Next generation firewalls (NGFW)
• …

The defense methods differ in how they function.

Figure 2-1
IDS: An intrusion detection system offers early warning notifications in case of sophisticated cyberthreats.
DPI: Deep Packet Inspection (DPI) checks data packets, both in header information and data payload of packets. DPI helps in combatting spam, viruses and other undesired content.
IPS: An intrusion prevention system (IPS) responds to threats with preventative measures. IPS systems can refuse data traffic or discard data packets. The focus here lies on OT protocols (Modbus, etc.).
NGFW: The RUGGEDCOM switching and routing platform can be equipped with a leading next generation firewall. The integrated appliance offers DPI/IPS features. This aids security in IT networks and OT networks.
Applications for complex OT requirements


2.1 Next generation firewalls (NGFW)

A next generation firewall filters data traffic to guard an enterprise from external and internal threats. It combines several security mechanisms in a single device. This generation of firewall can provide the following technologies:
• Packet filter
• Stateful Packet Inspection (SPI) firewalls
• Application Firewall
• Intrusion prevention systems (IPS)
• Deep packet inspection (DPI)
• Malware defense
• Sandboxing
• TLS and SSL inspection
• …

Deep packet inspection inspects both the header and the content of data packets. Viruses, spam and other undesired content can be blocked in this manner. Because inspection extends to OSI layer 7 (the application layer), it is possible, for example, to detect a Start, Stop, Read or Write in the S7 protocol. Next generation firewalls are an essential component of secure IT/OT integration.

Figure 2-2
Why should you choose a next generation firewall (NGFW)?
• Continuous protection against known and unknown threats
• Multi-level security concept against cyberthreats
• Excellent price-to-performance ratio


2.2 Intrusion detection systems (IDS)

An intrusion detection system (IDS) is a security technology that detects unauthorized intrusion into a network, for instance when malware uses so-called "exploit" code to take advantage of security holes in a system.

The following examples illustrate intrusion into a system:
• A worm (malware) spreads to all hosts on the network.
• An unusually high number of login attempts is registered on the system.
• An unusual amount of data is downloaded from a development server.
• …

An intrusion detection system (IDS) can complement the firewall functionality and thus increase security. An intrusion detection system is deployed in software form and can run on different hardware. The system is distributed across various points in the network; sensors at these points collect and analyze possible attacks. The collected attack data are collated in central analytics software and provided for evaluation. If attack patterns are detected, the intrusion detection system reports them. An intrusion detection system creates transparency about your automation devices and their data traffic, increasing security thanks to continuous and proactive detection of anomalies in the system.

Figure 2-3
Why should you choose an intrusion detection system (IDS)?
• Transparency over data traffic in industrial networks
• Early detection of anomalies and cyberthreats
• Transparency over assets and vulnerabilities


2.3 Structure of the SIBERprotect S7-1500

From a high-level view, SIBERprotect® consists of two functional components: threat detection and threat defense. The diagram below shows a high-level view of the principle of operation of SIBERprotect®. Threats are detected with technologies such as an NGFW or IDS.

Figure 2-4
Threat detection devices: NGFW, IPS, IDS, DPI, honeypot
Threat data (examples): WannaCry, Stuxnet, Heartbleed, …
Response levels: Emergency, Alarm, Warning, …
Physical measures: interlock circuit breaker, shut down valve, change firewall rules
Plant protection devices for responding to threats

The selection of suitable protection for a system (threat defense) depends on the system itself. If the system in question is a circuit breaker in a power plant, SIBERprotect® can transmit a digital signal to the switch to lock it so that it can only be unlocked locally. This prevents malware on the network from tripping the switch or disabling it. A simple chemical injection pump can be locked down with a relay that switches off the pump or prevents it from being switched on. System protection can take many forms and must be defined as part of an on-site review.


Integration of SIBERprotect® into a SIEM system

A core element of responding to cyberattacks is forensics. SIBERprotect® offers a secure connection to a SIEM system (Security Information and Event Management) to support forensics in the wake of a cyberattack. The SIEM system also offers realtime analysis of security alarms from sources such as applications or network components.

Forensics logging
After a cyberattack, forensics are vital in ascertaining the cause of the attack. With this in mind, SIBERprotect® recommends having incoming threat alerts sent to a forensics server in parallel. SIBERprotect® also sends its own security events to the server via secure firewall traffic. When analyzing the event, threats and responses can then be seen in chronological order.

Note Detailed information regarding support and consulting on security solutions can be found at the following link:
https://new.siemens.com/global/en/products/services/digital-enterprise-services/industrial-security-services.html

Example of an OT architecture
The figure shows an example architecture of a SIBERprotect® system in an OT environment.

Figure 2-5
Industrial datacenter / IT network: WinCC, SINEC NMS, SINEC INS, MES, TIA Portal, SIEM; data diode; email; Internet
RX1510 with NGFW and IDS; S7-1500 SIBERprotect with HMI SIBERprotect and digital I/O, connected over Industrial Ethernet
Cell 1, Cell 2 … Cell n: each with SCALANCE S, S7-1200 and HMI

In this architecture, the RUGGEDCOM RX1510 layer-3 switch mirrors all network traffic to the two RUGGEDCOM Application Processing Engines (APE cards), one running the FortiGate next generation firewall from Fortinet and the other the intrusion detection software from Nozomi Networks. All network traffic is mirrored via the backplane of the RX1510. Threat alerts are sent via the internally isolated port of the APE card that runs the Nozomi IDS software. In this example, threats are sent in Common Event Format (CEF).


2.4 Detection, processing and response to cyberthreats

Figure 2-6
Detect → Process → Respond

We present the defense-in-depth concept for a company in the following example.
The network concept has multiple layers of defense. The graphic below shows the
sequence that begins with detection of a threat, then processing, and ending with
response actions.
Figure 2-7
Systems from top to bottom: IT network; Next Generation Firewall (NGFW); Intrusion Detection System (IDS); S7-1500 SIBERprotect; Stateful Packet Inspection (SPI) Firewall; Production Network (cell) with PROFINET / IE. Stages: Detect threats, Processing, Measures. The S7-1500 output Q0.1 is False in the normal state and True in the danger state.

The IT network and the OT network are secured with a next generation firewall
(NGFW) and an intrusion detection system (IDS). When a threat is detected, the
S7-1500 SIBERprotect® is able to isolate the cells from the higher-level network
so that production is not degraded. Once the attack is over, communication to the
higher-level system can be restored.
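As an added illustration (not Siemens' SIBERprotect function blocks, which run as SCL on the S7-1500, and not Nozomi code), the Python model below follows one alert through the three stages of Figure 2-6 and Figure 2-7: it parses a CEF threat record of the kind the IDS forwards (Section 2.3), classifies it against a rule set, and drives the modelled digital output Q0.1 that Figure 2-7 uses for island mode, keeping threats and responses in one chronological forensics list. The sample alerts, the severity thresholds, the class name SiberprotectModel, the attribute Q0_1 and the action labels are assumptions for this example.

```python
import re
from dataclasses import dataclass, field

CEF_HEADER = ("vendor", "product", "version", "signature_id", "name", "severity")  # after "CEF:<version>"
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")   # start of a key=value pair
_UNESC = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def _split_header(text, maxsplit=7):
    """Split on unescaped '|' at most maxsplit times; the remainder (the
    extension) is returned raw so its own escapes are handled separately."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            return parts + [text[i:]]
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # \| or \\ inside a header field
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts


def _parse_ext(ext):
    """key=value pairs; values may contain spaces and escape '=' as '\\='."""
    keys, out = list(_EXT_KEY.finditer(ext)), {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _UNESC.get(e.group(1), e.group(0)), raw)
    return out


def parse_cef(line):
    """Detect stage: one syslog-wrapped CEF line -> header fields plus 'ext' dict."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("not a CEF record")
    fields = _split_header(line[pos:])
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    ev = dict(zip(CEF_HEADER, fields[1:7]))
    ev["severity"] = max(0, min(10, int(ev["severity"])))   # CEF severity is 0..10
    ev["ext"] = _parse_ext(fields[7] if len(fields) > 7 else "")
    return ev


@dataclass
class SiberprotectModel:
    """Process and Respond stages. Q0_1 mirrors the output in Figure 2-7: False =
    normal state, True = danger state (SCALANCE S switches to its isolation rule
    set, 'island mode'). The thresholds are assumed, not Siemens' rule set."""
    alarm_threshold: int = 4
    emergency_threshold: int = 7
    Q0_1: bool = False
    forensics_log: list = field(default_factory=list)   # threats and responses in order

    def classify(self, ev):
        if ev["severity"] >= self.emergency_threshold:
            return "Emergency"
        return "Alarm" if ev["severity"] >= self.alarm_threshold else "Warning"

    def handle(self, line):
        """One alert through Detect -> Process -> Respond; returns (level, actions)."""
        ev = parse_cef(line)
        level = self.classify(ev)
        actions = ["forward_to_siem"]              # every alert also goes to forensics
        if level == "Emergency":
            self.Q0_1 = True                       # isolate the cell so it keeps producing
            actions += ["island_mode", "alarm_horn", "email_notify"]
        elif level == "Alarm":
            actions += ["indicator_light", "email_notify"]
        self.forensics_log.append((ev["ext"].get("rt", ""), ev["name"], level, actions))
        return level, actions

    def restore(self, local_acknowledge):
        """Lift island mode only on a local acknowledgement, never via the network."""
        if local_acknowledge and self.Q0_1:
            self.Q0_1 = False
            self.forensics_log.append(("", "restore", "Normal", ["island_mode_off"]))
        return self.Q0_1


# Constructed sample alerts (syslog-prefixed CEF); IDs, names and addresses are invented.
SAMPLE_ALERTS = [
    "<134>Jan 15 10:04:21 ids-ape CEF:0|Nozomi Networks|Guardian|1.0|100|New host "
    "scanning OT cell|3|src=10.0.1.55 dst=10.0.2.0 rt=2023-01-15T10:04:21Z",
    "<134>Jan 15 10:06:02 ids-ape CEF:0|Nozomi Networks|Guardian|1.0|200|Modbus write "
    "from unknown host|6|src=10.0.1.55 dst=10.0.2.10 msg=fc\\=16 reg\\=40001",
    "<134>Jan 15 10:07:40 ids-ape CEF:0|Nozomi Networks|Guardian|1.0|300|S7 STOP "
    "request from IT network|9|src=192.168.10.7 dst=10.0.2.10 rt=2023-01-15T10:07:40Z",
]
```

Feeding the three sample alerts through `SiberprotectModel().handle()` yields Warning, Alarm and Emergency in turn; only the third sets Q0_1 and the cell stays isolated until `restore(True)` is called from the local side.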


2.5 Third-party software for industrial cybersecurity

A key characteristic of SIBERprotect® is the ability to receive threat detection
information from multiple sources. The theoretical probability of detection increases
if more than one threat detection solution is used. Another example of the prudent
use of multiple threat detection solutions lies in employing one of the solutions to
monitor the IT environment for threats. If a threat in the IT environment is detected,
the OT environment should be protected immediately so that production can
continue.

2.5.1 Nozomi Networks company profile

Nozomi Networks is one of the leading companies in the fields of OT, ICS and
industrial IoT cybersecurity. Nozomi Networks supports monitoring, detection and
response to threats in industrial networks within trusted zones. Nozomi Networks
uses a span port to analyze data traffic. The full-service solution with Nozomi
Networks Guardian and Central Management Console supplies security personnel
with smart, context-based warnings. This enables rapid response in realtime when
threats appear, so as to keep the production environment in a secure and
operational state at all times. Nozomi Networks' solution encompasses an intrusion
detection system (IDS) with deep packet inspection (DPI). The products are
available either as an appliance (hardware-based), a VM, or a container (software-
based) solution.
For further information on Nozomi Networks, please refer to:
https://www.nozominetworks.com/

You can find more information about anomaly-based intrusion detection at:
https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-ethernet/local-processing.html

Nozomi Networks supports a large number of IT, OT and IoT protocols; for the full list, see the manufacturer's site at:
https://www.nozominetworks.com/downloads/US/Nozomi-Networks-Protocol-Support-List.pdf?utm_source=guardian-ce-microsite&utm_medium=website&utm_campaign=gce


2.5.2 Claroty company profile

Claroty is an industrial cybersecurity company. Claroty helps its customers reveal their OT, IoT and IIoT systems (asset identification), protect them and manage them. The company offers a wide portfolio of industrial cybersecurity solutions for creating transparency in communication and data traffic, detecting threats, managing risks and vulnerabilities, as well as for secure remote access. The company is headquartered in New York City.

Continuous threat detection software from Claroty

Continuous threat detection entails automatic asset identification and full transparency about communication and data traffic within the plant network. It offers control over asset management, network segmentation, threat and anomaly detection, as well as vulnerability management. Anomalies in the network are detected by comparing current data traffic with a reference baseline. Claroty's continuous threat detection can monitor data traffic via a SPAN port or a mirror port, or it can run on existing network infrastructure. The use of machine learning continuously improves the detection rate. A powerful, user-friendly dashboard enables monitoring and event management.

More information about Claroty can be found at:
https://claroty.com/

For more information about industrial anomaly detection with Siemens components, please refer to:
https://support.industry.siemens.com/cs/de/en/sc/4987
https://security.claroty.com/siemens-integration


2.5.3 Fortinet company profile

Fortinet (NASDAQ: FTNT) protects the most valuable resources of some of the
largest companies, service providers and government agencies in the world.
Fortinet equips its customers with intelligent, seamless security mechanisms
against the rapidly intensifying cyberthreat environment and makes it possible to
meet ever-increasing performance requirements. The joint solution from Fortinet and
Siemens combines the FortiGate next generation firewall (NGFW) from Fortinet
with the switches and routers of the RUGGEDCOM series. It makes it easy to deploy
cybersecurity at locations with challenging environments such as substations. The
solution is deployed in a single integrated device: the RUGGEDCOM hardware runs
a FortiGate VM. This integrated solution offers first-class protection for OT
networks. It includes complete firewall functions, malware blocking, application
controls and Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
inspection for encrypted data traffic flowing through the RUGGEDCOM hardware.
Thanks to the use of FortiGuard Labs and the FortiGate intrusion prevention
system (IPS) technology to detect unknown threats, this integrated platform is able
to inspect data traffic for protocols and vulnerabilities.

For further information on Fortinet, please refer to:
https://www.fortinet.com/

Fortinet supports a broad set of OT protocols. For a full list, see the manufacturer site at:
https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-operational-technology-design-guide.pdf

The FortiGuard Industrial Security Service continuously updates signatures to
identify and monitor the most common OT protocols. This guarantees full
transparency and control. Weak points in applications and devices from OT
vendors are likewise covered.

https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/industrial-control-systems

FortiGuard IPS protects against the latest intrusion threats for networks. Threats
are detected and blocked before they reach the network device.

https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/intrusion-prevention


2.5.4 Vendor comparison

The following Table gives you an overview of the different technologies. For a
complete and up-to-date overview, please visit the vendor websites.

Table 2-1
| | Nozomi Networks | Claroty | Fortinet |
| --- | --- | --- | --- |
| Technology | Intrusion Detection System (IDS) with Deep Packet Inspection (DPI) | Intrusion Detection System (IDS) with Deep Packet Inspection (DPI) | Next generation firewalls (NGFW) |
| IDS detection methods | Anomaly-based, capable of supporting signatures | Anomaly-based | Signature-based when equipped with IDS functions |
| DPI | Support for OT protocols | Support for OT protocols | Support for OT protocols |
| Firewall functions | not available | not available | Packet & application filtering, IPSec VPN, NAT and more |
| IPS | not available | not available | available |
| Siemens Platform | APE1808, SCALANCE LPE | APE1808, IPC | APE1808 |


2.5.5 RUGGEDCOM platform

The RUGGEDCOM RX1500 is a multi-service platform providing layer 2 and layer 3 switching
and routing. With its locally swappable performance modules, the RX1500 has been designed
for rough environments.

Figure 2-8

The RUGGEDCOM APE1808 is a member of the RUGGEDCOM RX1500 product family.

The new RUGGEDCOM APE1808 is ideally suited for leading third-party cybersecurity
software. It enables operation of intrusion detection systems (IDS), intrusion prevention
systems (IPS), deep packet inspection (DPI) and next generation firewalls (NGFWs). You
have the option of selecting solutions that suit your facility and threat model and that meet
the regulations in your country or region.

Figure 2-9

The RUGGEDCOM platform lets you bundle all the different systems under one hardware
platform.


3 Engineering
3.1 SIBERprotect® actions

The Figure below shows the ways of detecting, evaluating and responding to a
cyberthreat in the SIMATIC S7-1500 controller. The following chapter presents the
individual components in more detail.

Figure 3-1: Block chain in the S7-1500: "Syslog Receive UDP" (cyberthreat detected) -> "Process Syslog Message" (cyberthreat analysis) -> "Threat Notification" (response to cyberthreat)


3.2 Detecting a cyberthreat


Figure 3-2

A cyberthreat is detected, for example with a next generation firewall (NGFW) or an
intrusion detection system (IDS). This makes it possible to scan for threats from
multiple sources.

Figure 3-3: RX1510 with next generation firewall and intrusion detection system (Syslog client) -> Industrial Ethernet -> S7-1500 SIBERprotect (Syslog server)

The next generation firewall (NGFW) or the intrusion detection system (IDS) sends
a Syslog message to the S7-1500 SIBERprotect. The latter receives the message
and analyzes it.

The following function block is used for receiving a Syslog message. The block
utilizes Open User Communication, a protocol for transmitting data between two
stations connected to the Ethernet subnet. Networking can be carried out either
with the integrated CPU interface or with a communication processor (CP). The
block uses the TCON, TDISCON and TURCV instructions to establish a connection,
receive UDP data and clear the connection down.


Figure 3-4: Block interface "Syslog Receive UDP": inputs enable (Bool), connParam (TCON_IP_v4); outputs valid, done, ndr, busy, error (Bool), status (Word), diagnostics ("typeDiagnostics"), rcvdLen (UDInt); in/out rcvdData (Array[*] of Byte)

Table 3-1
| Name | Declaration | Data type | Comment |
| --- | --- | --- | --- |
| enable | Input | Bool | Enable signal for connection setup and data exchange |
| connParam | Input | TCON_IP_v4 | Connection parameters |
| valid | Output | Bool | TRUE: The block executes its function without error |
| done | Output | Bool | TRUE: The job was successfully executed |
| ndr | Output | Bool | TRUE: New data has been received |
| busy | Output | Bool | TRUE: The block is being executed |
| error | Output | Bool | TRUE: An error has occurred |
| status | Output | Word | Status and error codes |
| diagnostics | Output | "typeDiagnostics" | Advanced diagnostic information |
| rcvdLen | Output | UDInt | Length in bytes of the received data |
| rcvdData | InOut | Array[*] of Byte | Receive data range |


Troubleshooting
Specific status and error codes are listed below.

Table 3-2
| Code | Meaning |
| --- | --- |
| 16#0000 | Job completed successfully. |
| 16#7000 | No job active. |
| 16#7001 | First call of the instruction. |
| 16#7002 | Follow-up call of the instruction. |
| 16#8408 | Time-out: The job could not be completed within the specified time. Possible reason for a time-out: the partner is not available. |
| 16#8600 | The FB is in an invalid state. |
| 16#8601 | Error in subordinate command "TCON". The error code of the command is output to "diagnostics.subfunctionStatus". For the meaning of the respective error code, refer to the TIA Portal information system or the STEP 7 online help. |
| 16#8603 | Error in subordinate command "TURCV". The error code of the command is output to "diagnostics.subfunctionStatus". For the meaning of the respective error code, refer to the TIA Portal information system or the STEP 7 online help. |
| 16#8604 | Error in subordinate command "TDISCON". The error code of the command is output to "diagnostics.subfunctionStatus". For the meaning of the respective error code, refer to the TIA Portal information system or the STEP 7 online help. |


Integration into the PLC program

1. Download the library from the article page of the application example
109810533.
2. Insert the function block "Syslog Receive UDP" into your user program from
your library.

Figure 3-5

3. Add the PLC data type "typeDiagnostics" to your controller.
Figure 3-6

4. Create a global data block. Give the data block the name "Internal Variables".
Acknowledge the dialog with "OK".
Figure 3-7

5. Open the data block. Define the following control tags in the data block.
Double-click "<Add new>" in an empty row to do this.

Figure 3-8

The tags below, each with their own data types, serve to interconnect the function block
"Syslog Receive UDP". For a description of the functionality, please refer to Table 3-1
on the function block.

Table 3-3
| Name | Data type | Input/output at the block |
| --- | --- | --- |
| syslog_receive_execute | Bool | Input enable |
| syslog_receive_connParam | TCON_IP_V4_SEC | Input connParam |
| syslog_receive_message | Array[0..2047] of Byte | InOut rcvdData |
| syslog_receive_valid | Bool | Output valid |
| syslog_receive_done | Bool | Output done |
| syslog_receive_busy | Bool | Output busy |
| syslog_receive_error | Bool | Output error |
| syslog_receive_ndr | Bool | Output ndr |
| syslog_receive_status | Word | Output status |
| syslog_receive_diagnostics | typeDiagnostics | Output diagnostics |
| syslog_receive_rcvdLen | UDInt | Output rcvdLen |


6. Assign the following parameters for the connection partners. They are needed
for the internal blocks TCON, TDISCON and TURCV.

Table 3-4
| Name | Data type | Start value | Description |
| --- | --- | --- | --- |
| InterfaceId | HW_ANY | 64 | Hardware identifier of the interface used; how to find it in TIA Portal is described in the next section. |
| ID | CONN_OUC | 100 | Connection reference. |
| ConnectionType | Byte | 19 | Connection type: 11: TCP; 17: TCP; 19: UDP |
| ActiveEstablished | Bool | false | Identifier for the manner in which the connection is established: FALSE: passive connection establishment; TRUE: active connection establishment |
| RemoteAddress | IP_V4 (Array[1..4] of Byte) | 16#C0, 16#A8, 16#0, 16#2 | IP address of the partner endpoint (e.g. 192.168.0.2) |
| RemotePort | UInt | 0 | Port number of the remote connection partner |
| LocalPort | UInt | 514 | Port number of the local connection partner |

Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".

Figure 3-9


Ascertain hardware identifier of the CPU or CP/CM interface

In the parameter data record "TCON_IP_V4" it is necessary to enter the correct
hardware identifier of the interface used. To determine the hardware identifier of
the interface, proceed according to the following instructions:
1. In the Network view or Device view, select the CPU or CP/CM interface whose
hardware ID you want to determine.
2. The properties of the CPU or CP/CM interface are displayed in the Inspector
window.
3. Open the "System constants" tab to display the hardware identifier of the
interface.
Figure 3-10

3.3 Cyberthreat analysis


Figure 3-11

A cyberthreat can be analyzed in 2 different ways.

Figure 3-12: Analysis of a Syslog message: numerically, using the Severity level of the message, or text-based, using the message itself

The example below is intended to illustrate the possible analysis methods, taking
the case of a Syslog message. The intrusion detection system (IDS) has sent the
following Syslog message to the S7-1500 SIBERprotect® for analysis:

Figure 3-13

<137>Jun 29 2019 13:18:56 nozomi-n2os2.ProductionArea.local n2osevents[0]: CEF:0|Nozomi Networks|N2OS|20.0.4-06301000_FCECF|SIGN:MALWARE-DETECTED|Malware detection|9|app=smb dvc=192.168.10.6 dvchost=nozomi-n2os2.ProductionArea.local cs1=9.0 cs2=true cs3=94746962-088f-4143-9362-d62bed01a67d cs4={trigger_type: yara_rules, trigger_id: RANSOM_MS17-010_Wannacrypt.yar} cs5=["d776a283-2952-4acf-9e9f-fc3581906439"] cs6=1 cs1Label=Risk cs2Label=IsSecurity cs3Label=Id cs4Label=Detail cs5Label=Parents cs6Label=n2os_schema dst=192.168.1.33 dmac=00:ff:9e:e0:87:77 dpt=445 msg=Suspicious transferring of malware named 'WannaCry_Ransomware' was detected involving resource '\\192.168.1.33\NOZOMI_LOCALSHARE\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe' by user 'NAS_NOZOMI\Nozomiers' after a 'write' operation [yara file name: RANSOM_MS17-010_Wannacrypt.yar] src=192.168.2.26 smac=78:4f:43:67:89:dd spt=61983 proto=TCP start=1561832336651


We can glean the following information from the message:

Figure 3-14: The message of Figure 3-13 annotated with the four fields evaluated below: Priority (<137>), Time (Jun 29 2019 13:18:56), Message (the CEF body) and Source (the IP address)

Table 3-5
| Information | Evaluation |
| --- | --- |
| Priority | The priority value is calculated as follows: Priority value = Facility * 8 + Severity. In the example, a priority value of 137 was received from a Syslog message, which gives 17 * 8 + 1 = 137: the Facility value is 17 and the Severity value is 1 (Alert). Using the Severity value, we can determine whether we are dealing with an alarm (see Table 3-6). |
| Time | The message is stamped with date and clock time. |
| Message | The message tells us that the program in question is the "WannaCry" malware. This is a ransomware attack. |
| Source | The source is given via the IP address. |

We can evaluate the message with the 2 methods described:
• Numerically, using the Severity value: "1 = Alert", or
• a text-based comparison with the "WannaCry" malware.


The processing logic of SIBERprotect® uses the Syslog severity model in reacting
to threats. The lowest 3 bits of the Priority value contain the Severity, a numerical
value between 0 and 7, where 0 is the most critical or urgent level.

Table 3-6
| Value | Severity | Description |
| --- | --- | --- |
| 0 | "Emergency" | The system is unusable. |
| 1 | "Alert" | Immediate measures must be taken. |
| 2 | "Critical" | Critical conditions |
| 3 | "Error" | Error states |
| 4 | "Warning" | Warning states |
| 5 | "Notice" | Normal but noteworthy state |
| 6 | "Informational" | Informational messages |
| 7 | "Debug" | Debug-level messages |

By default, SIBERprotect® activates protection for Severity levels 0 to 2 and only
triggers warnings for Severity levels above 2. This behavior can be changed by
modifying a setpoint value input on the block.

The following function block analyzes the message and filters the individual data
points out to the outputs of the block.

Note: A Syslog message can be structured differently depending on the vendor.
Therefore, the analysis algorithm must be customized to each vendor.
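As an added example that is not part of the application example's library, the following Python code performs the analysis described above on the message of Figure 3-13: it splits the priority into Facility and Severity, breaks the CEF body into its fields, and applies both evaluation methods (the numeric Severity threshold and the text-based comparison). The CEF header field names, the function names and the ThreatData type are assumptions of this example; the default threshold of 2 follows the document.

```python
import re
from dataclasses import dataclass, field

# Syslog Severity names of Table 3-6 (the low 3 bits of the priority value).
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Constructed sample: the Nozomi Networks message of Figure 3-13, joined into one line.
SAMPLE_MESSAGE = (
    "<137>Jun 29 2019 13:18:56 nozomi-n2os2.ProductionArea.local n2osevents[0]: "
    "CEF:0|Nozomi Networks|N2OS|20.0.4-06301000_FCECF|SIGN:MALWARE-DETECTED|"
    "Malware detection|9|app=smb dvc=192.168.10.6 "
    "dvchost=nozomi-n2os2.ProductionArea.local cs1=9.0 cs2=true "
    "cs3=94746962-088f-4143-9362-d62bed01a67d "
    "cs4={trigger_type: yara_rules, trigger_id: RANSOM_MS17-010_Wannacrypt.yar} "
    'cs5=["d776a283-2952-4acf-9e9f-fc3581906439"] cs6=1 cs1Label=Risk '
    "cs2Label=IsSecurity cs3Label=Id cs4Label=Detail cs5Label=Parents "
    "cs6Label=n2os_schema dst=192.168.1.33 dmac=00:ff:9e:e0:87:77 dpt=445 "
    "msg=Suspicious transferring of malware named 'WannaCry_Ransomware' was "
    r"detected involving resource '\\192.168.1.33\NOZOMI_LOCALSHARE\ed01ebfbc9eb5bbe"
    r"a545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe' by user "
    r"'NAS_NOZOMI\Nozomiers' after a 'write' operation "
    "[yara file name: RANSOM_MS17-010_Wannacrypt.yar] src=192.168.2.26 "
    "smac=78:4f:43:67:89:dd spt=61983 proto=TCP start=1561832336651"
)

# <PRI>, time stamp, sending host, tag and the message body, as sent by the sensor.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Za-z]{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+): (?P<body>.*)$")
# CEF extensions are "key=value" pairs whose values may contain spaces, so the
# extension string is split only in front of the next "key=" token.
EXT_SPLIT_RE = re.compile(r" (?=[A-Za-z0-9_]+=)")
# Names for the seven pipe-separated CEF header fields (assumed, for this example).
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                     "signature_id", "name", "cef_severity")


@dataclass
class ThreatData:
    """Python counterpart of the 'threat data' Struct of Table 3-8 (constructed here)."""
    priority: int
    facility: int
    severity: int
    severity_message: str
    time: str
    source: str            # host that sent the Syslog message
    threat_message: str    # the complete message body
    cef: dict = field(default_factory=dict)


def parse_nozomi_syslog(line: str) -> ThreatData:
    """Split one Syslog/CEF line into the data points the Process Message block outputs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: not a Syslog message in the expected form")
    priority = int(m["pri"])
    if priority > 191:            # largest legal value: facility 23 * 8 + severity 7
        raise ValueError(f"priority {priority} out of range")
    facility, severity = divmod(priority, 8)   # Priority = Facility * 8 + Severity
    body = m["body"]
    cef = {}
    if body.startswith("CEF:"):
        parts = body.split("|", 7)             # 7 header fields, extensions after them
        if len(parts) == 8:
            cef = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
            for pair in EXT_SPLIT_RE.split(parts[7]):
                key, _, value = pair.partition("=")
                cef[key] = value
    return ThreatData(priority, facility, severity, SEVERITY_NAMES[severity],
                      m["time"], m["host"], body, cef)


def evaluate_numeric(threat: ThreatData, threshold_severity: int = 2) -> str:
    """Numeric method: Severity <= threshold is a critical threat, anything above a warning."""
    return "critical" if threat.severity <= threshold_severity else "warning"


def evaluate_text(threat: ThreatData, keywords=("WannaCry",)) -> bool:
    """Text-based method: does the message mention one of the malware names we react to?"""
    text = threat.threat_message.lower()
    return any(k.lower() in text for k in keywords)
```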


Integration into the PLC program

1. Add the function block "Process Message Nazomi Networks" to your user
program from your library.

Figure 3-15

2. In the global data block "Internal Variables", add the following tags from the
graphic. Double-click "<Add new>" in an empty row to do this.
Figure 3-16

The tags below, each with their own data types, serve to interconnect the function block
"Process Message Nazomi Networks". For a description of the functionality, please refer
to Table 3-8 on the function block.

Table 3-7
| Name | Data type | Input/output at the block |
| --- | --- | --- |
| syslog_receive_execute | Bool | Input enable |
| syslog_receive_ndr | Bool | Input ndr |
| syslog_receive_rcvdLen | UDInt | Input rcvdLen |
| syslog_receive_message | Array[0..2047] of Byte | InOut rcvdData |
| syslog_process_done | Bool | Output done |
| syslog_process_busy | Bool | Output busy |
| syslog_process_error | Bool | Output error |
| syslog_process_threat data | Struct | Output threat data |


3. Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".
Figure 3-17

Figure 3-18: Block interface "Process Message Nazomi Networks": inputs enable (Bool), ndr (Bool), rcvdLen (Int); outputs done, busy, error (Bool), threat data (Struct); in/out rcvdData (Array[*] of Byte)

Table 3-8
| Name | P type | Data type | Comment |
| --- | --- | --- | --- |
| enable | IN | Bool | Enable signal for analysis of the Syslog message. |
| ndr | IN | Bool | A rising edge indicates new data have been received. They are processed in this block. |
| rcvdLen | IN | Int | Length in bytes of the received data. |
| done | OUT | Bool | TRUE: Job successfully executed. The received data are available at the threat data parameter. |
| busy | OUT | Bool | TRUE: Job is being executed. |
| error | OUT | Bool | TRUE: An error has occurred. |
| threat data | OUT | Struct | Structure for classifying a Syslog message that requires a response. |
| threat_time | OUT | DTL | Point in time when the Syslog message was received in the controller. |
| source | OUT | String | Origin of the Syslog message |
| priority | OUT | Int | Classification of priority value |
| facility | OUT | Int | Classification of the Syslog message by way of origin |
| severity | OUT | Int | Classification of the Syslog message by way of severity |
| severity message | OUT | String | Severity level output as String. |
| threat message | OUT | String | Syslog message output. |
| rcvdData | IN_OUT | Array[*] of Byte | Receive data range of the Syslog message. |

3.4 Responding to cyberthreats


Figure 3-19

The following block gives an overview of how it is possible to respond to
cyberthreats.

Threat level
A limit at the block makes it possible to determine the threshold past which a
Syslog message is treated as a critical threat or as a warning. To do this, the block
compares the limit with the Severity value. All values less than or equal to this
limit are classified as critical threats and all others as warnings. By default,
SIBERprotect® activates protection for Severity levels 0 to 2 and only triggers
warnings for Severity levels above 2. This behavior can be changed by modifying a
setpoint value input on the block.

Automatic/manual response
In some cases, the SIBERprotect® user may not desire an automatic response to
a critical threat or warning. For such cases, SIBERprotect® allows for manual
activation of the desired threat response.

SIBERprotect® actions
SIBERprotect® is capable of responding in the event of critical threats or warnings.
Taking the example of the block, digital outputs are activated to change firewall
rules, turn on an indicator light, issue an audible alarm or send an email
notification.
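The interplay of threat level, automatic/manual mode and acknowledgment inputs, as an added example that is not the library's code: a Python stand-in for the Threat Notification block, called once per PLC scan. Its latch and acknowledgment semantics are assumptions of this example (the document only states that a limit decides critical versus warning and that a manual mode exists), and the ThreatMessage type stands in for the threat data Struct.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThreatMessage:
    """Stand-in for the 'threat data' Struct of the Process Message block (constructed)."""
    severity: int
    source: str
    text: str


class ThreatNotification:
    """Cyclically called stand-in for the Threat Notification block.

    Assumed semantics (not taken from the library): in automatic mode the response
    outputs latch as soon as a new message is classified; in manual mode they latch
    only when the operator acknowledges the pending threat; while a response is
    active, an acknowledgment edge clears it again.
    """

    def __init__(self, threshold_severity: int = 2, mode_automatic: bool = True):
        self.threshold_severity = threshold_severity  # document default: 0..2 critical
        self.mode_automatic = mode_automatic
        # the four digital outputs of Table 3-10
        self.yellow_light = False
        self.red_light = False
        self.horn = False
        self.firewall = False
        # message structures offered to the HMI
        self.warning_threat_message: Optional[ThreatMessage] = None
        self.critical_threat_message: Optional[ThreatMessage] = None
        # edge memories and pending flags
        self._ndr_old = False
        self._ack_c_old = False
        self._ack_w_old = False
        self._pending_critical = False
        self._pending_warning = False

    def is_critical(self, severity: int) -> bool:
        """Threat level rule: Severity <= threshold is a critical threat, otherwise a warning."""
        return severity <= self.threshold_severity

    def cycle(self, enable: bool, ndr: bool, threat: Optional[ThreatMessage],
              ack_critical: bool, ack_warning: bool) -> bool:
        """One PLC scan. Returns 'done': TRUE in the scan a new message was classified."""
        ndr_edge = ndr and not self._ndr_old
        ack_c_edge = ack_critical and not self._ack_c_old
        ack_w_edge = ack_warning and not self._ack_w_old
        self._ndr_old, self._ack_c_old, self._ack_w_old = ndr, ack_critical, ack_warning
        if not enable:
            return False
        done = False
        if ndr_edge and threat is not None:
            done = True
            if self.is_critical(threat.severity):
                self.critical_threat_message = threat
                self._pending_critical = True
            else:
                self.warning_threat_message = threat
                self._pending_warning = True
        # critical response: red light, horn and the dynamic firewall rule set
        if self.red_light and ack_c_edge:
            self.red_light = self.horn = self.firewall = False
            self._pending_critical = False
        elif self._pending_critical and (self.mode_automatic or ack_c_edge):
            self.red_light = self.horn = self.firewall = True
        # warning response: yellow light only
        if self.yellow_light and ack_w_edge:
            self.yellow_light = False
            self._pending_warning = False
        elif self._pending_warning and (self.mode_automatic or ack_w_edge):
            self.yellow_light = True
        return done
```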


Integration into the PLC program


1. Create a new tag table "Digital Outputs".
Figure 3-20

2. Create 4 digital outputs for yellow and red indicator lights, the acoustic alarm
and the firewall.
Figure 3-21

3. Add the "Threat Notification" function block to your user program from your
library.

Figure 3-22


4. In the global data block "Internal Variables", add the following tags from the
graphic. Double-click "<Add new>" in an empty row to do this.

Figure 3-23

The tags below, each with their own data types, serve to interconnect the function block
"Threat Notification". For a description of the functionality, please refer to Table 3-10 on
the function block.

Table 3-9
| Name | Data type | Input/output at the block |
| --- | --- | --- |
| syslog_receive_execute | Bool | Input enable |
| syslog_receive_ndr | Bool | Input ndr |
| syslog_process_threat data | Struct | Input threat_message |
| HMI_manuell_automatic | Bool | Input mode automatic / manual |
| HMI_acknowledge_critical_threat | Bool | Input critical threat acknowledgement |
| HMI_acknowledge_warning_threat | Bool | Input warning threat acknowledgement |
| syslog_threat_notification_done | Bool | Output done |
| syslog_threat_notification_busy | Bool | Output busy |
| syslog_threat_notification_error | Bool | Output error |
| HMI_warning_threat | Struct | Output warning threat message |
| HMI_critical_threat | Struct | Output critical threat message |


5. Interconnect the inputs and outputs of the instruction with the parameters from
the data block "Internal Variables".

Figure 3-24

Figure 3-25: Block interface "Notification": inputs enable (Bool), ndr (Bool), threat message (Struct), threshold severity (Byte), mode automatic/manual (Bool), critical_threat_acknowledgment (Bool), warning_threat_acknowledgment (Bool); outputs done, busy, error (Bool), warning_threat_message (Struct), critical_threat_message (Struct); in/out warning threat yellow light, critical threat red light, critical threat horn, critical threat firewall (Bool)


Table 3-10
| Name | P type | Data type | Comment |
| --- | --- | --- | --- |
| enable | IN | Bool | Enable signal for processing of the Syslog message. |
| ndr | IN | Bool | A rising edge indicates new data have been received. They are processed in this block. |
| threat message | IN | Struct | Structure containing the filtered data such as time stamp, Severity, Facility, etc. These data come from the Process Message block. |
| threshold severity | IN | Byte | Sets the threshold past which a message is considered critical or a warning. |
| mode | IN | Bool | Sets the mode for whether a message will be processed manually or automatically. |
| critical_threat_acknowledgment | IN | Bool | Acknowledges a critical threat. |
| warning_threat_acknowledgment | IN | Bool | Acknowledges a warning. |
| done | OUT | Bool | TRUE: Job successfully executed. The received data are available at the parameter warning_threat_message or critical_threat_message. |
| busy | OUT | Bool | TRUE: Job is being executed. |
| error | OUT | Bool | TRUE: An error has occurred. |
| warning_threat_message | OUT | Struct | Structure containing the data from a warning such as time stamp, Severity, Facility, etc. |
| critical_threat_message | OUT | Struct | Structure containing the data from a critical threat such as time stamp, Severity, Facility, etc. |
| warning threat yellow light | IN_OUT | Bool | TRUE: Activates the indicator light in the event of a warning. |
| critical threat red light | IN_OUT | Bool | TRUE: Activates the indicator light in the event of a critical threat. |
| critical threat horn | IN_OUT | Bool | TRUE: Activates the acoustic alarm in the event of a critical threat. |
| critical threat firewall | IN_OUT | Bool | TRUE: Activates dynamic firewall rules in the event of a critical threat. |


3.4.1 Cell protection with SCALANCE S cell firewall

The example below is intended to demonstrate how data traffic between multiple
cells can be interrupted by SIBERprotect®. The purpose of this is to isolate the
cells from one another. An OPC UA connection that carries outbound
communication from the cell to an MES or SCADA system will serve as our
example. The aim is to demonstrate how the SCALANCE S is configured so that it
permits or blocks the connection as required in the event of danger. The SCALANCE S
decides on connection setup or cleardown via its digital input.

Table 3-11
| Service | Source | Destination | Destination port |
| --- | --- | --- | --- |
| OPC UA | 192.168.1.2 | 192.168.0.2 | TCP, 4840 |

Figure: Normal data traffic allowed. The OPC UA client (MES/SCADA in the industrial datacenter) reaches the OPC UA servers (S7-1200, HMI) in Cell 1 and Cell 2 via the RX1510 over Industrial Ethernet/PROFINET. The digital outputs Q0.1 and Q0.2 of the S7-1500 (DO = 0) are wired to the digital inputs of the two SCALANCE S (DI = 0), so the rule set "DROP OPC UA" is disabled. DO = Digital Output, DI = Digital Input.


When SIBERprotect® implements physical safeguards, it drives the digital inputs of
the device used for the interlock.

In our scenario, the data traffic is blocked due to one of the following scenarios:
• Malware or virus detected
• Ransomware detected

The SCALANCE S devices support this safeguard through the use of a digital input
for reconfiguring their firewall. This prevents communication to a device, network or
group of devices; these devices are placed under quarantine. The following
example shows a SCALANCE S firewall controlled by a digital input. In this case, a
user configuration with the name "SIBERprotect®" is configured and activated
when the digital input of the SCALANCE S is switched on. When the digital input is
turned on, the communication between the internal and external ports of the
SCALANCE S is halted.

Figure: Data traffic blocked. The IDS on the RX1510 sends a Syslog alarm to the S7-1500. The S7-1500 sets its digital outputs Q0.1 and Q0.2 (DO = 1), which sets DI = 1 on the SCALANCE S of Cell 1 and Cell 2 and activates the rule set "DROP OPC UA", so the OPC UA connection from the MES in the industrial datacenter to the OPC UA servers (S7-1200, HMI) is cut. DO = Digital Output, DI = Digital Input.


3.5 Firewall settings


The following steps show the firewall settings for an OPC UA connection.

3.5.1 IP address

The following options are available for assigning an IP address:
• USB console interface
• DHCP
• SINEC PNI (Article ID: 109804190)
• PRONETA (Article ID: 67460624)

The following Figures describe configuration with SINEC PNI.

1. Make sure that the client PC is connected with the SCALANCE S.
2. Click "Start network scan".
3. Select the SCALANCE S.
4. Click the "Device Management" button.
Figure 3-26


5. Click "Change Device Configuration".
Figure 3-27

6. Assign an IP address and subnet mask. Click the "Load" button.
Figure 3-28

Result:
The IP address and subnet mask have been assigned.
Figure 3-29

Note: The diagnostic tool "ping" lets you check whether a connection is active and
communication is possible.

3.5.2 Firewall settings

1. Open the Web Based Management. To do this, enter https://(IP address of the
SCALANCE S) in a browser.
2. For the initial logon, enter the user name "admin" and the password "admin".
3. Enter the current user password, "admin", and assign a new password.
Figure 3-30

4. Configure the internal and external interface as follows. Go to the menu "Layer
3 > Subnets".
Figure 3-31

The internal interface of the SCALANCE S receives a static IP address. The
internal interface is assigned in SINEC PNI.

Figure 3-32


The external interface of the SCALANCE S receives a static IP address.
Assign an IP address and a subnet mask. Click the "Set Values" button.
Figure 3-33

5. Switch to the menu "Security > Firewall > General". "Activate Firewall". To
confirm your settings in the Web Based Management, click on the "Set Values"
button.

Figure 3-34

6. Switch to the menu "Security > Firewall > IP Services". The IP service
definitions allow you to define firewall rules that can be applied to specific
services. In this case, you will assign a name and ascribe the service
parameters to it. The IP service for OPC UA is being set up in this example.
Enter a name for the IP service in the field. To create a table row in the Web
Based Management, click the "Create" button. To apply your settings, click on
the "Set Values" button.
Figure 3-35

7. Navigate to the menu "Security > Firewall > IP Rules". In order for the S7-1200
to communicate from the inside out without restriction, you will need to define
some IP rules. They limit communication to the following service: OPC UA.
Click "Create" to generate a new table row. Create the rule shown in the Table.
To apply your settings, click on the "Set Values" button.

Table 3-12
| Column | Entered value |
| --- | --- |
| Action | Accept |
| From | Vlan2 (external) |
| To | Vlan1 (internal) |
| Source (Range) | 192.168.1.2 |
| Destination (Range) | 192.168.0.2 |
| Service | OPC UA |


Figure 3-36

The OPC UA connection between client and server is now active. To be able to
interrupt this connection in the event of a threat, it is necessary to create dynamic
firewall rules.

8. Navigate to the menu "Firewall > Dynamic Rules". A rule set lets you bundle
firewall rules together, for example those required at a digital input. Assign the
rule set a name. In our case, the rule set is called "SIBERprotect". Assign the
SIBERprotect rule set to the digital input. Enter an IP address or an IP address
range that will be blocked as a consequence of the digital input signal.
Figure 3-37

9. Create a new rule to block data traffic. Link the IP rule with the SIBERprotect
rule set. To do this, click the "Assign to" button.
Figure 3-38


3.5.3 Email notification in case of threat

Figure 3-39

One element lacking in today's cyber landscape is rapid notification in case of a
cyberattack. In some cases it can take months before an attack is uncovered.
SIBERprotect® sets itself apart from such solutions by reporting from the scene of
the crime while a cyberattack is underway. The SIBERprotect® solution can
provide electronic notifications for detected threats. Because the SIMATIC S7-1500
is used for threat defense, its firmware also provides an email function. If a
serious threat is detected, an email can be sent with the time and details of the
detected threat. Most mobile phone providers offer an email address for text
messages: when a message reaches that address, it is converted to an SMS and
sent to the mobile number specified in the email. The email address is unique for
each mobile provider, but the format is always the same:
<Mobile_number>@mobile_service_email_address.
Example: To send a text to an AT&T mobile phone with the mobile number 123-
456-7890, use the email address [email protected]. In the event of a
coordinated cyberattack, it can be helpful to exchange information on threats
between locations. When one location receives a threat, suitable protection for
other locations can be triggered. A good example is a pipeline that is connected
with multiple transfer stations. One problem with electronic notifications is that the
external communication path itself can be a point of attack. Therefore, it is
recommended to use a data diode to prevent this eventuality.

The Figure below shows an architecture that includes a data diode. The data diode
is responsible for electronic notification in case of a threat.

Figure 3-40: SIBERprotect (S7-1500) -> Data diode -> Email -> Internet

More information on sending emails with a SIMATIC S7-1500 can be found at the
following article ID: 46817803.


Data diode
Data diodes take a different approach from firewalls to isolating two networks. A
data diode (in the Siemens portfolio the Data Capture Unit, DCU) only allows
communication to flow in one direction. This makes it possible to allow
communication from the production plant to the internet in the outbound direction
only, while the data diode prevents any communication in the inbound direction.
The component guarantees reliable physical (galvanic) isolation, so the critical
and the public network cannot interact: there is no direct electrical connection
between the two networks, and data transfer takes place inductively. Because
nothing can travel back through the diode, protocols that need a dialog (TCP,
SMTP) are handled by a sending proxy on the inner side and a receiving proxy on
the outer side; the plant side never receives a packet from the outside.

A plant with a data diode is able to send information to security personnel on the
outside without putting the plant at risk.

Figure 3-41


3.5.4 Indicator light column

SIBERprotect® uses a signal light column to indicate that a cyberattack is in progress.

Figure 3-42

The Table below shows the meaning of the signals from the signal light.

Table 3-13

Green
  Off: SIBERprotect® is not in operation
  On:  SIBERprotect® is in operation
  Description: The green light means that SIBERprotect® is running code in the
  S7-1500 PLC for threat defense.

Yellow
  Off: No minor threats detected
  On:  Minor threat detected
  Description: The yellow light illuminates when a minor threat has been
  detected. The threat must be acknowledged before the light goes out.

Red
  Off: No severe threats detected
  On:  A severe threat has been detected and physical security measures have
  been initiated.
  Description: The red light illuminates when a severe threat has been
  detected. The threat must be acknowledged before the light goes out.


3.5.5 Alarm

SIBERprotect® uses an acoustic alarm to signal that a cyberattack is in progress.

Figure 3-43

The Table below explains the meanings of the acoustic alarm.

Table 3-14

Off: No severe threats detected
On:  Severe threat detected
Description: The acoustic alarm sounds at the same time as the red indicator
light is turned on. The sound can be switched off on the HMI.


4 Using the application


Before you put the configuration into operation, make sure that the CPU and
WinCC use the same time setting (UTC time or local time), so that the time
stamps of threat messages match. The solution in the example below has been
implemented with Nozomi Networks.

4.1 Commissioning the example project


1. Unzip the file "109810533_SIBERprotect.zip".
2. Launch TIA Portal.
3. Open the project.
4. Change the IP address to match your controller and your HMI.
5. Download the project to your controller.
6. Start WinCC Runtime.

4.2 Operating the example project


1. Press "Activate SIBERprotect" to activate SIBERprotect®. The blocks are
activated in the PLC.

Figure 4-1

2. Trigger a cyberthreat detection in Nozomi Networks; in our case a WannaCry
detection.

You can also simulate cyberthreats. To do this, use the "LSyslog_Send" block
from the Library for Communication (Article ID: 109780503) to send a Syslog
message to the PLC. In the simulation, make sure that the message matches the
vendor's message format (see Figure 3-13); otherwise it will not be recognized
as a threat.


Figure 4-2

3. In manual mode, you must click the corresponding button for each response to
the cyberthreat. You can undo the action with another click.

Figure 4-3


4. A response to a cyberthreat in automatic mode activates all actions at once.


Figure 4-4

5. Cyberthreats can be acknowledged with the "Acknowledge" button.


Figure 4-5


6. The only consequence of a warning (minor threat) is that the yellow warning
light illuminates. You can acknowledge it with the "Acknowledge" button.
Figure 4-6
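As an added illustration of the behaviour described in Tables 3-13 and 3-14 and in the steps above (example code written for this page, not the SIBERprotect® PLC program), the following Python model latches minor and severe threats until they are acknowledged, drives the green, yellow and red lights and the acoustic alarm, and distinguishes manual mode (each action is toggled by the operator, a second click undoes it) from automatic mode (a severe threat activates all actions at once). The action name "firewall_block" (standing for the digital output that switches the SCALANCE S dynamic rule set), the rule that threats are ignored while SIBERprotect® has not been activated, the re-arming of the alarm on a new severe event, and the choice that acknowledging clears the lights but leaves actions as they are, are assumptions.

```python
# Added example, not the SIBERprotect PLC code: a model of the light column,
# acoustic alarm and manual/automatic response logic described on this page.
from dataclasses import dataclass, field
from typing import Dict

# Assumed action names; the page only describes a digital output that switches
# the SCALANCE S dynamic rule set, which "firewall_block" stands for here.
DEFAULT_ACTIONS = ("firewall_block",)


@dataclass
class ResponseController:
    mode: str = "manual"                  # "manual" or "automatic"
    active: bool = False                  # set by "Activate SIBERprotect"
    minor_latched: bool = False           # yellow light, held until acknowledged
    severe_latched: bool = False          # red light + alarm, held until acknowledged
    horn_muted: bool = False              # "The sound can be switched off on the HMI"
    actions: Dict[str, bool] = field(
        default_factory=lambda: {a: False for a in DEFAULT_ACTIONS})

    def activate(self) -> None:
        self.active = True

    def deactivate(self) -> None:
        self.active = False

    def threat(self, level: str) -> None:
        """Feed a classified threat ('minor' or 'severe') into the controller.
        Assumption: threats are ignored while SIBERprotect is not activated."""
        if level not in ("minor", "severe"):
            raise ValueError("level must be 'minor' or 'severe'")
        if not self.active:
            return
        if level == "minor":
            self.minor_latched = True     # "only consequence ... yellow light"
            return
        self.severe_latched = True
        self.horn_muted = False           # new severe event re-arms the alarm (assumption)
        if self.mode == "automatic":      # "activates all actions at once"
            for name in self.actions:
                self.actions[name] = True

    def toggle_action(self, name: str) -> bool:
        """Manual mode: one click activates the action, another click undoes it."""
        if self.mode != "manual":
            raise RuntimeError("actions are driven automatically in automatic mode")
        self.actions[name] = not self.actions[name]
        return self.actions[name]

    def acknowledge(self) -> None:
        """'Acknowledge' button: lights go out; actions stay as set (assumption)."""
        self.minor_latched = False
        self.severe_latched = False

    def mute_horn(self) -> None:
        self.horn_muted = True

    def outputs(self) -> Dict[str, bool]:
        """Signal states as in Tables 3-13 and 3-14."""
        red = self.severe_latched
        return {
            "green": self.active,
            "yellow": self.minor_latched,
            "red": red,
            "horn": red and not self.horn_muted,
        }


if __name__ == "__main__":
    c = ResponseController(mode="automatic")
    c.activate()
    c.threat("severe")
    print(c.outputs(), c.actions)   # red and horn on, firewall_block True
    c.mute_horn()
    c.acknowledge()
    print(c.outputs(), c.actions)   # lights off, firewall_block still True
```

Note that a minor threat never touches the actions, in either mode, which matches step 6 above; only the operator (manual mode) or a severe event (automatic mode) changes them.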


5 Useful information
5.1 Syslog
5.1.1 Description

Syslog is a logging protocol for the transmission of messages in an IP network
and has become a standard (RFC 5424) in the field of logging.
There are now many applications (routers, switches, firewalls, printers, scanners,
etc.) that are able to generate Syslog entries. A big advantage of Syslog is its clear
structure and its use in distributed systems. In principle, Syslog entries from
different computers can be sent via the network to a central computer and collected
there.
Generating a Syslog entry is quite simple: a UDP packet is sent to port 514 of a
machine running a Syslog server. The header must use the 7-bit US-ASCII
character set and should be formatted accordingly. If required, the following
information can be passed to the server via the formatting:
• Priority and type of the message
• Time of generation
• Name of the source computer
• Various identification numbers

If a message is formatted incorrectly, it is still accepted; however, the
complete content is then interpreted as message text, and default values are
used for parameters that could not be recognized (such as the time of
generation).
The Syslog protocol has a simple structure and can be divided into three main
blocks: the priority value (PRI), the header and the actual message.

PRI (priority value)
Header (identification information)
Message (the actual message)

Figure 5-1: PRI | Header | Message


Structuring
The Syslog protocol prescribes a fixed order and structure for the header
fields. If these rules are disregarded, the Syslog server cannot interpret the
information as such.
In detail, the structure is as follows:
PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
The header is followed by the STRUCTURED-DATA field ("-" if no structured data
is present) and, optionally, the free-text message.

A Syslog message does not necessarily have to carry a value for every element;
an unknown value is written as "-" (NILVALUE), and the receiver uses default
values for parameters it cannot recognize.

Note All elements and parameters must be entered in ASCII format (7 bits) in the
header.

The parameters have the following meanings:


Table 5-1: Parameters of a Syslog message

PRI        Enclosed in "<" and ">", 3 to 5 characters in total. PRI encodes
           the priority of the Syslog message, which is composed of a
           facility and a severity value.
VERSION    1 to 3 digits, the first of which is non-zero (RFC 5424 messages
           use "1"). This field gives the version of the Syslog specification.
TIMESTAMP  The time stamp; it has its own structure (RFC 3339 format) or "-".
HOSTNAME   Identifies the source computer by name or IP address, 1 to 255
           characters.
APP-NAME   The application name, 1 to 48 characters.
PROCID     The process ID, 1 to 128 characters.
MSGID      Identifies the type of message, 1 to 32 characters.

Note Additional information on the meaning of the parameters can be found in RFC
5424.
https://tools.ietf.org/html/rfc5424


The coding of the PRI field

PRI stands for priority and encodes the origin (facility field) and the
severity (severity field) of the message. This field is mandatory and is set by
the Syslog client that generates the message.
For the facility field, 5 bits are available; depending on the numerical value,
they indicate the service or component that generated the Syslog message.
An excerpt from RFC 5424 shows the possible values:

Table 5-2 Excerpt from RFC 5424 – Facility

Number   Description of the message type
0        kernel messages
1        user-level messages
2        mail system
3        system daemons
4        security/authorization messages
5        messages generated internally by syslogd
6        line printer subsystem
7        network news subsystem
8        UUCP subsystem
9        clock daemon
10       security/authorization messages
11       FTP daemon
12       NTP subsystem
13       log audit
14       log alert
15       clock daemon
16-23    local use 0 - 7 (local0 - local7)

RFC 5424 deliberately lists both 4 and 10 as security/authorization messages
and both 9 and 15 as clock daemon, because different operating systems use
different values for these message types.
For the severity field, there are 3 bits that define the severity of the Syslog
message, depending on the numerical value.
An excerpt from RFC 5424 shows the possible value ranges:

Table 5-3 Excerpt from RFC 5424 – Severity

Code   Severity        Description
0      Emergency       system is unusable
1      Alert           action must be taken immediately
2      Critical        critical conditions
3      Error           error conditions
4      Warning         warning conditions
5      Notice          normal but significant condition
6      Informational   informational messages
7      Debug           debug-level messages


The value entered between the characters "<" and ">" (as ASCII digits) is
calculated as follows:
Priority value = facility * 8 + severity
Example:
A "local use 4" message (facility = 20) with the severity "Notice" (severity = 5)
has a priority value of 20 * 8 + 5 = 165.
This result is placed between the angle brackets as ASCII characters. In this
case the PRI field in the header is 5 bytes long and contains the value "<165>",
i.e. the decimal byte values 60 49 54 53 62.

5.1.2 The transmission mechanism

Syslog uses UDP/IP over Ethernet as its transport in this example (RFC 5426);
RFC 5425 additionally defines a TLS-based transport.

UDP is a connectionless and therefore unreliable transport protocol; successful
delivery cannot be guaranteed. UDP datagrams also carry no authentication, so
the source address of a datagram can be forged. The receiver should therefore
only accept Syslog datagrams from the configured senders, for example by means
of a firewall rule.

For transmission, the Syslog message is packed into the payload of the UDP
datagram. Theoretically, a Syslog message could occupy the full UDP payload
(just under 64 KB). However, since the UDP datagram is itself carried in the
payload of the IP packet, which in turn is carried in the data field of the
Ethernet frame, a Syslog message that is to fit into one frame without IP
fragmentation is limited to the size of the Ethernet payload.
The Ethernet data field is 1500 bytes. Allowing for the overhead of the IP
header (20 bytes), the UDP header (8 bytes) and the Syslog header, the Syslog
message text must not exceed 1024 bytes.
Figure 5-2: Telegram structure

UDP:      | UDP header (8 bytes) | UDP user data (up to 64 KB) |
IP:       | IP header (20 bytes) | IP user data (max. 65,535 bytes) |
Ethernet: | Preamble (7 bytes) | SFD (1 byte) | Target MAC (6 bytes) |
          | Source MAC (6 bytes) | VLAN tag (4 bytes) | Ethertype (2 bytes) |
          | Data field (1500 bytes) | CRC (4 bytes) |
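As an added example that puts sections 5.1.1 and 5.1.2 together (written for this page; it is not part of the Siemens document or of the LSyslog library), the following Python code computes and decodes the PRI value, builds an RFC 5424 message and rejects it if the whole datagram exceeds 1024 bytes, sends it over UDP to a receiver socket in the same process, parses the header fields, accepts a malformed datagram by treating its whole content as message text, and maps the decoded severity onto the minor/severe classes used by the light column. The sample messages are constructed and do not reproduce the Nozomi Networks, Claroty or Fortinet message formats; the fallback priority <13> for input without a PRI and the severity-to-threat mapping are assumptions, not taken from the page.

```python
# Added example, not from the Siemens document or the LSyslog library:
# encode, send (loopback UDP), parse and classify RFC 5424 syslog messages.
# Sample messages are constructed here and do NOT reproduce the Nozomi
# Networks, Claroty or Fortinet message formats.
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_MSG_BYTES = 1024          # limit for the whole message given in section 5.1.2
FALLBACK_PRIVAL = 13          # assumed default (user-level, Notice) for PRI-less input


def encode_pri(facility: int, severity: int) -> int:
    """PRIVAL = facility * 8 + severity, e.g. local4 (20) + Notice (5) = 165."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def decode_pri(prival: int) -> Tuple[int, int]:
    """Inverse of encode_pri: facility is the upper 5 bits, severity the lower 3."""
    return prival >> 3, prival & 0x7


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    version: Optional[int]
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    msg: str
    well_formed: bool


# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA
# ("-" when empty) and the optional free-text MSG; field lengths per RFC 5424.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_HDR_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S{1,255}) "
    r"(?P<app>\S{1,48}) (?P<pid>\S{1,128}) (?P<mid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)


def parse(raw: bytes) -> SyslogMsg:
    """Parse one datagram. A malformed header is still accepted: the whole
    content becomes the message text and the other fields get defaults."""
    text = raw.decode("utf-8", errors="replace")
    m = _HDR_RE.match(text)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMsg(fac, sev, int(m["ver"]), m["ts"], m["host"], m["app"],
                         m["pid"], m["mid"], m["msg"] or "", True)
    p = _PRI_RE.match(text)                      # keep a leading PRI if there is one
    prival = int(p.group(1)) if p and int(p.group(1)) <= 191 else FALLBACK_PRIVAL
    fac, sev = decode_pri(prival)
    return SyslogMsg(fac, sev, None, "-", "-", "-", "-", "-", text, False)


def threat_level(m: SyslogMsg) -> str:
    """Assumed mapping onto the light column: Emergency..Critical -> severe (red),
    Error/Warning -> minor (yellow), Notice and below -> none."""
    if m.severity <= 2:
        return "severe"
    if m.severity <= 4:
        return "minor"
    return "none"


def build_datagram(facility: int, severity: int, hostname: str, app: str,
                   msgid: str, text: str, ts: str = "2023-01-17T09:15:00Z") -> bytes:
    """Assemble an RFC 5424 message (PROCID and STRUCTURED-DATA nil) and enforce
    the 1024-byte limit so it fits one Ethernet frame without IP fragmentation."""
    pri = encode_pri(facility, severity)
    data = f"<{pri}>1 {ts} {hostname} {app} - {msgid} - {text}".encode("utf-8")
    if len(data) > MAX_MSG_BYTES:
        raise ValueError(f"datagram is {len(data)} bytes, limit is {MAX_MSG_BYTES}")
    return data


def loopback_exchange(datagram: bytes) -> SyslogMsg:
    """Send the datagram over UDP to a receiver socket in this process (an
    ephemeral port stands in for UDP 514) and parse what arrives."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(datagram, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return parse(data)


if __name__ == "__main__":
    # Constructed sample: local use 4 + Notice -> "<165>", the document's own example.
    d = build_datagram(20, 5, "ids01", "monitor", "ALERT", "constructed test alert")
    print(d.decode(), "->", threat_level(loopback_exchange(d)))
    severe = build_datagram(20, 2, "ids01", "monitor", "MALWARE", "constructed ransomware alert")
    print(threat_level(parse(severe)), threat_level(parse(b"garbage from a misconfigured sender")))
```

Because the parser never rejects a datagram, a forged or garbled message from an unexpected sender still reaches threat_level(); the datagram's source address is not checked here at all, which is why the sender restriction mentioned in section 5.1.2 belongs in the firewall in front of the PLC rather than in the parser.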


5.2 Security features of the S7-1500 PLC


The document below contains a list of the security mechanisms that can be used to
protect the SIMATIC S7-1500 PLC with SIBERprotect®.

https://resources.dc.siemens.com/c/cybersecurity?x=LQ_yBh&lx=hCQl8A

5.3 NIST compliance


NIST is the US National Institute of Standards and Technology. Its Cybersecurity
Framework draws in part on the IEC 62443 series of standards. Customers often ask
whether Siemens products and solutions meet NIST requirements. Products alone
cannot meet these requirements: physical security measures are also required,
and these are the responsibility of the owner or operator of a plant; the
engineering of the solution is responsible for setting up the security
technologies correctly; and finally, the products used in the solution must
offer the necessary security functions.


6 Glossary
This chapter contains a list of the most important terms used in this document,
along with their definitions.

Information technology
Administrative division of a company that typically covers equipment such as office
PCs, servers and network devices.

IT
Short for Information Technology

Operational technology
Operational or production division of a company typically containing industrial
plants that are controlled with process automation and factory automation systems.

OT
Short for Operational Technology

SIBERprotect®
Siemens solution for guarding against cyberthreats


7 Appendix
7.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire
service and support know-how and portfolio.
The Industry Online Support is the central address for information about our
products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos
– all information is accessible with just a few mouse clicks:
support.industry.siemens.com

Technical Support
The Technical Support of Siemens Industry provides you fast and competent
support regarding all technical queries with numerous tailor-made offers
– ranging from basic support to individual support contracts.
Please send queries to Technical Support via Web form:
support.industry.siemens.com/cs/my/src

SITRAIN – Digital Industry Academy


We support you with our globally available training courses for industry with
practical experience, innovative learning methods and a concept that’s tailored to
the customer’s specific needs.
For more information on our offered trainings and courses, as well as their
locations and dates, refer to our web page:
siemens.com/sitrain

Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog
web page:
support.industry.siemens.com/cs/sc

Industry Online Support app


You will receive optimum support wherever you are with the "Siemens Industry
Online Support" app. The app is available for iOS and Android:
support.industry.siemens.com/cs/ww/en/sc/2067


7.2 Industry Mall

The Siemens Industry Mall is the platform on which the entire Siemens Industry
product portfolio is accessible. From the selection of products to ordering and
delivery tracking, the Industry Mall enables the complete purchasing process –
directly and independently of time and location:
mall.industry.siemens.com

7.3 Links and literature


Table 7-1
No. Topic
\1\ Siemens Industry Online Support
https://support.industry.siemens.com

\2\ Link to the article page of the application example


https://support.industry.siemens.com/cs/ww/en/view/109810533
\3\ RUGGEDCOM cybersecurity solutions for Industrial Networks
https://youtu.be/ivcBcQk0D2c

7.4 Change documentation


Table 7-2
Version Date Change
V1.0 01/2023 First edition
