Firmware signature

Every CPU firmware is signed by Siemens. The CPU checks this signature at every firmware update. If the firmware signature verification fails, the firmware is not uploaded to the CPU. This ensures protection against manipulated firmware updates.

2.5 Additional CPU protection measures

The following measures additionally increase the protection against unauthorized access to functions and data on the S7 CPU, both externally as well as over the network:
• Disable or restrict the web server
• Disable PUT/GET communication (S7-1200 (V4)/S7-1500)
• Disable time synchronization via NTP server

Note: These functions are disabled by default in the modules' default configurations.

Security functions for the web server

The web server allows you to remotely control and monitor the CPU via a company's internal intranet. This allows evaluation and diagnostics to be carried out remotely.
However, enabling the web server can increase the risk of unauthorized access to the CPU.
If you wish to enable the web server, the following measures are recommended for protecting the CPU:
• Access via the secure "https" transmission protocol
• Configurable user and function privileges via user list
  – Create users
  – Define execution rights
  – Assign passwords

User management grants users exclusively the options that are assigned to execution rights. If a user is configured, the user's password grants access to the web pages in accordance with the user's access rights.
A user with the name "Jeder" [German: Everyone] has been preconfigured. This user has minimal access permissions (write-protected access to the Intro and Start page). The "Jeder" user has been set without a password and cannot be modified.

Disable PUT/GET communication (S7-1200 (V4)/S7-1500)

The CPU can act as a server for a number of communication services. Other communication participants can access CPU data even if you do not configure or program any CPU connections.
This renders the local CPU, in its role as a server, incapable of controlling communication with the clients.
You can use the "Connection mechanisms" parameter in the "Protection" area of the CPU parameters to set whether this type of communication is permissible for the local CPU while in operation.
By default, the option "Allow access via PUT/GET communication from remote partners" is disabled. Read and write access to CPU data is then only possible with communication connections that require configuration/programming not only for the local CPU but also for the communication partner. Access operations such as those via the BSEND/BRCV instructions are possible.
Connections for which the local CPU is only a server (i.e. for the local CPU, no configuration/programming has been carried out for the communication to the communication partner) are thus not possible when the CPU is in operation. Examples of such connections include:
• PUT/GET, FETCH/WRITE or FTP access operations via communication modules
• PUT/GET access from other S7 CPUs
• HMI access operations implemented via PUT/GET communication
If you wish to allow client-side access to CPU data, i.e. if you do not wish to restrict the CPU's communication services, then enable the option "Allow access via PUT/GET communication from remote partners".

Security | Article ID: 90885010, V3.0, 11/2022 | © Siemens AG 2022 All rights reserved

3 Security mechanisms on the S7 CPs

The chapters below show which security mechanisms are offered by the SIMATIC S7 CPs (CP x43-1 Advanced V3 and CP 1x43-1).

Note: The functions in the CP 1543-1 are configurable as of STEP 7 Professional V12 incl.
Update 1. The CP 1243-1 requires at least STEP 7 Professional V13 Update 3.

Figure 3-1 Types of CPs: CP 1543-1, CP 1243-1, CP 343-1 Advanced, CP 443-1 Advanced

3.1 Stateful inspection firewall

Description

The filtering performance of a packet filter can be greatly improved by checking the IP packets in their respective context. For example, it is desirable to let in a UDP packet inbound from an external computer only if another UDP packet was recently sent out to the same computer (e.g. in the event of a DNS query sent from a client in the internal network to an external DNS server). To enable this feature, the packet filter must be able to keep a status for all current connections. Packet filters with this capability are thus referred to as "stateful".

Properties

Stateful inspection firewalls have the following properties:
• With TCP connections: Emulation of the status inspection of a full TCP/IP protocol stack.
• With UDP connections: Simulation of virtual connections.
• Generation and deletion of dynamic filter rules.

3.2 Data encryption via VPN

Description

A VPN (virtual private network) refers to a private network that uses a public network (e.g. the internet) as a transit network to transmit private data to a private destination network. The networks do not need to be compatible with one another for this.
While VPNs use the addressing mechanisms of the transit network to work, they use their own network packets to separate the transport of private data packets from the others. This allows the private networks to appear as one contiguous logical (virtual) network.

IPSec

An important aspect of data communication across network boundaries is IPSec (IP security). It is a standardized protocol suite that allows for vendor-agnostic, secure and protected data exchange over IP networks.
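The UDP behaviour described in section 3.1 (an inbound datagram is admitted only while a recent outbound datagram to the same host is on record, and the permitting rule is created and later deleted dynamically) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Siemens code and does not reproduce the CP's firewall implementation. The internal network prefix, the timeout value and the IP addresses are constructed sample values.

```python
# Added example (not Siemens code): a minimal stateful packet filter for UDP,
# modelled on section 3.1. An outbound datagram creates a "virtual connection"
# entry; an inbound datagram is admitted only if it mirrors such an entry that
# has not yet expired. Entry creation and expiry are the dynamic filter rules.
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 30.0  # constructed value: seconds a UDP pseudo-connection lives without traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatefulUdpFilter:
    """Tracks outbound UDP flows from the internal network and admits only replies to them."""

    def __init__(self, internal_net_prefix: str, timeout: float = UDP_STATE_TIMEOUT):
        self.internal_net_prefix = internal_net_prefix
        self.timeout = timeout
        # (internal_ip, internal_port, external_ip, external_port) -> time last seen
        self.state: dict[tuple, float] = {}

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_net_prefix)

    def _expire(self, now: float) -> None:
        # Dynamic rule deletion: drop entries that have seen no traffic within the timeout
        stale = [k for k, t in self.state.items() if now - t > self.timeout]
        for k in stale:
            del self.state[k]

    def process(self, pkt: Packet, now: float) -> str:
        """Return "accept" or "drop" for one datagram observed at time `now`."""
        self._expire(now)
        if pkt.proto != "udp":
            return "drop"  # TCP state emulation is not modelled here
        outbound = self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip)
        inbound = not self._is_internal(pkt.src_ip) and self._is_internal(pkt.dst_ip)
        if outbound:
            # Dynamic rule generation: remember the flow so the reply can come back
            self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return "accept"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.state:
                self.state[key] = now  # refresh the virtual connection
                return "accept"
            return "drop"  # unsolicited inbound datagram
        return "drop"  # neither direction crosses the protected boundary


def demo() -> list[str]:
    """Walk a DNS-like exchange through the filter; returns the verdict sequence."""
    fw = StatefulUdpFilter("192.168.0.")
    query = Packet("192.168.0.10", 40000, "203.0.113.53", 53)        # internal client -> external DNS
    reply = Packet("203.0.113.53", 53, "192.168.0.10", 40000)        # matching answer
    unsolicited = Packet("198.51.100.7", 53, "192.168.0.10", 40000)  # other external host
    return [
        fw.process(unsolicited, 0.0),  # drop: no outbound flow recorded yet
        fw.process(query, 1.0),        # accept: outbound creates the dynamic rule
        fw.process(reply, 2.0),        # accept: mirrors the tracked flow
        fw.process(unsolicited, 3.0),  # drop: wrong external host
        fw.process(reply, 40.0),       # drop: rule expired (38 s since last traffic)
    ]


if __name__ == "__main__":
    print(demo())
```

The point to notice is the last verdict: the same reply that was accepted at 2.0 s is dropped at 40.0 s, because the rule that admitted it no longer exists. A stateless packet filter would need a permanent "allow UDP/53 inbound" rule to get the same exchange through, which would also admit the unsolicited datagram.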
The essential aim of IPSec is to secure and safeguard data during transmission across an unsecure network. All known vulnerabilities, such as eavesdropping and modification of data packets, can be prevented using this security standard. This is made possible through encrypted data packets and authentication of the participants.

3.3 NAT/NAPT (address translation)

Description

Network Address Translation (NAT) and Network Address Port Translation (NAPT) are protocols for translating private IP addresses into public IP addresses.

Address translation with NAT

NAT is a protocol for translating between two address spaces. Its primary function is to translate public addresses, that is, IP addresses used and routed in the public internet, into private IP addresses and vice versa.
This technique allows addresses in the internal network to be hidden from the outside in the external network. The internal nodes are only visible in the external network via the external IP addresses defined in the address translation list (NAT table).
Traditional NAT is a 1:1 translation, i.e. one private IP address is translated to one public one. The address by which an internal node is reached is thus an external IP address.
The NAT table contains a mapping between private and public IP addresses, and is configured and managed in a gateway or router.

Address translation with NAPT

NAPT is a variant of NAT and the two are often equated with one another. The difference to NAT is that with this protocol, ports can also be translated.
There is no longer a 1:1 translation of IP addresses.
Rather, there is only one public IP address, which is translated into a series of private IP addresses through the addition of port numbers. The address by which an internal node is reached is an external IP address with a port number.
The NAPT table contains a mapping from external ports to the private IP addresses, including the port number; it is configured and managed in a gateway or router.

3.4 Secure IT functions

3.4.1 File Transfer Protocol (FTP)

Description

The File Transfer Protocol is a specific network protocol used for data transmission between an FTP server and an FTP client or, when client-driven, between two FTP servers.
FTP allows data to be exchanged and folders to be created, renamed or deleted. Communication between an FTP client and an FTP server takes place in the form of an exchange of text-based commands. Each command sent by the FTP client induces a response from the FTP server in the form of a status code and a message in cleartext.
FTP creates two logical connections for this purpose: one control channel via port 21 for transmitting FTP commands (and the responses thereto), and one data channel via port 20 for transmitting data.
With passive FTP, both channels are initiated by the FTP client, while with active FTP one of the channels is initiated by the FTP server.

Solution for secure FTP

To protect data during transmission, FTP also has the capability of data encryption and authentication.
The simplest method of implementing a secure FTP connection is Transport Layer Security, or TLS (formerly Secure Sockets Layer, or SSL). TLS is located on the Presentation Layer of the OSI layer model. Here, the data stream is encrypted with a key at the lowest bit level at the start of a connection.
The TLS handshake protocol is used for identification and authentication of the participants. Negotiation of an encryption key takes place through the public key method.
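To make the difference between the two translation tables of section 3.3 concrete, here is an added example (written for this page, not Siemens code and not the CP's NAT implementation) that carries packets through a 1:1 NAT table and a NAPT table side by side. The IP addresses are constructed sample values from the RFC 1918 private and RFC 5737 documentation ranges, and the external port range the NAPT allocates from is an arbitrary assumption.

```python
# Added example (not Siemens code): traditional 1:1 NAT versus NAPT, per section 3.3.
# Both translate addresses in an outbound packet and undo the translation on the
# reply; only NAPT also rewrites the port, which lets one public address serve many
# internal nodes. Unmapped inbound traffic yields None: the internal node is invisible.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat1to1:
    """Traditional NAT: each private address maps to exactly one public address."""

    def __init__(self, table: dict):
        self.priv_to_pub = dict(table)
        self.pub_to_priv = {pub: priv for priv, pub in table.items()}
        if len(self.pub_to_priv) != len(self.priv_to_pub):
            raise ValueError("1:1 NAT table maps two private addresses to one public address")

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.priv_to_pub[pkt.src_ip])  # port untouched

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.pub_to_priv.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)


class Napt:
    """NAPT: a single public address; internal nodes are told apart by external port."""

    def __init__(self, public_ip: str, first_port: int = 40000):  # port range is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        self.ext_port_to_internal: dict = {}  # external port -> (private ip, private port)
        self.internal_to_ext_port: dict = {}  # (private ip, private port) -> external port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        port = self.internal_to_ext_port.get(key)
        if port is None:  # first packet of this internal flow: allocate a NAPT table row
            port = self.next_port
            self.next_port += 1
            self.internal_to_ext_port[key] = port
            self.ext_port_to_internal[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        internal = self.ext_port_to_internal.get(pkt.dst_port)
        if internal is None:
            return None  # no row for this port: nothing inside is reachable
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])


def demo_nat():
    """1:1 NAT: one public address per internal node; unknown public address -> None."""
    nat = Nat1to1({"192.168.0.10": "203.0.113.10", "192.168.0.11": "203.0.113.11"})
    out = nat.outbound(Packet("192.168.0.10", 5000, "198.51.100.1", 80))
    back = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.10", 5000))
    unknown = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.99", 5000))
    return out, back, unknown


def demo_napt():
    """NAPT: two internal nodes using the same source port share one public address."""
    napt = Napt("203.0.113.1")
    a = napt.outbound(Packet("192.168.0.10", 5000, "198.51.100.1", 80))
    b = napt.outbound(Packet("192.168.0.11", 5000, "198.51.100.1", 80))
    reply_b = napt.inbound(Packet("198.51.100.1", 80, "203.0.113.1", b.src_port))
    unmapped = napt.inbound(Packet("198.51.100.1", 80, "203.0.113.1", 22))
    return a, b, reply_b, unmapped


if __name__ == "__main__":
    print(demo_nat())
    print(demo_napt())
```

In `demo_napt` both internal nodes leave with the same public address 203.0.113.1 and are distinguished only by the external port the table assigned; an inbound packet to a port without a table row (here 22) is discarded, which is the "internal nodes are hidden" property of the text.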
To this end, the FTP server sends the FTP client a certificate with its public key. The public key in the certificate must have been certified beforehand by a certificate authority and provided with a digital signature.

FTPS

Explicit FTP for secure data transmission (FTPS) is a combination of FTP and the TLS protocol. It uses the same ports as in normal FTP mode (ports 20/21).
The key for TLS is a certificate that is generated and shipped with the configuration of the security CPs.
Secure FTP data transfer with the CP x43-1 Advanced V3 and CP 1x43-1 is only possible with the security function enabled, and it must be explicitly enabled in the CP configuration.

3.4.2 Network Time Protocol (NTP)

Description

The Network Time Protocol (NTP) is a standardized protocol for time synchronization of multiple computers/modules via the network. Its accuracy is in the millisecond range. The clock time is provided to NTP clients by an NTP server.

NTP (secure)

Secure NTP allows for secure and authenticated time synchronization using authentication methods and a shared secret key. The NTP server and the NTP clients must support this function.
Secure time synchronization is supported by the CP x43-1 Advanced V3 and CP 1x43-1 as long as the security function and the advanced NTP configuration are explicitly enabled in the CP's configuration in STEP 7.

3.4.3 Hypertext Transfer Protocol (HTTP)

Description

The Hypertext Transfer Protocol (HTTP) belongs to the family of internet protocols and is a standardized method of transmitting data on a network.
HTTP is mostly used for loading web pages from a web server in a web browser.

HTTPS

Data transmitted over HTTP is readable as cleartext and can be eavesdropped by third parties.
Today more than ever – in the age of online banking, online shopping and social networks – it is important that confidential and private data be transmitted safely and away from the eyes of unauthorized parties.
The easiest method of tap-proof transmission is Hypertext Transfer Protocol Secure (HTTPS). HTTPS is structured like HTTP, but it always uses the TLS protocol for encryption.

3.4.4 Simple Network Management Protocol (SNMP)

Description

SNMP (Simple Network Management Protocol) is a UDP-based protocol that was defined specifically for the administration of data networks. It has become established as the de facto standard in TCP/IP devices. The individual nodes in the network (network components or end devices) are equipped with a so-called SNMP agent that provides information in structured form. This structure is called the MIB, or Management Information Base. The agent in the network node is typically implemented as a firmware functionality.

Management Information Base – MIB

An MIB (Management Information Base) is a standardized data structure made up of different SNMP variables and written in a language that is independent of the target system. Thanks to the cross-vendor standardization of MIBs and the access mechanisms, even a heterogeneous network with components from different manufacturers can be monitored and controlled. If component-specific data and non-standardized data are needed for network monitoring, these can be described by manufacturers in so-called "Private MIBs".

Secure SNMP (SNMPv3)

SNMP is available in different versions: SNMPv1, SNMPv2 and SNMPv3. SNMPv1 and SNMPv2 are still in use to some extent.
However, SNMPv1 and SNMPv2 should not be used, because these versions implement limited or no security mechanisms, unless other security mechanisms have been implemented (e.g. the cell security concept). From version 3 onward, SNMP additionally offers user management with authentication as well as optional encryption of data packets. This greatly increases the security of SNMP. Secure SNMP is supported by the CP x43-1 Advanced V3 and CP 1x43-1 if the security function and SNMPv3 have been explicitly enabled in the configuration of the CP in STEP 7.

4 Appendix

4.1 Service and support

Industry Online Support

Do you have any questions or need assistance?
Siemens Industry Online Support offers round-the-clock access to our entire service and support know-how and portfolio.
Industry Online Support is the central address for information about our products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos – all information is accessible with just a few mouse clicks:
support.industry.siemens.com

Technical Support

The Technical Support of Siemens Industry provides you with fast and competent support regarding all technical queries, with numerous tailor-made offers – ranging from basic support to individual support contracts.
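The "user management with authentication" that section 3.4.4 attributes to SNMPv3 rests on the User-based Security Model of RFC 3414: a user's password is stretched into a key, that key is localized with the agent's engine ID, and every authenticated message carries an HMAC-96 tag computed with the localized key. The following is an added example written for this page to show that mechanism; it is not Siemens code and not the CP's SNMPv3 implementation, and the engine IDs, password and message body are constructed sample values.

```python
# Added example (not Siemens code): RFC 3414 USM key derivation and HMAC-96
# message authentication, the basis of SNMPv3 "authNoPriv"/"authPriv" users.
# Privacy (encryption of the PDU) is not covered here.
import hashlib
import hmac

PASSWORD_STRETCH_BYTES = 1024 * 1024  # RFC 3414 A.2: hash 1 MiB of the repeated password


def password_to_intermediate_key(password: str, algo: str = "sha1") -> bytes:
    """Ku: digest of the password repeated cyclically up to 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(PASSWORD_STRETCH_BYTES, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one specific agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def password_to_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Full RFC 3414 password-to-key algorithm (A.2.1 for md5, A.2.2 for sha1)."""
    return localize_key(password_to_intermediate_key(password, algo), engine_id, algo)


def authenticate(msg: bytes, kul: bytes, algo: str = "sha1") -> bytes:
    """HMAC-96: the first 12 bytes of the HMAC over the whole message.
    The caller passes the message with its msgAuthenticationParameters field zeroed."""
    return hmac.new(kul, msg, algo).digest()[:12]


def verify(msg: bytes, tag: bytes, kul: bytes, algo: str = "sha1") -> bool:
    """Constant-time comparison of the received tag against a fresh computation."""
    return hmac.compare_digest(authenticate(msg, kul, algo), tag)


def usm_demo() -> dict:
    """Two agents (e.g. two CPs) with different engine IDs share one user password."""
    # Constructed sample values; real engine IDs are assigned by the agent
    engine_a = bytes.fromhex("800000000100000000000000a1")
    engine_b = bytes.fromhex("800000000100000000000000b2")
    k_a = password_to_key("correct-horse-battery", engine_a)
    k_b = password_to_key("correct-horse-battery", engine_b)
    msg = b"constructed SNMPv3 message body (get sysDescr.0)"
    tag = authenticate(msg, k_a)
    return {
        "keys_differ_per_engine": k_a != k_b,      # localization yields distinct keys
        "valid_on_a": verify(msg, tag, k_a),       # the intended agent accepts it
        "replayed_to_b": verify(msg, tag, k_b),    # the other agent rejects it
        "tampered": verify(msg + b"x", tag, k_a),  # any modification breaks the tag
    }


if __name__ == "__main__":
    print(usm_demo())
```

Two properties are worth noting from a defender's side: the 1 MiB stretch is what makes offline guessing of SNMPv3 passwords slower than guessing an SNMPv1/v2c community string, and the localization step means a key recovered from one agent's configuration is not directly the key of another agent, even when both were provisioned with the same password.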
Please send queries to Technical Support via web form:
siemens.com/SupportRequest

SITRAIN – Digital Industry Academy

We support you with our globally available training courses for industry with practical experience, innovative learning methods and a concept that's tailored to the customer's specific needs.
For more information on our offered trainings and courses, as well as their locations and dates, refer to our web page:
siemens.com/sitrain

Service offer

Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services on the service catalog web page:
support.industry.siemens.com/cs/sc

Industry Online Support app

You will receive optimum support wherever you are with the "Siemens Industry Online Support" app. The app is available for iOS and Android: