Firmware signature
Every CPU firmware is signed by Siemens. The CPU checks this signature at every firmware update. If the firmware signature verification fails, the firmware is not uploaded to the CPU. This ensures protection against manipulated firmware updates.

2.5 Additional CPU protection measures
The following measures additionally increase the protection against unauthorized access to functions and data on the S7 CPU, both externally as well as over the network:
• Disable or restrict the web server
• Disable PUT/GET communication (S7-1200 (V4)/S7-1500)
• Disable time synchronization via NTP server

Note: These functions are disabled in the modules' default settings.

Functions for the web server
The web server allows you to remotely control and monitor the CPU via a company's internal intranet. This allows evaluation and diagnostics to be carried out remotely. However, enabling the web server can increase the risk of unauthorized access to the CPU. If you wish to enable the web server, the following measures are recommended for protecting the CPU:
• Access via the secure "HTTPS" transmission protocol
• Configurable user and function privileges via user list
– Create users
– Define execution rights
– Assign passwords

User management grants users exclusively the options that are assigned to execution rights. If a user is configured, the user's password grants access to the web pages in accordance with the user's access rights. A user with the name "Jeder" [German: everyone] has been preconfigured. This user has minimal access permissions (write-protected access to the intro and start page). The "Jeder" user has been set without a password and cannot be modified.

Disable PUT/GET communication (S7-1200 (V4)/S7-1500)
The CPU can act as a server for a number of communication services. Other communication participants can access CPU data even if you do not configure or program any CPU connections.
This renders the local CPU, in its role as a server, incapable of controlling communication with the communication partner. You can use the "Connection mechanisms" parameter in the "Protection" area of the CPU parameters to set whether this type of communication is permissible for the local CPU. By default, the option "Allow access via PUT/GET communication from remote partners" is disabled. Read and write access to CPU data is then only possible with communication connections that require configuration/programming not only for the local CPU but also for the communication partner. Access operations such as those via BSEND/BRCV instructions are possible. Connections for which the local CPU is only a server (i.e. for the local CPU, no configuration/programming has been carried out for the communication to the communication partner) are thus not possible when the CPU is in operation. Examples of such connections include:

[Page header/footer: 2 Security mechanisms on the S7 CPUs, Security, Article ID: 90885010, V3.0, 11/2022, page 26, © Siemens AG 2022 All rights reserved]

• PUT/GET, FETCH/WRITE or FTP access operations via communication modules
• PUT/GET access from other S7 CPUs
• HMI access operations implemented via PUT/GET communication

If you wish to allow client-side access to CPU data, i.e. if you do not wish to restrict the CPU's communication services, then enable the option "Allow access via PUT/GET communication from remote partners".

3 Security mechanisms on the S7 CPs
The chapters below show which security mechanisms are offered by the SIMATIC S7 CPs (CP x43-1 Advanced V3 and CP 1x43-1).

Note: The functions in the CP 1543-1 are configurable as of STEP 7 Professional V12 incl.
Update 1. The CP 1243-1 requires at least STEP 7 Professional V13 Update 3.

Figure 3-1 Types of CPs: CP 1543-1, CP 1243-1, CP 343-1 Advanced, CP 443-1 Advanced

3.1 Stateful inspection firewall
Description
The filtering performance of a packet filter can be greatly improved by checking the IP packets in their respective context. For example, it is desirable to let in a UDP packet inbound from an external computer only if another UDP packet was recently sent out to the same computer (e.g. in the event of a DNS query sent from a client in the internal network to an external DNS server). To enable this feature, the packet filter must be able to manage a status for all current connections. Packet filters with this capability are thus referred to as "stateful".

Properties
Stateful inspection firewalls have the following properties:
• With TCP connections: emulation of status inspection of a full TCP/IP protocol stack.
• With UDP connections: simulation of virtual connections.
• Generation and deletion of dynamic filter rules.

3.2 Data encryption via VPN
Description
A VPN (Virtual Private Network) refers to a private network that uses a public network (e.g. the Internet) as a transit network to transmit private data to a private destination network. The networks do not need to be compatible with one another for this. While VPNs use the addressing mechanisms of the transit network to work, they use their own network packets to separate the transport of private data packets from the others. This fact allows the private networks to appear as a contiguous logical (virtual) network.

IPsec
An important aspect of data communication across network boundaries is IPsec (IP Security). It is a standardized protocol suite that allows for vendor-agnostic, secure and protected data exchange over IP networks. The essential aim of IPsec is to secure and safeguard data during transmission into an unsecure network.
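The UDP "virtual connection" handling described in 3.1 above, as an added example that is not part of the Siemens document: an outbound UDP packet generates a dynamic filter rule, a matching inbound packet is accepted only while that rule is alive, and idle rules are deleted again. All addresses, ports and timestamps are constructed sample values.

```python
# Added example, not from the Siemens document: a minimal stateful UDP
# packet filter modelling the "virtual connection" described in 3.1.
# An outbound UDP packet creates a dynamic filter rule; an inbound packet
# is accepted only while a matching rule is alive, and idle rules are
# deleted again. All addresses, ports and timestamps are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class StatefulUdpFilter:
    def __init__(self, timeout_s=30.0):
        self.timeout_s = timeout_s
        # (local_ip, local_port, remote_ip, remote_port) -> expiry time
        self.rules = {}

    def outbound(self, pkt, now):
        # Internal -> external: generate the dynamic rule for the reply.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.rules[key] = now + self.timeout_s
        return True

    def inbound(self, pkt, now):
        # External -> internal: accept only if a live outbound rule matches
        # (stricter than host-only matching: the full 4-tuple must agree).
        self._expire(now)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.rules:
            return False
        self.rules[key] = now + self.timeout_s  # traffic refreshes the rule
        return True

    def _expire(self, now):
        # Delete dynamic rules whose idle timeout has elapsed.
        for key in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[key]


def demo():
    # Constructed scenario: an internal client queries an external DNS server.
    fw = StatefulUdpFilter(timeout_s=30.0)
    query = Packet("192.168.0.10", 53000, "203.0.113.53", 53)
    reply = Packet("203.0.113.53", 53, "192.168.0.10", 53000)
    stray = Packet("198.51.100.7", 53, "192.168.0.10", 53000)  # unsolicited
    fw.outbound(query, now=0.0)
    return {
        "reply_accepted": fw.inbound(reply, now=1.0),
        "unsolicited_dropped": not fw.inbound(stray, now=1.0),
        "reply_after_timeout": fw.inbound(reply, now=100.0),
    }
```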
All known vulnerabilities of data in transit, such as eavesdropping and modification of data packets, can be prevented using this security standard. This is made possible through encrypted data packets and authentication of participants.

3.3 NAT/NAPT (address translation)
Description
Network Address Translation (NAT) and Network Address Port Translation (NAPT) are protocols for translating private IP addresses into public IP addresses.

Address translation with NAT
NAT is a protocol for translating between two address spaces. Its primary function is to translate public addresses, that is, IP addresses used and routed in the public Internet, into private IP addresses and vice versa. This allows addresses in the internal network to be hidden from the outside in the external network. The internal nodes are only visible in the external network via the external IP addresses defined in the address translation list (NAT table). Traditional NAT is a 1:1 translation, i.e. one private IP address is translated to one public one. The address by which an internal node is reached is thus an external IP address. The NAT table contains a mapping between private and public IP addresses, and is configured and managed in a gateway or router.

Address translation with NAPT
NAPT is a variant of NAT and the two are often equated with one another. The difference to NAT is that with this protocol, ports can also be translated. There is no longer a 1:1 translation of IP addresses.
Rather, there is only one public IP address which is translated into a series of private IP addresses through the addition of port numbers. The address by which an internal node is reached is an external IP address with a port number. The NAPT table contains a mapping from external ports to the private IP addresses, including port number; it is configured and managed in a gateway or router.

3.4 Secure IT functions

3.4.1 File Transfer Protocol (FTP)
Description
The File Transfer Protocol is a specific network protocol used for data transmission between an FTP server and FTP client or, when client-driven, between two FTP servers. FTP allows data to be exchanged and folders to be created, renamed or deleted. Communication between an FTP client and FTP server takes place in the form of an exchange of text-based commands. Each command sent by the FTP client induces a response from the FTP server in the form of a status code and a message in cleartext. FTP creates two logical connections for this purpose: one control channel via port 21 for transmitting FTP commands (and the responses thereto), and one data channel via port 20 for transmitting data. With passive FTP, both channels are initiated by the FTP client, while with active FTP one of the channels is initiated by the FTP server.

Solution for secure FTP
To protect data during transmission, FTP also has the capability of data encryption and authentication. The simplest method of implementing a secure FTP connection is Transport Layer Security, or TLS (formerly Secure Sockets Layer, or SSL). TLS is located on the presentation layer of the OSI layer model. Here, the data stream is encrypted with a key at the lowest bit level at the start of a connection. The TLS handshake protocol is used for identification and authentication of the participants. Negotiation of an encryption key takes place through the public key method.
To this end, the FTP server sends the FTP client a certificate with its public key. The public key in the certificate must be certified beforehand by a certificate authority and provided with a digital signature.

FTPS
Explicit FTP for secure data transmission (FTPS) is a combination of FTP and the TLS protocols. It uses the same ports as in normal FTP mode (port 20/21). The key for TLS is a certificate that is generated and shipped with the security configuration. Secure FTP data transfer with the CP x43-1 Advanced V3 and CP 1x43-1 is only possible with the security function enabled, and must be explicitly enabled in the CP configuration.

3.4.2 Network Time Protocol (NTP)
Description
The Network Time Protocol (NTP) is a standardized protocol for time synchronization of multiple computers/modules via the network. Its accuracy is in the millisecond range. The clock time is provided to NTP clients by an NTP server.

NTP (secure)
Secure NTP allows for secure and authenticated time synchronization utilizing authentication methods and a shared encryption code. The NTP server and the NTP clients must both support this. Secure time synchronization is supported by the CP x43-1 Advanced V3 and CP 1x43-1 as long as the security function and the advanced NTP configuration are explicitly enabled in the CP's configuration in STEP 7.

3.4.3 Hypertext Transfer Protocol (HTTP)
Description
The Hypertext Transfer Protocol (HTTP) belongs to the family of Internet protocols and is a standardized method of transmitting data on a network.
HTTP is preferred for loading web pages from a web server in a web browser.

HTTPS
Data transmitted over HTTP are readable as cleartext and can be eavesdropped on by third parties. Today more than ever – in the age of online banking, online shopping and social networks – it is important that confidential and private data be transmitted safely and away from the eyes of unauthorized parties. The easiest method of tap-proof transmission is Hypertext Transfer Protocol Secure (HTTPS). HTTPS is structured like HTTP, but it always uses the TLS protocol for encryption.

3.4.4 Simple Network Management Protocol (SNMP)
Description
SNMP (Simple Network Management Protocol) is a UDP-based protocol that was defined specifically for the administration of data networks. It has become established as the de facto standard in TCP/IP devices. The individual nodes in the network (network components or end devices) are equipped with a so-called SNMP agent that provides information in structured form. This structure is called MIB, or Management Information Base. The agent in the network node is typically implemented as firmware.

Management Information Base – MIB
An MIB (Management Information Base) is a standardized data structure made up of different SNMP variables and written in a language that is independent of the target system. Thanks to the cross-vendor standardization of MIBs and the access mechanisms, even a heterogeneous network with components from different manufacturers can be monitored and controlled. If component-specific data and non-standardized data are needed for the network monitoring, these can be described by manufacturers in so-called "private MIBs".

Secure SNMP (SNMPv3)
SNMP is available in different versions: SNMPv1, SNMPv2 and SNMPv3. SNMPv1 and SNMPv2 are still in use to some extent.
However, SNMPv1 and SNMPv2 should not be used, because these versions implement limited or no security mechanisms, unless other security mechanisms have been implemented (e.g. the cell security concept). From version 3 onward, SNMP additionally offers user management with authentication as well as optional encryption of data packets. This aspect greatly increased the security of SNMP. Secure SNMP is supported by the CP x43-1 Advanced V3 and CP 1x43-1 if the security function and SNMPv3 have been explicitly enabled in the configuration of the CP in STEP 7.
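Because SNMPv1/v2c carry a cleartext community string while SNMPv3 adds user authentication, a network monitor can flag legacy-version datagrams on the wire, which is one way to check that the SNMPv3-only configuration described above is actually in effect. Added example in Python, not from the Siemens document: it decodes only the leading BER fields of an SNMP datagram, and the sample datagrams are constructed rather than captured.

```python
# Added example, not from the Siemens document: flag SNMPv1/v2c datagrams,
# which carry a cleartext community string and no user authentication,
# so that a monitoring pipeline can report them while SNMPv3 passes.
# Only the outer BER SEQUENCE, the version INTEGER and (for v1/v2c) the
# community OCTET STRING are decoded. Sample datagrams are constructed.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(datagram):
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer tag 0x%02x" % tag)
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    result = {"version": version, "community": None,
              "insecure": version in ("v1", "v2c")}
    if result["insecure"]:
        tag, community, _ = _read_tlv(body, pos)
        if tag == 0x04:
            result["community"] = community.decode("ascii", "replace")
    return result

def _ber(tag, payload):
    """Encode one TLV (short or long-form length); used to build samples."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

# Constructed samples: a v1 GetRequest with community "public" (PDU body
# omitted) and a v3 message whose header starts with msgGlobalData.
SNMP_V1 = _ber(0x30, _ber(0x02, b"\x00") + _ber(0x04, b"public") + _ber(0xA0, b""))
SNMP_V3 = _ber(0x30, _ber(0x02, b"\x03") + _ber(0x30, _ber(0x02, b"\x01")))
```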