Security with SCALANCE S612 V3, SCALANCE M875, SOFTNET ...


Applications & Tools

Answers for industry.

Cover

Secure Remote Access to SIMATIC Stations with the S612 V3 via Internet and UMTS

Security with SCALANCE S612 V3, SCALANCE M875, SOFTNET Security Client, CP x43-1 Advanced V3

Application Description July 2012

RemoteAccess_Radio V3.0, Entry ID: 24960449

Copyright Siemens AG 2012. All rights reserved.

Siemens Industry Online Support

This document is taken from Siemens Industry Online Support. The following link takes you directly to the download page of this document: http://support.automation.siemens.com/WW/view/en/24960449

Caution: The functions and solutions described in this entry are mainly limited to the realization of the automation task. In addition, please note that suitable security measures in compliance with the applicable Industrial Security standards must be taken if your system is interconnected with other parts of the plant, the company's network or the Internet. More information can be found under entry ID 50203404: http://support.automation.siemens.com/WW/view/en/50203404

For further information on this topic, you may also actively use our Technical Forum in the Siemens Industry Online Support. Share your questions, suggestions or problems and discuss them with our strong forum community: http://www.siemens.com/forum-applications


SIMATIC Secure Remote Access Application Description

1 Task
2 Solution
3 Risk Minimization due to Security
4 Functional Details on FTPS Scenario
5 Installation of the Application
6 Configuration of the Hardware
7 Configuration of the Example Scenarios
8 Additional Instructions
9 Operating the Application
10 Literature
11 History


Warranty and Liability

Note The application examples are not binding and do not claim to be complete regarding configuration, equipment and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of your responsibility to use sound practices in application, installation, operation and maintenance. When using these application examples, you recognize that we will not be liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time and without prior notice. If there are any deviations between the recommendations provided in this application example and other Siemens publications – e.g. catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change in the burden of proof to your disadvantage. It is not permissible to transfer or copy these application examples or excerpts thereof without express authorization from Siemens Industry Sector.


Preface

Objective of this application

This application demonstrates how a secure connection between a control center and one or several remote stations can be implemented and configured using the security components by Siemens. The following security components are available in the Siemens product portfolio:

– Security module SCALANCE S
– The SOFTNET Security Client software
– PLC-CPs (CP x43-1 Advanced V3) with security functionality
– PC-CP (CP1628) with security functionality
– UMTS router SCALANCE M with security functionality
– EDGE/GPRS router MD741-1 with security functionality

Core topics of this application

The following core points are discussed in this application:

– Introducing the components used regarding use, functionality and configuration
– Integrating the components in an example: establishing secure connections between a central station and several remote stations
– Step-by-step explanation of the required configuration steps for implementing the example.

Note The projects and documents of the previous versions are located in the archive folder on the HTML page from which you have downloaded this document.

In the application V2.0 the following diagnostic scenarios are demonstrated:

– STEP 7 standard diagnostics
– STEP 7 program upload and download
– SIMOCODE Pro diagnosis via SIMATIC PDM
– SIMOCODE configuration via SIMATIC PDM upload and download
– OPC access
– HTML access to CP 343-1 Advanced pages
– Smart@Service accesses to a panel via HTTP/VNC
– SOAP accesses to a panel via HTTP
– WinCC project download via HTTP/VNC

SCALANCE S612, MD741-1 and the SOFTNET security client are used as security components.


Table of Contents

Warranty and Liability ... 4
Preface ... 5
1 Task ... 8
1.1 Overview of the automation task ... 8
1.2 Description of the automation task ... 9
2 Solution ... 10
2.1 Overview of the general solution ... 10
2.2 Detailed hardware setup ... 12
2.3 Description of the core function and scenarios ... 15
2.3.1 Core function ... 15
2.3.2 Scenarios ... 15
2.4 Hardware and software components used ... 18
3 Risk Minimization due to Security ... 20
3.1 Conditions and requirements ... 20
3.2 SIEMENS protection concept: Defense-in-Depth ... 21
3.3 Introduction of the Security Modules ... 22
3.3.1 SCALANCE S612 V3 ... 22
3.3.2 CP 343-1 Advanced V3 ... 24
3.3.3 SCALANCE M875 ... 26
3.3.4 The SOFTNET Security Client ... 29
3.4 Security Configuration Tool ... 30
3.4.1 Configuration scheme ... 30
3.4.2 Management of certificates ... 32
3.4.3 User management ... 35
4 Functional Details on FTPS Scenario ... 37
4.1 General overview ... 37
4.2 Functionality scenario A ... 38
4.3 Functionality scenario B ... 43
5 Installation of the Application ... 45
5.1 Hardware installation ... 45
5.2 Software installation ... 47
6 Configuration of the Hardware ... 48
6.1 Networking the components ... 48
6.2 Adapting the IP addresses ... 49
6.2.1 IP address of the service center ... 49
6.2.2 IP address of the components ... 50
6.3 Loading of the remote stations ... 52
6.3.1 Remote Station 1 ... 52
6.3.2 Remote Station 2 ... 55
6.4 Commissioning of VPN tunnels ... 57
6.4.1 Requirements ... 58
6.4.2 Loading and exporting of SCT configuration ... 59
6.5 Configuration of the SCALANCE M875 ... 64
6.6 Configuration of the SCALANCE M873 ... 70
6.7 Configuration of the SOFTNET Security Client ... 74
6.8 Configuring the DSL Router ... 76
6.9 Final configuration ... 76


7 Configuration of the Example Scenarios ... 77
7.1 Configuration of FTPS ... 77
7.1.1 Basic configurations ... 77
7.1.2 User-specific configuration ... 79
7.2 Configuration of NTP (secure) ... 81
7.2.1 Basic configuration ... 81
7.2.2 User-specific configuration ... 84
8 Additional Instructions ... 85
8.1 Time synchronization with the SIMATIC mode ... 85
8.2 Enabling the security function in CP 343-1 Advanced V3 ... 88
8.3 Configuration with the Security Configuration Tool ... 90
8.4 Checking the VPN tunnel status ... 96
8.5 Importing/exporting the certificates ... 98
8.6 Configuration of the FTP connection in NetPro ... 100
8.7 Enabling of FTPS in CP 343-1 Advanced V3 ... 103
8.8 Creating a user for FTP ... 105
8.9 Changing the FTP parameters in the STEP 7 program ... 109
9 Operating the Application ... 110
9.1 Requirement ... 110
9.2 Scenario: Standard STEP 7 PG and online functions ... 110
9.3 Scenario: HTML-based access to the web servers ... 116
9.4 Scenario: Secure FTP access ... 118
9.5 Scenario: Secure time synchronization via NTP (secure) ... 122
10 Literature ... 123
11 History ... 124


1 Task

Introduction

Ethernet connections increasingly extend all the way to the field level. This offers many advantages for plant automation, such as remote maintenance and remote diagnosis. In terms of workload, time and the corresponding costs, this is significantly more efficient than sending service employees around the world. Error detection and removal is performed much quicker, which reduces machine downtimes and increases availability. However, this also makes production processes that were so far secured vulnerable from outside and inside. Reliable security can only be provided by an approach that unites security mechanisms with a comprehensive understanding of automation. Today's internet access mechanisms (radio, broadband) united with the security components by Siemens are a successful combination.

1.1 Overview of the automation task

A typical remote service scenario is access from a central station to distributed production plants. If the production plants are in places that are difficult to reach, access must also be guaranteed there. The basis for this is reliable, secured and economical data connections that are always available via cable-based or wireless transmission media. The figure below provides an overview of the automation task.

Figure 1-1: Service center connected over secure connections via the Internet (DSL) and EGPRS/UMTS to the distributed plants Remote S7-Station 1, Remote S7-Station 2, ..., Remote S7-Station N.


1.2 Description of the automation task

Several SIMATIC remote stations, each with devices that can be reached via Ethernet (S7-CPUs, HMI device, Ethernet CPs), are connected with a service center via a wireless transmission medium. Via these connections a PG/PC in the service center is to perform all the functions that a cable-based PG can perform (e.g. all standard diagnostic functions, upload and download of programs, FTP, etc.).


2 Solution

2.1 Overview of the general solution

Schematic layout

Siemens offers the following components with security functionality to secure access to and from production plants:

– SCALANCE S612 V3 security module, S623 V3 (as of 09/2012) and S602 V3
– The SOFTNET Security Client software
– CP1628 communication modules, CP 343-1 Advanced V3 and CP 443-1 Advanced V3
– SCALANCE M875 UMTS router
– EDGE/GPRS router MD741-1

Apart from the SCALANCE S602 V3 all components are VPN-capable and can establish secure connections with the help of IPsec. The application example below shows the use of these modules in a selected remote access scenario.

Table 2-1

Module | Used in…
SCALANCE S612 V3 | Service center
SOFTNET Security Client | Service station
CP 343-1 Advanced V3 | Remote Station 1
SCALANCE M875 | Remote Station 2

Note
Instead of an S7-300 station with a CP 343-1 Advanced V3, an S7-400 with CP 443-1 Advanced V3 can also be used as an alternative. The security functions of the two CPs are virtually identical.


Figure 2-1: Service center (PG/PC with STEP 7, SCALANCE S612 V3, DSL router) connected via ISP/Internet; Remote Station 1 (SCALANCE M873, S7-CPU with IE-CP 343-1 Adv. V3, HMI panel, PG/PC) and Remote Station 2 (SCALANCE M875, S7-PN CPU), each attached via a UMTS provider (A/B); VPN tunnel 1 and VPN tunnel 2 between the service center and the remote stations, VPN tunnel 3 from the service station (PG/PC with STEP 7).

The service center is the central point here. This is where the configuration files for the controllers are saved and where the VPN connections (VPN tunnel 1/2) to the remote stations are initiated. Via these connections, projects are downloaded to the controllers of the external stations, data is monitored and IT functions (FTP, HTTP) are carried out. Service technicians are to be able to connect via a secure connection (VPN tunnel 3) directly to the remote stations or to the service center, in order to get access to the external stations from there via, for example, VNC (Virtual Network Computing).


2.2 Detailed hardware setup

The following figures show the setup of this application in detail.

Setup of the service center

Figure 2-2: DSL router + modem (Internet connection with fixed IP address, xDSL); SCALANCE S612 (security module as VPN router); PC/PG with SIMATIC Manager (STEP 7), web browser, FTP server/client and VNC server (optional); 100 MBit/s IE links.

The control center consists of a standard Windows PC/PG. Via the integrated Ethernet interface the PC is connected with the internal (secure) port of the SCALANCE S612 V3 and the DSL router with the external (insecure) port, recognizable by the lock icon. On the PG/PC the STEP 7 software, a standard web browser, an FTP client, an FTP server and optionally a VNC server are installed.


Setup of the remote station 1

Figure 2-3: SCALANCE M873 (UMTS router with SIM card of the provider); SIMATIC station 1 with PS 307 5A, CPU 315-2 DP and CP 343-1 Advanced V3 (VPN endpoint); MP277 8'' HMI panel for visualization; PG/PC with NTP server; 100 MBit and 1 GBit IE links.

Remote station 1 consists of a SIMATIC S7-300 station, an HMI operator panel, a PC with NTP server and, as connection to the mobile communication network, a SCALANCE M873. The CP 343-1 Advanced V3 is the VPN endpoint. The panel and the PG/PC are connected with a (secure) PROFINET port of the CP, the SCALANCE M873 with the (insecure) gigabit port.

Setup of the remote station 2

Figure 2-4: SCALANCE M875 (UMTS router and VPN router with SIM card of the mobile communication provider); SIMATIC station with PS307 2A and CPU 319-3 PN/DP; 100 MBit/s IE link.

Remote station 2 consists of a SIMATIC station. The VPN endpoint is the SCALANCE M875. The CPU is connected with the SCALANCE M875 via its integrated interface.


Setup of the service station

Figure 2-5: PC/PG with SIMATIC Manager, web browser, SOFTNET Security Client and VNC client (optional), connected via IE standard cable to any internet access (ISP or UMTS provider).

The service station represents a PG/PC that has to connect to the plant from outside. For this purpose it should be possible to connect with the PGs/PCs via a secured connection directly to the remote stations or to the service center, in order to get access to the external stations from there. Access to the external stations via the service center requires routing between the secure connections and the use of remote maintenance software (VNC). The VPN client software SOFTNET Security Client is installed on the PG/PC, as well as optionally a VNC client.

Topics not covered by this application

Access of the service technician to the remote stations is not part of this application. For direct access to the remote stations the document "Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS" is available, which is located on the same HTML page as this document. More information on access to the remote stations via the service center can be found in the document "Remote Control Concept with SCALANCE S Modules over IPsec secured VPN Tunnel" (see /6/ in chapter 10 (Literature)).

Note A fixed DSL IP address at the control center is a prerequisite for this application.

Assumed knowledge Basic knowledge of automation technology, SIMATIC, Ethernet and configuration with STEP 7 V5.5 SP2 HF1 is assumed. Basics on security terms can be found under /14/ in chapter 10 (Literature).


2.3 Description of the core function and scenarios

2.3.1 Core function

For remote maintenance or diagnostics via an unsecured network, reliable security for the data transmission has the highest priority. Confidential and sensitive information must not be sent in plaintext via the internet, where it could be read and/or manipulated by unauthorized third parties. To guarantee secure and reliable data transmission, this application uses a VPN solution. VPN is the abbreviation for virtual private network and combines two separate networks into one closed, logical network. The configuration of this solution is performed via the Security Configuration Tool.

Figure 2-6

2.3.2 Scenarios

The implementation of a VPN solution makes secure data transmission between the central station and the remote stations or the service station possible. This application shows the functionality of this solution via selected scenarios:

– Standard STEP 7 PG and online functions
– HTML-based access to the web servers in the modules
– Secure data exchange via FTP
– Secure time synchronization via NTP (secure)


Standard PG and online functions

The service center or the service technician can

– carry out all online system diagnosis functions just as in the cable-based IE-LAN (diagnostic buffer of the CPU, module state, operating state, monitoring/controlling, etc.),
– monitor and control variables (variable table),
– monitor program states and
– download the complete STEP 7 programs and upload the standard STEP 7 program (without security parts).

Figure 2-7: Central station to remote station (standard PG and online functions).

Web access

PROFINET CPUs, CPs and SCALANCE M modules are provided with an integrated web server for configuring, monitoring, evaluating and diagnosing. The PG in the central station can access the server via a standard web browser.

Figure 2-8: Central station to remote station (web access).

Secure FTP (FTPS)

FTP (File Transfer Protocol) is a method for exchanging data between a client and a server. The communication modules CP x43-1 Advanced V3 provide a client and server function for file management and access to the blocks in the CPU.

Figure 2-9: Central station to remote station (FTP).

As of version 3 of the CPs the communication modules also support the secure FTP over SSL (explicit mode).


In this application, process data simulated by the CPU is sent to the central station (CP as FTP client) or the file system of the CP 343-1 Advanced V3 (CP as FTP server) is accessed from the central station.
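The explicit-mode FTPS negotiation described above, as an added example that is not code from the Siemens document: the client must complete AUTH TLS (control channel) and PBSZ 0 / PROT P (data channel) before USER/PASS, and must abort rather than fall back to plaintext FTP when the server refuses either step. ScriptedServer and its reply codes are a constructed offline stand-in for the CP in its FTP server role; connect_with_ftplib() shows the same steps with the standard library against a live server and is not exercised here.

```python
"""Explicit-mode FTPS (FTP over SSL/TLS, RFC 4217) login with downgrade protection.

Added example, not from the Siemens document. Models the control-channel
commands an explicit-mode FTPS client (e.g. the FTP client in the service
center) must complete before credentials are sent to the CP 343-1 Advanced V3
acting as FTP server. ScriptedServer is a constructed test double.
"""
import ftplib
import ssl


class FtpsDowngradeError(Exception):
    """Raised when the server would leave the control or data channel unprotected."""


class ScriptedServer:
    """Constructed stand-in for an FTP server: maps a command verb to a reply code."""

    def __init__(self, replies):
        self.replies = replies      # verb -> 3-digit FTP reply code
        self.log = []               # every command line the client sent

    def send(self, line):
        verb = line.split(" ", 1)[0]
        # never record a password, even in a test double
        self.log.append("PASS ****" if verb == "PASS" else line)
        return self.replies.get(verb, 502)   # 502: command not implemented


class ExplicitFtpsClient:
    """Performs the RFC 4217 explicit-mode upgrade before any credential is sent."""

    def __init__(self, server):
        self.server = server
        self.control_protected = False
        self.data_protected = False

    def secure_login(self, user, password):
        # 1. Upgrade the control channel: 234 means "proceed with the TLS handshake".
        #    Any other reply must abort. Falling back to plain FTP would expose the
        #    credentials and the transferred files to anyone on the path.
        if self.server.send("AUTH TLS") != 234:
            raise FtpsDowngradeError("server refused AUTH TLS; no plaintext fallback")
        self.control_protected = True   # a real client runs the TLS handshake here
        # 2. After AUTH TLS the data channel still defaults to PROT C (clear).
        #    PBSZ 0 is mandatory before PROT P when TLS is used.
        if self.server.send("PBSZ 0") != 200 or self.server.send("PROT P") != 200:
            raise FtpsDowngradeError("data channel would stay in clear (PROT C)")
        self.data_protected = True
        # 3. Only now do credentials cross the wire, inside the TLS session.
        if self.server.send(f"USER {user}") != 331:
            raise PermissionError("USER rejected")
        if self.server.send(f"PASS {password}") != 230:
            raise PermissionError("PASS rejected")
        return True


def connect_with_ftplib(host, user, password, cafile):
    """Same sequence with the standard library (needs a live server, not run here).

    create_default_context() verifies the server certificate against `cafile`
    and checks the hostname; auth() sends AUTH TLS and performs the handshake,
    prot_p() sends PBSZ 0 and PROT P; login() is reached only after both succeed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ftp = ftplib.FTP_TLS(context=ctx)
    ftp.connect(host, 21)
    ftp.auth()
    ftp.prot_p()
    ftp.login(user, password)
    return ftp
```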

NTP (secure)

The Network Time Protocol is a method for synchronizing the time of devices in a network. The current time is provided by a server. Apart from the SIMATIC procedure for time synchronization, the CP x43-1 Advanced V3 communication module also supports NTP.

Figure 2-10: NTP server (central station) to CP x43-1 Adv. (remote station).

As of version 3 of the CPs the communication modules can also synchronize the time via NTP (secure).
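The NTP (secure) exchange above, as an added example that is not code from the Siemens document. It assumes that NTP (secure) on the CP corresponds to standard NTP symmetric-key authentication (RFC 1305 / RFC 5905: a key ID plus an MD5 digest over the shared key and the 48-byte header appended to each packet); the key table, key ID and timestamps are constructed sample values.

```python
"""NTP (secure) modelled with symmetric-key authentication.

Added example, not from the Siemens document. Assumes "NTP (secure)" is the
standard NTP authenticator: key ID + MD5(shared key || 48-byte NTP header).
Keys, key IDs and timestamps below are constructed sample values.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                 # fixed NTP header
MAC_LEN = 4 + 16                # key ID + MD5 digest
MODE_CLIENT, MODE_SERVER = 3, 4

# Constructed trust store: key ID -> shared secret, configured identically on
# the NTP server in the central station and on the CP in the remote station.
SHARED_KEYS = {1: b"constructed-sample-key-01"}


def ntp_timestamp(unix_seconds):
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def build_header(mode, originate, receive, transmit, stratum=0):
    """Pack a 48-byte NTPv4 header; reference timestamp and root fields stay zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4
    return struct.pack("!BBBb3I4Q", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, originate, receive, transmit)


def authenticate(header, key_id):
    """Append the authenticator: key ID + MD5(key || header)."""
    digest = hashlib.md5(SHARED_KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def mac_is_valid(packet):
    """Recompute the digest with the key named by the packet's key ID."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False            # unauthenticated packets are rejected outright
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = SHARED_KEYS.get(key_id)
    if key is None:
        return False            # unknown key ID: not one of our trusted peers
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def build_client_request(key_id, now_unix):
    """CP side: client-mode packet carrying our transmit timestamp."""
    return authenticate(build_header(MODE_CLIENT, 0, 0, ntp_timestamp(now_unix)), key_id)


def build_server_reply(request, key_id, now_unix):
    """Server side: echo the client's transmit timestamp as the originate timestamp."""
    client_xmit = struct.unpack("!Q", request[40:48])[0]
    ts = ntp_timestamp(now_unix)
    return authenticate(build_header(MODE_SERVER, client_xmit, ts, ts, stratum=2), key_id)


def accept_reply(request, reply):
    """Client-side acceptance check before the reply is used to set the clock.

    Accept only if (1) the MAC verifies under a trusted key, (2) the packet is a
    server-mode packet and (3) its originate timestamp equals the transmit
    timestamp of our own request, which ties the reply to that request.
    """
    if not mac_is_valid(reply):
        return False
    if reply[0] & 0x07 != MODE_SERVER:
        return False
    our_xmit = struct.unpack("!Q", request[40:48])[0]
    originate = struct.unpack("!Q", reply[24:32])[0]
    return originate == our_xmit
```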

Advantages of this solution

– Optimized service of remote plants.
– External stations can be reached worldwide.
– All remote stations can be configured and diagnosed with standard STEP 7 tools.
– High communication availability due to standardized mobile communication and internet technology.
– UMTS and internet ensure short transmission times.
– Cost-effective data transmission due to payment based on data volumes.
– VPN functionality enables a secure, protected and encrypted data connection via the standard Ethernet.
– High degree of security by means of an integrated firewall.
– Simple and user-friendly configuration of the VPN tunnel with the Security Configuration Tool.


2.4 Hardware and software components used

The application document was generated using the following components:

Standard components

Table 2-2

Component | Qty. | MLFB/order number | Note
CPU 319-3 PN/DP | 1 | 6ES7 318-3EL00-0AB0 |
CPU 317-2 PN/DP | 1 | 6ES7 317-2EH14-0AB0 |
Power supply PS307 5A | 3 | 6ES7 307-1EA00-0AA0 |
Micro Memory Card | 2 | 6ES7 953-8LF11-0AA0 | Min. 1MB
PG | 1 | 6ES7 712-XXXXX-XXXX | Configurator
Multi Panel MP277 8'' | 1 | 6AV6 643-0CB01-1AX1 |
SCALANCE M873 | 1 | 6GK5 873-0AA10-1AA2 |

Security

Table 2-3

Component | Qty. | MLFB/order number | Note
SCALANCE S612 V3 | 1 | 6GK5 612-0BA10-2AA3 |
Software Security Configuration Tool V3 | 1 | - | SCT is included in delivery.
Software SOFTNET Security Client V4 | 1 | 6GK1 704-1VW04-0AA0 |
SCALANCE M875 | 1 | 6GK5 875-0AA10-1AA2 |
CP 343-1 Advanced V3 | 1 | 6GK7 343-1GX31-0XE0 |

Software

Table 2-4

Component | Qty. | MLFB/order number | Note
STEP 7 V5.5 SP2 HF1 | 1 | 6ES7810-4CC08-0YA5 | Or higher
HSP1058 | 1 | | Hardware support package for CP 343-1 Advanced V3; is included with the module.
FTP client software | 1 | | With FTP(e)S (secure FTP) support
FTP server software | | | With FTP(e)S (secure FTP) support
NTP server | 1 | | With NTP (secure) support

LAN components

Table 2-5

Component | Qty. | MLFB/order number | Note
IE FC TP STANDARD CABLE | 5 | 6XV1840-2AH10 | Connecting line IE; minimum order quantity 20 m
RJ45 plug-in connector | 10 | 6GK1901-1BB10-2AA0 | Can be tailored


Infrastructure & accessories

Table 2-6

Component | Qty. | MLFB/order number | Note
DSL router + modem with VPN passthrough function (port forwarding) | 1 | | Alternatively router with integrated modem or individually
Internet provider | 1 | |
Fixed IP address | 1 | | Contract with your Internet provider
ANT 794-4MR | 2 | 6NH9860-1AA00 | Omnidirectional quad-band antennae with 5m cable
SIM card | 2 | | Station contract with a GSM network operator; released for UMTS/GPRS

Example files and projects

The following list includes all files and projects used in this example.

Table 2-7

Component | Note
24960449_S612_RemoteAccess_UMTS_CODE_V30.zip | This zip file contains the STEP 7 project.
24960449_S612_RemoteAccess_UMTS_DOKU_V30_e.pdf | This document.


3 Risk Minimization due to Security

Ethernet-based communication has a central role in the automation environment and has many advantages due to the use of open, standardized IT technologies. However, the increasing openness and consistency also increases the risk of undesired manipulation. This is why a security concept is needed that reliably protects industrial communication on the one hand but on the other hand also takes the special requirements of automation technology into account.

Note
Nobody can guarantee 100 % security. Nevertheless, there are many options to keep the risk as low as possible.

3.1 Conditions and requirements

Requirements

Among others, the security requirements are:

– Data confidentiality: user data must be encrypted and protected from unauthorized access.
– Station authorization: only defined stations may participate in the data communication. Authentication is required.
– Packet identification: it must be ensured that data packets arrive at their target address unchanged.
– Secrecy: networks behind the VPN gateways should be hidden from third parties.

Conditions for automation technology

The special requirements of automation technology are:

– Taking effectiveness and economy into account by using the existing infrastructure.
– Reaction-free integration: the existing network infrastructure must not be changed and existing components must not be reconfigured.
– Conserving data security by protecting from unauthorized access.
– Availability: particularly for remote control technology it is essential that the connection between central station and production plant is robust, secure and reliable.


3.2 SIEMENS protection concept: Defense-in-Depth

Multilevel security concept More and more networking and the use of tried and tested technologies of the “office world” in automation plants require an increased need in security. It is not sufficient only to offer superficial and limited protection, since attacks from outside can take place on several levels. For optimal protection profound security awareness is required. To achieve the demanded security targets Siemens is working according to the defense-in-depth strategy. This strategy pursues the approach of a multi-layer security model: plant security, network security and system integrity.

The advantage is that an attacker has to pass several security mechanisms first and that the security requirements of the individual layers can be taken into account individually.

Instruments of the defense-in-depth strategy
Two security tools from the network security layer illustrate how this concept is implemented: the firewall and the VPN tunnel. The firewall controls data traffic: by filtering, packets can be discarded and network accesses can be blocked or granted. To secure communication, tunneling is a frequently used method.


3.3 Introduction of the Security Modules

The modules SCALANCE S612 V3, SCALANCE M875, SOFTNET Security Client, CP1628 and CP x43-1 Advanced V3 are components of the Siemens security concept. They protect automation cells, networks or devices without independent protection from unauthorized access, espionage or manipulation. The Security Configuration Tool (SCT) is used to configure the SCALANCE S modules, CP x43-1 Advanced V3 and CP1628 and to create the configuration files for the SCALANCE M875 and the SOFTNET Security Client. All nodes can be combined into groups there. These assignments also define which modules communicate with each other via a VPN tunnel.

3.3.1 SCALANCE S612 V3

Description
The SCALANCE S product family is used to protect automation cells/networks from unauthorized access. The model S612 can be used as VPN-capable peer to SCALANCE M875, CP x43-1 Advanced V3, SOFTNET Security Client, CP1628 or other SCALANCE S modules (apart from SCALANCE S602).

Figure 3-1


Properties
SCALANCE S612 V3 provides a number of functions for integrating modules into the remote control system:
- Protection of devices with or without independent security functions through the integrated firewall:
  – Check of the data packets based on source and target address (stateful packet inspection)
  – Support of Ethernet "non-IP" messages
  – Bandwidth limitation
  – Global and local firewall rules
  – User-specific firewall rules
- Highest security: the support of VPN and IPSec makes secure data transmission via a virtual dedicated line possible. SCALANCE S612 V3 can be either server or client and manage up to 128 VPN tunnels.
- Protection of several devices at the same time: by integrating the SCALANCE S as connecting link between two networks, the devices located behind it are automatically protected.
  – Router mode to operate the SCALANCE S in a routed infrastructure. Internal and external network are each independent subnets.
  – Bridge mode to operate the SCALANCE S module in a flat network. Internal and external network are located in one subnet.
- Flexible internet access:
  – SCALANCE S612 V3 supports the configuration of a fixed IP address for the DSL access and also PPPoE.
  – SCALANCE S V3 is a dynamic DNS client and can transfer its current IP address to a DNS server.

Interfaces
SCALANCE S has two separate Ethernet interfaces. The ports are treated differently and must not be confused:
- Port 1, external network: top RJ45 connector, red marking = insecure network area (key icon)
- Port 2, internal network: bottom RJ45 connector, green marking = network protected by SCALANCE S
If the ports are swapped, the device loses its protective function.

Note For further information, please refer to the SCALANCE S manual (see /3/ and /6/ in chapter 10 (Literature)).


3.3.2 CP 343-1 Advanced V3

Description
Compared to the basic components, the CP 343-1 Advanced modules (as of version 3) offer integrated security functions for the protection of automation cells/networks from unauthorized access. The communication processors can be used as VPN-capable peers for SCALANCE M875, S612, SCALANCE S (apart from S602), SOFTNET Security Client (as of V4 HF1), CP1628 or other CP x43-1 Advanced modules (as of version 3).

Figure 3-2

Function
CP 343-1 Advanced V3 offers the functions of its predecessor modules and was additionally expanded by the following security functions:
- Protection of devices with or without independent security functions through the integrated firewall:
  – Check of the data packets based on source and target address (stateful packet inspection)
  – Support of Ethernet "non-IP" messages
  – Bandwidth limitation
  – Global and local firewall rules
- Highest security: the support of VPN and IPSec makes secure data transmission via a virtual dedicated line possible. The CP supports the VPN server and VPN client role. The module can manage up to 32 VPN tunnels overall.
- Secure IT functions: encryption and authentication guarantee secure data transfer (FTPS), web access (HTTPS) and time synchronization (NTP (secure)).
- Protection of several devices at the same time: by integrating the CP as connecting link between two networks, the devices located behind it are automatically protected.


Interfaces
CP 343-1 Advanced V3 has a 100 Mbit/s PROFINET interface and a 1000 Mbit/s gigabit interface. The PROFINET interface is designed as an IRT-capable 2-port switch and furthermore enables the integration of the CP in a line topology or a ring with media redundancy. Each port can be disabled individually in the configuration. The gigabit interface works independently of the PROFINET interface and can be used as connection for a PG/PC or a superior company network. The gigabit interface enables the secure connection to external, insecure networks via firewall and VPN.

Using the CP as IP router
The CP can be used for forwarding IP messages from a local network (PROFINET interface) to a superior network (gigabit interface) and vice versa. The CP regulates the access permission according to its configuration.

Note More information can be found in the manual on CP 343-1 Advanced V3 (see /2/ in chapter 10 (Literature)).


3.3.3 SCALANCE M875

Description
SCALANCE M875 provides a secure wireless IP data connection between remote stations and the service center via GSM or UMTS (3G). It can be used as VPN-capable peer to the SCALANCE S (apart from S602), SCALANCE M875, SOFTNET Security Client, CP1628 and CP x43-1 Advanced V3.

Figure 3-3

Basic requirements for operation
The SCALANCE M875 can be operated anywhere a mobile communication network is available that provides packet-oriented data services. Under UMTS these are the HSPA or UMTS data services; under GSM these are EGPRS or GPRS. For the wireless data connection a SIM card is needed that is activated for the respective services.

Note Whether the router logs into GSM or UMTS networks depends on the network coverage of the provider. Information on the network coverage of the provider can usually be found on the internet page of the provider.

In the web-based management of the SCALANCE M875 you can see which network the module has dialed into.

For further information, please refer to the SCALANCE M875 manual (see /1/ in chapter 10 (Literature)).


The GSM/UMTS router SCALANCE M875 together with the quad-band antenna ANT 794-4MR covers all four bands of the GSM networks:
– 850 MHz
– 900 MHz
– 1800 MHz
– 1900 MHz
and the following frequencies under UMTS:
– 800 MHz
– 850 MHz
– 1700 MHz (AWS)
– 1900 MHz
– 2100 MHz

Note Please also observe the country approvals for the SCALANCE M875 (see /8/ in chapter 10 (Literature)).

Function
For a secure radio data connection the router provides the following core functions:
- Protection of devices with or without independent security functions through the integrated firewall, for example:
  – Check of the data packets based on source and target address (stateful packet inspection)
  – Anti-spoofing (against falsified IP addresses/identities)
  – Port forwarding
- Highest security: the support of VPN and IPSec makes secure data transmission via a virtual dedicated line possible. SCALANCE M875 supports the VPN client and server role. The module can manage 10 VPN tunnels overall.
- Radio modem for flexible data communication via UMTS, HSPA, EGPRS or GPRS:
  – Bi-directional data connection
  – Cyclic processing of protocol data for maintaining or monitoring the connection (NAT-T Keep Alive, Dead Peer Detection, Rx-Tx-Delay Trigger)
  – Support of DNS and dynamic DNS

Note For further information, please refer to the SCALANCE M875 manual (see /1/ in chapter 10 (Literature)).


Requirements for the VPN gateway of the remote network
In order for an IPSec connection to be established successfully, the VPN peer has to support IPSec with the following configuration:
- Authentication via X.509 certificates, CA certificates or preshared keys
- ESP
- Diffie-Hellman group 1, 2 or 5
- 3DES or AES encryption
- MD5 or SHA-1 hash algorithms
- Tunnel mode
- Quick mode
- Main mode
- SA lifetime (1 second up to 24 hours)

If the peer is a computer with the operating system Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 has to be installed. If the peer is located behind a NAT router, the peer has to support NAT-T; alternatively, the NAT router has to support the IPSec protocol (IPSec/VPN passthrough).
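A check of a proposed IKE/IPsec configuration against the peer requirements listed above, as an added Python example (not Siemens code). The warnings about DH group 1, 3DES, MD5 and preshared keys reflect general practice and are not statements from the application description.

```python
"""Check a proposed IKE/IPsec configuration against the VPN peer requirements
listed above for the SCALANCE M875. Added example, not Siemens code."""
from dataclasses import dataclass, field
from typing import List

# Supported parameter sets, taken from the requirements list above.
SUPPORTED_AUTH = {"x509", "ca", "psk"}       # X.509 / CA certificates / preshared key
SUPPORTED_DH_GROUPS = {1, 2, 5}
SUPPORTED_CIPHERS = {"3des", "aes"}
SUPPORTED_HASHES = {"md5", "sha1"}
SA_LIFETIME_MIN_S = 1
SA_LIFETIME_MAX_S = 24 * 60 * 60

# Accepted by the peer, but weaker than another option from the same list.
# These ratings are general practice, not statements of the application description.
WEAK_CHOICES = {
    "auth": {"psk": "preshared key is a shared secret; prefer X.509 certificates"},
    "dh_group": {1: "DH group 1 (768-bit MODP) is too small; prefer group 5"},
    "cipher": {"3des": "3DES is a legacy cipher; prefer AES"},
    "hash_alg": {"md5": "MD5 is broken; prefer SHA-1"},
}


@dataclass
class IpsecProposal:
    auth: str
    dh_group: int
    cipher: str
    hash_alg: str
    sa_lifetime_s: int
    esp: bool = True
    tunnel_mode: bool = True
    main_mode: bool = True    # IKE phase 1 in main mode (not aggressive mode)
    quick_mode: bool = True   # IKE phase 2 in quick mode


@dataclass
class CheckResult:
    errors: List[str] = field(default_factory=list)    # peer would reject
    warnings: List[str] = field(default_factory=list)  # peer accepts, but weak

    @property
    def compatible(self) -> bool:
        return not self.errors


def check_proposal(p: IpsecProposal) -> CheckResult:
    """Errors: the M875 would not establish the tunnel. Warnings: it would,
    but a stronger option from the supported list exists."""
    r = CheckResult()
    if p.auth not in SUPPORTED_AUTH:
        r.errors.append(f"authentication {p.auth!r} not supported")
    if p.dh_group not in SUPPORTED_DH_GROUPS:
        r.errors.append(f"DH group {p.dh_group} not supported (1, 2 or 5)")
    if p.cipher not in SUPPORTED_CIPHERS:
        r.errors.append(f"cipher {p.cipher!r} not supported (3DES or AES)")
    if p.hash_alg not in SUPPORTED_HASHES:
        r.errors.append(f"hash {p.hash_alg!r} not supported (MD5 or SHA-1)")
    if not SA_LIFETIME_MIN_S <= p.sa_lifetime_s <= SA_LIFETIME_MAX_S:
        r.errors.append("SA lifetime must be between 1 s and 24 h")
    for name, flag in (("ESP", p.esp), ("tunnel mode", p.tunnel_mode),
                       ("main mode", p.main_mode), ("quick mode", p.quick_mode)):
        if not flag:
            r.errors.append(f"{name} is required")
    for attr, table in WEAK_CHOICES.items():
        note = table.get(getattr(p, attr))
        if note:
            r.warnings.append(note)
    return r
```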

Explanation of important terms
In this section, the most important features of the SCALANCE M875 are briefly explained.

Table 3-1

Feature | Description
Anti-spoofing | Anti-spoofing prevents misuse of IP addresses and obscuring of identities.
NAT-T Keep Alive | The SCALANCE M875 sends UDP packets through tunnel port 4500 within a fixed cycle (in this example, at 90-second intervals) so as to maintain the connection at the APN. The period after which the provider disconnects a connection without data transfer activities is not defined and must be adapted accordingly. For NAT-T Keep Alive no response is expected from the peer, so the existence of the VPN tunnel cannot be proven this way.
Dead Peer Detection (DPD) | The M875 sends (in this application at the latest after 150 s) a UDP packet to port 4500. A response from the peer is expected and hence the status of the VPN tunnel is monitored. If a failure of the VPN tunnel is detected, the SCALANCE M875 tries to reestablish the tunnel.
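The difference between NAT-T Keep Alive and DPD in Table 3-1, as an added discrete-time simulation in Python (not Siemens code). The 90 s keepalive interval and the 150 s DPD trigger are the values from the table; the DPD reply timeout and the 10 s simulation tick are assumptions.

```python
"""Discrete-time simulation of NAT-T Keep Alive versus Dead Peer Detection
(DPD) on a VPN tunnel, using the intervals from Table 3-1.
Added example, not Siemens code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEEPALIVE_INTERVAL_S = 90   # NAT-T keepalive: UDP to port 4500, no reply expected
DPD_IDLE_TRIGGER_S = 150    # DPD request sent at the latest after this much silence
DPD_REPLY_TIMEOUT_S = 30    # assumption: how long to wait for the DPD reply
TICK_S = 10                 # assumption: simulation step


@dataclass
class TunnelMonitor:
    use_dpd: bool
    last_rx_from_peer: int = 0                    # last time the peer answered
    next_keepalive_at: int = KEEPALIVE_INTERVAL_S
    dpd_sent_at: Optional[int] = None
    tunnel_up: bool = True
    reestablish_attempts: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)


def step(m: TunnelMonitor, now: int, peer_alive: bool) -> None:
    """Advance the monitor to time `now` (seconds). `peer_alive` says whether
    the far side would still answer; a keepalive never finds that out."""
    if now >= m.next_keepalive_at:
        m.log.append((now, "keepalive"))          # fire and forget
        m.next_keepalive_at = now + KEEPALIVE_INTERVAL_S
    if not m.use_dpd:
        return
    if m.dpd_sent_at is None and now - m.last_rx_from_peer >= DPD_IDLE_TRIGGER_S:
        m.dpd_sent_at = now
        m.log.append((now, "dpd-request"))
    if m.dpd_sent_at is not None:
        if peer_alive:                             # reply arrives: tunnel proven alive
            m.last_rx_from_peer = now
            m.dpd_sent_at = None
            m.log.append((now, "dpd-reply"))
        elif now - m.dpd_sent_at >= DPD_REPLY_TIMEOUT_S:
            m.tunnel_up = False                    # dead peer: tear down and retry
            m.reestablish_attempts += 1
            m.dpd_sent_at = None
            m.last_rx_from_peer = now              # idle timer restarts with the retry
            m.log.append((now, "dead-peer-reestablish"))


def run(use_dpd: bool, peer_dies_at: int, duration_s: int) -> TunnelMonitor:
    """Peer answers until `peer_dies_at`, then goes silent (e.g. APN dropped)."""
    m = TunnelMonitor(use_dpd=use_dpd)
    for now in range(0, duration_s + 1, TICK_S):
        step(m, now, peer_alive=now < peer_dies_at)
    return m


def events(m: TunnelMonitor, kind: str) -> List[int]:
    """Times at which an event of the given kind was logged."""
    return [t for t, e in m.log if e == kind]
```

With keepalive only, the monitor keeps reporting the tunnel as up after the peer has gone silent; with DPD the silence is detected and a re-establishment is attempted.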


3.3.4 The SOFTNET Security Client

Description
The SOFTNET Security Client is PC software for secure remote access from a PC/PG to automation devices. The software can be used as VPN-capable peer to SCALANCE S (apart from S602), SCALANCE M875, CP1628 and CP x43-1 Advanced V3 (as of SSC V4 HF1).

Figure 3-4

Function
By means of the SOFTNET Security Client a PC/PG is automatically configured so that it can establish secure IPSec tunnel communication in the VPN (Virtual Private Network) to one or several VPN servers. Thus, PG/PC applications such as NCM diagnostics or STEP 7 can access devices or networks located in a protected, internal network via a secure tunnel connection.


3.4 Security Configuration Tool

3.4.1 Configuration scheme

Groups
With the Security Configuration Tool Siemens offers convenient software for the configuration of IPSec tunnel connections between modules. All modules that communicate with each other via a VPN tunnel are divided into groups. The figure below shows the logical end points of the VPN connection:

Figure 3-5: Logic display (CP 343-1 Adv. at Remote Station 1 and SCALANCE M875 at Remote Station 2, each connected to the SCALANCE S612 V3 by a VPN tunnel) next to the project display in the Security Configuration Tool (All groups: Group 1, Group 2).

In the group properties in the expanded mode, one of two authentication methods can be selected: preshared key or certificate.

Authentication
For preshared key, a custom key can be defined. Certificates can be generated by the Security Configuration Tool, distributed to the group members and signed by the group certificate (CA certificate). Alternatively, own certificates can be imported.

Note In this example the authentication occurs via the use of certificates.


Figure 3-6: Certificate distribution. The Security Configuration Tool on the PG/PC (STEP 7) generates the certificates, which are saved, downloaded to the SCALANCE S612 V3 and the CP 343-1 Adv. (Remote Station 1) and imported into the M875 (Remote Station 2). Certificates = *.p12 file (public & private key) and *.cer file.

Note A detailed description of the VPN configuration can be found in chapter 8.3 (Configuration with the Security Configuration Tool).


3.4.2 Management of certificates

Overview of certificates
In the certificate manager of the Security Configuration Tool all certificates that are required for the project are managed. All certificates include details on:
- Applicant
- Issuer
- Validity
- Location of usage in SCT
- Existence of a private key

Figure 3-7

NOTICE The validity of a certificate indicates up to what date the certificate may be considered valid.

When using secure communication (e.g. HTTPS, VPN, ...) make sure that the affected security modules have the current time and the current date. Otherwise the certificates used are not considered valid and the secure communication will not work.

The CA certificate is a certificate that was issued by a certification authority (the so-called "Certificate Authority") and it always includes a private key. The device certificates can be derived from it.


Structure of the certificates
The certificate manager divides the certificates into different groups:
- Certification authorities
- Device certificates
- Trustworthy certificates and root certification authorities

"Certification authorities" tab
All CA certificates are visible in the certification authorities tab.

CA certificate of a project: When creating a new SCT project, a CA certificate is created for the project. From this certificate the device certificates for the individual security modules are derived. When using the SCT integrated in STEP 7, a new project is created when the security function of the CP x43-1 Advanced V3 is activated for the first time.

CA group certificates: When creating a new VPN group, a CA certificate is created for the group.

Figure 3-8

"Device certificates" tab
All device-specific certificates that have been created by SCT for a security module are under this tab. This includes:
- SSL certificates: for each created security module an SSL certificate is created that is derived from the CA certificate of the project. SSL certificates are used for authentication of the communication between PG/PC and security module, when loading the configuration (not for CPs) and for logging in.
- Group certificates: additionally, a group certificate is created for each security module per VPN group in which it is located.


Figure 3-9

"Trustworthy certificates and root certification authorities" tab
Third-party certificates imported into SCT are displayed here, e.g. server certificates of external FTP servers or project certificates from other SCT projects.


3.4.3 User management

Overview
The configuration of the security functions and the secure IT functions (FTPS, NTP (secure) and HTTPS) can only be performed after logging in with user name and password. In the user administration of the Security Configuration Tool, you can create new users for this purpose, who can be assigned system-defined or user-defined roles. The module rights can be specified per security module.

Figure 3-10

System-defined roles
The following roles are pre-defined:
- administrator
- standard
- diagnostics
- remote access

The roles are assigned certain rights that are the same for all modules and which the administrator cannot change or delete. Information can be found in the security manual (see /3/ in chapter 10 (Literature)).


User-defined role
In addition to the system-defined roles, user-defined roles can also be created. For each security module used in the project, the respective rights are specified individually and the role is assigned to the users manually. The following screenshot shows the creation of a user-defined role for the FTP data transmission. The ftp_user user is assigned only FTP rights for the CP 343-1 Advanced V3 module.

Figure 3-11

Note For detailed instruction, please refer to chapter 8.8 (Creating a user for FTP).


4 Functional Details on FTPS Scenario

This chapter describes the implementation of the secure FTP data transmission for this example application.

Note CP x43-1 Advanced V3 only uses explicit FTPS.

If the name "FTPS" is used in this documentation, "FTPS in explicit mode" (FTPES) is meant.

4.1 General overview

Schematic diagram

Figure 4-1: Scenario A: FTP client (CP) sends process data to the FTP server (PC). Scenario B: FTP client (PC) accesses the file structure of the FTP server (CP).

Description
The FTPS scenario is divided into two transmission directions. In scenario A the CP 343-1 Advanced V3 is the active station as FTP client and sends the process data simulated by the CPU as a binary file to a computer in the central station. The reverse direction is shown in scenario B. Here, the computer in the central station is the active partner and accesses the file system of the CP in order to, e.g., copy, delete or insert files.


4.2 Functionality scenario A

Description
Scenario A shows the secure data transmission from a CP (FTP client) to a PG/PC as FTP server. As an example, process data from the CPU is to be saved on the FTP server. For FTPS a secure connection via SSL is to be established between the communication partners.

Figure 4-2: Scenario A: FTP client (CP) sends process data to the FTP server (PG/PC) over a secure SSL connection.

Requirement
For secure data access via FTP it is essential that:
- both FTP server and FTP client support explicit FTPS,
- the existing server certificate for the verification of the FTP server is stored by the FTP client,
- an unspecified FTP connection is configured in the CP,
- the security function is activated in the CP 343-1 Advanced V3,
- a user is created in the FTP server software who has been assigned the rights for the FTP functions. In this application ftp_user was used as user name and password.


Procedure
The following steps are required for writing a file to the FTP server:

Figure 4-3: Steps between FTP client and FTP server:
- Initiating a secure control channel
- Authentication and key exchange through certificates
- Transfer of LOGIN data for the FTP user configured in the FTP server
- Establishing a secure data channel
- Sending the binary file to the directory released in the FTP server

The processing of these steps is performed in the CP through a programming solution. For the CP 343-1 Advanced V3 in FTP client mode, special FTP blocks are available in order to process a data transfer via a configured TCP connection with activated FTP option.


Program details
For the simulation and transfer of the process data a small STEP 7 program was created. The following graphic shows the blocks used and their job:

Figure 4-4: Block structure of the STEP 7 program: OB 1, FB 2 (FTP_PROCESS), FB 183 (SIM_Process_Info), FB 40 (FTP_CMD), SFC 20 (BLKMOV), FC 2 (CONCAT), SFC 1 (READ_CLK), DB 181 (FTP_PARAM), DB 184 (PROCESS_DATA), DB 185 (FTP_SEND_DATA).

Table 4-1

Block | Function
OB 1 | Cyclic call of the functions FB 2 (FTP_PROCESS) and FB 183 (SIM_Process_Info).
FB 2 | Routine for processing the FTP data transmission: 1. Copying the data from DB 184 to DB 185. 2. Establishing a secure connection to the FTP server; the IP address of the server and the LOGIN data are located in DB 181. 3. Generating a file name in the form <date>file name. 4. Sending the data to the FTP server; the data to be transferred is stored in DB 185. 5. Disconnection.
FB 183 | Simulation of process data.
FB 40 | Global FTP block from the SIMATIC NET library of STEP 7.
FC 2 | Function from the standard library of STEP 7 for merging two string variables.
SFC 20 | System function for copying a data area.
SFC 1 | System function for reading out the current time and date.
DB 181 | In this data block the IP address of the FTP server, the LOGIN data and the file name are stored. The structure has been preset by FB 40: Address 0.0: IP address STRING[100]; Address 102.0: Username STRING[32]; Address 136.0: Password STRING[32]; Address 170.0: File name STRING[220].


Table 4-1 (continued)

Block | Function
DB 185 | This data block contains the data that is to be sent via FTP. The structure has been preset: Section 1: FILE_DB_HEADER with a fixed structure and length of 20 bytes + structure. Section 2: user data.
DB 184 | In this data block the process data simulated by FB 183 is stored.

FTP block FTP_CMD
With the FTP block FTP_CMD from the SIMATIC NET library all FTP commands can be executed. In detail these are the following commands (with command number):
– 1: CONNECT (establish connection)
– 2: STORE (write file)
– 3: RETRIEVE (read file)
– 4: DELETE (delete file)
– 5: QUIT (disconnect)
– 6: APPEND (append to file)
– 7: RETR_PART (read file section)
– 17: CONNECT_TLS_PRIVATE (establish secure connection)

The block is called as follows:

Figure 4-5

The parameters have the following meaning:

Table 4-2

Parameter | Meaning
ID | Connection ID of the TCP connection from NetPro.
LADDR | The address of the CP from the hardware configuration.
CMD | The command to be executed.
NAME_STR | Reference to LOGIN data or file name (depending on command).
FILE_DB_Nr | The number of the data block that contains the read/write data.
OFFSET | Only for CMD = 7: offset in bytes from which the file is to be read.
LEN | Only for CMD = 7: partial length in bytes that is to be read from the value specified in "OFFSET".
DONE | True if the command was processed error-free.
ERROR | True if the command was interrupted with an error.
STATUS | Contains the status display.
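The DB 181 (FTP_PARAM) layout of Table 4-1, built as a byte image with S7 STRING encoding (2 header bytes followed by the characters), so that the offsets 0.0, 102.0, 136.0 and 170.0 preset by FB 40 can be checked; an added Python example, not part of the STEP 7 project. The date format of the generated file name, the server address and the file name are assumptions.

```python
"""Byte image of DB 181 (FTP_PARAM) with S7 STRING encoding and a check of
the field offsets preset by FB 40. Added example, not Siemens code."""
import struct
from datetime import date

# Layout from Table 4-1: (field, byte offset, declared STRING length).
FTP_PARAM_LAYOUT = [
    ("ip_address", 0, 100),
    ("username", 102, 32),
    ("password", 136, 32),
    ("file_name", 170, 220),
]


def s7_string(value: str, max_len: int) -> bytes:
    """S7 STRING[n]: 1 byte maximum length, 1 byte actual length, n characters."""
    data = value.encode("ascii")
    if len(data) > max_len:
        raise ValueError(f"{value!r} exceeds STRING[{max_len}]")
    return struct.pack("BB", max_len, len(data)) + data.ljust(max_len, b"\0")


def s7_string_size(max_len: int) -> int:
    """Bytes occupied by STRING[max_len] in a DB (header + characters)."""
    return 2 + max_len


def check_layout(layout=FTP_PARAM_LAYOUT) -> bool:
    """Each field must start exactly where the previous STRING ends."""
    expected = 0
    for _, offset, max_len in layout:
        if offset != expected:
            return False
        expected += s7_string_size(max_len)
    return True


def build_file_name(base: str, day: date) -> str:
    """FB 2 generates '<date>file name'; the YYYYMMDD format is an assumption."""
    return day.strftime("%Y%m%d") + base


def build_ftp_param(ip: str, user: str, password: str, file_name: str) -> bytes:
    """Assemble the DB image field by field. Note that the LOGIN data sit in
    clear text in the CPU's data block, so the CPU and project need access
    protection of their own."""
    values = {"ip_address": ip, "username": user,
              "password": password, "file_name": file_name}
    image = b""
    for field, offset, max_len in FTP_PARAM_LAYOUT:
        assert len(image) == offset          # layout check while building
        image += s7_string(values[field], max_len)
    return image


def read_s7_string(image: bytes, offset: int) -> str:
    """Read an S7 STRING back from the image (inverse of s7_string)."""
    cur_len = image[offset + 1]
    return image[offset + 2: offset + 2 + cur_len].decode("ascii")


def sample_ftp_param() -> bytes:
    """Constructed sample: the PC/PG of Table 5-1 as FTP server, the ftp_user
    login of this application and a file named for 2012-07-19."""
    return build_ftp_param("192.168.0.100", "ftp_user", "ftp_user",
                           build_file_name("process.bin", date(2012, 7, 19)))
```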


Verifying the SSL connection
FTPS requires the use of the SSL protocol to secure and protect data from unauthorized third parties. The encryption of the data is based on a shared key that was previously negotiated via public-key cryptography. For verification the FTP server sends its server certificate to the CP 343-1 Advanced V3, which checks the validity of the server certificate against the stored certificates. All certificates have been created by the Security Configuration Tool and can be viewed via the certificate manager (see chapter 3.4.2). In order to be able to load the project certificate into the FTP server, it has to be exported from the certificate manager beforehand (see chapter 8.5 (Importing/exporting the certificates)).

Figure 4-6


4.3 Functionality scenario B

Description
Scenario B shows the secure data transmission from a PC (FTP client) to the CP 343-1 Advanced V3 as FTP server. The file structure of the CP 343-1 Advanced V3 is to be shown as an example. For FTPS a secure connection via SSL is to be established between the communication partners.

Figure 4-7: Scenario B: FTP client (PC) accesses the file structure of the FTP server (CP) over a secure SSL connection.

Requirement
For secure data access via FTP it is essential that:
- both FTP server and FTP client support explicit FTPS,
- the security function is activated in the CP 343-1 Advanced V3,
- a user has been created in the CP 343-1 Advanced V3 who has been assigned the rights for FTP functions. In this application ftp_user was used as user name and password.


Procedure
For access to the file system of the CP 343-1 Advanced V3, the following steps are required:

Figure 4-8: Steps between FTP client and FTP server:
- Initiating a secure control channel
- Authentication and key exchange through certificates
- Transfer of LOGIN data for the FTP user configured in the CP 343-1 Adv.
- Establishing a secure data channel
- Access to the file structure of the CP 343-1 Adv. via FTP commands (PWD, LIST etc.)

Verifying the SSL connection
FTPS requires the use of the SSL protocol to secure and protect data from unauthorized third parties. The encryption of the data is based on a shared key that was previously negotiated via public-key cryptography. For this purpose, the CP 343-1 Advanced V3 sends its SSL certificate, which was signed by the certification authority, to the FTP client. The certificate has been created by the Security Configuration Tool and can be viewed via the certificate manager (see chapter 3.4.2). The following screenshot shows the properties of the SSL certificate of the CP 343-1 Advanced V3.

Figure 4-9
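The explicit FTPS exchange of scenarios A and B (plain connect, AUTH TLS on the control channel, certificate verification, LOGIN, protected data channel), as an added Python client for scenario B; it is not part of the application description or the STEP 7 project. The CP address, port, user and the path of the CA file are assumptions; the CA file stands for the project certificate exported from the SCT certificate manager, which the client pins instead of the system trust store.

```python
"""Explicit FTPS (FTPES) client for scenario B, with the project CA certificate
pinned for verifying the CP's SSL certificate. Added example, not Siemens code."""
import ssl
from ftplib import FTP_TLS

# Assumed values. The CA file is the project certificate exported from the
# SCT certificate manager (*.cer, chapter 8.5); the path is a placeholder.
CP_HOST = "140.70.0.3"              # internal address of the CP 343-1 Advanced V3 (Table 5-1)
FTP_USER = "ftp_user"               # user created in the CP with FTP rights
FTP_PASSWORD = "ftp_user"           # password used in this application example
PROJECT_CA_FILE = "project_ca.cer"  # placeholder path


def build_ftps_context(cafile=None, check_hostname=True) -> ssl.SSLContext:
    """TLS context for the FTPS client. With `cafile` only certificates issued
    by that CA are accepted; None falls back to the system trust store, which
    does not know the project CA, so the CP's certificate would be rejected."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never talk to an unverified server
    # The SCT-generated SSL certificate is issued to the module, not to a DNS
    # name. If it does not match the host you connect to, disable hostname
    # matching but keep the chain check (never fall back to CERT_NONE).
    ctx.check_hostname = check_hostname
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The two settings that decide whether the server certificate is verified."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def ftps_session(host, user, password, ctx, port=21):
    """Explicit FTPS as in Figure 4-8: plain TCP connect, AUTH TLS upgrades the
    control channel (the server certificate is verified here), LOGIN over the
    encrypted channel, PROT P protects the data channel, then PWD/LIST-style
    access to the CP's file structure."""
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()                    # AUTH TLS on the control channel
    ftps.login(user, password)     # LOGIN data now travels encrypted
    ftps.prot_p()                  # secure data channel
    cwd = ftps.pwd()
    listing = ftps.nlst()
    ftps.quit()
    return cwd, listing


if __name__ == "__main__":
    context = build_ftps_context(PROJECT_CA_FILE, check_hostname=False)
    print(ftps_session(CP_HOST, FTP_USER, FTP_PASSWORD, context))
```

The same verification applies in scenario A with the roles reversed: there the CP checks the FTP server's certificate against the project certificate stored in it.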


5 Installation of the Application

Preliminary remarks

At the beginning we offer you a complete STEP 7 example project for download. This software example supports you in the first steps and tests with this application. It enables a quick function test of hardware and software interfaces between the products described here. The software example is always assigned to the components used in this application and shows their basic principle of interaction. However, it is not a real application in the sense of technological problem solving with definable properties. The following chapters take you step by step through the necessary configuration.

Download The STEP 7 example project is available on the HTML page from which you downloaded this document. http://support.automation.siemens.com/WW/view/en/24960449

5.1 Hardware installation

The figure below shows the hardware setup of the application.

Figure 5-1: Hardware setup. Service center (network IDs 192.168.0.0 and 172.16.0.0, PG/PC with STEP 7, fixed IP at the DSL access), Remote Station 1 (network IDs 140.70.0.0 and 140.80.0.0, dynamic IP via UMTS) and Remote Station 2 (network ID 192.168.22.0, dynamic IP via UMTS), connected via UMTS and the Internet; the numbered positions 1 to 4 correspond to the configuration steps in Table 5-2.


The following table gives you an overview of the IP addresses used. Cells with the same color belong to one subnet respectively. Modules with two addresses (internal/external) act as routers for the respective other subnet.

Table 5-1

Location | Module | Subnet mask internal | Subnet mask external | IP address internal | IP address external
Remote Station 1 | Touch Panel TP277 | 255.255.255.0 | 255.255.255.0 | 140.70.0.4 | -
Remote Station 1 | CPU 317-2 PN/DP | 255.255.255.0 | 255.255.255.0 | 140.70.0.2 | -
Remote Station 1 | CP 343-1 Advanced V3 | 255.255.255.0 | 255.255.255.0 | 140.70.0.3 | 140.80.0.3
Remote Station 1 | SCALANCE M873 | 255.255.255.0 | 255.255.255.0 | 140.80.0.1 | Dynamic from APN
Remote Station 2 | CPU 319-3 PN/DP | 255.255.255.0 | 255.255.255.0 | 192.168.22.11 | -
Remote Station 2 | SCALANCE M875 | 255.255.255.0 | 255.255.255.0 | 192.168.22.1 | Dynamic from APN
Central service station | DSL router | 255.255.0.0 | Depending on provider | 172.16.0.1 | Fixed IP from provider
Central service station | SCALANCE S612 V3 | 255.255.255.0 | 255.255.0.0 | 192.168.0.2 | 172.16.41.2
Central service station | PC/PG | 255.255.255.0 | 255.255.255.0 | 192.168.0.100 | -

In the following chapters the required configuration steps of the individual components are explained.

Table 5-2

Number  Step of configuration               Chapter
3       Configuring the DSL router          6.8
4       Commissioning of VPN tunnels        6.4
1       Configuration of the SCALANCE M875  6.5
2       Configuration of the SCALANCE M873  6.6


5.2 Software installation

Installing the software package The following software packages are required for this configuration:
- SOFTNET Security Client on the PC/PG of the service technician
- STEP 7
- Security Configuration Tool

Follow the instructions of the corresponding installation program.

Note The Security Configuration Tool V3 can be used in two modes:
- As standalone version for the configuration of the security modules without the security CPs.
- Integrated in STEP 7 for the configuration of all security modules (incl. security CPs). The project is stored in the STEP 7 project directory.

Existing standalone projects cannot be opened with the version integrated in STEP 7.

Installing the hardware support packages In this application the CP343-1 Advanced V3 is used. The use of this module requires the module catalog to be updated in the hardware configuration of STEP 7 with the HSP 1058. The instruction for installing the HSP 1058 can be found under /13/.

Installing the example project Start STEP 7 and retrieve the 24960449_S612_RemoteAccess_UMTS_CODE_V30.zip file via “File > Retrieve”.


6 Configuration of the Hardware

6.1 Networking the components

Remote Station 1
In the first external station the components are linked with each other as follows:
- The HMI panel with a PROFINET interface of the CP 343-1 Advanced V3.
- The PG/PC with the NTP server with a PROFINET interface of the CP 343-1 Advanced V3.
- The gigabit interface of the CP 343-1 Advanced V3 with the local interface of the SCALANCE M873.

Remote Station 2
In the second external station the components are linked with each other as follows:
- The CPU via its integrated PROFINET interface with the local interface of the SCALANCE M875.

Service center
In the service center the components are linked with each other as follows:
- The external port of the SCALANCE S612 V3 with the local interface of the DSL router.
- The internal port of the SCALANCE S612 V3 with the network interface of the PC.

Note For the first commissioning of the individual components it is sometimes necessary to disconnect the network connection. Pay attention to the respective notes in the configuration instructions.


6.2 Adapting the IP addresses

6.2.1 IP address of the service center

The figure shows the network settings to which you must change the PG/PC at the end of the configuration (after chapter 6.8 (Configuring the DSL Router)). Loading the various modules (SCALANCE S, SCALANCE M87x, CPUs, Multi Panel) requires changing the IP address of the PC/PG frequently.

Table 6-1

No. Action Remarks/Notes

1. Open the Internet Protocol (TCP/IP) Properties via “Start -> Settings -> Network Connection -> Local Connections”. Select the “Use following IP address” option and fill out the fields as shown in the screenshot on the right. Select the “Use following DNS Server” option and enter the DNS server according to the screenshot. Close the dialogs with OK.

2. If your PG has an IWLAN interface, switch it off.


6.2.2 IP address of the components

Requirement In order to change the IP address of the CPU, the CP and the panel, the following is assumed:
- A PC with the STEP 7 configuration software is required (e.g. the PG/PC of the service center station).
- The PC has to be connected directly with the component or via a switch.

Note The SCALANCE S612 V3 is assigned the IP address via the security configuration tool.

The IP addresses of the two SCALANCE M87x are changed via their web-based management.

SIMATIC components For loading the STEP 7 project to the CPU, the IP address of the module via which the project is loaded has to be changed. This can be the CPU itself or a CP. Furthermore, the IP address of the HMI panel has to be adjusted to the desired one for loading the WinCC flexible project.

Table 6-2

No. Action Note

1. Open the STEP 7 project in the SIMATIC Manager. In the “PLC” menu (“target system”) select the “Edit Ethernet Node…” option.

2. Click the Browse… button.


3. Select the desired module and acknowledge the selection with the OK button.

4. Enter the IP address according to Table 5-1 in the “Set IP configurations” window which appears. Click the “Assign IP Configuration” button. Close the dialog with the Close button.

5. In the same way, assign the IP addresses according to Table 5-1 from the remote station 2 to the CP, the panel and the CPU.


6.3 Loading of the remote stations

Note The IP addresses are already preset in the STEP 7 project included in delivery (see Table 5-1). To use the project your modules have to be configured with the preset addresses.

6.3.1 Remote Station 1

Required PC/PG IP address Table 6-3

No. Action Note

1. For loading the SIMATIC stations please change the IP address of your PC/PG according to the screenshot.

2. Connect your PC/PG with the free PROFINET interface of the CP 343-1 Advanced V3 or directly with the CPU via a standard Ethernet line.

Now the PC/PG can establish a connection to the CPU317-2 PN/DP, the CP 343-1 Advanced V3 and the panel.

Loading the SIMATIC station Table 6-4

No. Action Note

1. Change the IP address of the CPU and CP according to Table 5-1.

This is described in detail in chapter 6.2.2.

2. Select the first SIMATIC 300 station in the SIMATIC Manager (RemoteStation1) and load it via “PLC > Download” via the CP to the CPU.


Loading of the HMI panel Table 6-5

No. Action Note

1. Open the SIMATIC HMI-Station(1) in the SIMATIC Manager and select WinCC flexible RT. Open the WinCC flexible project via “Right mouse button > Open Object”.

2. As soon as WinCC flexible has started, go to the transfer settings via “Project > Transfer > Transfer Settings”. Change the dialog according to the screenshot. Mode: Ethernet. Computer name or IP address: 140.70.0.4.

3. Set your panel to transfer mode. Load the WinCC flexible project to the panel via the “Transfer” button.

NetPro For the FTP scenario a TCP connection has been established via NetPro in CP 343-1 Advanced V3. Figure 6-1

Note Do not change the connectionID of this communication connection. Otherwise you have to adjust the STEP 7 program (see chapter 8.9 (Changing the FTP parameters in the STEP 7 program)).


Default router The CP 343-1 Advanced V3 is the connecting link between the insecure wireless network and the internal network. The telegrams are automatically routed through the CP.

Figure 6-2: IP routing in the CP 343-1 Advanced V3 between the 100 MBit (LAN) and 1 GBit (WAN) interfaces (image not reproduced).

For the connection of the remote station 1 to the wireless network, the SCALANCE M873 is used, which is connected with the gigabit interface of the CP. Since data communication in the wireless network and the internet is routed via several public subnetworks, the SCALANCE M873 has to be entered as default router for the gigabit interface of the CP. The following figure shows the entry in the network properties of the gigabit interface of the CP 343-1 Advanced V3: Figure 6-3


6.3.2 Remote Station 2

Required PC/PG IP address Table 6-6

No. Action Note

1. For loading the SIMATIC stations please change the IP address of your PC/PG according to the screenshot.

2. Connect the PC/PG via a standard Ethernet cable with the CPU319-3 PN/DP.

Loading the SIMATIC station Table 6-7

No. Action Note

1. Change the IP address of the CPU according to Table 5-1.

This is described in detail in chapter 6.2.2.

2. Select the second SIMATIC 300 station in the SIMATIC Manager (RemoteStation2) and load it via “PLC > Download” via the CP to the CPU.


Default router For the connection of the remote station 2 to the wireless network, the SCALANCE M875 is used, which is connected with the PROFINET interface of the CPU. Since data communication in the wireless network and the internet is routed via several public subnetworks, the SCALANCE M875 has to be entered as default router in the CPU. The following screenshot shows the entry in the network properties of the CPU: Figure 6-4
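The address plan of Table 5-1 and the default-router entries of sections 6.3.1 and 6.3.2 can be checked before anything is loaded. The following script is an added example and not part of the Siemens document; it uses only the Python standard library, and the default route from the S612's external interface to the DSL router is an assumption drawn from Table 5-1, not something the text states.

```python
"""Static check of the addressing plan in Table 5-1 (added example, not
part of the Siemens document). Uses only the stdlib ipaddress module to
verify the two things the "Default router" sections of chapter 6.3 rely
on: a configured default router must be on-link for the interface that
uses it, and the subnets joined by the VPN tunnels must not overlap."""
from ipaddress import ip_interface, ip_address

# Addresses copied from Table 5-1, masks written as prefix lengths.
# "Dynamic from APN" / "Fixed IP from provider" are not known at
# configuration time and are left out of the static check.
PLAN = {
    "TP277":            {"int": "140.70.0.4/24"},
    "CPU 317-2 PN/DP":  {"int": "140.70.0.2/24"},
    "CP 343-1 Adv V3":  {"int": "140.70.0.3/24", "ext": "140.80.0.3/24"},
    "SCALANCE M873":    {"int": "140.80.0.1/24"},
    "CPU 319-3 PN/DP":  {"int": "192.168.22.11/24"},
    "SCALANCE M875":    {"int": "192.168.22.1/24"},
    "DSL router":       {"int": "172.16.0.1/16"},
    "SCALANCE S612 V3": {"int": "192.168.0.2/24", "ext": "172.16.41.2/16"},
    "PC/PG":            {"int": "192.168.0.100/24"},
}

# Default routers: CP -> M873 and CPU 319 -> M875 are configured in
# chapter 6.3; S612 external -> DSL router is an ASSUMPTION derived from
# the service-center layout in Table 5-1, not stated on the page.
DEFAULT_ROUTERS = {
    ("CP 343-1 Adv V3", "ext"):  "140.80.0.1",
    ("CPU 319-3 PN/DP", "int"):  "192.168.22.1",
    ("SCALANCE S612 V3", "ext"): "172.16.0.1",
}


def check_default_routers(plan, routers):
    """Return (module, iface, reason) for every default router that is not
    reachable on-link from the interface that is supposed to use it."""
    problems = []
    for (module, iface), gw in routers.items():
        local = ip_interface(plan[module][iface])
        gw_addr = ip_address(gw)
        if gw_addr not in local.network:
            problems.append((module, iface,
                             f"gateway {gw} not in {local.network}"))
        elif gw_addr == local.ip:
            problems.append((module, iface, "gateway equals own address"))
    return problems


def next_hop(plan, routers, module, dst):
    """Where does `module` send a packet for `dst`? 'direct' for an
    on-link destination, the default router address otherwise, or None
    when the module has no route at all (the packet is dropped)."""
    dst_addr = ip_address(dst)
    for cidr in plan[module].values():
        if dst_addr in ip_interface(cidr).network:
            return "direct"
    for (m, _iface), gw in routers.items():
        if m == module:
            return gw
    return None


def overlapping_subnets(plan):
    """Pairs of distinct subnets that overlap. Overlapping subnets on the
    two sides of a site-to-site IPsec tunnel cannot be routed
    unambiguously, so this must come back empty for the plan."""
    nets = sorted({ip_interface(c).network
                   for d in plan.values() for c in d.values()},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print("default-router problems:",
          check_default_routers(PLAN, DEFAULT_ROUTERS))
    print("overlapping subnets:", overlapping_subnets(PLAN))
    print("CP 343-1 -> PC/PG via",
          next_hop(PLAN, DEFAULT_ROUTERS, "CP 343-1 Adv V3", "192.168.0.100"))
    # Constructed misconfiguration: the M873 typed into the CP's gigabit
    # interface with an address from the wrong subnet.
    bad = {**DEFAULT_ROUTERS, ("CP 343-1 Adv V3", "ext"): "140.70.0.1"}
    print("typo in default router:", check_default_routers(PLAN, bad))
```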


6.4 Commissioning of VPN tunnels

In this example application three VPN tunnels are established.

Figure 6-5: The three VPN tunnels (image not reproduced). VPN Tunnel 1, VPN Tunnel 2 and VPN Tunnel 3 run between the SCALANCE S612 V3 (Service) and the CP 343-1 Adv. (Remote Station 1), the SCALANCE M875 (Remote Station 2) and the SSC, organised in Group 1, Group 2 and Group 3.

In the example project included, all tunnel connections have already been configured. Instructions and further information regarding the configuration can be found in chapter 8.2 (Enabling the security function in CP 343-1 Advanced V3) and chapter 8.3 (Configuration with the Security Configuration Tool) as well as in the Getting Started “SIMATIC NET Industrial Ethernet Security, Setting up security”, listed as /5/ in chapter 10 (Literature).


6.4.1 Requirements

Updating the time in CP 343-1 Advanced V3 In the switched-off state, the CP loses the current time and is set to 01.01.1984 by default. However, to establish a VPN tunnel connection to the SCALANCE S612 V3 it is essential that the CP 343-1 Advanced V3 has the current date: after generation, the certificates required for establishing the tunnel are valid from the current day to a date in the future. There are two options to set the current time in the CP 343-1 Advanced V3:
- SIMATIC mode
- NTP mode

Note The SIMATIC mode is already set in the CP in this application. More information regarding configuration of this time synchronization can be found in chapter 8.1 (Time synchronization with the SIMATIC mode).
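Why a CP clock of 01.01.1984 prevents the tunnel: an IKE peer rejects a certificate whose validity window does not contain its own current time. The following script is an added example, not Siemens code; it walks the DER structure of an X.509 certificate to read notBefore/notAfter and compares them with a device clock. The certificate is a stub constructed inline (dummy issuer and signature, only the structure matters), not a real SCT-generated file.

```python
"""Minimal DER walker that extracts the validity window of an X.509
certificate and checks it against a device clock (added example, not
part of the Siemens document). Demonstrates why a CP whose clock fell
back to 01.01.1984 cannot bring up its VPN tunnel."""
from datetime import datetime, timezone


def _tlv(tag, payload):
    """Encode one DER TLV (lengths below 65536 are enough here)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Yield (tag, value) for every element inside a SEQUENCE payload."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Time ::= UTCTime (0x17, YYMMDDHHMMSSZ) | GeneralizedTime (0x18)."""
    text = val.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1
        text = f"{year}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(cert_der):
    """Return (notBefore, notAfter) of a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)                 # Certificate
    tbs = next(_children(cert))[1]                      # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))
    return _parse_time(t1, v1), _parse_time(t2, v2)


def certificate_usable(cert_der, device_clock):
    """True when the device's own clock lies inside the validity window;
    this is the check an IKE peer applies before trusting the cert."""
    not_before, not_after = validity(cert_der)
    return not_before <= device_clock <= not_after


def build_stub_cert(not_before, not_after):
    """Construct a structurally valid Certificate with empty issuer,
    subject and signature; only the validity field carries real data."""
    def utc(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),   # version v3
        _tlv(0x02, b"\x01"),               # serialNumber 1
        _tlv(0x30, b""),                   # signature algorithm (stub)
        _tlv(0x30, b""),                   # issuer (stub)
        _tlv(0x30, utc(not_before) + utc(not_after)),
        _tlv(0x30, b""),                   # subject (stub)
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


# Constructed scenario: certificate generated by the SCT on 01.07.2012,
# valid for one year; compared against the CP's fallback clock and a
# clock that was synchronised (SIMATIC or NTP mode).
CERT = build_stub_cert(datetime(2012, 7, 1, tzinfo=timezone.utc),
                       datetime(2013, 7, 1, tzinfo=timezone.utc))
CP_DEFAULT_CLOCK = datetime(1984, 1, 1, tzinfo=timezone.utc)
SYNCED_CLOCK = datetime(2012, 7, 15, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("validity:", validity(CERT))
    print("tunnel with 1984 clock:", certificate_usable(CERT, CP_DEFAULT_CLOCK))
    print("tunnel with synced clock:", certificate_usable(CERT, SYNCED_CLOCK))
```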

Resetting the SCALANCE S to factory settings In order to delete all already configured VPN connections and other certificates in the SCALANCE S, a reset to factory settings is recommended for this module. For this purpose, the SCALANCE S has a RESET button on the back of the device. If it is pressed for more than 5 seconds (until the fault LED flashes yellow-red) the reset process is started. During the reset process the fault display flashes yellow-red. Once the reset process is completed the device automatically restarts. The SCALANCE S loses its configuration and IP address and is set to 0.0.0.0.

Note Make sure that the power supply is not interrupted during the process.

Resetting the SCALANCE M87x to factory settings In order to delete all already configured VPN connections and other certificates in the SCALANCE M875, and to return the SCALANCE M87x to its default settings, a reset to factory settings is also recommended for these modules. For this purpose, the SCALANCE M87x has a SET button at the front of the device. The reset process starts if this button is pressed for more than 5 seconds (with a pointed object). The SCALANCE M87x thereby also loses its configured IP address and can be reached again via the factory-set IP address 192.168.1.1.

Note Make sure that the power supply is not interrupted during the process.


6.4.2 Loading and exporting of SCT configuration

The security configuration tool is the configuration software for all security modules. Since the example application also uses a security CP, the SCT integrated in STEP 7 is used.

Opening of the integrated SCT in STEP 7 As soon as a security CP is integrated in the hardware configuration and the security functions have been activated, the SCT integrated in STEP 7 can be opened in the hardware configuration of the CP via “Edit > Security Configuration Tool”. The login for the included SCT project is:
User name: admin
Password: Administrator

Changing the VPN access address The CP 343-1 Advanced V3, the SCALANCE M875 as well as the SOFTNET Security Client actively establish the VPN connection to the SCALANCE S612 V3. The access address is the fixed IP address of the DSL connection in the central station. Below it is explained how the access address has to be changed to match your own DSL connection.

Table 6-8

No. Action Remarks

1. Open the Security Configuration Tool integrated in STEP 7 via the hardware configuration of the CP in the remote station 1 as described above. Select the SCALANCE S612 V3 in the content area and open the properties by doubleclicking.

2. Go to the VPN tab and change the role to “Wait for partner”. Enter the fixed IP address of your DSL access of the service center as WAN IP address. Close the window with OK. Note: Even if the S612 is waiting for a connection, a WAN IP address has to be entered. This is necessary for the creation of the configuration data of the VPN partners.


Loading and exporting configuration files Loading the configuration data varies depending on the security module and is explained step by step in the following sections. Table 6-9

Security Module Procedure

SCALANCE S612 V3 The configuration is directly downloaded from the Security Configuration Tool to the module.

CP 343-1 Advanced V3 The downloading is performed via the hardware configuration in STEP 7.

SCALANCE M875 The security configuration tool creates a text file with an instruction on how the SCALANCE M875 is to be configured via its web-based management. With the text file all required certificates are stored as well.

SOFTNET Security Client The security configuration tool creates a configuration file that has to be imported into the SOFTNET Security Client. Additionally, all required certificates are stored.

For saving the configuration data of the SCALANCE M875, proceed as follows: Table 6-10

No. Action Remarks

1. Select All modules in the navigation area and in the content area the SCALANCE M875 (remote2). Start the export of the configuration data via the Transfer to module(s) button.

2. Select the storage folder for the configuration data. The directory can be selected freely.

3. Assign a password for the private key of the certificate.

4. Enter a password in the entry field and repeat it. Close the window with OK.

5. The following files are stored in the selected directory:
RemoteAccess.Remote2.txt
RemoteAccess.<character>.Remote2.p12
RemoteAccess.Group2.Central.cer


6. The further configuration of the SCALANCE M875 is performed via its web-based management. See chapter 6.5 (Configuration of the SCALANCE M875).

For saving the configuration data of the SOFTNET Security Client, proceed as follows:

Table 6-11

No. Action Remarks

1. Select All modules in the navigation area and in the content area the SOFTNET Security Client (Service). Start the export of the configuration data via the Transfer to module(s) button.

2. Select a storage folder for the configuration data. The directory can be selected freely.

3. Assign a password for the private key of the certificate.

4. Enter the password in the entry field and repeat it. Close the window with OK.

5. The following files are stored in the selected directory:
RemoteAccess.Service.dat
RemoteAccess.<character>.Service.p12
RemoteAccess.Group3.cer

6. The further configuration is performed with the SOFTNET Security Client software itself. See chapter 6.7 (Configuration of the SOFTNET Security Client).


For downloading the configuration data to the SCALANCE S612 V3, proceed as follows:

Table 6-12

No. Action Remarks

1. Please change the IP address of your PC/PG according to the screenshot.

2. Connect the PC/PG with the external interface of the SCALANCE S612 V3 via a standard Ethernet line.

3. Select All modules in the navigation area and the SCALANCE S612 V3 (Central) in the content area. Start the download via the Transfer to module(s) button.

4. Start the transfer via Start.

5. If the download was performed error-free, the security module is automatically restarted and the new configuration is activated. This process may take several minutes.


For downloading the configuration data to the CP 343-1 Advanced V3, proceed as follows:

Table 6-13

No. Action Remarks

1. Close the security configuration tool and, if you have made any changes in the security configuration tool, the security message.

2. Save and compile the hardware configuration.

3. For the loading of the SIMATIC stations, you have to change the IP address of the PG accordingly (e.g. 140.70.0.100). Connect your PC/PG with the free PROFINET interface of the CP 343-1 Advanced V3 or directly with the CPU via a standard Ethernet line.

4. Load the changes to the controller.


6.5 Configuration of the SCALANCE M875

Note In this chapter it is assumed that the SCALANCE M875 was reset to factory settings and that a SIM card has been inserted.

The SCALANCE M875 is easily configured with the help of the saved "RemoteAccess.Remote2.txt" text file and its web-based management. Below, the configuration of the SCALANCE M is shown step by step.

Opening web-based management The SCALANCE M875 is set up via the web-based management.

Table 6-14

No. Action Remarks

1. Please change the IP address of your PC/PG according to the screenshot.

2. Connect the PC/PG with the LAN interface of the SCALANCE M875 via a standard Ethernet line.


3. Open the web-based management of the SCALANCE M. Enter the address https://192.168.1.1 in an internet browser. You are prompted to enter the user name and the password. With factory settings these are:
User name: admin
Password: scalance

Entering the PIN For login to the wireless network the module needs the PIN of the SIM card.

Table 6-15

No. Action

1. Go to “External Network > UMTS/EDGE”. Enter the PIN of your SIM card at PIN. Delete all providers that are not used from the provider list via the Delete button, or create a new provider via New. Click Save to save the changes.

2. The “Overview” mask shows you information on the connection in the EDGE or UMTS network, the signal strength and the IP address assigned by the provider.


Adjusting IP address: For this example application the SCALANCE M875 communicates with the internal network of the remote station 2 with the NetworkID 192.168.22.0. Below, the device is configured with an IP address from this network.

Table 6-16

No. Action

1. Go to “Local Network > Basic Settings > Local IPs”. Change the internal IP address of the device to 192.168.22.1. Accept the settings with Save. Note: You have to adjust the IP address of your PC/PG accordingly (e.g. 192.168.22.100) and then open the web page with the new address again.

Adjusting time In order to guarantee the validity of the certificates, the SCALANCE M875 has to have the current time.

Table 6-17

No. Action

1. Go to “System > System Time”. Configure the current time and accept it with Set. Click the Save button to save your setting.


Configuring the VPN connection For the further configuration, the text file created by the security configuration tool now serves as an aid.

Table 6-18

No. Action

1. Open the RemoteAccess.Remote2.txt text file. It contains step-by-step instructions for the configuration of the VPN connection to the SCALANCE S612 V3. The VPN configuration is performed in 3 steps:
- Download certificates
- Specify settings
- Set IKE parameters

2. Download certificates: Go to “IPSec VPN > Certificates”. Download the two certificates according to the instructions of the text file. For the .p12 certificate, enter the password you specified in Table 6-10.

3. The state of the loading process is shown accordingly in the web-based management.


4. Specify settings: Go to “IPSec VPN > Connections” and create a new connection via New.

5. Enter a name for the connection and enable it. Accept the settings with Save. Subsequently edit the VPN parameters via Edit.

6. Configure the VPN connection according to your text file and subsequently accept the changes with Save.


7. Set IKE parameters: Go to “IPSec VPN > Connections” and select Edit.

8. Configure the IKE settings according to your text file and subsequently accept the changes with Save.

9. VPN connection test: As soon as all settings have been transferred to the SCALANCE M875, the router automatically establishes a VPN tunnel to the SCALANCE S612 V3. This can be monitored:
- on the green VPN LED of the module itself, and
- in the web-based management under “IPSec VPN > Status”.


6.6 Configuration of the SCALANCE M873

Note In this chapter it is assumed that the SCALANCE M873 was reset to factory settings and that a SIM card has been inserted.

The SCALANCE M873 is the interface of the remote station 1 to the wireless network. Here, too, the access to the wireless network is set via the web-based management.

Opening web-based management The SCALANCE M873 is set up via the web-based management.

Table 6-19

No. Action Remarks

1. Please change the IP address of your PC/PG according to the screenshot. Connect the PC/PG with the LAN interface of the SCALANCE M873 via a standard Ethernet line.

2. Open the web-based management of the SCALANCE M. Enter the address https://192.168.1.1 in an internet browser. You are prompted to enter the user name and the password. With factory settings these are:
User name: admin
Password: scalance


Entering the PIN For login to the wireless network the module needs the PIN of the SIM card.

Table 6-20

No. Action

1. Go to “External Network > UMTS/EDGE”. Enter the PIN of your SIM card at PIN. Enter your APN as well as the login in the entry fields provided for this purpose. Click Save to save the changes.

2. The “Overview” mask shows you information on the connection in the EDGE or UMTS network, the signal strength and the IP address assigned by the provider.


Adjusting IP address: The SCALANCE M873 is to communicate with the gigabit interface of the CP 343-1 Advanced V3 in this example application and therefore has to be located in the same network. Below, the internal interface of the router is configured with a suitable IP address.

Table 6-21

No. Action

1. Go to “Local Network > Basic Settings > Local IPs”. Change the internal IP address of the device to 140.80.0.1. Accept the settings with Save. Note: You have to adjust the IP address of your PC/PG accordingly (e.g. 140.80.0.100) and then open the web page with the new address again.


Configuring the firewall The SCALANCE M873 has an internal firewall to protect against unauthorized access. The dynamic packet filter checks data packets by means of their source and destination address and blocks undesired data traffic. For this example application, only data that reaches the SCALANCE M873 from the gigabit interface of the CP 343-1 Advanced V3 should pass.

Table 6-22

No. Action

1. Go to “Security > Packet Filter”. Enter a new entry according to the screenshot at Firewall Rules (Outgoing) via the New button. Accept the settings with Save. Note: With this firewall rule only data packets with the source address 140.80.0.3 will pass the SCALANCE M873. If you want to make any other changes in the SCALANCE or monitor its status, you have to change the IP address of your PC/PG accordingly.


6.7 Configuration of the SOFTNET Security Client

Note It is assumed that the PC with the SOFTNET Security Client has an internet connection.

The SOFTNET Security Client is a VPN client software via which the service technician can connect from outside to the SCALANCE S612 V3.

Table 6-23

No. Action Remarks

1. In chapter 6.4.2 the required certificates and the configuration file were exported from the security configuration tool and stored. Transfer these files to the PC of the service technician.

2. Open the SOFTNET Security Client on the service PC. The SOFTNET Security Client is configured via Load Configuration.

3. For this purpose navigate to the configuration file and open the .dat file.

4. For the .p12 certificate, enter the password you specified in Table 6-11.


5. Activate the statically configured nodes.

6. The SOFTNET Security Client now tries to establish a VPN tunnel to the SCALANCE S612 V3. The current status can be called via Tunnel Overview.

7. If the tunnel is established, the status changes from red to green.


6.8 Configuring the DSL Router

No specific router is discussed for the configuration as the operating screens differ from router to router. Most routers have a web page for the configuration.

Required PG/PC IP address
For the configuration of the router you must assign an IP address to your PG/PC that is located in the same network as your router.

Configuration
Table 6-24

1. Open the configuration user interface of the router. This may be additional software, “Telnet” or a web page.

2. Enter the connection data for your internet connection: the login, password, etc. you have received from your provider.

3. Switch off dynamic DNS. Your internet access has a fixed IP address.

4. Enter your DNS server. You receive the address together with your access data.

5. Specify a LAN IP address for the router: 172.16.0.1

6. Switch off the DHCP server. The SCALANCE S and the PC are assigned fixed addresses.

7. Forward UDP ports 500 and 4500 to the same ports of the SCALANCE S: UDP port 500 to UDP port 500 of 172.16.41.2, UDP port 4500 to UDP port 4500 of 172.16.41.2.

Note Some routers have an “IPSec Pass through” function. Activate this function (if it explicitly exists in your router) in order to support IPSec.

6.9 Final configuration

At the end of the configurations connect the components as described in chapter 6.1 (Networking the components) and adjust the IP address of the service center according to chapter 6.2.1 (IP address of the service center). The security components now start to establish the configured VPN tunnel. Notes on how you can check the status of the VPN connections, can be found in chapter 8.4 (Checking the VPN tunnel status).


7 Configuration of the Example Scenarios 7.1 Configuration of FTPS

7.1.1 Basic configurations

For the use of FTP with a CP 343-1 Advanced V3 as station, configuration steps have to be made upfront, depending on the operating mode. The PG/PC of the service center with the STEP 7 project serves as configuration computer.

CP 343-1 Advanced V3 as FTP client:
– Creating an unspecified TCP connection (Figure 7-1)

CP 343-1 Advanced V3 as FTP server:
– Enabling the security function in CP 343-1 Advanced V3 (Figure 7-2)
– Enabling the FTP server and FTPS (Figure 7-3)
– Creating an FTP user (Figure 7-4)

All these items have already been configured in the example application. Information and precise instructions can be found in chapter 8.2 (Enabling the security function in CP 343-1 Advanced V3), chapter 8.6 (Configuration of the FTP connection in NetPro), chapter 8.7 (Enabling of FTPS in CP 343-1 Advanced V3) and chapter 8.8 (Creating a user for FTP).

Note In order for the changed configuration to be accepted when loading, “Save/Compile” has to be selected in the HW Config.

Follow the instructions in chapter 6.3.1 (Remote Station 1).


7.1.2 User-specific configuration

For the operation of the FTPS scenarios, the FTP client or FTP server software has to be configured for use with the CP 343-1 Advanced V3 as communication partner and for the use of FTPS. This chapter does not give step-by-step instructions, since the configuration dialogs of the numerous FTP software tools on the market differ. The points you must set in your FTP client or FTP server are listed below.

Setting for the FTP client
For the use of FTPS scenario B (see chapter 4.3) you have to configure the following items in your FTP client software:
– The encryption in the FTP client has to be set to “Require explicit FTP over SSL” (or TLS). (Figure 7-5)
– The IP address of the FTP server is 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).
– The login for the FTP server corresponds to the user administration created for the FTP of the CP (see chapter 8.8). In this application the CP was configured as follows: User name and password: ftp_user.


Setting for the FTP server
For the use of FTPS scenario A (see chapter 4.2) you have to configure the following items in your FTP server software:
– The encryption in the FTP server has to be set to “Require explicit FTP over SSL” (or TLS). (Figure 7-6)
– A user has to be created according to the LOGIN from the FTP_PARAM data block DB181 (see chapter 8.9). In this application the following LOGIN was stored: User name and password: ftp_user. (Figure 7-7)
– Definition of a directory with the respective access rights.
– Export the project certificate from the certificate manager and import it into the FTP server (see chapter 8.4).
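As an added example (not part of the Siemens application description), the following Python code shows the client-side counterpart of the FTP client settings for scenario B: explicit AUTH TLS before any credentials are sent, a protected data channel, and trust restricted to the project certificate exported in chapter 8.5. The host 140.80.0.3 and the user ftp_user are taken from the page; the certificate file path, the unverified comparison context and the helper names are assumptions.

```python
import ssl
from ftplib import FTP_TLS

# Values from the application description (chapter 7.1.2, scenario B)
CP_FTPS_HOST = "140.80.0.3"   # gigabit interface of the CP 343-1 Advanced V3
CP_FTPS_USER = "ftp_user"     # user created in the CP user administration (chapter 8.8)


def build_tls_context(project_cert_file=None, check_hostname=True):
    """TLS settings for the client side of 'Require explicit FTP over SSL/TLS'.

    project_cert_file: path to the project certificate exported from the
    certificate manager (hypothetical path supplied by the caller). When given
    it becomes the only trust anchor, so a server presenting any other
    certificate is rejected. When omitted the system trust store is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # never continue without a valid cert
    if project_cert_file:
        ctx.load_verify_locations(cafile=project_cert_file)
    # The CP is addressed by IP; relax hostname matching only if the exported
    # certificate carries no subject alternative name for 140.80.0.3.
    ctx.check_hostname = check_hostname
    return ctx


def unverified_context():
    """For comparison only (constructed): a client that accepts any server
    certificate, which the 'Require explicit FTP over SSL' setting rules out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """True if the context verifies the server and requires TLS 1.2 or newer."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def build_ftps_client(project_cert_file=None, check_hostname=True, timeout=10.0):
    """An FTP_TLS object that is not yet connected. ftplib only implements
    explicit FTPS (AUTH TLS on port 21), matching the client setting on the page."""
    return FTP_TLS(context=build_tls_context(project_cert_file, check_hostname),
                   timeout=timeout)


def ftps_login(ftps, password, host=CP_FTPS_HOST, user=CP_FTPS_USER, port=21):
    """Explicit FTPS handshake: plain TCP connect, AUTH TLS, then login and
    PROT P so directory listings and file transfers are encrypted as well.
    Needs the live CP, so it is not called at import time."""
    ftps.connect(host, port)
    ftps.auth()                 # upgrade the control channel before credentials
    ftps.login(user, password)
    ftps.prot_p()               # protect the data channel too
    return ftps.getwelcome()
```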


7.2 Configuration of NTP (secure)

7.2.1 Basic configuration

For the use of time synchronization via NTP with a CP 343-1 Advanced V3, the following configuration steps have to be made upfront:
– Enabling the security function in CP 343-1 Advanced V3
– Enabling the NTP (secure) function in CP 343-1 Advanced V3
– Definition of an NTP server
– Entering the required encryption method and key

The PG/PC of the service center with the STEP 7 project serves as configuration computer.

Table 7-1

1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.

2. Open the properties of the CP by double-clicking. Enable the security function in the Security tab.

3. Go to the Time-of-Day Synchronization tab and enable NTP and, in addition, the Expanded NTP configuration. Note: If you are asked for the login, enter admin as user and Administrator as password in this example.

4. Via the Run… button you get to the NTP Configuration. Create a new entry via the NTP server… button.

5. Add a new entry to the still empty list via Add….

6. Define a new server. Enter any Name, the IP address of your NTP server and select NTP (secure) as Type. Secure NTP requires authentication and a shared key for the encryption. Entries are added to the list via Add….

7. The Key ID, the Authentication method and the Key have to be identical to the parameters of your NTP server. Enter the values according to the configuration of your NTP server. Close the dialog box with OK.

8. The list of available NTP servers has been expanded by a new entry. Close the dialog box with OK.

9. Back in the NTP configuration, select Time-of-day synchronization with NTP (secure) as Synchronization mode. Assign the NTP server to the CP 343-1 Advanced V3 via Add….

10. The NTP server just defined appears in the reference list. Close the NTP configuration with OK. Close the CP properties and the warning that follows with OK.

11. Save and compile the hardware configuration.

12. Load the changes to the controller. Follow the instructions in chapter 6.3.1.

7.2.2 User-specific configuration

For using the secure time synchronization you have to configure the following items in your NTP server:
– The NTP server has to support secure NTP.
– The key ID, the authentication method and the key have to match between the NTP server and the NTP clients.
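The following Python example is added here and is not from the Siemens document. It shows why the key ID, authentication method and key must agree on server and clients, using the symmetric-key MAC format of RFC 5905 (a 4-byte key ID followed by a digest of key || NTP header) and a verifier that reports which of the three mismatches it hit. The key table, key IDs, sample keys and the MD5/SHA1 choice are constructed assumptions; which digest methods the CP 343-1 Advanced V3 actually offers is not stated on this page.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header length, RFC 5905

# Digest algorithms used for symmetric-key NTP authentication (assumption:
# the page does not say which of these the CP supports). value = (hash, length)
DIGESTS = {"MD5": (hashlib.md5, 16), "SHA1": (hashlib.sha1, 20)}

# Constructed key table in the spirit of an ntp.keys file: key_id -> (method, key)
SERVER_KEYS = {
    10: ("MD5", b"constructed-example-key"),
    11: ("SHA1", b"another-constructed-key"),
}


def build_client_request() -> bytes:
    """Minimal NTPv4 client packet: LI=0, VN=4, mode=3; timestamps left zero (sample)."""
    return bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


def authenticate(header: bytes, key_id: int, method: str, key: bytes) -> bytes:
    """Append the RFC 5905 MAC: 4-byte key ID, then digest(key || header)."""
    algo, _ = DIGESTS[method]
    digest = algo(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict) -> tuple:
    """Recompute the MAC with the key selected by the packet's key ID.

    Returns (True, "ok") or (False, reason). A key ID unknown to the receiver,
    a method whose digest length differs, a wrong key, or a modified header
    all end here, as does an unauthenticated packet."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, f"unknown key ID {key_id}"
    method, key = keys[key_id]
    algo, digest_len = DIGESTS[method]
    if len(received) != digest_len:
        return False, f"digest length {len(received)} does not match {method}"
    expected = algo(key + header).digest()
    if not hmac.compare_digest(received, expected):  # constant-time comparison
        return False, "digest mismatch (key, method or packet differs)"
    return True, "ok"


if __name__ == "__main__":
    request = authenticate(build_client_request(), 10, "MD5", SERVER_KEYS[10][1])
    print(verify(request, SERVER_KEYS))
```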


8 Additional Instructions

The following chapter is provided for information purposes. The time synchronization, the activation of the security and FTPS function, the configuration of the NetPro connection and the configuration of the VPN connection are already configured in the supplied example project.

Note In order for the changed configuration to be accepted when loading, “Save/Compile” has to be selected in the HW Config.

Follow the instructions in chapter 6.3.1 (Remote Station 1).

8.1 Time synchronization with the SIMATIC mode

In order to establish the VPN connection, a valid time in the CP is essential. The following table shows the time synchronization with the SIMATIC mode.

Table 8-1

1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.

2. Open the properties of the CP by double-clicking. Activate the SIMATIC mode in the Time-of-Day Synchronization tab and select From station as option.

3. Close the properties dialog with OK. Confirm the note also with OK.

4. Select the CPU and open the properties by double-clicking. Go to the “Diagnostics/Clock” tab. Set As master as synchronization type in the CPU and a time interval of 1 second. Close the dialog box with OK.

5. Save and compile the hardware configuration.

6. Load the changes to the controller.

7. To check the current time in the CPU, select the CPU of RemoteStation1 in the SIMATIC Manager and open the respective dialog via the “PLC > Set Time of Day…” context menu.

8. Change the time of the controller if required.

9. The CP has now been set to the correct time.


8.2 Enabling the security function in CP 343-1 Advanced V3

In order to use the CP 343-1 Advanced V3 as VPN node and the FTPS and NTP functions (secure), the security function in the hardware configuration of STEP 7 has to be enabled for this module.

Note The security function can only be enabled if the gigabit interface is connected.

Table 8-2

1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.

2. Open the properties of the CP by double-clicking. Enable the security function in the Security tab.

3. You are prompted to create a login for the configuration. Define a user and password and close the dialog with OK.

4. Close the properties dialog of the CP with OK.

5. Confirm the change of the protection level with OK.

6. Save and compile the hardware configuration.


8.3 Configuration with the Security Configuration Tool

The security configuration tool is the configuration software for all security modules. Since the example application also uses a security CP, the SCT integrated in STEP 7 is used. This section shows the necessary steps in the security configuration tool, to generate three VPN tunnels.

Opening the integrated SCT
As soon as a security CP is integrated in the hardware configuration and its security functions have been activated, the SCT integrated in STEP 7 can be opened in the hardware configuration of the CP via “Edit > Security Configuration Tool”.

Integrating the security modules
The CP 343-1 Advanced V3 is automatically displayed when opening the SCT integrated in STEP 7. All other components involved in the VPN are now integrated manually in the SCT:
– SCALANCE S612 V3
– SCALANCE M875
– SOFTNET Security Client

Table 8-3

1. Open the Security Configuration Tool. The created CP is already displayed in the list of modules. Note: When you are asked for a login, enter the user and password that you created when enabling the security function in the CP (see chapter 8.2).

2. Create a new security module in the Security Configuration Tool via the “Right mouse button > Insert Module” context menu or via the respective icon.

3. For the integration of the SCALANCE S612 V3 change the parameters as follows:
   Product type: SCALANCE S
   Module: S612
   Firmware release: V3
   Name of the module: Central (a different name can also be assigned)
   MAC address: enter the MAC address of your module here
   IP address (ext.): 172.16.41.2
   Subnet mask (ext.): 255.255.0.0
   Enable Routing.
   IP address (int.): 192.168.0.2
   Subnet mask (int.): 255.255.255.0
   Close the dialog box with OK.

4. The SCALANCE S612 V3 is displayed in the list of modules. Double-click the Standard router column of the SCALANCE S612 V3 and enter the internal IP address of the DSL router (172.16.0.1) here.

5. Repeat step 2 for the configuration of the SCALANCE M875. Change the parameters as follows:
   Product type: SOFTNET Configuration
   Module: SCALANCE M87x
   Name of the module: Remote2 (a different name can also be assigned)
   IP address (ext.): default settings
   Subnet mask (ext.): default settings
   IP address (int.): 192.168.22.1
   Subnet mask (int.): 255.255.255.0
   Close the dialog box with OK.

6. Repeat step 2 for the integration of the SOFTNET Security Client in the configuration. Change the parameters as follows:
   Product type: SOFTNET Configuration
   Module: SOFTNET Security Client
   Firmware release: V4
   Name of the module: Service (a different name can also be assigned)
   Close the dialog box with OK.

7. All modules are now integrated in the Security Configuration Tool.

Creating the VPN groups
Security modules can establish an IPsec tunnel with each other for secure communication if they are assigned to the same group in the project. For this application three groups are intended:
– Group 1: Communication between SCALANCE S612 V3 and CP 343-1 Advanced V3.
– Group 2: Communication between SCALANCE S612 V3 and SCALANCE M875.
– Group 3: Communication between SCALANCE S612 V3 and SOFTNET Security Client.


Table 8-4

1. Select VPN groups in the navigation area and create a new group via the “Right mouse button > Insert group” context menu.

2. Create three groups the same way.

3. Now select All modules in the navigation area and drag one module at a time into the respective group via drag&drop. The following assignments apply:
   Group1: SCALANCE S612 V3, CP 343-1 Advanced V3
   Group2: SCALANCE S612 V3, SCALANCE M875
   Group3: SCALANCE S612 V3, SOFTNET Security Client
   As soon as a module has been assigned to a group, the color of the key icon changes from gray to blue.


Switching to expanded mode
The Security Configuration Tool differentiates two operating views:
– The standard mode for the use of simple predefined firewall rules and basic setting options.
– The expanded mode for defining specific firewall rules with expanded setting options.
For the configuration of the example scenarios FTPS and NTP (secure) you have to switch to the expanded mode via “View > Advanced Mode”.

Note Once the current project has been switched to advanced mode, this cannot be undone anymore.

Configuring the VPN parameters
The VPN tunnel connection is always initiated by the VPN client. In this application the following roles are specified for the security modules:
– VPN Client: SOFTNET Security Client, CP 343-1 Advanced V3, SCALANCE M875
– VPN Server: SCALANCE S612 V3

The SOFTNET Security Client can only be VPN client; the CP 343-1 Advanced V3, the SCALANCE M875 and the SCALANCE S612 V3 can take on both roles. For assigning the VPN role and the connection address, proceed as follows:

Table 8-5

1. Select the SCALANCE S612 V3 in the content area and open the properties by double-clicking. Go to the VPN tab and change the role to “Wait for partner”. Enter the fixed IP address of the DSL access of your service center as WAN IP address. Close the window with OK. Note: Even if the S612 is waiting for a connection, a WAN IP address has to be entered. This is necessary for the creation of the configuration data of the VPN partners.


Changing the group parameters
For a VPN connection with the SCALANCE M875 and the SOFTNET Security Client, the VPN group parameters are automatically adjusted by the Security Configuration Tool. The SA lifetimes for phase 1 and phase 2 are set to 1440 minutes. Confirm the note that appears when saving the configuration files with OK.

8.4 Checking the VPN tunnel status

As soon as the security modules have been configured or loaded, the active partners start to establish a connection to the VPN server. The status can be monitored in several ways:

In the SCALANCE M875:
– at the green VPN LED on the module itself
– in the web-based management under “IPSec VPN > Status” (Figure 8-1)

In the SOFTNET Security Client:
– the status changes from red to green (Figure 8-2)

In the SCALANCE S612 V3 and CP 343-1 Advanced V3:
– via the online view in the Security Configuration Tool (Figure 8-3)


8.5 Importing/exporting the certificates

All certificates are created by the Security Configuration Tool and can be managed via the certificate manager (see chapter 3.4.2). Other certificates can be imported, and certificates can also be exported, e.g. for the FTP server.

Importing certificates
Table 8-6

1. Open the Security Configuration Tool. Note: When you are asked for a login, enter the user and password that you created when enabling the security function in the CP (see chapter 8.2).

2. Open the certificate manager via “Options > Certificate manager”.

3. Via the Import… button you can insert your own certificates.


Exporting certificates
For the verification of the nodes in secure applications, e.g. FTPS, certificates are required. They are transferred to the CP 343-1 Advanced V3 when the configuration is loaded. In order to provide the certificates to external applications as well, the certificates created by the Security Configuration Tool can be exported.

Table 8-7

1. Select the required certificate in the certificate manager and export it via the Export… button.

2. Select a storage location.

3. If you need the certificate on the PC you are currently working on, you can also install it directly via the “Right mouse button > Install certificate” context menu.


8.6 Configuration of the FTP connection in NetPro

FTP is based on a TCP connection that is created via NetPro for the CP 343-1 Advanced V3.

Table 8-8

1. Open the hardware configuration of the first station (RemoteStation1) and open NetPro via the respective NetPro icon.

2. Select the CPU of RemoteStation1. Click the first line of the connection table and create a new connection via the “Right mouse button > Insert New Connection” context menu.

3. Select an unspecified connection partner and TCP as connection type. Close this dialog and the message that appears with OK.

4. Make sure that the ID was specified as “1”. Enable the Use FTP protocol checkbox and close the dialog with OK. Note: If the ID is not “1”, a change in the STEP 7 program is necessary (see chapter 8.9 (Changing the FTP parameters in the STEP 7 program)).

5. A new TCP connection has been created for RemoteStation1.

6. Save and compile your configuration in NetPro. If the compilation completed without errors, close NetPro.

7. Load the changes to the controller.


8.7 Enabling of FTPS in CP 343-1 Advanced V3

The use of secure FTP has to be enabled in the CP 343-1 Advanced V3.

Table 8-9

1. Open the hardware configuration of the first station (RemoteStation1) and select the CP 343-1 Advanced V3.

2. Open the properties of the CP by double-clicking. Enable the security function in the Security tab.

3. Activate the FTP Server functionality in the FTP tab and the FTPS option. Close the dialog box with OK.

4. Save and compile the hardware configuration.

5. Load the changes to the controller.


8.8 Creating a user for FTP

The connection between an FTP client and FTP server may only be used by specified users. Each user can be assigned different rights.

Note Information on user administration can be found in chapter 3.4.3.

Table 8-10

1. In order to open the user administration, click Run… in the FTP tab of the properties dialog of the CP. Note: You can also open the user administration via the Security Configuration Tool via “Options > User Management”.

2. The start mask lists all already configured users with their names and roles.

3. Each user can be assigned either a system-defined or a user-defined role. Create a user-defined role in the Roles tab with the Add… button.

4. Select the CP 343-1 Advanced V3 in the object column. Assign a Name for the role and enable or disable the Rights of the role for the new user in the respective list. Close the window with OK.

5. The new role has been created and appears in the overview table. Go back to User.

6. You can create further users via Add.

7. Create a Name and Password. Select the previously defined role from the selection list. Close the window with OK.

8. The new user is shown in the overview table. Close the window with OK.

9. Acknowledge the warning with OK.

10. Close the properties of the CP 343-1 Advanced V3 and the message that appears.

11. Save and compile the hardware configuration.

12. Load the changes to the controller.


8.9 Changing the FTP parameters in the STEP 7 program

Adjusting the connection ID
If you are creating your own TCP connection in NetPro and the connection ID is not “1”, the STEP 7 program has to be adjusted. For this purpose, open OB 1 of RemoteStation1 and set the CONN_ID parameter to the value previously specified in NetPro (Figure 8-4). Save the block and download it to the CPU.

Changing the file name
The data that is sent via FTP to the server is saved under the name <Date>Production.bin (see also chapter 4.2 (Functionality scenario A)). If you want a different name instead of production.bin you can change it in DB 181 (Figure 8-5). Save the block and download it to the CPU.

Changing the LOGIN data for the FTP server
In DB 181 you can also adjust the LOGIN data and the IP address for access to the FTP server as required (Figure 8-6). Save the block and download it to the CPU.


9 Operating the Application

This chapter shows the following functionalities according to selected scenarios:
– Standard STEP 7 PG and online functions
– HTML-based access to the web servers in the modules
– Secure data exchange via FTP
– Secure time synchronization via NTP (secure)

All scenarios are offered with the PG/PC of the service center station.

Note For direct access of the service technician's PG to the remote stations, the document “Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS” is available, which is located on the same HTML page as this document.

More information on access of the service technician to the remote stations via the service center can be found in the document “Remote Control Concept with SCALANCE S Modules over IPsec secured VPN Tunnel” (see /12/ in chapter 10 (Literature)).

9.1 Requirement

For the operation of these scenarios, the following requirements apply:
– The IP addresses of the components have to be configured according to Table 5-1.
– The final configuration has to be completed as described in chapter 6.9 (Final configuration).
– The VPN tunnels have to be established (see chapter 8.4 (Checking the VPN tunnel status)).

9.2 Scenario: Standard STEP 7 PG and online functions

Description
In this scenario the following items are shown:
– All online system diagnosis functions (diagnostic buffer of the CPU, module state, operating state, monitoring/controlling, etc.).
– Controlling and monitoring of variables.
– Monitoring program states.
– Download of the complete STEP 7 program and upload of the standard STEP 7 program (without security parts).


Online system functions Table 9-1

No. Action Remarks

1. Open the hardware configuration of the first station (RemoteStation1). Go to the online view.

2. If an access address is requested

select 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).

3. In the online view the operating

states of the components are displayed by the respective icons.


4. Open the diagnostic buffer of the components by double-clicking the desired module.
5. The CP 343-1 Advanced V3 additionally provides special diagnostics. You can open the NCM diagnostics via the online mode on the CP and the Special Diagnostics button.
6. This is where you find further information on operating state, connection status, clock synchronization etc.

Note The operating states, diagnostic functions, topology and further functions can also be found on the web pages of the CPU or the CPs (see chapter 9.3 (Scenario: HTML-based access to the web servers)).


Table 9-2 Monitoring and controlling variables

No. Action
1. Open the FTP variable table in the block folder of the first station (RemoteStation1).
2. In this table you can see all variables that are useful for the FTP scenario. Go to the online mode via the respective button. In this mode the variables can be monitored or controlled.


Table 9-3 Monitoring the program

No. Action
1. Open the SIM_Process_Infos block FB183 in the block folder of the first station (RemoteStation1).
2. It is the program's job to simulate the process variables. Go to the online mode via the respective button. In this mode you can monitor the program online.


Table 9-4 Upload and download of the STEP 7 program

No. Action
1. For the program download to the CPU, select the first station (RemoteStation1) and download the STEP 7 project to the CPU via the Download button.
2. If an access address is requested, select 140.80.0.3 (gigabit interface of the CP 343-1 Advanced V3).
3. To upload the project from the CPU, open the "PLC > Upload Station to PG…" menu item. Note: The security parts cannot be downloaded from the CPU to the PG.


9.3 Scenario: HTML-based access to the web servers

Table 9-5

No. Action
1. Open an internet browser on the PC of the service center.
2. The web server of the RemoteStation2 has been enabled in the hardware configuration and can therefore be opened.
3. Enter the IP address of your CPU (192.168.22.11) in the address bar. The web page is opened.
4. On the web page you find all diagnostic and module information, topology (if configured), variable tables and other functions.


5. The web server of the CP of the RemoteStation2 has been enabled in the hardware configuration and can therefore be opened.
6. The web page of the CP 343-1 Advanced V3 of RemoteStation1 can be reached via the address https://140.80.0.3. The CP requests a login for access. User name and password correspond to the login of the Security Configuration Tool. In this example: User name: admin, Password: Administrator. Click Login to open the web page.
7. Apart from standard information you can also find details on security…


8. … media redundancy…
9. …and an update center for firmware updates, IP access tables etc.

9.4 Scenario: Secure FTP access

The FTPS scenario is divided into two transmission directions. In scenario A, the CP 343-1 Advanced V3 is the active station: as FTP client it sends the process data simulated by the CPU as a binary file to a computer in the central station. The reverse way is shown in scenario B: here, the computer in the central station is the active partner and accesses the file system of the CP in order to, e.g., copy, delete or insert files.

Requirements: For operating these scenarios, the respective requirements (see chapter 4.2 (Functionality scenario A) and chapter 4.3 (Functionality scenario B)) have to be met. Depending on the scenario, the FTP server or the FTP client has to be started on the PC.


Scenario A: The file transfer from the CP 343-1 Advanced V3 to a remote computer can be started in two ways:
- via the FTP variable table and the START variable
- via the HMI panel

Table 9-6

No. Action
1. Open the FTP variable table in the block folder of the first station (RemoteStation1).
2. In this table you can see all variables that are useful for the FTP scenario. Go to the online mode via the respective button. In this mode the variables can be monitored or controlled.
3. Select the first variable "iDB_FTP_PROCESS".START and control it via "Right mouse button > Modify Address to 1".


4. Alternatively, you can also start the FTP transfer via the panel.
5. The FTP transfer is started and a binary file is stored on the PC once the FTP routine has been performed. The target directory was defined by the FTP server configuration.


Scenario B

Table 9-7

No. Action
1. Open the FTP client on the PC and connect to the FTP server on the CP 343-1 Advanced V3.
2. Once you are asked for a password, enter ftp_user.
3. By confirming the certificate with OK you categorize the CP as trustworthy.
4. The file system of the CP 343-1 Advanced V3 is shown and can be processed (add, delete, copy files, etc.).
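As an added example that is not part of the original document, the following Python script performs the scenario B connection from the service center PC, but instead of confirming the certificate interactively as in step 3 it pins the CP's certificate by SHA-256 fingerprint before any credentials are sent and enforces encryption of the data channel as well. It assumes the CP address 140.80.0.3 from Table 9-4, that ftp_user from Table 9-7 is the user name, and a placeholder fingerprint that has to be replaced with the one of the CP certificate exported from the Security Configuration Tool.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS

# Assumed values (not taken from the document's configuration): the CP address from
# Table 9-4 and a placeholder for the SHA-256 fingerprint of the CP's own certificate.
CP_HOST = "140.80.0.3"
PINNED_SHA256 = "PLACEHOLDER_FINGERPRINT"
FTP_USER = "ftp_user"  # name from Table 9-7, assumed here to be the user name


class PinMismatch(Exception):
    """Raised when the CP presents a certificate other than the pinned one."""


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as most certificate viewers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison, tolerant of colons and letter case in the expected value."""
    got = sha256_fingerprint(der_cert).replace(":", "").lower()
    want = expected.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def list_cp_files(host: str, user: str, password: str, pinned: str) -> list:
    """Explicit FTPS (AUTH TLS) session to the CP: verify the pin, then log in, then list."""
    # The pin replaces CA-based validation, so CA and hostname checks are switched off on
    # purpose; the certificate is instead checked by fingerprint before login.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21, timeout=10)
    ftps.auth()  # upgrade the control channel to TLS
    der = ftps.sock.getpeercert(binary_form=True)
    if not fingerprint_matches(der, pinned):
        ftps.close()
        raise PinMismatch(f"unexpected CP certificate {sha256_fingerprint(der)}")
    ftps.login(user, password)
    ftps.prot_p()  # encrypt the data channel too, not only the control channel
    try:
        return ftps.nlst()
    finally:
        ftps.quit()
```

A mismatch raises PinMismatch before the password leaves the PC, which is the check that clicking OK in step 3 skips.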


9.5 Scenario: Secure time synchronization via NTP (secure)

For operating this scenario, the requirements from chapter 7.2 (Configuration of NTP (secure)) have to be fulfilled.

Table 9-8

No. Action
1. Start the NTP server. The PC with the NTP server should be in the same LAN as the CP.
2. You can follow the status of the time synchronization via the special diagnostics of the CP 343-1 Advanced V3.


10 Literature

The following lists are by no means complete and only provide a selection of appropriate sources.

Table 10-1 Bibliographic references

/1/ SCALANCE M875 UMTS router: "SCALANCE M875 operating instructions", http://support.automation.siemens.com/WW/view/en/58122394
/2/ CP 343-1 Advanced: "Manual part B CP 343-1 Advanced", http://support.automation.siemens.com/WW/view/en/61199572
/3/ SIMATIC NET Security: "SIMATIC NET Industrial Ethernet Security, Basics and application, Configuration Manual", http://support.automation.siemens.com/WW/view/en/56577508
/4/ SCALANCE M873: "System manual SCALANCE M873", http://support.automation.siemens.com/WW/view/en/49507278
/5/ Getting Started: "SIMATIC NET Industrial Ethernet Security, Setting up security, Getting Started", http://support.automation.siemens.com/WW/view/en/61630590
/6/ SCALANCE S V3: "SIMATIC NET Industrial Ethernet Security, SCALANCE S V3.0 Commissioning and Hardware Installation Manual", http://support.automation.siemens.com/WW/view/en/56576669

Table 10-2 Internet links

/7/ Siemens Industry Online Support, http://support.automation.siemens.com
/8/ Country approval for M875, http://www.automation.siemens.com/mcms/industrial-communication/en/support/ik-info/Documents/Online_CountryApprovals_GSM_UMTS_products.pdf
/9/ How do you integrate an HMI operator panel into a local network?, http://support.automation.siemens.com/WW/view/en/13336639
/10/ What firewall rules have to be configured for the SCALANCE S in order to get to the internet with the PG/PC via the SCALANCE S and router?, http://support.automation.siemens.com/WW/view/en/26517928
/11/ What firewall rules have to be configured for the EGPRS router MD741-1 in order to get to the internet with the PG/PC from the LAN of the MD741-1?, http://support.automation.siemens.com/WW/view/en/31525978
/12/ Remote Control Concept with SCALANCE S Modules over IPsec-secured VPN Tunnel, http://support.automation.siemens.com/WW/view/en/22056713
/13/ How do I proceed if the required modules are missing in the module catalog of the hardware configuration of STEP 7?, http://support.automation.siemens.com/WW/view/en/29594775
/14/ Security with SIMATIC NET, http://support.automation.siemens.com/WW/view/en/27043887


/15/ Information on Industrial Security, http://support.automation.siemens.com/WW/view/en/50203404

11 History

Table 11-1 History

Version | Date | Revisions
V1.0 | 04.04.2007 | First issue
V2.0 | 11.09.2008 | Update to EGPRS router MD741-1 and SCT V2.2; expanding the scenarios on process devices that can be configured via SIMATIC PDM
V2.1 | 14.02.2011 | Notes and corrections have been added.
V2.2 | 07.09.2011 | Chapters 4.8.2 and 4.8.3 have been added.
V3 | 01.07.2012 | Complete revision of the documentation; integration of the new security modules CP 343-1 Advanced V3, SCALANCE M875 and SCALANCE S V3; new scenarios FTPS and NTP (secure)