BECKHOFF IPC-Security User Manual

3.2.3.14. The Encrypting File System (EFS)

With EFS, Windows XP gives you the opportunity to encrypt files and folders on your industrial controller. It
uses a certificate to sign and encrypt these resources. You should use this feature if you have critical project
files (e.g. TwinCAT project files) stored on your industrial controller.

Please see chapter A.4.3.12 for a Step-by-Step guide.

3.2.3.15. Write Filters

The Write Filter technology in Windows Embedded operating systems provides some advantages compared
to the desktop operating systems. A Write Filter minimizes write requests to a storage media by redirecting
all writes targeted for a protected volume to a RAM or disk cache called an overlay. This ensures longevity
of the used storage media, e.g. Compact Flash cards. However, this chapter gives an overview about
Write Filters and how they can also be used to enhance security on your industrial controller because, once
activated, all changes to a storage media will be reversed upon system reboot.

Beckhoff Windows Embedded Images (version 1.35 and higher) have both filters (EWF and FBWF) installed,
but it is not recommended to use both filters at the same time. EWF catches all writing actions allowed by
FBWF, so files will be lost after rebooting the system. We recommend to activate EWF.

For more up-to-date information about this technology please visit [4].

Enhanced Write Filter (EWF)

The Enhanced Write Filter (EWF) is a component on Windows Embedded Operating Systems (not Windows
CE). EWF filters write commands to another medium instead of being physically written to the volume itself.
It allows write commands to be discarded or committed to the physical volume at a later time. As this
minimizes writes to a specified hard disk, EWF and FBWF (see below) have become very popular as a way
to decrease wear of drives or security because EWF protects the whole partition from write access. These
write accesses will be redirected into the RAM to protect your Flash medium. This also means that, after a
reboot, the changes will be reversed and any potential security threat will be deleted. The Enhanced Write
Filter is a default component in Beckhoff operating system images for Beckhoff embedded computers and
can be activated/deactivated/configured via the Beckhoff EWF Manager.

File-Based Write Filter (FBWF)

The File-based Write Filter (FBWF) differs from the Enhanced Write Filter by protecting files directly on file
level instead of protecting a whole partition. With FBWF it is possible to define exclusions to the protection,
e.g. you could allow write access to single files on the storage medium. The File-Based Write Filter is
a default component in Beckhoff operating system images for Beckhoff embedded computers and can be
activated/deactivated/configured via the Beckhoff FBWF Manager.

3.2.3.16. USB drives

Even if the IPC is located in a secure location, e.g. a locked cabinet, there could be situations in which
USB ports are extended to the cabinet’s outside and therefore at an unsecure location. This could be the
case because of maintenance reasons or simply because of an USB port that is integrated directly into the

18