Further information, Addressing security concerns – BECKHOFF IPC-Security User Manual

General overview and content

Chapter 2 provides the reader with an overview about security in industrial automation and describes the
content of this documentation.

Security of an industrial controller

Chapters 3, 4 and 5 are based on three different views on a system’s security from the perspective of an
attacker. Does the attacker have direct access to the industrial controller, e.g. via mouse/keyboard/monitor
→ chapter 3. Does the attacker have indirect access to the industrial controller, e.g. because he infiltrated
the system via a virus→ chapter 3. Or is the attacker located somewhere in the network and tries to infiltrate
or even break the network communication between industrial controller and some other network device→
chapter 5. Every chapter provides an overview about corresponding security measures and will occasionally
reference to chapter A.

Step-by-Step and checklists

Chapter A provides step-by-step articles for security mechanisms that were discussed in earlier chapters.
The checklists mentioned in this chapter should give the reader a better overview about which security
mechanisms are important to activate in different scenarios. The chapter also provides more information
about third-party connectivity, e.g. how to connect 3rd party products with the TwinCAT PLC runtime, and
discusses common solutions from a security point-of-view.

2.4. Further information

A secure IPC can only be effectively achieved when the technical and organizational environment is provid-
ing a suitable support.

There are several frameworks to analyze and measure the technical and organizational structures. The
following list is not complete but covers the most relevant frameworks.

IEC 62443 is the upcoming standard for industrial communication systems. The documents are still in
progress, however there are usable parts already describing both, organizational and technical concepts
and measurements for systems and components.

ISO/IEC 27001 standardizes information security management systems in general. The series is target-
ing standard Information Technology (IT). However the concepts, best practices and processes are also
applicable in part for industrial IT.

NIST SP800-82 Guide to Industrial Control Systems (ICS) Security [12] is concretely targeting the measure-
ment and analysis of threats in industrial control systems.

Another applicable guideline is the IT-Grundschutz-Kataloge [5].

8