BECKHOFF IPC User Manual
Documentation about
IPC Security
Version: 2.0.2
Date: 2015-01-22
Contents
1. Foreword 4
1.1. Notes on the documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2. Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3. Patent Pending . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.4. Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1.5. Delivery conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Documentation status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2. Introduction 7
2.1. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Target audience and goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3. Structure of this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4. Further information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.5. Addressing security concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Direct Local Access 10
3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.1. Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.2. Software components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.3. Potential threat scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2. Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2.1. BIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2.2. Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.3. Windows XP / Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3. Complementary Hardware mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.1. Locked cabinets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.2. Video surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4. Indirect Local Access 20
4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.1.1. Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.1.2. Software components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.1.3. Potential threat scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.2. Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2.1. Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2.2. Windows XP / Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.3. Complementary Hardware mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.3.1. Hardware appliances for Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.4. Complementary Software mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.4.1. Anti-Virus software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5. Remote Access 26
5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.1.1. Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.1.2. Software components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.1.3. Potential threat scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.1.4. Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2
5.2. Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2.1. Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2.2. Windows XP / Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A. Appendix 32
A.1. Remote Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
A.1.1. Notes about the Remote Desktop Protocol (RDP) . . . . . . . . . . . . . . . . . . . . 32
A.1.2. Remote maintenance from inside the organization . . . . . . . . . . . . . . . . . . . . 33
A.1.3. Remote maintenance via central VPN server . . . . . . . . . . . . . . . . . . . . . . . 33
A.1.4. Remote maintenance via VPN server on IPC . . . . . . . . . . . . . . . . . . . . . . . 34
A.2. TwinCAT ADS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
A.2.1. ADS routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
A.2.2. ADS network ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
A.2.3. ADS via gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
A.2.4. ADS via NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
A.3. Third-Party connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
A.3.1. ADS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
A.3.2. ADS-WCF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
A.3.3. OPC-UA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
A.3.4. Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
A.4. Step-by-Step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
A.4.1. General information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
A.4.2. Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
A.4.3. Windows XP / Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
B. Contact Information 71
B.1. Support and Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
B.2. Beckhoff Headquarters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
B.2.1. Beckhoff Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
B.2.2. Beckhoff Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
B.2.3. Product security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
IPC Security 3
1. Foreword
1.1. Notes on the documentation
This description is only intended for the use of trained specialists in control and automation technology who
are familiar with the applicable national standards. It is essential that the following notes and explanations
are considered when installing and commissioning these components. The responsible staff must ensure
that the application or use of the products described satisfy all the requirements for safety, including all the
relevant laws, regulations, guidelines and standards.
1.1.1. Disclaimer
This documentation has been prepared with care. The security measures described, as well as methods
of third parties to attack computers are, however, constantly changing. For that reason it is possible that
the security measures described in this documentation are not sufficient to wholly protect computer against
illegal attacks. For the most effective security for your Industrial PCs and Embedded PCs you are obliged
to engage always the most current security applications available on the market. This documentation can
only provide a basis for security and does not release you from your own liability. In the event that the
documentation contains technical or editorial errors, we retain the right to make alterations at any time and
without warning.
1.1.2. Trademarks
Beckhoff®, TwinCAT®, EtherCAT®, Safety over EtherCAT®, TwinSAFE®, XFC® and XTS® are registered
trademarks of and licensed by Beckhoff Automation GmbH. Other designations used in this publication may
be trademarks whose use by third parties for their own purposes could violate the rights of the owners.
Information is subject to change without notice and warranted only to the extent agreed in the terms of
contract.
1.1.3. Patent Pending
The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, DE102004044764, DE102007017835 with corresponding applications
or registrations in various other countries. The TwinCAT Technology is covered, including but not limited to
the following patent applications and patents: EP0851348, US6167425 with corresponding applications or
registrations in various other countries.
4
1.1.4. Copyright
© Beckhoff Automation GmbH, Germany. The reproduction, distribution and utilization of this document as
well as the communication of its contents to others without express authorization are prohibited. Offenders
will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility
model or design.
1.1.5. Delivery conditions
In addition, the general delivery conditions of the company Beckhoff Automation GmbH apply.
IPC Security 5
1.2. Documentation status
Version Comment
2.0.2
▪ Layout changes
2.0.1
▪ Revision of the document
2.0.0
▪ New structure for content
▪ Moved step-by-step articles to appendix for bet-
▪ Re-design of tables
New content:
▪ New chapter: 2 Introduction
▪ New introductory areas for every major chapter
ter reading experience
▪ Added “Potential threats” article to every major
chapter
▪ New chapter: TwinCAT (Indirect local access)
▪ New chapter: Checklists for specific scenarios
1.1.0 New content:
▪ New chapter: 3.1.2 Deactivating the Webserver
▪ New chapter: 3.2.6 Deactivating the Webserver
▪ New chapter: 4.1 Windows CE
▪ New chapter: 4.1.1 Notes about Updates
▪ New chapter: 7.3 TwinCAT remote control
▪ New chapter: 7.3.1 ADS connection through a
firewall
▪ New chapter: 7.3.2 ADS Routing via Gateway-
PC
▪ Updated chapter 7.1.1 Notes about the Remote
Desktop Protocol (RDP)
▪ Updated chapter 3.2.4 Whitelisting
▪ Updated chapter 6.1: Network-ports and fire-
walls
1.0.0 First version
6
2. Introduction
2.1. Abstract
Beckhoff Industrial PCs and Embedded PCs provide a platform based on a standardized and wellsupported
operating system to provide a high level of flexibility for developing and executing applications. The Documentation for IPC-Security provides a list of potential security threats and how to protect against them.
The documentation is structured according to different attacker models and countermeasures for the arising
potential threats. This documentation is far from being complete but will be frequently updated and maintained in the future. Please note that, depending on the scenario, it may not make sense to activate all of the
listed countermeasures. Sometimes it may even prove to be unnecessary. In any case the reader should
make sure to fully understand his/her scenario before planning to implement any security mechanisms.
Security is just another view on risk-management, so there definitely is no completely secure state, just as
there is no completely risk-free automation process.
However the documentation provides a good baseline protection, which may be sufficient for most applications.
2.2. Target audience and goals
The primary purpose of this documentation is to give customers an overview about standard security measures and strategies on Industrial-PCs (IPC) and Embedded-PCs (EPC) that are based on Microsoft Windows.
In this context, it is important for customers to understand that Microsoft Windows already includes many
features to enhance security on an IPC or EPC, e.g. the so-called “Application Whitelist”. Those features
can greatly increase the protection of industrial controllers. Because many people are not aware of them,
they sometimes dread choosing Microsoft Windows on their automation systems.
Furthermore it is also important to differentiate the IPC/EPC we use in an automation scenario with the PC
we use in a consumer scenario as an engineering computer or at home. Both scenarios have different
security requirements and entirely different workflows, e.g. system maintenance and the deployment of
Windows Updates.
2.3. Structure of this document
This documentation is split into three main areas.
IPC Security 7
General overview and content
Chapter 2 provides the reader with an overview about security in industrial automation and describes the
content of this documentation.
Security of an industrial controller
Chapters 3, 4 and 5 are based on three different views on a system’s security from the perspective of an
attacker. Does the attacker have direct access to the industrial controller, e.g. via mouse/keyboard/monitor
→ chapter 3. Does the attacker have indirect access to the industrial controller, e.g. because he infiltrated
the system via a virus→ chapter 3. Or is the attacker located somewhere in the network and tries to infiltrate
or even break the network communication between industrial controller and some other network device→
chapter 5. Every chapter provides an overview about corresponding security measures and will occasionally
reference to chapter A.
Step-by-Step and checklists
Chapter A provides step-by-step articles for security mechanisms that were discussed in earlier chapters.
The checklists mentioned in this chapter should give the reader a better overview about which security
mechanisms are important to activate in different scenarios. The chapter also provides more information
about third-party connectivity, e.g. how to connect 3rd party products with the TwinCAT PLC runtime, and
discusses common solutions from a security point-of-view.
2.4. Further information
A secure IPC can only be effectively achieved when the technical and organizational environment is providing a suitable support.
There are several frameworks to analyze and measure the technical and organizational structures. The
following list is not complete but covers the most relevant frameworks.
IEC 62443 is the upcoming standard for industrial communication systems. The documents are still in
progress, however there are usable parts already describing both, organizational and technical concepts
and measurements for systems and components.
ISO/IEC 27001 standardizes information security management systems in general. The series is targeting standard Information Technology (IT). However the concepts, best practices and processes are also
applicable in part for industrial IT.
NIST SP800-82 Guide to Industrial Control Systems (ICS) Security [12] is concretely targeting the measurement and analysis of threats in industrial control systems.
Another applicable guideline is the IT-Grundschutz-Kataloge [5].
8
2.5. Addressing security concerns
To address security-related concerns, or security-issues with our products, you may contact us at product-secinfo@
beckhoff.com. We will react to your inquiry as soon as possible.
IPC Security 9
3. Direct Local Access
3.1. Overview
This chapter deals with the scenario that a cyber criminalhas direct, local access to the industrial controller. The term “direct local access” means that the attacker can physically “grasp” the computer and interact with it via attached input devices, e.g. mouse and/or keyboard. A regrettably common scenario would be a machine hall in which the industrial controller is simply located on a desk instead of a locked cabinet and therefore in an exposed location. A potential cyber criminal can then interact with the device via its keyboard and/or mouse, attach USB sticks or even damage the device.
3.1.1. Devices
The following table provides an overview about common devices that play an important part in this scenario.
Device Category Description
IPC/EPC Industrial Controller Beckhoff Industrial-/Embedded-
PC
Keyboard Input devices Device used to input data
Mouse Input devices Device used to interact with on-
screen data
Touchscreen Input devices Device used to interact with on-
screen data
USB storage Mass storage devices USB devices used to store data
3.1.2. Software components
The following table provides an overview about software packages that play an important part in this scenario.
Software Category Description
BIOS
Microsoft Windows XP System software Operating System
Microsoft Windows 7 System software Operating System
Microsoft Windows Embedded System software Operating System
Microsoft Windows CE System software Operating system
10
Firmware
Firmware interface of a com-
puter
3.1.3. Potential threat scenarios
The following chapter gives a short overview about possible threat scenarios, which may or may not be
representative in your environment. We assume that an attacker is able to gain local access to the device
itself, just as this may be the case for a regular user. Please take the following chapters as a means to gain
a better awareness for this scenario.
3.1.3.1. Manipulated boot device
An attacker is able to attach and mount a prepared storage media and is able to boot from this device.
Alternatively, the attacker could also boot from network, if the device is equipped with such a feature. This
may either result from default BIOS settings where the boot priority is set accordingly or from the attacker
being able to access and change BIOS settings himself. Due to this, the attacker could gain access to the
whole system, including reading/writing unprotected information, e.g. passwords, configurations or business
know-how. From this point on, the operating system cannot be assumed to be secure anymore.
3.1.3.2. Manipulated USB storage device
By manipulating USB storage devices, an attacker could execute malware during system runtime if no further
security measures are taken. Due to this, an attacker gains access to the operating system with at least the
same privileges as the currently logged on user account.
3.1.3.3. Abusing password recovery mechanisms
An attacker is able to boot from other storage devices, as described in 3.1.3.1, gaining access to regular or
3rd party password recovery mechanisms. If the same Administrator password is used on several systems,
it is sufficient for the attacker to infiltrate one system to gain administrative privileges to all.
3.1.3.4. Guessing passwords
The attacker may execute brute force or dictionary attacks to guess short, weak or default passwords. Due
to this, an attacker could gain access to the affected user account and use its privileges to further infiltrate
or manipulate the system.
3.2. Hardening
This chapter explains some common strategies that can be deployed to actively secure components that
are part of the scenario. Because the operating system architecture of Windows CE differs from Windows
XP, Windows 7 or Windows Embedded, each operating system family is represented by an own chapter.
3.2.1. BIOS
It is recommended to set a password for the system’s BIOS to ensure that no changes to critical system
functions can be made, for example:
IPC Security 11
▪ Changing boot priority
▪ Resetting BIOS settings
▪ Changing CPU speed (critical for real-time applications)
▪ Disabling USB input devices (critical for Control Panel touchscreen)
▪ Deleting drive content (Low-Level format)
3.2.2. Windows CE
3.2.2.1. Setting a password
By default, Windows CE boots into a modified Microsoft Windows CE shell (Windows CE6 and above). This
modified shell helps to protect the device by letting the Administrator to configure the following features:
▪ [Optional] Configure a device password to avoid that users are able to switch to the Microsoft shell
and do configurations on their own.
▪ [Optional] Configure applications to start automatically.
Please see chapter A.4.2.1 for a Step-by-Step guide.
3.2.2.2. Webserver
Beckhoff Windows CE images are delivered with an integrated Webserver. This Webserver hosts different
web-based services, for example, the Beckhoff IPC-Diagnostics website. As it may be sufficient to just
close the corresponding firewall ports (as explained in chapter 6.4), you should deactivate the Webserver
completely if you do not require or do not use these services.
Please see chapter A.4.2.2 for a Step-by-Step guide and A.4.1.1 for a tabular overview about all webbased
services in a Beckhoff operating system image.
3.2.2.3. User accounts
Windows CE implements four different user account types: System User, SMB User, RAS User, FTP User.
Each account type has its own scope – meaning it is used in a different scenario.
System user account
Windows CE only implements one local user account that is used for system logon. You should set a
password for this user account to ensure that no undesired personnel can access the device. Chapter
A.4.2.3 shows how to set or change this password.
12
SMB and FTP user accounts
These user accounts are needed to use the integrated FTP Server or to share files and folders via the
integrated SMB Server. Beckhoff Windows CE devices include a small management program that allows
you to manage SMB and FTP User accounts. Please make sure to change the default password for the
guest and webguest user accounts as soon as possible. Chapter A.4.2.4 shows how to set or change this
password.
RAS user accounts
Beckhoff Windows CE devices are equipped with an integrated RAS server to allow remote dialin connections to the embedded device. The RAS Server is deactivated by default so you do not need to worry about
changing some kind of default password here as long as you do not activate the RAS server. However, if
you would like to use remote dialin functionalities and therefore activate the RAS server, you should change
its default passwords as explained in chapter A.4.2.5.
3.2.3. Windows XP / Windows 7
3.2.3.1. Default passwords
Beckhoff Industrial- and Embedded-PCs are delivered with a default password for the local Administrator
account. You should change this password as soon as possible and also keep in mind to use strong passwords. Please see chapter A.4.3.1 for a Step-by-Step guide and A.4.1.2 for more information about strong
passwords.
3.2.3.2. Audit Policies
You can audit access to a file or folder by configuring an Audit Policy. Each time a user accesses the
specified file or folder with a so-called Audit Event (e.g. Read or Write access), a new entry will be created
in the Windows Eventlog. Please see chapter A.4.3.2 for a Step-by-Step guide.
3.2.3.3. Password policies
Password policies should be used to ensure the usage of strong passwords on your system. It is possible
to configure the following password settings:
IPC Security 13
Setting Description
Enforce Password
history
Maximum password
age
Minimum password
age
Password must
meet complexity
requirements
Store password using reversible encryption
Additionally, you can configure settings that will automatically lock the user account, if a user repeatedly
enters a wrong password. All of these settings can be made in the Local Security Settings.
Please note: The complexity requirements defined by older version of Microsoft Windows define a minimum
count of 6 characters. Today, many sources recommend using at least 8 characters. Please see chapter
A.4.3.3 for a Step-by-Step guide and A.4.1.2 for more information about strong passwords.
3.2.3.4. Security templates
Remembers the n last used passwords so that you cannot set them again
Sets the amount of days a password may be used before the system forces the user
to change it
Sets the amount of days that a password must be used before the user can change it
Complexity requirements are described in chapter A.4.1.2.
This option shouldn’t be used because a reversible encryption always means that the
password can be re-calculated according to some decryption algorithm. However, in
some scenarios this needs to be possible, for example when using CHAP with Remote
Access
Microsoft Windows deploys a set of pre-defined security templates with every Windows XP or Windows 7
installation. These templates can be customized to meet different security requirements. As soon as you
apply a template to your system, it will automatically configure the system according to the security settings
defined in the template. There are four different template categories:
14
Category Description
Default Security This template represents the default security settings that are applied during installa-
tion of the operating system, including file permissions for the root of the system drive.
You can use this template to re-create the default installation settings.
Compatible This template re-configures your system according to the user groups: Administrator,
Power Users and Users. Administrators have the most privileges while Users have the
least, which is, of course, not surprising. However, what the template really accomplishes, is, that the system will be reconfigured so that members of the Users group
may also execute non-certified applications, meaning applications which don’t take
part in the Certified for Windows program. That means: If you want members of the
Users group to execute non-certified applications, and you don’t want to add them to
the Power Users because this would mean too much privileges, you can apply this
template and leave them in the Users group. The template therefore relaxes security
for this particular group.
Secure This template defines enhanced security settings that are least likely to impact appli-
cation compatibility. It defines the following things:
▪ Stronger password, lockout and audit settings
▪ It limits the use of LAN Manager and NTLM authentication protocols by allow-
ing only NTLMv2 responses from Clients. Clients which don¡¦t support NTLMv2
won’t be able to authenticate to the system anymore
▪ It prevents anonymous users from enumerating account names and shares
▪ It prevents anonymous users from performing SID-to-name or the corresponding
reverse functions
▪ It enables SMB packet signing, which is disabled by default
Highly Secure The Highly Secure template is a superset of the Secure template that impose further
restrictions on the levels of encryption and signing that are required for authentication
and for the data that flows over secure channels and between SMB clients and servers.
Please see chapter A.4.3.4 for a Step-by-Step guide.
3.2.3.5. Application Whitelist
The so-called “Software Restriction Policy” (or “Application Whitelist”) enables Administrators to specify
exactly which applications may be executed on a system. All other applications will be blocked by the
Operating System upon program execution. The configuration is easy and straight-forward and can be
performed via a Local Security Policy. The following documentation will give a short overview about the
different settings.
General information
When using Software Restriction Policies, you can identify and specify the software that is allowed to be executed on the system. This helps to protect your computer environment from untrusted or malevolent code.
You can define a default security level (template) of Disallowed, Basic User or Unrestricted for a security
policy object but you can also add exceptions to these templates.
IPC Security 15
Template Description
Disallowed Software will not run, regardless of the access rights of the user. Blocks users from
executing an application by default – other specific rules (exceptions, see below) may
override this one.
Basic User Allows users to execute applications that do not require administrative privileges – to
allow users to run applications with administrative privileges a specific rule must be
created.
Unrestricted (default) Users are able to execute any application by default – other specific rules (exceptions,
see below) may override this one.
To create an exception for a security level, you need to create a rule for a specific software. You can create
the following rule types:
Exception Type Description
Hash rule Sets the exception to the hash value of a given file. This ensures that only the spec-
ified file with its unique hash value can be used for this exception. It is important to
understand that this hash value can change, for example when updating the application (TwinCAT Update!!).
Certificate rule Specifies a certificate for this exception type. This rule degrades the execution of
applications as the certificate validity must be checked every time the application is
executed.
Path rule The path can either be a path in the file system or in the Windows registry
Network zone rule Uses zones as defined in Internet Explorer
Please note that you may use wildcards for a path rule, for example to create an exception for all executable
files under C:\Windows\System32. Other important settings include the Enforcement and Designated file
types setting. Enforcement settings allow you to select whether to restrict software execution for ALL user
accounts or only for non-Administrators.
The Designated File types setting lets you specify which file types should be treated as executable files.
Please see chapter A.4.1.3 for an overview about all Beckhoff software products and their corresponding
path to the executable file.
3.2.3.6. Windows AppLocker
Windows AppLocker is a feature in Windows 7 (not included in Windows Embedded Standard 7) that further
enhances the functionality of Software Restriction Policies (see chapter A.4).
This section of the IPC-Security Whitepaper will be updated in a future release.
3.2.3.7. Autorun
One of the main reasons an industrial controller is infected by a computer virus is through USB drives or
other mass-storage devices. Viruses that have been written to spread via attached storage devices often
use the Autorun feature of Microsoft Windows to install themselves on the target system. You should disable
this feature.
Please see chapter A.4.3.5 for a Step-by-Step guide.
16
3.2.3.8. Webserver
Beckhoff images that are based on Windows XP or Windows 7, are delivered with an activated IIS Webserver
that hosts different web-based services. As it may be sufficient to just close the corresponding firewall ports
of these services (as explained in chapter 6.4), you should deactivate the Webserver completely if you do
not require or do not want to use the corresponding services.
Please see chapter A.4.3.6 for a Step-by-Step guide.
3.2.3.9. Windows Registry
The Windows Registry provides many critical system settings. Therefore access to registry tools like regedit.exe
should be blocked.
Please see chapter A.4.3.7 for a Step-by-Step guide.
3.2.3.10. Windows Command Prompt
Access to the Windows Command Prompt (cmd.exe) should be blocked.
Please see chapter A.4.3.8 for a Step-by-Step guide.
3.2.3.11. Network environment
Access to the network environment icon should be blocked to constrict users to browse network computers.
Please note that this only hides the network environment icon from the Windows Explorer’s view but does
not block access to it. Other restrictions might be needed.
Please see chapter A.4.3.9 for a Step-by-Step guide.
3.2.3.12. Map network drive
Users should not be able to add or remove network drives. You should therefore block access to these
features.
Please see chapter refsec:disallowingUsersToAddNetworkDrives for a Step-by-Step guide.
3.2.3.13. Drive letters
If you do not want users to access a local CDROM or Floppy Disk drive, you can restrict access to specific
drive letters by altering the Windows registry. You can either block access to specific drive letters or just
make them disappear from the Windows Explorer’s view.
Please see chapter A.4.3.11 for a Step-by-Step guide.
IPC Security 17
3.2.3.14. The Encrypting File System (EFS)
With EFS, Windows XP gives you the opportunity to encrypt files and folders on your industrial controller. It
uses a certificate to sign and encrypt these resources. You should use this feature if you have critical project
files (e.g. TwinCAT project files) stored on your industrial controller.
Please see chapter A.4.3.12 for a Step-by-Step guide.
3.2.3.15. Write Filters
The Write Filter technology in Windows Embedded operating systems provides some advantages compared
to the desktop operating systems. A Write Filter minimizes write requests to a storage media by redirecting
all writes targeted for a protected volume to a RAM or disk cache called an overlay. This ensures longevity
of the used storage media, e.g. Compact Flash cards. However, this chapter gives an overview about
Write Filters and how they can also be used to enhance security on your industrial controller because, once
activated, all changes to a storage media will be reversed upon system reboot.
Beckhoff Windows Embedded Images (version 1.35 and higher) have both filters (EWF and FBWF) installed,
but it is not recommended to use both filters at the same time. EWF catches all writing actions allowed by
FBWF, so files will be lost after rebooting the system. We recommend to activate EWF.
For more up-to-date information about this technology please visit [4].
Enhanced Write Filter (EWF)
The Enhanced Write Filter (EWF) is a component on Windows Embedded Operating Systems (not Windows
CE). EWF filters write commands to another medium instead of being physically written to the volume itself.
It allows write commands to be discarded or committed to the physical volume at a later time. As this
minimizes writes to a specified hard disk, EWF and FBWF (see below) have become very popular as a way
to decrease wear of drives or security because EWF protects the whole partition from write access. These
write accesses will be redirected into the RAM to protect your Flash medium. This also means that, after a
reboot, the changes will be reversed and any potential security threat will be deleted. The Enhanced Write
Filter is a default component in Beckhoff operating system images for Beckhoff embedded computers and
can be activated/deactivated/configured via the Beckhoff EWF Manager.
File-Based Write Filter (FBWF)
The File-based Write Filter (FBWF) differs from the Enhanced Write Filter by protecting files directly on file
level instead of protecting a whole partition. With FBWF it is possible to define exclusions to the protection,
e.g. you could allow write access to single files on the storage medium. The File-Based Write Filter is
a default component in Beckhoff operating system images for Beckhoff embedded computers and can be
activated/deactivated/configured via the Beckhoff FBWF Manager.
3.2.3.16. USB drives
Even if the IPC is located in a secure location, e.g. a locked cabinet, there could be situations in which
USB ports are extended to the cabinet’s outside and therefore at an unsecure location. This could be the
case because of maintenance reasons or simply because of an USB port that is integrated directly into the
18
Control Panel. You should control access to these USB ports and also control which USB sticks can be
attached to the industrial controller.
Please see chapter A.4.3.14 for a Step-by-Step guide.
3.3. Complementary Hardware mechanisms
It is important to understand that the first layer of security is the physical security of your industrial controller.
Questions like “Who has physical access to the controller” and “How can I protect the controller from direct
physical access?” should be taken into account. The question about how much physical security you actually
need depends on your situation and environment. You also need to differentiate a typical consumer scenario
(home user) from an industrial environment where hundreds or thousands of employees work day-in and
day-out, often in shift-work. Securing physical access in such a scenario can be a time-consuming task and
you need to consider all aspects of your environment to cover all physical security threats.
3.3.1. Locked cabinets
A locked cabinet should be the default way to place an industrial controller. Depending on your environment,
this cabinet should be perhaps equipped with additional features like for example climate control, anti-theft
alarm, etc. To ensure that only a minimum of people may access the cabinet, an advanced access control
system should be used in accordance with the locking mechanism, for example smartcard or fingerprint
readers. This also ensures that employees leaving the company can be restricted from accessing the
cabinet in a timely manner.
3.3.2. Video surveillance
Video surveillance is often used in environments where employees are organized by shift-work or where the
field of work is decentralized and covers a large area. As video cameras can be a good and necessary step
to acquire more information about an occurred security issue, they do not actively prevent a security issue
and therefore should always be used together with other mechanisms, for example a locked cabinet.
IPC Security 19
4. Indirect Local Access
4.1. Overview
This chapter is based on the scenario that a cyber criminal has only indirect access to the industrial controller.
The term “indirect local access” means that the attacker cannot directly interact with the device but has
instead infiltrated the system, e.g. via some kind of malwarethat could jam specific functionalities or even
cause the system to crash, or by exploiting faulty software components.
4.1.1. Devices
The following table provides an overview about devices that play an important part in this scenario.
Device Category Description
IPC/EPC Industrial Controller Beckhoff Industrial-/Embedded-
PC
4.1.2. Software components
The following table provides an overview about software packages that play an important part in this scenario.
Software Category Description
Microsoft Windows XP System software Operating System
Microsoft Windows 7 System software Operating System
Microsoft Windows Embedded System software Operating System
Microsoft Windows CE System software Operating system
Windows Update Client Update Software Used to receive Windows Up-
dates from a central Windows
Update Server
Windows Update Server Update Software Used to distribute Windows Up-
dates from a central location to
network clients
4.1.3. Potential threat scenarios
The following chapter gives a short overview about possible threat scenarios, which may or may not be
representative in your environment. We assume that an attacker is able to gain local access to the device
20
itself, just as this may be the case for a regular user. Please take the following chapters as a means to gain
a better awareness for this scenario.
4.1.3.1. Manipulated USB storage device
By manipulating USB storage devices, an attacker could use USB storage devices to distribute malware
which is then executed by authorized users.
Due to this, an attacker gains access to the operating system with the same privilegesas the currently logged
on user account.
4.1.3.2. Handling untrusted E-Mails
By sending out malware via E-Mail and fooling the user to believe that the content can be trusted, an attacker
could spread malware to industrial controllers and gain access to the operating system.
Due to this, an attacker gains access to the operating system with the same privileges as the currently
logged on user account.
4.2. Hardening
This chapter explains some common strategies that can be deployed to actively secure components that
are part of the scenario. Because the operating system architecture of Windows CE differs from Windows
XP, Windows 7 or Windows Embedded, each operating system family is represented by an own chapter.
4.2.1. Windows CE
4.2.1.1. Windows Updates
To apply updates on an Embedded-PC or Industrial-PC running Windows CE, Beckhoff periodically releases
new images and publishes them on its public FTP Server. Please check ftp.beckhoff.com/software/
embpc-control/ to see if there is a new Windows CE image available for your Embedded- or Industrial-PC.
To determine the installed version simply browse to the folder \Hard Disk\. This folder contains a file that is
named after the currently installed image version.
The Beckhoff Information System provides an article about the update procedure. See [3] for more information.
IPC Security 21
4.2.2. Windows XP / Windows 7
4.2.2.1. Windows Updates
It is important to understand the different update scenarios from an IT infrastructure point-of-view. Depending
on the size of your IT infrastructure, one of the following scenarios could exist in your network environment.
Please note that there may be variations or even combinations of these scenarios.
Scenario 1: Industrial network separated from IT network with no access to the Internet
This scenario is probably one of the most commonly used setups in an industrial environment. Both, the
IT network and the industrial network, are separated by a firewall. The industrial network is not allowed to
access the IT network or the Internet and therefore cannot access any external Microsoft Update Servers.
However, there may be own Update Servers located in the IT network to distribute Windows Updates which
have been approved by the company’s IT department. For more information about these update servers,
please view the Microsoft documentation about WSUS.
22
Loading...