Frontpage \ Technical Systems Requirements (non-ISA) \ IT-Security

• Do business targets in terms of IT security (i.e. network structures, patch management, etc) exist?
• What are the requirements for the password management system (password complexity, lifecycle, storing, allocation, ...)?
• Should there be opportunities for Offline Access and how should this be secured against misuse?
• Which files and which network communications should be encrypted? Which mechanism should be used?
• Which user groups with which access rights are needed?
• Which strategy (whitelisting, blacklisting) for protection against and removal of malicious software should be used?
• What are the requirements for the use of removable media?
• How should the update of virus signatures be organized?
• How should the patching of the operating system and MES application software be organized?
  • Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS patch management be taken into account?
  • Should security patches and critical updates for the operating system of the MES system be applied as soon as possible after release?
  • Do you want to use tools for software distribution?
  • Is it specified who instructs the patches for installation and who installs them? Is there any instruction available? 
  • Should a compatibility check be carried out in the operating environment, e.g. on appropriate test systems before the patch is installed? Alternatively, a test can be performed "in operation", in which the patches are initially only applied to non-critical systems. 
  • Do you want to create a backup before the patch is actually applied?
  • Do you want to check the function and integrity of the system after installing the patches? How? 
  • Is it known how and when the manufacturer of the MES software is aware of vulnerabilities and patches?  
  • Do you want to install all security patches released by the software manufacturer?
• What are the requirements for the network architecture of the MES system?
  • Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS Planungs- und Implementierungsaspekte für eine sichere Netzwerk Architektur be taken into account?
  • Do you want to build a minimum two-stage security architecture in which the components of the MES level are decoupled from the production-external world (ERP) and plant control by a firewall? 
  • Has a further separation into several zones been considered within the MES level, where communication between systems in different zones is controlled via firewalls? 
• What are the requirements for monitoring of network communications? 
• What requirements for access control (ACL) on / for service programs and files should be used?
  • Do you want to use firewalls that only allow legitimate traffic (between the levels or zones of a layer)? 
  • Should legitimate traffic be prevented or routed depending on the source, destination and protocol (packet filter function)?
  • Should proxy systems be provided at the MES level that avoid direct communication between systems at the plant control level with systems at the ERP level? 
• Do you want to create documentation of the respective communication (communication matrix) between the communication participants in the network (systems, protocols)? How, automatically or manually? 
• Should a directory of all components that participate in the network communication be available (asset inventory)?