IT-Security (Level 3)

  • Do business targets for IT security (e.g. network structures, patch management, etc.) exist?
  • What are the requirements for the password management system (password complexity, lifecycle, storage, allocation, ...)?
  • Should there be opportunities for Offline Access and how should this be secured against misuse?
  • Which files and which network communications should be encrypted? Which mechanism should be used?
  • Which user groups with which access rights are needed?
  • Which strategy (whitelisting, blacklisting) for protection against and removal of malicious software should be used?
  • What are the requirements for the use of removable media?
  • How should the update of virus signatures be organized?
  • How should the patching of the operating system and MES application software be organized?
    • Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS patch management be taken into account?
    • Should security patches and critical updates for the operating system of the MES system be applied as soon as possible after release?
    • Do you want to use tools for software distribution?
    • Is it specified who orders the installation of patches and who installs them? Is there an instruction available?
    • Should a compatibility check be carried out in the operating environment, e.g. on appropriate test systems before the patch is installed? Alternatively, a test can be performed "in operation", in which the patches are initially only applied to non-critical systems. 
    • Do you want to create a backup before the patch is actually applied?
    • Do you want to check the function and integrity of the system after installing the patches? How? 
    • Is it known how and when the manufacturer of the MES software is aware of vulnerabilities and patches?  
    • Do you want to install all security patches released by the software manufacturer?
  • What are the requirements for the network architecture of the MES system?
    • Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS Planungs- und Implementierungsaspekte für eine sichere Netzwerk Architektur be taken into account?
    • Do you want to build a security architecture with at least two stages, in which the components of the MES level are decoupled from the production-external world (ERP) and plant control by a firewall?
    • Has a further separation into several zones been considered within the MES level, where communication between systems in different zones is controlled via firewalls? 
  • What are the requirements for monitoring of network communications? 
  • What access control (ACL) requirements should apply to service programs and files?
    • Do you want to use firewalls that only allow legitimate traffic (between the levels or zones of a layer)? 
    • Should legitimate traffic be prevented or routed depending on the source, destination and protocol (packet filter function)?
    • Should proxy systems be provided at the MES level that avoid direct communication between systems at the plant control level with systems at the ERP level? 
  • Do you want to create documentation of the respective communication (communication matrix) between the communication participants in the network (systems, protocols)? How, automatically or manually? 
  • Should a directory of all components that participate in the network communication be available (asset inventory)? 