- Do business targets in terms of IT security (e.g. network structures, patch management, etc.) exist?
- What are the requirements for the password management system (password complexity, lifecycle, storage, allocation, ...)?
- Should offline access be possible, and how should it be secured against misuse?
- Which files and which network communications should be encrypted? Which mechanism should be used?
- Which user groups with which access rights are needed?
- Which strategy (whitelisting, blacklisting) for protection against and removal of malicious software should be used?
- What are the requirements for the use of removable media?
- How should the update of virus signatures be organized?
- How should the patching of the operating system and MES application software be organized?
- Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS patch management be taken into account?
- Should security patches and critical updates for the operating system of the MES system be applied as soon as possible after release?
- Do you want to use tools for software distribution?
- Is it specified who orders the installation of patches and who installs them? Is an instruction available?
- Should a compatibility check be carried out in the operating environment, e.g. on appropriate test systems before the patch is installed? Alternatively, a test can be performed "in operation", in which the patches are initially only applied to non-critical systems.
- Do you want to create a backup before the patch is actually applied?
- Do you want to check the function and integrity of the system after installing the patches? How?
- Is it known how and when the manufacturer of the MES software is aware of vulnerabilities and patches?
- Do you want to install all security patches released by the software manufacturer?
- What are the requirements for the network architecture of the MES system?
- Should the recommendations of the Namur AK4.18 Automation Security according to AK-PRAXIS Planungs- und Implementierungsaspekte für eine sichere Netzwerk Architektur be taken into account?
- Do you want to build a security architecture with at least two stages, in which the components of the MES level are decoupled from the production-external world (ERP) and from plant control by a firewall?
- Has a further separation into several zones been considered within the MES level, where communication between systems in different zones is controlled via firewalls?
- What are the requirements for monitoring network communications?
- What access control (ACL) requirements should apply to service programs and files?
- Do you want to use firewalls that only allow legitimate traffic (between the levels or zones of a layer)?
- Should legitimate traffic be prevented or routed depending on the source, destination and protocol (packet filter function)?
- Should proxy systems be provided at the MES level to avoid direct communication between systems at the plant control level and systems at the ERP level?
- Do you want to document the communication between the participants in the network (systems, protocols) in a communication matrix? If so, should it be created automatically or manually?
- Should a directory of all components that participate in the network communication be available (asset inventory)?
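
The network questions above (level separation by firewall, MES-level proxies, communication matrix, asset inventory) can be checked against each other mechanically. The following is an added example, not part of the original checklist: it reviews a communication matrix against an asset inventory and then uses the approved entries as a default-deny packet filter. The host names, level labels and ports are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int

# Constructed asset inventory: component name -> level (names are hypothetical).
INVENTORY = {
    "erp-app": "ERP",
    "mes-db": "MES",
    "mes-proxy": "MES",
    "plc-line1": "PLANT",
}

# Constructed communication matrix: the flows documented as legitimate.
MATRIX = [
    Flow("erp-app", "mes-proxy", "tcp", 443),
    Flow("mes-proxy", "plc-line1", "tcp", 4840),
    Flow("erp-app", "plc-line1", "tcp", 102),   # direct ERP -> plant control
    Flow("mes-db", "historian", "tcp", 1433),   # destination missing from inventory
]

def review_matrix(matrix, inventory):
    """Return (approved_flows, findings) for a documented communication matrix."""
    approved, findings = [], []
    for flow in matrix:
        zones = [inventory.get(flow.src), inventory.get(flow.dst)]
        if None in zones:
            findings.append((flow, "endpoint not in asset inventory"))
        elif set(zones) == {"ERP", "PLANT"}:
            findings.append((flow, "ERP and plant control must go via an MES-level proxy"))
        else:
            approved.append(flow)
    return approved, findings

def packet_filter(flow, approved):
    """Default deny: pass only traffic matching an approved source, destination and protocol/port."""
    return "allow" if flow in approved else "deny"

if __name__ == "__main__":
    approved, findings = review_matrix(MATRIX, INVENTORY)
    for flow, reason in findings:
        print(f"FINDING {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
    for flow in approved:
        print(f"ALLOW   {flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
```
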