SIMATIC
Process Control System PCS 7
Configuration Trend Micro OfficeScan Server XG
Commissioning Manual
Siemens Industrial, 03/2018, A5E44395601-AA

Chapters: 1 Security information, 2 Preface, 3 Configuration
Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.
DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING: Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Division Process Industries and Drives, Postfach 48 48, 90026 NÜRNBERG, GERMANY
A5E44395601-AA P 05/2018, subject to change
Copyright Siemens AG 2018. All rights reserved.
Table of contents
1 Security information
2 Preface
3 Configuration
  3.1 Introduction
  3.2 TMOS Functions
    3.2.1 Installation
    3.2.2 General information
    3.2.3 Anti-Virus
    3.2.4 Behavior Monitoring
    3.2.5 Device Control
    3.2.6 Predictive Machine Learning
    3.2.7 Updates
1 Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines, and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions constitute one element of such a concept.

Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary, and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. For additional information on industrial security measures that may be implemented, please visit: https://www.siemens.com/industrialsecurity

Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer's exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at https://www.siemens.com/industrialsecurity.
2 Preface

This documentation describes the settings to be changed for Trend Micro OfficeScan Server (TMOS) for use in an industrial plant. The configuration covers only those TMOS settings that were used in the compatibility test with PCS 7 and WinCC.

Important information about this whitepaper
Note: The recommended settings for these virus scanners have been chosen to ensure that the reliable real-time operation of PCS 7 is not adversely affected by the virus scanner software. These recommendations describe the currently known best-possible compromise between maximizing the detection and neutralization of viruses and malware and guaranteeing a highly deterministic time behavior of the PCS 7 process control system in all operating phases. Choosing different settings for the virus scanner can have negative effects on the real-time behavior.

Purpose of the documentation
This documentation describes the recommended settings for virus scanner software in combination with PCS 7 and WinCC, to be applied after the virus scanner has been installed.

Required knowledge
This documentation is aimed at persons involved in the engineering, commissioning, and servicing of automation systems with SIMATIC PCS 7 or WinCC. Knowledge of administration and IT techniques for Microsoft Windows operating systems is assumed. In addition, readers should be familiar with the PCS 7 & WinCC security concept. Additional information is available on the Internet at the following address:
Security concept (https://support.industry.siemens.com/cs/ww/en/view/60119725)

Scope of the documentation
The documentation applies to process control systems equipped with the respective product version of PCS 7 or WinCC.
Note: Certain virus scanners are only approved for certain product versions. Additional information is available on the Internet at the following address:
Compatibility Tool (http://www.siemens.com/kompatool)
3 Configuration

3.1 Introduction
Trend Micro OfficeScan Server (TMOS) provides additional functions beyond those of a traditional virus scanner. The following configurations relate to the centrally managed version of TMOS, which is configured using the TMOS Web Console. A local, non-managed installation is permitted but is not described. Only an English installation is referred to. All configurations described are deviations from the default configuration, i.e. any setting not described is left unchanged.

3.2 TMOS Functions
TMOS provides the following functions (configurable via the TMOS Web Console):
- Anti-virus for desktops
- Anti-virus for servers
- Ransomware Protection
- Connected Threat Defense
- Plug-in Manager and Plug-in Solutions
- Centralized Management
- Security Risk Protection
- Damage Cleanup Services
- Web Reputation
- OfficeScan Firewall
- Data Loss Prevention
- Device Control
- Behavior Monitoring

The following modules and settings are recommended and were tested for compatibility in a PCS 7 and WinCC environment:
- Anti-virus for desktops: Antivirus for desktops; Web Reputation and Anti-spyware for desktops
- Anti-virus for servers: Antivirus for servers; Web Reputation and Anti-spyware for servers
- Damage Cleanup Services
The following functions are not recommended and were not checked in the compatibility test:
- Firewall for endpoints: only the Windows Firewall is released for use with PCS 7 and WinCC, as it is configured automatically depending on the product installed.
- Smart Protection / Web Reputation settings (File and Web Reputation): exchanging data with third parties is not recommended.
Any use of modules and settings that are not recommended is the user's own responsibility.

3.2.1 Installation
The following options must be configured during installation; all other options may keep their default values.

Step | Option | Setting
Installation/Setup | Install integrated Smart Protection Server | No
Installation/Setup | Enable Trend Micro Smart Feedback | do not enable (exchanging data with third parties is not recommended, see 3.2)
Installation/Setup | Enable Firewall | do not enable (only the Windows Firewall is released, see 3.2)
Installation/Setup | Anti Spyware Assessment Feature | No
Installation/Setup | Enable web reputation policy | do not enable (Web Reputation is not recommended, see 3.2)

3.2.2 General information
All OfficeScan clients must be configured on the server as "Internal Clients".

3.2.3 Anti-Virus
The following configurations relate to a default installation.

Agents -> Global Agent Settings:
Area | Setting | Recommended
Scan Settings | Do not scan files in the compressed file if the size exceeds | Set to 1000
Scan Settings | In compressed file, scan only the first | Set to 100000
Scan Settings | Clean/Delete infected files within compressed files | –
Alert Settings | Display a notification message if the endpoint needs a restart to load a kernel mode driver | –
(–: the source page shows only a checkbox for this setting and the value is not legible)
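The three compressed-file limits recommended for the agent (the size and file-count limits above, and the layer depth "Scan compressed files: 6" in the agent scan settings) decide how deep the scanner looks into an archive before giving up. The following Python example is added here to make that visible on a test endpoint; it is not part of this manual and not Trend Micro code. It builds nested ZIP archives and reports which of the three limits an archive would exceed. The placeholder payload is constructed; for a live scanner test the operator substitutes the EICAR test file. That the size limit is expressed in MB in the Web Console is an assumption.

```python
"""Build nested ZIP test archives and check them against the compressed-file
scan limits recommended in this manual (added example; not Siemens or Trend
Micro code).  Copy the archives it writes to a test endpoint to confirm which
settings actually apply on an agent."""
import io
import zipfile

# Constructed, harmless placeholder.  For a real scanner test substitute the
# EICAR test file contents (www.eicar.org); it is deliberately not embedded.
PAYLOAD = b"harmless placeholder payload\n"

# Values recommended in section 3.2.3.  The size limit is taken to be in MB
# as shown in the Web Console (assumption about the unit).
MAX_LAYERS = 6
MAX_FILES = 100000
MAX_SIZE_MB = 1000


def build_nested_zip(depth, payload=PAYLOAD, inner_name="sample.txt"):
    """Return a ZIP nested `depth` layers deep with `payload` innermost.

    depth=1 is a plain archive holding inner_name; each further layer wraps
    the previous archive as layer<n>.zip.
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    data, name = payload, inner_name
    for layer in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{layer}.zip"
    return data


def build_flat_zip(members):
    """Return a single-layer ZIP holding the {name: bytes} mapping `members`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nesting_depth(data):
    """Count ZIP layers down to the first non-ZIP or multi-member level (0 if not a ZIP)."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        depth += 1
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                break  # only single-member chains are followed further down
            data = zf.read(names[0])
    return depth


def exceeded_limits(data, max_layers=MAX_LAYERS, max_files=MAX_FILES,
                    max_size_mb=MAX_SIZE_MB):
    """Return the sorted list of limits ("files", "layers", "size") an archive exceeds.

    An empty list means the archive is within all three limits, i.e. the
    scanner is expected to inspect it down to the innermost content.  Every
    layer is checked for member count and largest uncompressed member size.
    """
    exceeded = set()
    if nesting_depth(data) > max_layers:
        exceeded.add("layers")
    size_limit = max_size_mb * 1024 * 1024
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > max_files:
                exceeded.add("files")
            if any(info.file_size > size_limit for info in infos):
                exceeded.add("size")
            if len(infos) != 1:
                break
            data = zf.read(infos[0].filename)
    return sorted(exceeded)


if __name__ == "__main__":
    # Write one archive just inside and one just outside the layer limit.
    for depth in (MAX_LAYERS, MAX_LAYERS + 1):
        archive = build_nested_zip(depth)
        with open(f"nested_{depth}.zip", "wb") as fh:  # constructed test artefacts
            fh.write(archive)
        print(depth, "layers ->", exceeded_limits(archive) or "within limits")
```

An archive that exceeds one of these limits is not inspected down to its innermost content at the moment it is written, which is the price paid for bounded scan latency on the operator station. Because the agent scan is also set to react to "Created/modified" file activity, the content is scanned once it is extracted; the limits therefore move the detection point rather than remove it, and the agent log on the test endpoint should show exactly that for the two archives the script writes.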
Agents -> Agent Management -> Settings -> Scan Settings:
Area | Setting | Recommended
Scan Methods | Conventional scan | Select
Target -> User Activity on Files | Created/modified | Select
Target -> Scan Settings | All scannable files | Select
Target -> Scan Settings | Scan the boot sector of the USB storage device after plugging in | Check
Target -> Scan Settings | Scan all files in removable storage device after plugging in | Check
Target -> Scan Settings | Quarantine malware variants detected in memory | Check
Target -> Scan Settings | Scan compressed files | Set to 6
Target -> Scan Settings | Scan OLE objects | Set to 10
Action -> Virus/Malware | Use the same action for all virus/malware types | Select; 1st action "Clean", 2nd action "Quarantine"
Action -> Virus/Malware | Display a notification on the endpoints when virus/malware is detected | –
Action -> Spyware/Grayware | Deny access | Select
Action -> Spyware/Grayware | Display a notification on endpoints when spyware/grayware is detected | –

Agents -> Agent Management -> Settings -> Privileges and Other Settings:
Area | Setting | Recommended
Privileges -> Proxy Settings | Allow users to configure proxy settings | –
Privileges -> Component Updates | Perform "Update Now!" | –
Other Settings -> Update Settings | OfficeScan agents download updates from the Trend Micro ActiveUpdate Server | –
Other Settings -> Update Settings | Enable schedule-based updates on OfficeScan agents | –
Other Settings -> Web Reputation Settings | Display a notification when a web site is blocked | –
Other Settings -> Behavior Monitoring Settings | Display a notification when a program is blocked | –
Other Settings -> C&C Contact Alert Settings | Display a notification when a C&C callback is detected | –
Other Settings -> Predictive Machine Learning Settings | Display a notification when a threat is detected | –
Other Settings -> Restart Notification | Display a notification if the endpoint needs to restart to finish cleaning infected files | –
(–: the source page shows only a checkbox for this setting and the value is not legible)

3.2.4 Behavior Monitoring
The following configurations relate to a default installation.

Agents -> Agent Management -> Settings -> Behavior Monitoring Settings:
Area | Setting | Recommended
Rules -> Malware Behavior Blocking | Enable Malware Behavior Blocking | –

3.2.5 Device Control
The following configurations relate to a default installation. The recommendation is to use Device Control only to prevent the use of USB devices, for example.

Agents -> Agent Management -> Settings -> Device Control Settings:
Area | Setting | Recommended
Internal Agents -> Notification | Display a notification on endpoints when OfficeScan detects unauthorized device access | –

3.2.6 Predictive Machine Learning
The following configurations relate to a default installation.

Agents -> Agent Management -> Predictive Machine Learning:
Area | Setting | Recommended
Detection Settings | File | Set to Log only
Detection Settings | Process | Set to Log only

3.2.7 Updates
The following configurations relate to a default installation. The settings for reaching the Trend Micro Update Server on the Internet or a higher-level update server must be adapted to the relevant network topology.

Updates -> Agents -> Automatic Update:
Area | Setting | Recommended
Event-triggered Update | Initiate component update on agents immediately after the OfficeScan server downloads a new component | –
Event-triggered Update | Let agents initiate component update after restarting and connecting to the OfficeScan server (independent agents excluded) | –
Schedule-based Update | Daily | Select; start time of your choice; "Update for a period of" set to 1 hour
Since it is not possible to deactivate "Schedule-based Update", select "Daily", set a start time of your choice and set "Update for a period of" to 1 hour.