Pilz Pcom sec br2 User manual

PCOM sec br2

Operating Manual-1004534-EN-04

Preface

This document is a translation of the original document.

All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made

for internal purposes. Suggestions and comments for improving this documentation will be

gratefully received.

Pilz®, PIT®, PMI®, PNOZ®, Primo®, PSEN®, PSS®, PVIS®, SafetyBUS p®,

SafetyEYE®, SafetyNET p®, the spirit of safety® are registered and protected trademarks

of Pilz GmbH & Co. KG in some countries.

SD means Secure Digital

Contents

Operating Manual PCOM sec br2

1004534-EN-04 | 3

1 Introduction ............................................................................................................................ 5

1.1 Validity of documentation.......................................................................................................... 5

1.2 Using the documentation .......................................................................................................... 5

1.3 Definition of symbols................................................................................................................. 5

1.4 Third-party manufacturer licence information ........................................................................... 6

2 Safety ...................................................................................................................................... 7

2.1 Intended use ............................................................................................................................. 7

2.2 Safety regulations ..................................................................................................................... 7

2.2.1 Use of qualified personnel ........................................................................................................ 7

2.2.2 Warranty and liability ................................................................................................................ 8

3 Security ................................................................................................................................... 9

3.1 General guidelines.................................................................................................................... 9

3.2 Defense in depth....................................................................................................................... 9

3.3 Operating environment ............................................................................................................. 10

3.4 Commissioning ......................................................................................................................... 11

3.5 User accounts........................................................................................................................... 11

3.6 Operation .................................................................................................................................. 11

3.7 Decommissioning ..................................................................................................................... 12

4 Overview ................................................................................................................................. 13

4.1 Unit features ............................................................................................................................. 13

4.2 Front view ................................................................................................................................. 14

5 Function description ............................................................................................................. 15

5.1 Block diagram ........................................................................................................................... 16

5.2 VPN tunnel................................................................................................................................ 16

5.3 Input and output........................................................................................................................ 17

5.4 USB memory ............................................................................................................................ 18

6 Installation .............................................................................................................................. 19

6.1 General installation guidelines.................................................................................................. 19

6.2 Dimensions ............................................................................................................................... 19

7 Wiring ...................................................................................................................................... 20

7.1 General wiring guidelines ......................................................................................................... 20

7.2 Connection................................................................................................................................ 20

7.3 Network interfaces .................................................................................................................... 21

8 Configuration ......................................................................................................................... 22

8.1 User interface ........................................................................................................................... 22

8.2 Establish connection to SecurityBridge .................................................................................... 22

8.3 Managing users ........................................................................................................................ 24

8.3.1 Permissions .............................................................................................................................. 24

8.3.2 User groups .............................................................................................................................. 25

8.3.3 Create user ............................................................................................................................... 25

8.3.4 Manage user via RADIUS server.............................................................................................. 25

Contents

Operating Manual PCOM sec br2

1004534-EN-04 | 4

8.4 Create device............................................................................................................................ 27

8.4.1 Forwarding rules for PSS 4000................................................................................................. 27

8.4.2 Access rules for Generic Devices............................................................................................. 28

8.5 Manage certificates................................................................................................................... 28

8.6 Manage logging ........................................................................................................................ 31

8.7 Set operating modes................................................................................................................. 31

8.8 Save and secure the configuration ........................................................................................... 31

8.9 Check sum monitoring .............................................................................................................. 32

9 Access to the system in the protected network ................................................................. 33

9.1 Install client ............................................................................................................................... 33

9.2 Create new client connection.................................................................................................... 33

9.3 Log in to client........................................................................................................................... 34

9.4 Authentication procedure.......................................................................................................... 34

10 Firmware update .................................................................................................................... 37

11 Operation ................................................................................................................................ 38

11.1 LED indicators .......................................................................................................................... 38

11.2 Recovery................................................................................................................................... 39

11.3 Error mode................................................................................................................................ 40

11.4 Take SecurityBridge safely out of operation ............................................................................. 41

12 Application examples ............................................................................................................ 42

12.1 PNOZmulti with fieldbus module............................................................................................... 42

12.2 Release of remote access with a key switch ............................................................................ 43

12.3 PSS 4000 with an external control and OPC server................................................................. 44

13 Technical details .................................................................................................................... 45

14 Network data .......................................................................................................................... 48

15 Security-relevant log messages ........................................................................................... 49

16 Order reference ...................................................................................................................... 50

16.1 Product ..................................................................................................................................... 50

16.2 Accessories .............................................................................................................................. 50

Introduction

Operating Manual PCOM sec br2

1004534-EN-04 | 5

1 Introduction

1.1 Validity of documentation

This documentation is valid for the product PCOM sec br2. It is valid until new documenta-

tion is published.

This operating manual explains the function and operation, describes the installation and

provides guidelines on how to connect the product.

1.2 Using the documentation

This document is intended for instruction. Only install and commission the product if you

have read and understood this document. The document should be retained for future ref-

erence.

1.3 Definition of symbols

Information that is particularly important is identified as follows:

DANGER!

This warning must be heeded! It warns of a hazardous situation that poses

an immediate threat of serious injury and death and indicates preventive

measures that can be taken.

WARNING!

This warning must be heeded! It warns of a hazardous situation that could

lead to serious injury and death and indicates preventive measures that can

be taken.

CAUTION!

This refers to a hazard that can lead to a less serious or minor injury plus

material damage, and also provides information on preventive measures

that can be taken.

NOTICE

This describes a situation in which the product or devices could be dam-

aged and also provides information on preventive measures that can be

taken. It also highlights areas within the text that are of particular import-

ance.

Introduction

Operating Manual PCOM sec br2

1004534-EN-04 | 6

INFORMATION

This gives advice on applications and provides information on special fea-

tures.

1.4 Third-party manufacturer licence information

This product includes Open Source software with various licences.

You can receive further information by calling up the menu Technical Support → Licence

information in the web application of the SecurityBridge.

The relevant source codes can be requested via [email protected].

Your request should include the following: (a) the firmware name, (b) the firmware version,

mail address (if possible).

Pilz can charge a fee for the data medium and for sending.

The request for the source code must be received 3 years at the latest after the receipt of

the relevant GPL or LPGL. Irrespective of this period we will send you a complete, ma-

chine-readable copy of the source code as long as Pilz offers spares or technical support

for this device.

Pilz permits the purchaser of this product to edit proprietary components from Pilz that are

linked to Open Source components under the LGPL. Further, Pilz permits reverse engin-

eering for debugging of the edited, proprietary components. The results of reverse engin-

eering must not be disclosed to any third party and the edited software must not be distrib-

uted to any third party.

This product includes software developed by the OpenSSL Project for use in the OpenSSL

Toolkit (http://www.openssl.org/).

Safety

Operating Manual PCOM sec br2

1004534-EN-04 | 7

2 Safety

2.1 Intended use

The SecurityBridge PCOM sec br2 is used to protect the PSS4000 and PNOZmulti system

from network-based attacks and unauthorised access over the network.

The SecurityBridge PCOM sec br2 may only be connected to a head module from the PSS

4000 system or to a base unit of the configurable system PNOZmulti (please refer to the

document "PNOZmulti System Expansion" for details of the base units that can be connec-

ted).

The following is deemed improper use in particular

}Any component, technical or electrical modification to the product,

}Use of the product outside the areas described in this manual,

}Use of the product outside the technical details (see Technical details [ 45]).

NOTICE

EMC-compliant electrical installation

The product is designed for use in an industrial environment. The product

may cause interference if installed in other environments. If installed in other

environments, measures should be taken to comply with the applicable

standards and directives for the respective installation site with regard to in-

terference.

2.2 Safety regulations

2.2.1 Use of qualified personnel

The products may only be assembled, installed, programmed, commissioned, operated,

maintained and decommissioned by competent persons.

A competent person is a qualified and knowledgeable person who, because of their train-

ing, experience and current professional activity, has the specialist knowledge required. To

be able to inspect, assess and operate devices, systems and machines, the person has to

be informed of the state of the art and the applicable national, European and international

laws, directives and standards.

It is the company’s responsibility only to employ personnel who

}Are familiar with the basic regulations concerning health and safety / accident prevention,

}Have read and understood the information provided in the section entitled Safety

}Have a good knowledge of the generic and specialist standards applicable to the specific

application.

Safety

Operating Manual PCOM sec br2

1004534-EN-04 | 8

2.2.2 Warranty and liability

All claims to warranty and liability will be rendered invalid if

}The product was used contrary to the purpose for which it is intended,

}Damage can be attributed to not having followed the guidelines in the manual,

}Operating personnel are not suitably qualified,

}Any type of modification has been made (e.g. exchanging components on the PCB

boards, soldering work etc.).

Security

Operating Manual PCOM sec br2

1004534-EN-04 | 9

3 Security

3.1 General guidelines

}Please refer to the chapter Operating environment [ 10]. The product is not designed

for connecting a network to the internet.

}Perform a risk analysis and plan the security measures carefully. If necessary, seek ad-

vice from Pilz Customer Support.

}Please note that the product forwards ICMP Echo Request and Response packages

(ping) and ARP requests and responses between the unprotected and the protected net-

work, independent of the configuration. However, the device limits the number of pack-

ages to make flooding attacks more difficult.

}Please report any security problems of the SecurityBridge to the following E-mail ad-

dress: [email protected]

3.2 Defense in depth

Defense in depth is a security design concept. Several different security measures to pro-

tect from attacks are arranged in series and/or in layers. An attack is made difficult because

the attacker has to circumvent different security measures one after the other. This concept

can be illustrated as follows:

Company Firewall

Production Network Firewall

SecurityBridge

PNOZmulti

PSS 4000

Fig.: DefenseInDepth

The product PCOM sec br2 secures the devices in the protected network from network-

based attacks and/or unauthorised access via the network. The product is the last layer in

the Defense in depth concept. To efficiently implement the concept, the measures de-

scribed in the chapter Operating environment [ 10] must be noted.

Security

Operating Manual PCOM sec br2

1004534-EN-04 | 10

3.3 Operating environment

The product has no measures to protect against physical manipulation and/or against read-

ing of memory content during physical access. Further, the product cannot secure the

devices in the protected network when the attacker has physical access to the entire net-

work. Therefore, the product in conjunction with the devices to be protected has to be in-

stalled in a lockable control cabinet. We recommend equipping the control cabinet with a

suitable lock and organising the access to the control cabinet.

Plant network

Client PC

(VPN client)

Internet

Firewall for production

or plant network

SecurityBridge Protected

network

Company network

Client PC

(VPN client)

Unprotected network

Firewall for

company network

Fig.: Network overview

To implement the defense in depth concept provided, the product has to be arranged in the

network as shown in the figure "Network overview". The chapter Network data [ 48] de-

scribes the network protocols that the product uses to communicate with other systems.

Note these protocols when configuring your network environment.

The SecurityBridge cannot protect from network overload or flooding attacks in an unpro-

tected network. When the unprotected network is overloaded, the protected system may

not be accessible. Therefore, measures should be taken to protect the network infrastruc-

ture from flooding attacks or other overload situations.

The computer on which the VPN client and the configuration tool are run will have to be

protected by a firewall or other appropriate measures against attacks from the internet. Fur-

ther we recommend that you use a virus scanner on these computers. Protect the computer

from unauthorised use by assigning passwords, and taking further measures, if required.

We also recommend that the logged in user does not have administrator rights.

This manual suits for next models

Table of contents

Other Pilz Security System manuals

Pilz

Pilz PSEN ml b 1.1 User manual

Pilz

Pilz PSEN opII4B Series User manual

Pilz

Pilz SDD ES PROFIBUS User manual

Popular Security System manuals by other brands

Inner Range

Inner Range Concept 2000 user manual

Climax

Climax Mobile Lite R32 Installer's guide

FBII

FBII XL-31 Series installation instructions

Johnson Controls

Johnson Controls PENN Connected PC10 Install and Commissioning Guide

Aeotec

Aeotec Siren Gen5 quick start guide

IDEAL

IDEAL Accenta Engineering information

Swann

Swann SW-P-MC2 Specifications

Ecolink

Ecolink Siren+Chime user manual

Digital Monitoring Products

Digital Monitoring Products XR150 user guide

EDM

EDM Solution 6+6 Wireless-AE installation manual

Siren

Siren LED GSM operating manual

Detection Systems

Detection Systems 7090i Installation and programming manual

Se-Kure Controls

Se-Kure Controls MicroMini SK-4841 instructions

Siemens

Siemens FDM273 manual

DSC

DSC PC 4010 Programming manual

UniPOS

UniPOS 6202L quick start guide

AJAX

AJAX DoubleButton user manual

Rondish

Rondish Nexus User instructions

Pilz PCOM sec br2 User manual

Popular Security System manuals by other brands