Cyber security disclaimer
This product is designed to be connected to and to communicate information and data via a network interface. It is your sole responsibility to provide and continuously ensure a secure connection between the product and your network or any other network (as the case may be). You shall establish and maintain any appropriate measures (such as but not limited to the installation of firewalls, application of authentication measures, encryption of data, installation of anti-virus programs, etc.) to protect the product, the network, its system and the interface against any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information. ABB Ltd and its affiliates are not liable for damages and/or losses related to such security breaches, any unauthorized access, interference, intrusion, leakage and/or theft of data or information.
Although ABB provides functionality testing on the products and updates that we release, you should institute your own testing program for any product updates or other major system updates (including but not limited to code changes, configuration file changes, third-party software updates or patches, hardware exchanges, etc.) to ensure that the security measures that you have implemented have not been compromised and that system functionality in your environment is as expected. This also applies to the operating system. Security measures (such as but not limited to the installation of the latest patches, installation of firewalls, application of authentication measures, installation of anti-virus programs, etc.) are your responsibility. You have to be aware that operating systems provide a considerable number of open ports that should be monitored carefully for any threats.
It has to be considered that online connections to any device are not secured. It is your responsibility to ensure that connections are established to the correct device (and e.g. not to an unknown device pretending to be a known device type). Furthermore, you have to take care that confidential data exchanged with the PLC is either compiled or encrypted.
Security related deployment guidelines for industrial automation
Security details for industrial automation are provided on the ABB website in a ⮫ whitepaper.
Signed firmware updates
The firmware update files for the PLC are releases digitally signed by ABB. During the update process, these signatures are validated by a hardware security component in the PLC. This way, the PLC will only update with valid, authentic firmware signed by ABB.
Open ports and services
As part of the ABB security concept, the PLC comes with minimal services opened by default. Only the services needed for initial setup and programming are open before any user application is downloaded, see ⮫ “Ethernet protocols and ports”.
Enable only the services and ports that are actually used (e.g. enable the FTPS server only if its functionality is needed).
Encrypted and signed applications
An application can be encrypted and signed in order to protect a running application in a PLC and to protect a configured project. How to set up the user management, the communication and the boot application in order to prevent unauthorized access is explained in an ⮫ application note.
Encrypted communication between devices
An ⮫ application note explains how encrypted and secured communication between devices can be established by using a TLS (Transport Layer Security) handshake or by signing certificates for a trusted communication.
Secure communication
Whenever possible, use encrypted communication between AC500 devices and third-party devices, such as HMI devices. This is necessary to protect passwords and other data.
Secure shell access for ABB service
The PLC contains a secure shell service for accessing core logging data in case of problems that need deeper analysis. This service is inactive by default, which means that no one can access this privileged shell in the normal operating state.
To activate this service, local access to the PLC is necessary, and the activation is only valid until the next power cycle of the PLC. Once activated, the service runs on TCP port 22. Each PLC also protects the secure shell access with its own individual password.
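The two guidelines above (enable only the services that are used; the service shell must be closed in normal operation and may only be open on TCP port 22 during a locally activated maintenance session) can be checked from an engineering workstation. The following audit is an added example, not ABB code: the allowlist contents and the sample port numbers (such as 502) are constructed for illustration, and the "maintenance" flag is an assumption standing in for a technician having locally activated the shell.

```python
"""Audit a PLC's TCP listening ports against the services the application needs.

Added example (not ABB code). Port numbers other than 22 are constructed.
"""
import socket
from typing import Iterable

SERVICE_SHELL_PORT = 22  # ABB service shell: inactive by default, active only until next power cycle


def probe_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> set[int]:
    """Return the subset of `ports` on which `host` accepts a TCP connection.

    Run this only against your own PLC from the engineering network; it does
    a plain TCP connect per port and sends no protocol data.
    """
    open_ports: set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def audit_ports(observed: set[int], allowed: set[int], maintenance: bool = False) -> list[str]:
    """Compare observed open ports with the allowlist and return a list of findings.

    `allowed` holds the ports of services the user application actually needs.
    Port 22 must never be allowlisted permanently: it is acceptable only while a
    service technician has locally activated the shell (`maintenance=True`).
    """
    if SERVICE_SHELL_PORT in allowed:
        raise ValueError("port 22 must not be permanently allowlisted; use maintenance=True for service sessions")
    findings: list[str] = []
    for port in sorted(observed - allowed):
        if port == SERVICE_SHELL_PORT:
            if not maintenance:
                findings.append("port 22 open outside a maintenance session: "
                                "service shell is active and stays so until the next power cycle")
        else:
            findings.append(f"port {port} open but not in the allowlist: disable the unused service")
    for port in sorted(allowed - observed):
        findings.append(f"port {port} expected open but closed: check the service configuration")
    return findings


if __name__ == "__main__":
    # Constructed sample: a PLC that should expose only port 502 (assumed Modbus/TCP)
    for line in audit_ports(probe_ports("192.0.2.10", range(1, 1025)), {502}):
        print(line)
```

Running the audit periodically (and after every download of a new application) turns the "only used services" rule into a verifiable baseline rather than a one-time setup step.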
Active user management
Enable the user management in Automation Builder.
With the help of the integrated user management, user groups with different access rights and authorizations can be defined. Configuration and handling of the user management in Automation Builder and a PLC is described in an ⮫ application note.
Frequently asked questions
For more information around cyber security please see our AC500 cyber security ⮫ FAQ.