
SIMATIC
Process Control System PCS 7
Process Control System PCS neo

Managing Endpoint Security Solutions

Function Manual

10/2023
A5E52386975-AA
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG
Digital Industries
Postfach 48 48
90026 NÜRNBERG
GERMANY

A5E52386975-AA
Ⓟ 10/2023 Subject to change
Copyright © Siemens AG 2023. All rights reserved
Table of contents

1 Cybersecurity information (Page 5)

2 Preface (Page 7)
2.1 Additional documents (Page 7)
2.2 Special notes (Page 7)
2.3 Introduction to endpoint security (Page 9)

3 Managing Endpoint Security (Page 11)
3.1 General information (Page 11)
3.2 Signature based virus scanners (Page 12)
3.2.1 Signature based virus scanners (Page 12)
3.2.2 Basic virus scanner architecture (Page 13)
3.2.3 Strategy for distributing virus signatures/definitions (Page 16)
3.2.4 Approved virus scanners for DCS (Page 16)
3.2.5 Virus scanner test options (Page 16)
3.3 Endpoint Detection and Response (EDR) solutions (Page 17)

4 Practical Information (Page 19)
4.1 Project specific support (Page 19)
4.2 Additional information (Page 19)
4.3 Abbreviations (Page 20)

Managing Endpoint Security Solutions


Function Manual, 10/2023, A5E52386975-AA 3
1 Cybersecurity information
Siemens provides products and solutions with industrial cybersecurity functions that support
the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
cybersecurity concept. Siemens’ products and solutions constitute one element of such a
concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary
and only when appropriate security measures (e.g., firewalls and/or network segmentation)
are in place.
For additional information on industrial cybersecurity measures that may be implemented,
please visit
https://www.siemens.com/global/en/products/automation/topic-areas/industrial-cybersecurity.html.
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customer’s exposure to
cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Cybersecurity
RSS Feed under https://new.siemens.com/global/en/products/services/cert.html.

2 Preface
2.1 Additional documents
• Security Concept SIMATIC PCS 7 & WinCC (basic document) provides an overview of and
guidance on the basic principles and security strategies for a SIMATIC PCS 7 or WinCC
based process control / SCADA system. For more information, refer to
Security Concept SIMATIC PCS 7
(https://support.industry.siemens.com/cs/document/109780811).
• SIMATIC PCS 7 Compendium, Part F describes in detail how the different security
measures and solutions can be implemented in the SIMATIC PCS 7 environment.
For more information, refer to Compendium, Part F
(https://support.industry.siemens.com/cs/document/109815443).
• Security Concept SIMATIC PCS neo (basic document) provides an overview of and guidance
on the basic principles and security strategies for a SIMATIC PCS neo based process
control / SCADA system. For more information, refer to Security Concept SIMATIC PCS neo
(https://support.industry.siemens.com/cs/de/de/view/109802560/en).
• Industrial Security in SIMATIC PCS neo describes in detail how the different security
measures and solutions can be implemented in the SIMATIC PCS neo environment. For
more information, refer to Industrial Security SIMATIC PCS neo
(https://support.industry.siemens.com/cs/de/de/view/109814845/en).

2.2 Special notes

Scope of this document


The focus of this document is to provide recommendations to ensure plant availability. It is
the customer's responsibility to implement and enforce the configurations for endpoint
security solutions described in this document.
This document contains generic recommendations regarding the usage of endpoint security
solutions for DCS. The recommendations are separated into signature based anti-virus
solutions and modern endpoint security solutions (e.g., EDR/XDR).


For approved endpoint security solutions (signature based anti-virus and allow-list) in DCS,
refer to "Compatibility Tool (https://support.industry.siemens.com/cs/document/64847781)"
and to the chapter "Approved virus scanners for DCS (Page 16)". Support for the use of
alternative EDR/XDR solutions that have not been compatibility-tested with DCS is provided
by our customer service department; refer to the chapter "Project specific support (Page 19)".

Note
The information provided focuses on DCS and their related computers. Other computers,
such as infrastructure computers in the perimeter network, can be configured differently
regarding endpoint protection, e.g., in order to recognize attacks early.

The recommendations provided in this document are intended to support responsible plant
owners in evaluating an alternative anti-virus solution / endpoint security solution.
An evaluation carried out by the customer does not lead to a released solution for DCS.

Required Knowledge
This documentation concerns everyone who is involved in configuring, commissioning and
operating DCS. It is assumed that the reader has appropriate knowledge of installing,
configuring and managing the described security solutions in their own process control
environment.

Validity
This document must be used together with the currently valid DCS manuals:

SIMATIC PCS 7: SIMATIC PCS 7 all Manuals (https://www.siemens.com/pcs7-manuals)

SIMATIC PCS neo: SIMATIC PCS neo Manual Hardware (https://sieportal.siemens.com/su/bi8H5),
SIMATIC PCS neo Manual Software (https://sieportal.siemens.com/su/bi8Iy),
SIMATIC PCS neo Overview (https://support.industry.siemens.com/cs/us/en/view/109762327)

Abbreviations/terminologies used in this document are listed in the chapter "Abbreviations
(Page 20)".

2.3 Introduction to endpoint security

The SIMATIC PCS 7 security concept
(https://support.industry.siemens.com/cs/document/109780811) and the SIMATIC PCS neo
security concept (https://support.industry.siemens.com/cs/de/de/view/109802560/en)
describe measures for creating a holistic and consistent security concept. Protection of
endpoints is to be considered as part of such a holistic security concept.
Malware can infiltrate the industrial system during data transmission from external,
untrusted sources into the system environment, e.g., via updates, portable media, downloads
and unsecured network connections. As a consequence of a malware attack, the availability
and operation of the plant can be affected. Endpoint security products can be used to
protect against malware.
Traditional anti-virus solutions are reactive and detect potential security threats by matching
known signatures and attack patterns. Such an approach requires regular updates (at least
once a day) so that the anti-virus solution can use new signatures to detect currently
known malware.
Modern endpoint security solutions are more flexible and go beyond the signature-based
approach.
EDR/XDR solutions are predictive and focus on identifying advanced persistent threats and
previously unknown malware. EDR solutions can combine cyber threat intelligence, machine
learning capabilities, application behavior and advanced file analysis to help detect
advanced threats. Additionally, EDR/XDR solutions record and store queries and security
events to detect and analyze suspicious activities over time.
In the following chapters, general recommendations and examples are given for DCS.

3 Managing Endpoint Security
Using endpoint security solutions in a process control system is only effective when they are
part of a comprehensive and holistic security concept. An endpoint security solution alone
generally cannot protect a process control system against possible security threats.
In the following chapters, recommendations are provided that should be considered for the
use of different endpoint security solutions. An endpoint security solution can be a signature
based anti-virus software or a more modern EDR/XDR solution.
Based on this, exemplary architectures are shown that pursue the goal of ensuring that the
integration of the respective security solution does not weaken the recommendations made
in the SIMATIC PCS 7 security concept
(https://support.industry.siemens.com/cs/document/109780811) and the SIMATIC PCS neo
security concept (https://support.industry.siemens.com/cs/de/de/view/109802560/en).

Note
The provided information needs to be understood as examples. The recommendations and
information can be used for evaluation and implementation of a chosen 3rd party solution in
conjunction with the plant specific conditions.

3.1 General information


The use of an endpoint security solution, such as anti-virus, should never inhibit the runtime
operation of a system.
The following points describe possible issues that the use of such a solution could raise in
an automation system:
• An endpoint security solution must not shut down a computer that is compromised by
malware if there is any risk of losing control of the production process or if the system can
no longer be brought into a safe state.
• In general, a distinction should be made between computers and systems that are
necessary to control the process and infrastructure computers and systems. Infrastructure
computers and systems are those not required to control the process; they may be
switched off in the event of an attack such as malware (for example: WSUS, web server,
front firewall (next generation)).
• If data must be exchanged with the endpoint security solution vendor, it needs to be
ensured that this does not violate data protection guidelines (for example: GDPR) or
customer internal company guidelines.
• Data with a high availability requirement that is compromised by malware must not be
moved, blocked or deleted automatically if such actions would prevent the traceability
of important measured values.

• System and application files that are compromised by malware must not be moved,
blocked or deleted automatically if such actions could influence the stable operation of
the production process or as long as the process is not brought into a safe state.
• The performance influence of such an endpoint security solution on the process control
system should be checked before it is used inside a productive environment. For example,
to determine the effect of the endpoint security product on the performance of the process
control system, it is recommended to test the process control system before and after
installation of the product as described below:
  – Timing behavior on the Engineering Station (ES)
    Open an archived project
    Archive project data
    Load project data to the AS
    Load project data to the server of DCS / client of DCS
  – Timing behavior in DCS
    Restart redundant servers of DCS
    Redundancy synchronization of redundant servers of DCS (synchronization start after
    restart / synchronization finished)
    Switch-over time of the client of DCS
    Usual runtime operations, for example: picture change
  – General timing behavior
    For example: installation of Windows updates
    For example: installation of a new DCS server

These test cases are only examples.

3.2 Signature based virus scanners

3.2.1 Signature based virus scanners


The following recommendations apply to the use of signature based virus scanners running
in industrial environments:
• If required, data or reports can be sent to the endpoint security vendor, for example,
when malware is found. For this reason, the defense in depth concept should be
considered. The communication from plant computers to the endpoint security vendor
should be established via a proxy/representative computer located in the perimeter
network of the plant to avoid direct internet access of process control computers.
• Within a centrally managed virus scanner architecture, options can be available for
organizing and configuring the virus scan clients in groups.


• It should be possible to disable automatic distribution of virus signatures.
• It should be possible to distribute virus signatures manually and group-based.
• If required, an option should be provided to manually initiate a file and system scan within
selected groups. Neither a manual scan (also known as an "on-demand scan", depending
on the product) nor a time-controlled scan ("scheduled scan", depending on the product)
should be performed on virus scan clients while process mode (runtime) is active. If
necessary, the scan should be initiated manually and at regular intervals, for example,
within a maintenance interval and on all computers of the system.
• When malware is detected, the scanner must always generate a message. To ensure plant
availability for essential functions, it is recommended to configure the scanner and not to
force any file actions, for example, deleting, blocking or moving files.
• The virus scan clients need to be configured to prevent the display of any local malware
alarm messages that could hide more important process information or could allow
breakouts from the graphical runtime interface to the Windows desktop. Alarm messages
should just be displayed on an adequate management system.
• For reasons of performance, the virus scan clients should be configured to scan only
newly created, copied or changed local files, incoming data via network access and data
copied via portable media. This prevents overlapping or time- and performance-consuming
scans.

• The virus scan server or WSUS distributes the virus signatures to the virus scan clients to
ensure that clients do not need direct internet access to receive signature file updates.
• Which additional functionality provided by the anti-virus product is used should be
evaluated on a plant- and risk-based basis. It is recommended that only the basic
functionality of signature based anti-virus is used. Additional functions such as a firewall
should be deactivated because the firewall provided by the Windows operating system is
already configured and in use.

3.2.2 Basic virus scanner architecture


The recommendations provided in the chapter “Signature based virus scanners (Page 12)” can
be applied to different architectures, as shown in the following examples.

Note
The used example figures in this chapter refer to SIMATIC PCS 7, but can also be used for
SIMATIC PCS neo.


1. Server / Client Architecture


A virus scan server receives its virus signatures from the update server of the respective virus
scan vendor on the Internet or from an upstream virus scan server and manages its virus scan
clients. A web console or similar can be used for administrative purposes on the virus scan
server.
Depending on the vendor, several virus scan servers can be operated in parallel or within a
hierarchical structure.

Example figure for SIMATIC PCS 7: server / client architecture

2. Decentralized architecture with update server


The requirement that updates can be obtained from the manufacturer via the Internet
remains unchanged.
The following architecture is based on Microsoft Defender Antivirus. This virus scanner is
supplied as part of the Windows operating system. Microsoft offers definition updates
(Security Intelligence Updates) and "Updates for Microsoft Defender Antivirus antimalware
platform" via WSUS. In addition, Microsoft offers different configuration options for
Microsoft Defender Antivirus:
– Local group policies
– Active Directory (Windows Domain) for the central administration of group policies
– Microsoft Endpoint Configuration Manager
– PowerShell cmdlets
– Windows Management Instrumentation (WMI)

Example figure for SIMATIC PCS 7: decentralized architecture with update server
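The following script is an added example and is not part of this manual or of the Siemens or Microsoft documentation. It applies the recommendations of chapter 3.2.1 (internal signature source, no scheduled scans in process mode, no forced file actions, no local alarm pop-ups, no data sent to the vendor, on-access scanning kept, exclusion of high-availability data) to Microsoft Defender Antivirus using the PowerShell cmdlets named above. The file share, the exclusion paths and the choice to disable vendor reporting entirely are assumptions for the example; the plant-specific values and the result of the data protection check replace them.

```powershell
# Added example, not taken from the Siemens manual: chapter 3.2.1 recommendations
# applied to Microsoft Defender Antivirus with the Set-MpPreference cmdlet.
# Run in an elevated PowerShell on a DCS computer. The UNC share and the
# exclusion paths are placeholders for plant-specific values.
#Requires -RunAsAdministrator

$SignatureShare = '\\wsus-or-fileserver.plant.example\DefenderSignatures'  # placeholder
$DcsDataPaths   = @('C:\ProjectData', 'D:\Archives')                       # placeholders

# 1. Signature source: internal update server (WSUS) or file share, never the
#    Internet, so the virus scan clients need no direct Internet access.
Set-MpPreference -SignatureFallbackOrder 'InternalDefinitionUpdateServer|FileShares'
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SignatureShare
# 8 = never: no scheduled signature check on the client; which signatures reach
# the client is decided by the approvals on WSUS / the content of the share.
Set-MpPreference -SignatureScheduleDay 8

# 2. No scheduled or catch-up scans while the process is running; scans are
#    started manually in a maintenance window (Start-MpScan) instead.
Set-MpPreference -ScanScheduleDay 8            # 8 = never
Set-MpPreference -DisableCatchupFullScan $true
Set-MpPreference -DisableCatchupQuickScan $true

# 3. Detect and report, but do not force file actions. 9 = NoAction in the
#    ThreatAction enumeration. Confirm on the test system that a detection with
#    this setting still produces the Defender operational log event that the
#    central management system collects.
Set-MpPreference -LowThreatDefaultAction 9
Set-MpPreference -ModerateThreatDefaultAction 9
Set-MpPreference -HighThreatDefaultAction 9
Set-MpPreference -SevereThreatDefaultAction 9

# 4. No local alarm pop-ups on operator stations (headless UI); alarms are
#    viewed on the management system only.
Set-MpPreference -UILockdown $true

# 5. Data sent to the vendor: fully disabled here. Enable only after the
#    GDPR / company-guideline check, and then only via the proxy in the DMZ.
Set-MpPreference -MAPSReporting 0              # 0 = disabled
Set-MpPreference -SubmitSamplesConsent 2       # 2 = never send

# 6. Keep on-access scanning of new, copied and changed files and of removable
#    media; exclude the high-availability process data from scanning.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableRemovableDriveScanning $false
Add-MpPreference -ExclusionPath $DcsDataPaths

# Read back the effective settings for the commissioning record.
Get-MpPreference | Select-Object SignatureFallbackOrder, SignatureScheduleDay,
    ScanScheduleDay, HighThreatDefaultAction, UILockdown, MAPSReporting,
    SubmitSamplesConsent, ExclusionPath | Format-List
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

Settings made with Set-MpPreference are overridden by group policy where a policy for the same setting exists, so in a domain the same values belong in the central group policy; the read-back at the end shows which value is actually in effect on the computer.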


For more information about the specific configuration and use of Microsoft Defender
Antivirus in SIMATIC PCS 7, refer to:

SIMATIC PCS 7: Compendium, Part F
(https://support.industry.siemens.com/cs/document/109815443)

SIMATIC PCS neo: Industrial Security SIMATIC PCS neo
(https://support.industry.siemens.com/cs/de/de/view/109814845/en)

DCS: Microsoft (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide)

3.2.3 Strategy for distributing virus signatures/definitions


To exclude any risk to stable process operation from the use of a virus scanner and to take
precautions against the minor risk of receiving "harmful" virus signatures/definitions (false
positives: virus signatures/definitions that incorrectly classify automation software or
relevant operating system files as malware), we recommend the following procedure when
updating virus signatures:
1. Download the virus signatures.
The virus scan server downloads the virus signatures from the update server of the virus
scan vendor on the Internet or from a virus scan server on the intranet.
2. To detect any negative impact on system operation, configure a small-scale test system that
can simulate the vital functions of the existing productive system.
3. Start by loading the new virus signatures on this test system.
4. If no fault has occurred on the test system after a defined period of time and the virus scan
vendor has not reported any compatibility problems with the virus signatures, the
signatures can be uploaded to the productive system.
This procedure keeps the effects on productive system operation to a minimum.
5. If supported by the virus scan product used, deploy the updated signatures group-wise.
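The following script is an added example and is not part of this manual; it expresses the five steps above for Microsoft Defender Antivirus clients as a two-stage script. The 'Test' stage loads the signatures on the test system (step 3) and records the time; the 'Promote' stage, run after the defined period, applies the step 4 gate (period elapsed, no fault observed, no vendor report) and then deploys group by group (step 5), stopping at the first failure. The computer names, group names, state file location and 24-hour soak period are assumptions for the example.

```powershell
# Added example, not taken from the Siemens manual: chapter 3.2.3 as a two-stage
# rollout script. Computer names, group names, the state file and the soak
# period are placeholders for plant-specific values.
param(
    [ValidateSet('Test', 'Promote')] [string] $Stage = 'Test',
    [bool] $FaultObserved = $false,           # outcome of the test system observation
    [bool] $VendorProblemReported = $false,   # vendor advisory for this signature set?
    [timespan] $SoakPeriod = [timespan]::FromHours(24)
)
$StateFile = Join-Path $env:ProgramData 'DcsSignatureRollout.json'   # placeholder

# Rollout order: test system first, then production groups, redundant servers last.
$Groups = [ordered]@{
    'TestSystem'       = @('TEST-OS01', 'TEST-ES01')   # placeholders
    'Infrastructure'   = @('WSUS01', 'WEB01')          # may be switched off if needed (chapter 3.1)
    'OperatorStations' = @('OS01', 'OS02')
    'Servers'          = @('OSS01', 'OSS02')           # redundant pair, one after the other
}

function Test-PromotionReady {
    # Step 4 gate: soak period elapsed, no fault on the test system, no vendor report.
    param(
        [Parameter(Mandatory)] [datetime] $LoadedOnTestAt,
        [Parameter(Mandatory)] [timespan] $Soak,
        [Parameter(Mandatory)] [bool] $Fault,
        [Parameter(Mandatory)] [bool] $VendorProblem
    )
    $soakElapsed = (Get-Date) -ge $LoadedOnTestAt.Add($Soak)
    return ($soakElapsed -and -not $Fault -and -not $VendorProblem)
}

function Invoke-GroupSignatureUpdate {
    # Step 5: every computer of one group pulls the signatures from the internal
    # update server; the first failure stops the rollout so that a problem never
    # propagates to the next group.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $version = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Update-MpSignature -UpdateSource InternalDefinitionUpdateServer
                (Get-MpComputerStatus).AntivirusSignatureVersion
            }
            Write-Host ("{0}: signature version {1}" -f $computer, $version)
        }
        catch {
            throw "Signature update failed on $computer, rollout stopped: $($_.Exception.Message)"
        }
    }
}

switch ($Stage) {
    'Test' {
        # Step 3: load the new signatures on the test system only and note the time.
        Invoke-GroupSignatureUpdate -ComputerName $Groups['TestSystem']
        @{ LoadedAt = (Get-Date).ToString('o') } | ConvertTo-Json | Set-Content -Path $StateFile
        Write-Host 'Test system updated; run again with -Stage Promote after the soak period.'
    }
    'Promote' {
        $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        $ready = Test-PromotionReady -LoadedOnTestAt ([datetime]$state.LoadedAt) -Soak $SoakPeriod `
                                     -Fault $FaultObserved -VendorProblem $VendorProblemReported
        if (-not $ready) {
            Write-Warning 'Gate not passed: signatures stay on the test system.'
            return
        }
        foreach ($name in @($Groups.Keys | Where-Object { $_ -ne 'TestSystem' })) {
            Write-Host "Deploying signatures to group '$name'"
            Invoke-GroupSignatureUpdate -ComputerName $Groups[$name]
        }
    }
}
```

Usage: `.\Rollout.ps1 -Stage Test` on the day the signatures arrive, then `.\Rollout.ps1 -Stage Promote -FaultObserved $false -VendorProblemReported $false` after the observation period; the fault and vendor flags are deliberately passed in by the person who checked, not derived automatically, because the gate is an engineering decision.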

3.2.4 Approved virus scanners for DCS


Further information about virus scanners that have been compatibility-tested for use with
SIMATIC PCS 7 and SIMATIC PCS neo is published via the compatibility tool; refer to
"Compatibility Tool for Automation and Drive Technology
(https://support.industry.siemens.com/cs/document/64847781)".
If a corporate standard for anti-virus and/or endpoint security that has not been
compatibility-tested by Siemens with SIMATIC PCS 7 or SIMATIC PCS neo is established by
the plant owner, you can follow the recommendations provided in this document and adapt
or configure your specific anti-virus/endpoint security solution product accordingly.

3.2.5 Virus scanner test options


Virus scanner test files are available at
"Eicar (https://www.eicar.org/download-anti-malware-testfile/)".

They can be used to run a simple malware detection and reporting test and to test the
corresponding reaction of the virus scanners.
If you require further support, you will find additional information on this in the chapter
"Project specific support (Page 19)".

3.3 Endpoint Detection and Response (EDR) solutions


The following recommendations apply to the use of EDR/XDR solutions in industrial
environments. They should be evaluated before such a product is used, taking into account
the information in the chapter "General information (Page 11)":
• When additional functionality provided by cloud-based services is used, it must be ensured
that process-relevant computers do not have direct internet access. Relevant cloud based
communication should take place via a suitable representative, for example, a proxy in the
perimeter network (DMZ), protected by an up-to-date firewall. This ensures that the
Defense in Depth concept, especially in the area of segmented networks, is fulfilled.
• It is necessary to ensure that the protection and runtime operation of protected computers
do not fail completely, even if the internet connection is temporarily interrupted.
• The configuration of the EDR solution should be performed using an EDR console located
in the perimeter network (DMZ) of the plant. Configuration of the EDR solution from the
cloud should be prevented to ensure that there is no negative impact on the plant and on
the runtime operation of the involved process control systems.
• It should be clarified with the vendor of the EDR/XDR solution used which data is collected
from the configured process control systems and forwarded to the cloud of the endpoint
security vendor for further analysis. It should be ensured that this does not violate data
protection guidelines (for example, GDPR) or customer internal company guidelines.
• It should be ensured that the EDR/XDR solution provides a lightweight agent with
reasonable usage of CPU, memory, hard disk, network bandwidth and so on. Neither the
agent nor the solution as a whole may negatively influence the stable operation of the
monitored process control systems. This applies to all conditions that can occur in a plant
(for example, trip of the process, archiving of huge amounts of data, OPC data exchange
with 3rd party systems).
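The following script is an added example and is not part of this manual or of any EDR vendor's documentation. It checks, on a process-relevant computer, the first point of the list above (no direct internet path; cloud traffic only possible via the proxy in the DMZ) and whether the EDR agent service is present and running. The proxy address, the vendor cloud host name and the agent service name are assumptions; the vendor's documented cloud endpoint and service name replace them.

```powershell
# Added example, not taken from the Siemens manual: verification that a
# process-relevant computer has no direct Internet access, that only the DMZ
# proxy is reachable for cloud communication, and that the EDR agent runs.
# Host names, proxy address and service name are placeholders.

$DmzProxy     = 'proxy.dmz.plant.example'   # placeholder
$DmzProxyPort = 8080                        # placeholder
$VendorCloud  = 'edr-cloud.vendor.example'  # placeholder, vendor-documented endpoint
$EdrService   = 'ExampleEdrAgent'           # placeholder, vendor-documented service name

function Test-DirectInternetBlocked {
    # A direct TCP/443 connection from this computer to the vendor cloud must
    # fail (no route, no DNS resolution or a firewall drop all count as blocked).
    # Success means the computer has direct Internet access and the network
    # segmentation is not effective.
    param([Parameter(Mandatory)] [string] $Target)
    $direct = Test-NetConnection -ComputerName $Target -Port 443 `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
    return (-not $direct)
}

function Test-ProxyReachable {
    # The DMZ proxy is the only permitted path for cloud communication.
    param([Parameter(Mandatory)] [string] $Proxy, [Parameter(Mandatory)] [int] $Port)
    return [bool](Test-NetConnection -ComputerName $Proxy -Port $Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue)
}

function Test-WinHttpProxyIsDmz {
    # Many agents use the system-wide WinHTTP proxy; it must point at the DMZ proxy.
    param([Parameter(Mandatory)] [string] $Proxy)
    $line = (netsh winhttp show proxy) -join ' '
    return ($line -match [regex]::Escape($Proxy))
}

function Test-EdrAgentRunning {
    param([Parameter(Mandatory)] [string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$checks = [ordered]@{
    'Direct Internet access blocked' = Test-DirectInternetBlocked -Target $VendorCloud
    'DMZ proxy reachable'            = Test-ProxyReachable -Proxy $DmzProxy -Port $DmzProxyPort
    'WinHTTP proxy points to DMZ'    = Test-WinHttpProxyIsDmz -Proxy $DmzProxy
    'EDR agent service running'      = Test-EdrAgentRunning -Name $EdrService
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'CHECK' })
}
```

For the second point of the list (operation during an interrupted internet connection), the same checks are repeated with the internet uplink of the front firewall disabled: the agent service must still be running and the protected computer must continue its runtime operation.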

Example figure for SIMATIC PCS 7: EDR based solution

4 Practical Information
4.1 Project specific support
This document provides recommendations to be applied to customer-specific endpoint
security products used together with DCS. These recommendations can result in the
need for a detailed evaluation of the installation and configuration of the system
combination, as well as a comprehensive test in a test lab that reflects the customer's plant
environment and use cases. This provides timely indication of possible negative impact on
the later productive operation of the system.
It should also be considered that initially performed tests need to be repeated regularly, for
example, based on product updates or changes in the configured plant environments.
These actions require extensive expertise. Siemens offers professional support through its
customer service department, which can support the plant owner on a specific security
solution within DCS.
For further information regarding services for 3rd party endpoint protection solutions, refer
to:

SIMATIC PCS 7: Siemens internet page
(https://support.industry.siemens.com/cs/document/109810527)

SIMATIC PCS neo: Siemens internet page
(https://support.industry.siemens.com/cs/document/109823998)

4.2 Additional information


Software setup routines usually represent a serious modification of the local system and
should always be run from a malware-free and trusted storage source via a file server, a DVD
or a write-protected USB medium provided with the software/system; a virus scanner should
not unnecessarily obstruct or corrupt such installations. To achieve this goal, you should
select so-called file transfer / installation servers or virus scan configuration settings that do
not interfere with setup procedures, without having to completely disable the virus scanner.
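The following script is an added example and is not part of this manual. It shows one way to install software from a trusted installation server without disabling Microsoft Defender Antivirus: the setup is copied to a local staging directory (the copy is scanned on write, as recommended in chapter 3.2.1), its Authenticode signature, signer and published hash are verified, and only the staging directory is excluded from scanning for the duration of the setup, with the exclusion removed again afterwards. The server path, staging directory, publisher name, hash value and silent-install switch are assumptions.

```powershell
# Added example, not taken from the Siemens manual: verified installation from a
# trusted source with a temporary, scoped Defender exclusion instead of a
# disabled scanner. Paths, publisher, hash and setup switch are placeholders.
#Requires -RunAsAdministrator

$InstallSource   = '\\install-srv.plant.example\Setup\ProductX'   # placeholder
$Staging         = 'C:\Staging\ProductX'                          # placeholder
$ExpectedSha256  = '<SHA-256 published with the software>'        # placeholder
$ExpectedSubject = 'CN=Example Software Publisher'                # placeholder

function Test-TrustedInstaller {
    # Refuses the setup unless signature status, signer and hash all match.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha256,
        [Parameter(Mandatory)] [string] $Subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is '$($sig.Status)', setup refused"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Subject*") {
        throw "Unexpected signer '$($sig.SignerCertificate.Subject)', setup refused"
    }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        throw "Hash mismatch for $Path, setup refused"
    }
    return $true
}

# Copy from the trusted source; on-access scanning covers the copied files.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Copy-Item -Path (Join-Path $InstallSource '*') -Destination $Staging -Recurse -Force
$Setup = Join-Path $Staging 'setup.exe'

Test-TrustedInstaller -Path $Setup -Sha256 $ExpectedSha256 -Subject $ExpectedSubject | Out-Null

# Scoped, temporary exclusion instead of switching the scanner off: real-time
# protection stays active for everything outside the staging directory.
Add-MpPreference -ExclusionPath $Staging
try {
    $proc = Start-Process -FilePath $Setup -ArgumentList '/quiet' -Wait -PassThru   # switch is product-specific
    Write-Host "Setup finished with exit code $($proc.ExitCode)"
}
finally {
    # Removed whether the setup succeeded, failed or was interrupted.
    Remove-MpPreference -ExclusionPath $Staging
}
```

The exclusion is added and removed around the setup only; if the product's own documentation names specific process or path exclusions for normal operation, those are configured separately and permanently, as in chapter 3.2.1.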

4.3 Abbreviations
The abbreviations/terminologies used in this document and their meanings are listed here.

Abbreviation / terminology          Description
DCS                                 The abbreviation refers to the two Distributed Control Systems (DCS) SIMATIC PCS 7 and SIMATIC PCS neo.
Example figure for SIMATIC PCS 7    The example figures refer to SIMATIC PCS 7, but can also be used for SIMATIC PCS neo.
DMZ                                 Demilitarized Zone
EDR                                 Endpoint Detection and Response
GDPR                                General Data Protection Regulation
IDS                                 Intrusion Detection System
IPS                                 Intrusion Prevention System
OT                                  Operational Technology
WSUS                                Windows Server Update Services
XDR                                 Extended Detection and Response
