4.4 Integrated security concept and security strategies
4.4.1 Comprehensive security concept "Defense in Depth"
With Defense in Depth, Siemens provides a multi-layer security concept that offers industrial
plants comprehensive and far-reaching protection in accordance with the recommendations
of the IEC 62443 international standard.
Productivity and know-how are protected on 3 levels:
Plant security
Plant security uses various methods to safeguard critical components from physical access by
people. This starts with classic building access and extends to securing sensitive areas using
access control (for example, code card, iris scan, fingerprint or access code).
Network security
Automation networks must be protected against unauthorized access. This is achieved
through security measures on the product itself and in the product-related
environment.
System integrity
Targeted measures must be taken to protect existing know-how or to prevent unauthorized
access to automation processes.
You can find more information on the topics of Defense in Depth, plant security, network
security, and system integrity on the SIEMENS Industrial cybersecurity
(https://www.siemens.com/us/en/company/topic-areas/cybersecurity/industrial-security.html)
Web page.
You can also visit the download center
(https://www.siemens.com/us/en/company/topic-areas/cybersecurity/industrial-security/downloads.html)
to obtain more information on the
topic of industrial cybersecurity. The "Operational Guidelines", for example, provide
recommendations on basic security measures for secure machine and plant operation in an
industrial environment.
4.4.2 Security management
The ISO 27001 and IEC 62443 standards call for a comprehensive approach in IT and OT to
protect against cyber attacks.
Responsibility for cybersecurity and IT security
Every operator of machinery and equipment is responsible for:
• Defining cybersecurity and IT security as an important criterion in the procurement and
selection of machines and software applications
• Using suitable measures to protect production resources, data, and communication from
manipulation and theft
• Providing all necessary resources and training to employees to fully support these goals
For this purpose, suitable measures must be selected after a risk assessment and a
cost-benefit analysis in order to protect material and intellectual property and prevent damage
from occurring. These measures should be integrated into corporate processes and
procedures, evaluated regularly, and firmly anchored in the corporate culture. In addition to
protecting intellectual property, the protection of personal data must be ensured at all
organizational units and levels.
Distributed I/O system ET 200eco PN M12-L
System Manual, 11/2023, A5E48753295-AG