Danfoss keeps the focus on IT Security
Danfoss Electronic Controllers is following secure development towards IEC-62443 in their Development Teams
Recommendations for Customers
To help keeping your Danfoss products secure and protected, we recommend that you implement below cybersecurity best practices.
Following these recommendations may help significantly reduce your company’s cybersecurity risk.
Start to split your network into zones/segments. To have Danfoss devices placed on a separate network will reduce the attack surface.
This is in general a practice to consider in your network, independently of which devices you use.
The segmentation could even be extended to micro segmentation, so in case, one device is compromised, it will not spread to the rest of the network.
See below typical Segmented Network example:
Always place Danfoss systems and devices behind firewalls and other security protection appliances that limit access to only authorized remote connections. Building a highly protected network that helps prevent outside access is the most critical line of defence against cyberattacks.
We recommend that you follow these guidelines:
- Limit access to the networks on which Danfoss devices are placed.
- Ensure that Danfoss systems and devices are not accessible from the internet, unless placed behind firewalls and other security protection appliances.
- Restrict external network connectivity to your systems and devices.
- Continually monitor for events that might indicate attempted unauthorized access.
- Limit access to internal networks where devices reside.
- Isolate control and safety system networks and remote devices from the business network.
For a secure connection/access you can also use a VPN connection.
Implement secure methods for remote users to access your network. Require all remote users to connect and authenticate through a single, managed interface before conducting software upgrades, maintenance, and other system support activities.
Access to industrial networks, should be performed via authentication/audit logs, e.g., VPN or firewalls, so that access can be audited, and thus security events can be investigated if one occurs. Minimize the chances of data breaches by monitoring and auditing system events 24/7. Use intrusion detection systems, intrusion prevention systems, antivirus software, and usage logs to detect data breaches or incidents in their earliest stages.
As a good practice we suggest the use of networking monitoring software for any unusual traffic alerts, unsuccessful access attempts etc. Guidelines are vast right from general IT requirements covered in ISO 27001 to specifics in IEC 62443 and can be found in these international Standards.
You can read more about Danfoss’ offerings related to monitoring solutions in the following link.
Our Alsense Cloud solution already complies with OWASP, NIST and of course with General Data Protection Regulation: Alsense IoT solutions and monitoring for HVAC-R | Danfoss
A plant or machinery is usually operated by more than one person, so central user administration is therefore recommended.
Change default passwords at commissioning and use the product to create user access levels.
|As an example: The Danfoss System Manager is a possible product, where you can define the user access level on the device to other possible users.|
This is particularly important for administrator accounts and control system devices. Use role-based access with multifactor authentication to help prevent security breaches and provide a log of access activity.
Users should avoid sharing passwords, as this can help with auditing of access, and prevents passwords from being leaked out to the population in general. A shared password usually ends up being known by everyone and prevents auditing of security issues.
Consider adding password security features, such as an account lockout that activates when too many incorrect passwords are entered.
Whitelisting mechanisms provide additional protection against undesired applications or malware, as well as unauthorized changes to installed applications.
Whitelisting software creates or contains a list of programs and applications that are allowed to run on the PC.
Use whitelisting to define what Apps, IPs etc. are allowed, as whitelisting is the strongest form of security control as it blocks attempts to by-pass it. However, if for any reason whitelisting is not a viable option, then if possible, implement a blacklist to block known security issues, but knowing that blacklists can be circumvented easily.
Blacklisting is a basic access control mechanism that allows blocking unwanted elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned. Those items on the list are denied access.
Blacklisting can help prevent known viruses, spyware, Trojans, worms, and other kinds of malware from accessing your system.
Often, using blacklisting and whitelisting together is the ideal option. You can use different approaches at different levels of your infrastructure and even use both within the same level.
Many organizations use both blacklisting and whitelisting for different parts of their security strategies. For example, controlling access to a computer or an account using a password is whitelisting. Only those with the password are allowed access, and all others cannot get in. Many of those same organizations also run anti-malware programs that use a blacklist of known malware to block harmful programs.
Provide cybersecurity training to your employees to help keep your organization secure. Explain phishing emails, infected attachments, malicious websites, and other methods that attack them directly.
|As example: Danfoss IT Department, compliant to ISO 27001, provides every year a mandatory online training to all employees, in order to train people and to understand how everyone from a company can contribute to cybersecurity.|
Cybersecurity can only be efficient when everybody contributes to making the installation system secure.
As shown in above visualization in the family of IEC-62443 standards, it will require a shared effort and activity since security is a shared responsibility. As product supplier Danfoss aims to comply with IEC 62443-4-1 & IEC 62443-4-2.
It will additionally require responsibility and mitigation from System Integrator and Asset Owner.
Check the documentation for product-specific information
Danfoss provides detailed information with every product. Review the product guides on the website or those that accompany your products to find cybersecurity recommendations and best practices directly related to your Danfoss products.
Check also online specific information like the Danfoss FAQ page, where this best practice guide was placed.
For additional information on cybersecurity best practices, review these resources:
- Quick Start Guide: An Overview of the ISA/IEC 62443 Series of Standards
ISA Global Cybersecurity Alliance (ISAGCA)
- Cybersecurity Best Practices
Center for Internet Security
- IEC 62443 Security for Industrial Automation and Control Systems
International Society of Automation (ISA)
THE INFORMATION ON THIS PAGE IS INTENDED TO HELP PROVIDE GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OF ANY KIND. DANFOSS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL DANFOSS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF DANFOSS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS DOCUMENT, INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT ARE AT YOUR OWN RISK. DANFOSS RESERVES THE RIGHT TO UPDATE OR CHANGE THIS DOCUMENT AT ANY TIME AND IN ITS SOLE DISCRETION.