Danfoss keeps the focus on IT Security

Start to split your network into zones/segments. To have Danfoss devices placed on a separate network will reduce the attack surface.

This is in general a practice to consider in your network, independently of which devices you use.

The segmentation could even be extended to micro segmentation, so in case, one device is compromised, it will not spread to the rest of the network.

See below typical Segmented Network example:

Always place Danfoss systems and devices behind firewalls and other security protection appliances that limit access to only authorized remote connections. Building a highly protected network that helps prevent outside access is the most critical line of defence against cyberattacks.

We recommend that you follow these guidelines:

• Limit access to the networks on which Danfoss devices are placed.
• Ensure that Danfoss systems and devices are not accessible from the internet, unless placed behind firewalls and other security protection appliances.
• Restrict external network connectivity to your systems and devices.
• Continually monitor for events that might indicate attempted unauthorized access.
• Limit access to internal networks where devices reside.
• Isolate control and safety system networks and remote devices from the business network.

For a secure connection/access you can also use a VPN connection.

Implement secure methods for remote users to access your network. Require all remote users to connect and authenticate through a single, managed interface before conducting software upgrades, maintenance, and other system support activities.

Access to industrial networks, should be performed via authentication/audit logs, e.g., VPN or firewalls, so that access can be audited, and thus security events can be investigated if one occurs. Minimize the chances of data breaches by monitoring and auditing system events 24/7. Use intrusion detection systems, intrusion prevention systems, antivirus software, and usage logs to detect data breaches or incidents in their earliest stages.

As a good practice we suggest the use of networking monitoring software for any unusual traffic alerts, unsuccessful access attempts etc. Guidelines are vast right from general IT requirements covered in ISO 27001 to specifics in IEC 62443 and can be found in these international Standards.

A plant or machinery is usually operated by more than one person, so central user administration is therefore recommended.

Change default passwords at commissioning and use the product to create user access levels.

This is particularly important for administrator accounts and control system devices. Use role-based access with multifactor authentication to help prevent security breaches and provide a log of access activity.

Users should avoid sharing passwords, as this can help with auditing of access, and prevents passwords from being leaked out to the population in general. A shared password usually ends up being known by everyone and prevents auditing of security issues.

Consider adding password security features, such as an account lockout that activates when too many incorrect passwords are entered.

Basics:

• Whitelisting mechanisms provide additional protection against undesired applications or malware, as well as unauthorized changes to installed applications.

• Whitelisting software creates or contains a list of programs and applications that are allowed to run on the PC.

Use whitelisting to define what Apps, IPs etc. are allowed, as whitelisting is the strongest form of security control as it blocks attempts to by-pass it. However, if for any reason whitelisting is not a viable option, then if possible, implement a blacklist to block known security issues, but knowing that blacklists can be circumvented easily.

Blacklisting is a basic access control mechanism that allows blocking unwanted elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned. Those items on the list are denied access.

Blacklisting can help prevent known viruses, spyware, Trojans, worms, and other kinds of malware from accessing your system.

Often, using blacklisting and whitelisting together is the ideal option. You can use different approaches at different levels of your infrastructure and even use both within the same level.

Many organizations use both blacklisting and whitelisting for different parts of their security strategies. For example, controlling access to a computer or an account using a password is whitelisting. Only those with the password are allowed access, and all others cannot get in. Many of those same organizations also run anti-malware programs that use a blacklist of known malware to block harmful programs.

Provide cybersecurity training to your employees to help keep your organization secure. Explain phishing emails, infected attachments, malicious websites, and other methods that attack them directly.

While this is not just a cybersecurity issue, it is important to put physical controls in place so that no unauthorized person can access your equipment. Keep all controllers in locked cabinets and limit access to any connected devices.