Unrestricted © Siemens SA 2020 Industrial Security Appliance SCALANCE S https://siemens.com/scalance-s


Page 1

Industrial Security Appliance – SCALANCE S

https://siemens.com/scalance-s

Page 2

Industrial security appliances – SCALANCE S

Design and housing variants


SC632-2C SC636-2C S615 SC642-2C SC646-2C

Industrial security appliance SCALANCE S

Page 3

The Siemens security concept

“Defense in depth” strategy

Malware detection and prevention

Patch management

User account management
- User administration (role-based access control)

System hardening
- Reduction of the vulnerabilities of an IT system

Secure communication
- Protection of communication over non-secure networks

Protection of access points
- Implementation of firewalls

Segmentation into zones / secure cells
- Segmentation of the system

Policies and procedures
- Risk management, assessments and audits
- Compliance
- Disaster recovery of the system (resilience)

Potential attacker

Physical security
- Control measures in buildings
- Video surveillance, access control


Page 4

Network Security – Scalance SC

Cell segmentation

• Segmentation to prevent the propagation of faults

• Firewall to control communications

• Address masking for standardization

• Secure remote access

• High bandwidth

• TIA Portal integration


Page 5

SCALANCE S Portfolio – Overview

Device(s)           | Interfaces       | Firewall/Routing | VPN      | Functions          | Limits
S615                | 10/100 Mbps      | 100 Mbps         | 35 Mbps  | Firewall, NAT, VPN | 128 rules, 20 VPN
SC632-2C, SC636-2C  | 10/100/1000 Mbps | 600 Mbps         | -        | Firewall, NAT      | 1000 rules
SC642-2C, SC646-2C  | 10/100/1000 Mbps | 600 Mbps         | 120 Mbps | Firewall, NAT, VPN | 1000 rules, 200 VPN


Page 6

SCALANCE S

Hardware – functions in comparison


Main characteristics

Feature                                   | SC632-2C                                  | SC636-2C                                  | S615                                      | SC642-2C                                  | SC646-2C
Number of electrical/optical ports (max.) | 2                                         | 6                                         | 5                                         | 2                                         | 6
Port characteristics, electrical (max.)   | 2x RJ45                                   | 6x RJ45                                   | 5x RJ45                                   | 2x RJ45                                   | 6x RJ45
Port characteristics, optical (max.)      | 2x SFP                                    | 2x SFP                                    | -                                         | 2x SFP                                    | 2x SFP
Data rate, electrical                     | 10/100/1000 Mbps                          | 10/100/1000 Mbps                          | 10/100 Mbps                               | 10/100/1000 Mbps                          | 10/100/1000 Mbps
Data rate, optical                        | 100/1000 Mbps                             | 100/1000 Mbps                             | -                                         | 100/1000 Mbps                             | 100/1000 Mbps
Housing                                   | Metal/plastic                             | Metal/plastic                             | Metal                                     | Metal/plastic                             | Metal/plastic
Degree of protection                      | IP20                                      | IP20                                      | IP20                                      | IP20                                      | IP20
Mounting                                  | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall
Dimensions WxHxD [mm] / Weight [g]        | 60x145x125 / 580                          | 60x145x125 / 580                          | 35x147x127 / 400                          | 60x145x125 / 580                          | 60x145x125 / 580
Power supply (redundant)                  | 24 V DC                                   | 24 V DC                                   | 24 V DC                                   | 24 V DC                                   | 24 V DC
Ambient temperature (operation)           | -40 to 70 °C                              | -40 to 70 °C                              | -40 to 70 °C                              | -40 to 70 °C                              | -40 to 70 °C
Digital input                             | 2-pin terminal block                      | 2-pin terminal block                      | 2-pin terminal block                      | 2-pin terminal block                      | 2-pin terminal block
Digital output                            | -                                         | -                                         | 2-pin terminal block                      | -                                         | -
Signaling contact                         | 2-pin terminal block                      | 2-pin terminal block                      | -                                         | 2-pin terminal block                      | 2-pin terminal block
Console port                              | Yes                                       | Yes                                       | -                                         | Yes                                       | Yes
PLUG slot                                 | Yes                                       | Yes                                       | Yes                                       | Yes                                       | Yes

Page 7

SCALANCE S

Software – functions in comparison


Main characteristics

Feature                                   | SC632-2C                              | SC636-2C                              | S615                                                    | SC642-2C                                                | SC646-2C
Type of configuration                     | WBM / CLI / SNMP / TIA Portal         | WBM / CLI / SNMP / TIA Portal         | WBM / CLI / SNMP / TIA Portal                           | WBM / CLI / SNMP / TIA Portal                           | WBM / CLI / SNMP / TIA Portal
Execution of firewall                     | Stateful packet inspection L3 / L4    | Stateful packet inspection L3 / L4    | Stateful packet inspection L3 / L4                      | Stateful packet inspection L3 / L4                      | Stateful packet inspection L3 / L4
Maximum data rate firewall/routing        | 600 Mbps                              | 600 Mbps                              | 100 Mbps                                                | 600 Mbps                                                | 600 Mbps
Maximum number of firewall rules          | 1000                                  | 1000                                  | 64                                                      | 1000                                                    | 1000
Type of VPN connections                   | OpenVPN (client to SINEMA RC)         | OpenVPN (client to SINEMA RC)         | IPsec (client + server), OpenVPN (client to SINEMA RC)  | IPsec (client + server), OpenVPN (client to SINEMA RC)  | IPsec (client + server), OpenVPN (client to SINEMA RC)
Number of possible IPsec-VPN connections  | -                                     | -                                     | 20                                                      | 200                                                     | 200
Type of hashing algorithms                | -                                     | -                                     | MD5, SHA1, SHA256, SHA384 or SHA512                     | MD5, SHA1, SHA256, SHA384 or SHA512                     | MD5, SHA1, SHA256, SHA384 or SHA512
Maximum data rate IPsec-VPN               | -                                     | -                                     | 35 Mbps                                                 | 120 Mbps                                                | 120 Mbps
NAT / NAPT                                | Yes                                   | Yes                                   | Yes                                                     | Yes                                                     | Yes

Page 8

Industrial security appliances – SCALANCE S

Protection of industrial networks with SCALANCE S615

Feature / function                                      | Benefit
Firewall and VPN (IPsec and OpenVPN to SINEMA RC)       | • Protection against unauthorized access from outside and associated data transmission
Variable security zones via VLAN                        | • High degree of flexibility for firewall configuration
Digital input for controlled tunnel creation            | • Communication via unprotected networks only if required
Auto-configuration interface for SINEMA Remote Connect  | • Time and cost savings • No expert knowledge necessary
TIA Portal1) and SINEC NMS2) integration                | • Network management and end-to-end engineering in the TIA Portal


1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018

Page 9

Industrial security appliances – SCALANCE S

Structure of SCALANCE S615


Figure labels:

Status LED: VPN ( )
SET button
Status LED: Line (L)
Redundant voltage feed
Status LED: Fault (F)
Fast Ethernet 5-port switch with retaining collars
Security zones configurable via VLAN
Status LED for DI/DO
Digital input (electrically isolated)
PLUG slot (on the back)
Mounting to
- Wall
- DIN rail
- SIMATIC S7-300 profile rail
- SIMATIC S7-1500 profile rail
QR code (EAN, MLFB)
Digital output (electrically isolated)
Grounding connection

Page 10

Industrial security appliances – SCALANCE S

Structure of SCALANCE SC-600 shown with SC646-2C


SELECT/SET button

Signaling contact

Clear LED field

• Port status

• Data rate

• Fault LED

Redundant voltage feed

PLUG slot

Console port

Digital input

- 6x RJ45 Gigabit Ethernet (GE) of which 2 are combo ports (SFP);
- RJ45 ports with Fast Connect retaining collars

Mounting to
- Wall
- DIN rail
- SIMATIC S7-300 profile rail
- SIMATIC S7-1500 profile rail

Robust IP20 housing, plastic front

Housing back made of die-cast aluminum

Grounding screw

Page 11

Industrial security appliances – SCALANCE S

Protection of industrial networks with SCALANCE SC-600

Feature / function                                                            | Benefit
Firewall or encryption performance approx. 600 Mbps or 120 Mbps respectively  | High data throughput and the best possible data security in the network
Virtual Private Network: VPN (IPsec), only SC642-2C and SC646-2C              | Eavesdropping and integrity protection
• Up to 6 ports • 2 of them designed as combo port                            | • Configurable ports – depending on requirements and quantity structure • Combo port can be equipped with SFPs for FO topologies
• Stateful inspection firewall • NAT/NAPT                                     | • Protection against unauthorized network access • Integration of networks with identical IP addresses (e.g., standardized machines)
Implementation of a flexible security zone concept                            | Network separation, DMZ (e.g., for secured remote maintenance)
TIA Portal1) and SINEC NMS2) integration                                      | Network management and end-to-end engineering in the TIA Portal
Integration into SINEMA Remote Connect                                        | Secured remote access to machinery and equipment

1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018

Page 12

Industrial security appliances – SCALANCE S

Ordering data of industrial security appliances

Product name       | Order number        | Description
SCALANCE SC632-2C  | 6GK5632-2GS00-2AC2  | 2x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, SINEMA RC device license integrated
SCALANCE SC636-2C  | 6GK5636-2GS00-2AC2  | 6x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, SINEMA RC device license integrated
SCALANCE S615      | 6GK5615-0AA00-2AA2  | 5x 10/100 Mbps RJ45 port, firewall, VPN, SINEMA RC device license optionally via KEY-PLUG
SCALANCE SC642-2C  | 6GK5642-2GS00-2AC2  | 2x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, VPN, SINEMA RC device license integrated
SCALANCE SC646-2C  | 6GK5646-2GS00-2AC2  | 6x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, VPN, SINEMA RC device license integrated

Page 13

Industrial security appliances – SCALANCE S

Approvals for SCALANCE SC-600

CE, RCM (formerly C-Tick), cULus1), cULus HazLoc1), FM1)

EMC (electromagnetic compatibility)

Emitted interference EN 61000-6-4: 2007

Interference immunity EN 61000-6-2: 2005

2011/65/EU (RoHS)

EN 50581

2014/34/EU (ATEX explosion protection directive)

ATEX classification:

II 3 G Ex nA IIC T4 Gc, KEMA 07ATEX0145 X

IECEx classification: Ex nA IIC T4 Gc, DEK 14.0025X

The products meet the requirements of the standards:

• EN 60079-15

• EN 60079-0

Marine approvals

ABS (American Bureau of Shipping, USA)

BV (Bureau Veritas, France)

DNV GL (Det Norske Veritas Germanischer Lloyd, Norway and Germany)

LRS (Lloyd's Register of Shipping, GB)

PRS (Polski Rejestr Statkow, Poland)

RINA (Registro Italiano Navale, Italy)


1) Planned for 2018

Page 14

Network Security – Scalance SC

Cell segmentation

• Segmentation to prevent the propagation of faults

• Firewall to control communications

• Address masking for standardization

• Secure remote access

• High bandwidth

• TIA Portal integration


Page 15

Industrial security appliances – SCALANCE S

Use case “Demilitarized zone (DMZ)”

Task

The security concept of an industrial network is to be divided into several security zones.

Solution

A flexible security zone concept can be implemented with the industrial security appliance SCALANCE S.

Benefit

• Different security zones such as DMZ, network separation, etc., can be implemented

• Remote access only to specific, selected sections of the industrial network

• Firewall with 600 Mbps and VPN with 120 Mbps

• NAT/NAPT support (serial machines)


Page 16

Industrial security appliances – SCALANCE S

Use case “Secured remote maintenance via rendezvous server”

Task

Secured, remote access to production sites distributed around the world is to be possible.

Solution

The industrial security appliance SCALANCE S is integrated into the management platform of remote networks (SINEMA Remote Connect). A high data throughput with maximum data security at the same time allows service technicians to quickly and securely access machinery and equipment.

Benefit

• Firewall with 600 Mbps and VPN with 120 Mbps

• NAT/NAPT support (standardized machines)

• Integration into SINEMA Remote Connect


Page 17

SINEMA REMOTE CONNECT – Architecture

Diagram labels:

Machine side: S7-1500, HMI, Machine 1/Customer 1, S615; Machine 1/Customer 2, S7-1500, HMI, M874-3; Machine 2/Customer 2, M816-1, S7-1500, HMI, Machine 3/Customer 3
INTERNET; Ethernet; ADSL router
ENGINEERING STATION CUSTOMER 2: SINEMA RC client; engineering tools; connection to the concentrator; VPN tunnel
VPN TUNNEL CONCENTRATOR: SINEMA RC server; ADSL router; static public IP or DNS
ENGINEERING STATION CUSTOMER 1: SINEMA RC client; engineering tools

Page 18

Industrial security appliances – SCALANCE S

Use case “Direct, secured access”

Task

Direct, secured access to machinery and equipment of a production site is to be made possible.

Solution

A VPN tunnel to the automation plants secured via the industrial security appliance SCALANCE S is established via the SOFTNET Security Client.

Benefit

• Firewall with 600 Mbps and VPN with 120 Mbps

• NAT/NAPT support (standardized machines)

• Direct, secured connection establishment via a client-server VPN connection


Page 19

Industrial security appliances – SCALANCE S

Use case “End-to-end engineering”


Task

The security components employed in the network are to be configurable via standard engineering methods as well as from a central location.

Solution

The industrial security appliance SCALANCE S supports common standard methods such as WBM and SNMP, and can also be centrally engineered via the TIA Portal1).

Benefit

• Standard methods such as WBM, SNMP, MIB are supported

• End-to-end engineering with the TIA Portal1)

• Integration into network management systems such as SINEMA Server and SINEC NMS2)

1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018

Screenshot labels: Network view; Setting of firewall rules; Creation of VPN connections

Page 20

SCALANCE SC-600

Use case “Secured communication in process automation”


Task

Depending on the requirements, different, secured communication channels must be established to the secured automation networks in the process automation.

Solution

A flexible security zone concept can be implemented with the industrial security appliance SCALANCE S. Thus, for example, the communication between cells can be secured.

Benefit

• Different security zones such as DMZ, network separation, etc., can be implemented

• Firewall with 600 Mbps and VPN with 120 Mbps

• Release of SCALANCE SC-600 in PCS 7 planned1)

1) SIMATIC PCS 7 release of SCALANCE SC-600 planned for 2018

Diagram labels: SCALANCE SC646-2C; SCALANCE SC642-2C; SCALANCE SC642-2C

Page 21

SCALANCE SC-600

Outlook: Use case “Service bridge”1)


Task

For reasons of security and availability, the plant bus and fieldbus are set up separately in typical process industry plants.

Solution

The service bridge is a specially configured switch that allows dedicated temporary access from the plant bus to the fieldbus while ensuring the logical separation between the fieldbuses. Security is provided by the industrial security appliance SCALANCE SC-600 between the plant bus and the service bridge.

Benefit

• Manual addressing, naming of PN devices

• Use of the scan/online function of the STEP 7 topology editor

• Use of commissioning tools (e.g., PRONETA)

• Enhanced network diagnostics (e.g., SINEMA Server)

• Access to the web servers of PROFINET devices

• Installation of firmware updates

• Access to up to 23 separate PN subnets

See also FAQ in SIOS: https://support.industry.siemens.com/cs/ww/de/view/109747975

1) Requires layer 2 firewall, which is planned for firmware version 2.0 in 2018

Diagram labels: SCALANCE SC642-2C; SCALANCE XC208 (service bridge)

Page 22

https://siemens.com/network-security

Thank you for your attention!