Siemens Version: 1.2 User Manual
2. Security Services
2.2.4 Firmware Update
The firmware of the security device can be updated. For this purpose, Siemens
supplies encrypted and digitally signed firmware. The user has to authenticate
to the security module before loading new firmware. The new firmware is
transferred to the security module via HTTPS. The signature of the firmware update
is verified; if the verification succeeds, the new firmware is decrypted and stored
as plain data. A security module accepts only new firmware carrying a correct
signature. Hence it is guaranteed that no manipulated flash software is loaded into
the security module, but only authentic software. The private key for computing the
signature is known only to Siemens and is stored securely, so that new
firmware can only be distributed by Siemens. The corresponding public key for the
verification is stored in the EEPROM of each security module. The signature of the
firmware is checked when it is updated, whereas at boot time only a checksum of the
stored firmware is verified. The confidentiality of the firmware is not a security
target; the encryption is only a barrier against anyone wanting to reconstruct the firmware.
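As an added illustration, not code from the manual or the product, the following Go model shows the order of checks described above: the signature is verified over the still-encrypted image before any decryption, the plain image and its checksum are then stored, and at boot only that checksum is recomputed. The cipher (AES-256-GCM), signature scheme (Ed25519), image layout (nonce followed by ciphertext) and the `Module` type are assumptions, since the manual names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Module: vendor public key kept in EEPROM, plus flash with the plain firmware and its checksum (assumed layout).
type Module struct {
	VendorPubKey ed25519.PublicKey
	FirmwareKey  []byte // assumed: AES-256 key the module already holds
	Flash        []byte
	Checksum     [32]byte
}

// Update follows the order in the text: verify the signature over the still
// encrypted image first, decrypt only after that succeeds, then store the
// plain image with its checksum. Assumed: Ed25519, image = nonce||AES-GCM ct.
func (m *Module) Update(image, signature []byte) error {
	if !ed25519.Verify(m.VendorPubKey, image, signature) {
		return errors.New("firmware rejected: signature does not verify")
	}
	block, err := aes.NewCipher(m.FirmwareKey)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	ns := gcm.NonceSize()
	if len(image) < ns {
		return errors.New("firmware rejected: image too short")
	}
	plain, err := gcm.Open(nil, image[:ns], image[ns:], nil)
	if err != nil {
		return errors.New("firmware rejected: decryption failed")
	}
	m.Flash, m.Checksum = plain, sha256.Sum256(plain)
	return nil
}

// BootCheck: at boot only the checksum is recomputed; the signature is not verified again.
func (m *Module) BootCheck() bool {
	return m.Checksum == sha256.Sum256(m.Flash)
}
```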
2.3 Configuration Management
Before the security module can start its work and protect an automation network, it
has to be configured. A tool is used to set the configuration parameters of the
security module, including switches for the firewall, VPN, and logging. A module
needs at least the IP parameters, which are set automatically in the standard
settings. It is possible to configure more than one module at the same time. This
configuration software runs on an external PC, and the configuration information is
sent to the modules via HTTPS.
The configuration data is stored in the internal flash memory as plain data.
During transmission between the configuration PC and the security module, however,
the data is communicated securely. If a C-Plug is inserted in the module, the data
is stored encrypted in the C-Plug and deleted from the module's memory once it has
been stored on the C-Plug.
Users with restricted rights have only a few options for configuring the module, so
that even non-IT experts can configure the module in a way that makes failures
almost impossible. The administrator can configure the module manually and in more
detail.
19-Aug-05 escrypt GmbH 9