ICE11-8IOL-G60L-V1D
Cybersecurity Information
2023-11
2 Cybersecurity Information
The ICE11-8IOL-G60L-V1D is secure for the area of application defined here in accordance
with IEC 62443-4-1. The operator must implement the measures defined in this section to
ensure the secure operation and protection of the device while online.
Security Context
The ICE11-8IOL-G60L-V1D is intended for use in an automation network. This is a secure network with known and trusted participants that is separated (physically or logically) from the company network.
A firewall must be configured so that only defined ports are forwarded to other subnets.
The device uses the following ports:
• Ports 49152, 34964 for PROFINET
• Port 2222 and port 44818 for EtherNet/IP
• Port 68 DHCP client
• Port 80 for the administration website using HTTPS
• Port 1883 (factory default, changeable) for MQTT if enabled
• Port 4840 (factory default, changeable) for OPC UA if enabled
• Port 514 (factory default, changeable) for syslog if enabled
• Port 5683 for CoAP if enabled
To avoid losing packets, we recommend limiting the network load to < 5 % of the bandwidth.
We recommend operating the gateway behind a network switch.
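A boundary-firewall ruleset that applies the port list above, as an added example (not from the manual or the device vendor): nftables forward rules that let only the listed ports cross between the company network and the automation subnet where the gateway sits. Addresses are constructed, and the TCP/UDP pairing per protocol and the client/server direction assumed for MQTT and syslog are assumptions to be checked against the site design.

```nft
# Added example (not from the manual): nftables ruleset for the firewall that
# separates the company network from the automation subnet. Addresses are
# constructed; the TCP/UDP pairing per protocol and the client/server direction
# of MQTT and syslog are assumptions.
define company_net    = 10.0.0.0/16        # constructed: engineering / SCADA hosts
define automation_net = 192.168.10.0/24    # constructed: PLC and IO-Link masters
define gateway        = 192.168.10.20      # constructed: address of the ICE11-8IOL-G60L-V1D
define mqtt_broker    = 10.0.5.10          # constructed: broker in the company network
define syslog_server  = 10.0.5.11          # constructed: central log collector

table inet automation_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;   # drop everything not listed below

        ct state established,related accept    # replies to flows accepted below
        ct state invalid drop

        # Company network -> gateway: only the ports from the manual's list.
        ip saddr $company_net ip daddr $gateway udp dport { 34964, 49152 } accept   # PROFINET
        ip saddr $company_net ip daddr $gateway udp dport 2222  accept              # EtherNet/IP implicit I/O
        ip saddr $company_net ip daddr $gateway tcp dport 44818 accept              # EtherNet/IP explicit messaging
        ip saddr $company_net ip daddr $gateway tcp dport 80    accept              # administration website

        # Optional services: uncomment only when the service is enabled on the
        # gateway, and adjust the port if the factory default was changed.
        # ip saddr $company_net ip daddr $gateway tcp dport 4840 accept            # OPC UA
        # ip saddr $company_net ip daddr $gateway udp dport 5683 accept            # CoAP

        # Gateway -> company network, for services where the gateway is assumed to
        # be the client. Restrict to the specific server, not the whole subnet.
        # ip saddr $gateway ip daddr $mqtt_broker   tcp dport 1883 accept          # MQTT
        # ip saddr $gateway ip daddr $syslog_server udp dport 514  accept          # syslog

        # DHCP (UDP 67/68) is link-local on the automation subnet and is not
        # forwarded across the boundary; add a relay rule only if one is deployed.

        # Log what the policy drops so unexpected traffic toward the gateway is visible.
        ip daddr $gateway limit rate 10/minute log prefix "automation-fw drop: "
    }
}
```

Load it with `nft -f` on the boundary firewall and confirm from a company-network host that only the accepted ports reach the gateway.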
The device must be physically secured against unauthorized access and operated in a lockable switch cabinet or room that is only accessible to authorized personnel. Otherwise, there is a risk that some of the device settings can be changed via the "X3" service interface and the password¹ printed on the gateway.

¹ If left unchanged.

The device contributes to the "defense-in-depth" strategy with the following security functions:
Security function: Access control with single-factor authentication (SFA) and automatic time-based login lock in the event of incorrect authentication.
Addressed threat: Protection against unauthorized access, brute-force attacks.

Security function: Deletion of all information stored in the device using the "Reset to factory settings" function.
Addressed threat: Protection against information being subject to spying by physical access to the device after decommissioning and disposal by the system operator.

Security function: The access data is hashed by the SHA1 cryptographic hash function with salt and pepper.
Addressed threat: Protection against reading and recalculation of a password or finding a collision, e.g., with a "rainbow table." Even in the unlikely event that this would be possible, this would have to be repeated for each individual device, since results cannot be transferred to other devices, even if the same password is used.