Siemens SENTRON 7KN POWERCENTER 3000 Manual page 66

Application examples
6.1 Network environments
The 7KN Powercenter 3000 should only be operated in a well-defined intranet. The intranet
is connected to the Ethernet interface X1P1.
An intranet is characterized by the fact that only trusted network nodes are connected or
should be connected. Trustworthiness is supported by various security measures (see
chapter Security features (Page 38)). Options directly connected to the
7KN Powercenter 3000 are presented here.
①
7KN Powercenter 3000 is connected to a router via the external Ethernet interface X1P1. This router, e.g.
SCALANCE XM408-4C, represents the intranet.
②
SENTRON powermanager and many third-party applications, e.g. SCADA systems, today communicate with
SENTRON devices in the intranet via Modbus TCP and will continue to do so. These applications can still be used
and expanded with 7KN Powercenter 3000. Communication via the Modbus TCP gateway should only be permitted
to nodes whose IP address/address range is entered in the IP filter (= firewall whitelist).
③
If access via wireless LAN (WLAN, WiFi) is enabled, e.g. for SENTRON powerconfig, this WLAN should only be
used for this purpose and a restricted range of nodes.
④
Communication with MindSphere is established by the 7KN Powercenter 3000. The target address is taken from the
onboarding key of MindSphere. Connection to port 443 for the https communication protocol is enabled by default in
most firewalls. Because of the https protocol, the data stream is encrypted and cannot therefore be decoded by third
parties.
⑤
Alongside all other communication paths, access for an optional powerconfig makes sense as long as the security
risks are within reason. In this case, too, the IP filter with the firewall whitelist is recommended.
⑥ Multiple Web user interfaces can be operated on the external Ethernet interface of the 7KN Powercenter 3000.
Because the behavior and the setup of the 7KN Powercenter 3000 are accessible via a Web user interface, protec-
tion via an IP filter is offered here, too. On no account, must the Web user interface of the 7KN Powercenter 3000
be accessible from the Internet without protection.
⑦ 7KN Powercenter 3000 can communicate with partners in the Internet. For this, the operator must apply the
measures in chapter Further recommended security measures. In particular, activation of the write protection for the
Web user interface is advisable.
You will find more information in chapter Security features (Page 38).
Note
At the external interface, all services, e.g. Web user interface, are deactivated by default and
have to be activated to be used. We recommend that only the services that are actually
required are activated (= hardening). See Settings → Actions → Services.
See also
Further recommended security measures (Page 40)
64
7KN POWERCENTER 3000
Manual, 10/2019, L1V30579222003-01