About the Document

In recent years, the growing number of networked machines and production plants has seen a corresponding increase in the potential for cyber threats, such as unauthorized access, data breaches, and operational disruptions. You must, therefore, consider all possible cybersecurity measures to help protect assets and systems against such threats.

To help keep your Schneider Electric products secure and protected, it is in your best interest to implement the cybersecurity best practices as described in the Cybersecurity Best Practices document.

Schneider Electric provides additional information and assistance:

• Subscribe to the Schneider Electric security newsletter.

• Visit the Cybersecurity Support Portal web page to:

  • Find Security Notifications.

  • Report vulnerabilities and incidents.

• Visit the Schneider Electric Cybersecurity and Data Protection Posture web page to:

  • Access the cybersecurity posture.

  • Learn more about cybersecurity in the cybersecurity academy.

  • Explore the cybersecurity services from Schneider Electric.

KNX Data Secure

The KNX standard has been extended by KNX Data Secure to protect KNX installations from unauthorized access. KNX Data Secure reliably prevents the monitoring of communication and manipulation of the installation. KNX Data Secure describes the encryption at telegram level so that communication via objects is encrypted and therefore secure.

Encrypted telegrams are longer than the previously used unencrypted telegrams. For secure programming via the KNX bus, it is therefore necessary for the interface (e.g. USB) and any line couplers to support these „KNX long frames“.

Special conditions must be observed when using secure devices in the ETS. Please refer to the relevant web pages on the KNX website https://www.knx.org

Protecting your data is a top priority. Use the options in the ETS and KNX Data Secure to protect your data, configuration and installations from unauthorized access.

Protecting the Project Configuration via the ETS

In the ETS, you can define a project password that protects the devices and configuration data from unauthorized access.

1. Find your project in the Overview tab of the ETS.

2. Click the Details > Security > Add device certificate and set your project password.
   
   

   NOTE: A good password should consist of at least 8 characters in the project window, consisting of a number, an upper case letter, a lower case letter and a special character. Never use weak PIN codes, e.g., 1234, 0000.
   
   

3. Scan or enter the device certificates for all devices in your project that you intend to download using secure commissioning > click OK
   
   

   NOTE: The certificate consists of the serial number and the security key FDSK (Factory Default Setup Key). The FDSK is only used for initial commissioning and is replaced by the ETS during the first download. This prevents unauthorized persons from gaining access to the installation despite knowing the FDSK.
   The FDSK is printed on the device label both as a QR code and in text form.

Background information on the encryption process

• Read or enter the FDSK into the ETS.

• The ETS then generates a device-specific tool key.

• When configuring the device, the ETS sends the tool key to the device. The transmission is encrypted and authenticated with the FDSK.

• From this point on, the device only accepts the tool key for communication and the FDSK can only be used to reset the device to the delivery status. All safety-relevant data is deleted during this reset. Therefore, please keep the FDSK in your project documents.

• The ETS then generates runtime keys, which are required for protected group communication. The transmission is encrypted and authenticated with the tool key.

The document is available in these languages:

• English

• French

• German

• Spanish