About the Document

In recent years, the growing number of networked machines and production plants has seen a corresponding increase in the potential for cyber threats, such as unauthorized access, data breaches, and operational disruptions. You must, therefore, consider all possible cybersecurity measures to help protect assets and systems against such threats.

To help keep your Schneider Electric products secure and protected, it is in your best interest to implement the cybersecurity best practices as described in the Cybersecurity Best Practices document.

Schneider Electric provides additional information and assistance:

• Subscribe to the Schneider Electric security newsletter.

• Visit the Cybersecurity Support Portal web page to:

  • Find Security Notifications.

  • Report vulnerabilities and incidents.

• Visit the Schneider Electric Cybersecurity and Data Protection Posture web page to:

  • Access the cybersecurity posture.

  • Learn more about cybersecurity in the cybersecurity academy.

  • Explore the cybersecurity services from Schneider Electric.

To enhance the security of your controller, consider the following best practices:

1. Network security:

   • Set up network security at an appropriate level.

   • Ensure that your controller is part of a secure network with limited access.

   • If connected to the Internet, strictly recommend using either a VPN or an HTTPS communication.

2. Secure protocol access:

   • Use the secure protocol HTTPS://IP:Port to access your controller.

3. Security measures:

   • Evaluate the security capabilities of other network elements, such as firewalls and protection against viruses and malware threats.

   • Store backup files in a safe location inaccessible to unauthorized individuals.

4. Public IP address:

   • Verify that your controller does not have a publicly accessible IP address.

   • Avoid using port forwarding to access your controller from the public Internet.

5. Network segmentation:

   • Place your controller on its own network segment.

   • If your router supports a guest network or VLAN, consider locating controller there.

6. Cybersecurity incidents and vulnerabilities:

   • Report any cybersecurity incidents or vulnerabilities through this page: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp.

7. HTTP communication warning:

   • If HTTP communication is detected, switch to HTTPS (encrypted mode).

   • Note that your controller comes with a self-signed SSL certificate, which encrypts information. Web browsers may display a warning message when confirming the exception to proceed.

8. KNX installation security:

   • When accessing the KNX installation via the Internet, be aware that data traffic can be read by third parties.

   • Always use a VPN connection with secure encryption for all data packets.

   • Hardware requirements for VPN routers and features offered by mobile service providers may vary significantly.

9. KNX data secure: If you have data secure devices in your KNX installation and need your controller to communicate directly with these devices (sending and receiving data secure telegrams), follow these steps:

   1. Add the controller secure dummy device:

      • Integrate the controller secure dummy device into your KNX installation.

      • You can use the SpaceLogic KNX Secure Dummy device provided by Schneider Electric available in the ETS catalogue.

      • Connect the individual group addresses of the data secure device to your controller dummy device.

   2. Controller as a router:

      • If your controller functions as a router (facilitating communication between KNX devices), you do not need the controller secure dummy device for secured KNX communication.

For additional details on system hardening, refer to Schneider Electric’s document: System Hardening Guidelines for Wiser for KNX and spaceLYnk Controllers.

The document is available in these languages:

• English

• German