Best Practices

  • For FactoryTalk Remote Access software installations on Windows machines, a firewall in the network (preferably a hardware firewall) should be configured to block all connections from the Internet to the machine. FactoryTalk Remote Access uses only one outgoing port (TCP port 443, 80, or 5935); keep only that port open from the machine to the Internet.
  • Windows machines should run only controlled and safe software.
  • Keep the FactoryTalk Remote Access software updated so that security improvements are applied when they are released.
  • Given the suggestions above, and a proper, static, and controlled industrial environment, antivirus software can be omitted.
  • Registering a Router to an organization enforces a strong administrator password change, per IEC 62443-3-3. Keep the administrator password safe and do not share it with unauthorized personnel.
  • FactoryTalk Remote Access Routers can be connected to the Internet through their WAN port. The Routers do not enable any service on that port and need only an outgoing connection to the configured outgoing port (TCP port 443, 80, or 5935), so they expose essentially no surface to known attacks from the outside. We periodically test the latest version of the firmware stack against new kinds of attacks. For the best protection from the outside, however, place an additional specialized hardware firewall in front of the Router.
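The following PowerShell script is an added example, not part of the FactoryTalk Remote Access documentation or product. It applies the policy from the first and last bullets above to the Windows Defender Firewall of the machine itself (block everything inbound, allow one outgoing TCP port for the FactoryTalk Remote Access client only) as a host-level complement to the network or hardware firewall the text recommends, and then audits the host against that policy. The executable path and the DNS server address are placeholders to adjust to your installation; the DNS rule is an assumption added because name resolution must still work once outbound traffic is blocked by default.

```powershell
# Added example, not Rockwell's code: host-level version of the firewall
# policy described in the best practices. Run from an elevated PowerShell.
#
# Assumptions (placeholders, adjust to your installation):
#   $FtraProgram - path to the FactoryTalk Remote Access client executable.
#   $DnsServer   - your local DNS resolver; the client must still resolve the
#                  service hostname, so it gets the one extra outbound rule.

function Set-FtraHostFirewallPolicy {
    param(
        [ValidateSet(443, 80, 5935)]          # the three ports the text allows
        [int]    $OutboundPort = 443,
        [string] $FtraProgram  = 'C:\PLACEHOLDER\FactoryTalkRemoteAccess.exe',
        [string] $DnsServer    = '192.0.2.53' # RFC 5737 placeholder address
    )

    # 1. Block all inbound traffic and, by default, all outbound traffic on
    #    every profile. Inbound block is what "all connections from the
    #    Internet to the machine are blocked" means at host level.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 2. Re-create the single outbound allow rule, scoped to the FTRA client.
    Remove-NetFirewallRule -DisplayName 'FTRA outbound' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'FTRA outbound' -Direction Outbound `
        -Action Allow -Protocol TCP -RemotePort $OutboundPort `
        -Program $FtraProgram -Profile Any | Out-Null

    # 3. Name resolution (assumption: without this, step 1 silently breaks
    #    the client's ability to resolve the remote access service).
    Remove-NetFirewallRule -DisplayName 'FTRA DNS' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'FTRA DNS' -Direction Outbound `
        -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer `
        -Profile Any | Out-Null
}

function Test-FtraHostFirewallPolicy {
    # Returns one object per finding; an empty result means the host matches
    # the policy. Run it after changes and as a periodic check.
    $findings = @()

    # Every profile must be enabled and block inbound by default.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
            $findings += [pscustomobject]@{
                Kind   = 'Profile'; Name = $p.Name
                Detail = "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
            }
        }
    }

    # Any enabled inbound allow rule contradicts the "block all inbound" goal
    # (Windows ships with several; disable those the machine does not need).
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $findings += [pscustomobject]@{ Kind = 'InboundAllow'; Name = $r.DisplayName; Detail = $r.Profile }
    }

    # Enabled outbound allow rules other than the two above widen the
    # "single outgoing port" the text describes and deserve review.
    foreach ($r in Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True) {
        if ($r.DisplayName -in 'FTRA outbound', 'FTRA DNS') { continue }
        $port = ($r | Get-NetFirewallPortFilter).RemotePort
        $findings += [pscustomobject]@{ Kind = 'OutboundAllow'; Name = $r.DisplayName; Detail = "RemotePort=$port" }
    }

    return $findings
}

# Usage (elevated session; values below are placeholders):
#   Set-FtraHostFirewallPolicy -OutboundPort 443 -FtraProgram 'C:\PLACEHOLDER\FactoryTalkRemoteAccess.exe' -DnsServer '10.0.0.2'
#   Test-FtraHostFirewallPolicy | Format-Table -AutoSize
```

The audit deliberately reports every enabled inbound allow rule and every outbound allow rule beyond the two it created, because explicit allow rules override the profile's default Block action; on a freshly installed Windows machine expect a list of built-in rules to review rather than an empty result. The network (hardware) firewall the text recommends remains the primary control; this script only makes the host's own firewall agree with it.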