Use this overview as support when creating an IT security concept for a planned application. It does not replace the other publications that are available for the selected router.
| Verify all information regarding IT security of the own application due to the individual nature of each single application. |
Another important publications are:
-
Inline and Online Help in the web interface of the router
1. Application concept designed to IT security
Consider already during conceptual design of the application these questions regarding IT security, which have been identified by the BSI as the top ten of dangerous threads.
2. IT security functions of the router and default settings
Overview of different security functions of the router and its default settings
3. Guide for securing the router
Use this Guide for securing the router to increase the IT security of your router. Depending on the nature of the application, other measures might be necessary. The concept phase of the application should be finished at this time already. These measures make no claim to be complete.
If your application has particularly high requirements to IT security, e.g. for the use in critical infrastructure, use the Secure Configuration Guide. This demonstrates you how to configure the device in compliance with the accelerated security certification of the German Federal Office for Information Security (BSI).
4. IT security checklist
Use this checklist to protect the application.
5. KRITIS requirements
Critical infrastructures (as per BSI KritisV) are organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. INSYS icom has many years of experience in CI (KRITIS) applications and thousands of devices in use in critical infrastructures, such as energy, health, information technology/telecommunications, media/culture, water and food. Do you need helpful material for an audit by the BSI or other IT security authority? Refer to our information regarding IT security an. The Secure Configuration Guide demonstrates you how to configure the device in compliance with the accelerated security certification of the German Federal Office for Information Security (BSI).
6. Interfaces
The INSYS routers provide different types of interfaces, physical interfaces, communication interfaces, user interfaces and service interfaces. The existing interfaces differ depending on type and variant of the router.
The physical interfaces contain the digital and analogue inputs and outputs of the router.
The communication interfaces contain the Ethernet switch, the modems for LTE, DSL and glass fiber as well as the serial interfaces.
The web interface and access to the command line (CLI) or the REST interface are available as user interfaces. Moreover, it is possible to dispatch messages via SMS, e-mail, SNMP or MCIP as well as receive and evaluate them
7. Maintaining the security
A secure configured router requires regular actions for maintaining the security. These include:
-
Regular certificate updates and maintaining certificate revocation lists (CRLs) - manually or via EST
-
Regular update of the router with the latest firmware
-
using the icom Router Management
-
by manual updates
-
Subscribe to our Release Note Newsletter to be informed about the release of new firmware
-
-
Regular review of our Security Advisories, subscribe to our Security Newsletter for this
-
Regular review of the used cryptographic methods for up-to-dateness and use of more up-to-date methods in case of weakening security; recommended reference of the BSI for this: TR-02102
-
Regular review of the relevant log files for irregularities in order to detect them at an early stage
-
Setting up messages (via SMS, E-Mail, SNMP trap or MCIP) upon IT security-relevant events such as login attempts, configuration changes, changes at the switch, etc. to alert users in due time
8. Safe decommissioning
After using the router in a safety-critical application, delete all data on it. If you only reset the device to default settings, the data will not be completely deleted, but only the allocation table, so that the data could be recovered with appropriate effort and tools if there is physical access to the router. Therefore, a router reset to default settings, must not be sold or passed on.
For this reason, use the function for Safe decommissioning of the router (available from icom OS version 6.1). This will also delete the complete firmware from the router. Only a rudimentary rescue system will remain on the router, which can be accessed via the address http://192.68.1.1 and enables the router to be restored.
-
Open for this the user interface of the router in a browser: insys.icom [1] and click for this in the Administration → Reset menu on the Enable safe decommissioning slider and then on the NOW SAFELY TAKE DECOMMISSIONING button
9. Secure disposal
Please note the following points before disposing of a router:
-
Safely remove the router from its operating environment and do not leave it unattended while it still contains secrets. To remove all secrets and potentially confidential information, first use the function for Safe decommissioning of the router (see previous section).
-
Never sell a router for which a Safe decommissioning has not been completed.
-
Pass the router on to a certified disposal company that also meets the requirements for data protection and data security.
10. FAQs
The FAQs contain frequently asked questions and their answers.
11. Reporting security vulnerabilities
If you suspect that one of our products has a security vulnerability, please report your suspicion to us using the form provided on our page Security Advisories page.