FactoryTalk Remote Access Manager Best Practices

Use the following tips for proper usage of FactoryTalk Remote Access.
• For software installations on Windows machines, configure a firewall in the network (preferably a hardware firewall) so that all connections from the Internet to the device are blocked. FactoryTalk Remote Access should use only one outgoing port (TCP port 443, 80 or 5935), and only that port should be kept open from the device to the Internet.
• Windows devices should only run controlled and safe software.
• Update the FactoryTalk Remote Access software when security improvements are released.
• In a proper, static and controlled industrial environment, antivirus software can be avoided.
• Registering a router to an organization enforces a change to a strong administrator password, per IEC 62443-3-3. Keep the administrator password safe and do not share it with unauthorized personnel.
• FactoryTalk Remote Access routers can be connected to the Internet through their WAN port. The routers do not enable any service on that port and need only an outgoing connection to the configured outgoing port (TCP port 443, 80 or 5935). They do not expose any surface to known attacks from the outside. The latest version of the firmware stack is periodically tested against new kinds of attacks. However, for best security, an additional specialized hardware firewall provides the best protection from the outside.
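
The following is an added example, not part of the original documentation or the product: it audits a firewall rule list against the first tip above (nothing inbound from the Internet, exactly one outgoing TCP port out of 443, 80 or 5935). The rule format, the first-match evaluation model and the sample rule sets are assumptions constructed for illustration.

```python
# Added example: audits a constructed, first-match firewall rule list against
# the firewall tip on this page. Rule format and all names are assumptions.
from dataclasses import dataclass

PERMITTED_OUT = {443, 80, 5935}  # outgoing TCP ports named on this page

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" = Internet -> device, "out" = device -> Internet
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination ports the rule covers
    action: str     # "allow" or "block"

def decide(rules, direction, proto, port, default="block"):
    """First matching rule wins; otherwise the default action applies."""
    for r in rules:
        if r.direction == direction and r.proto in (proto, "any") and port in r.ports:
            return r.action
    return default

def allowed_ports(rules, direction, proto, default="block"):
    """Effective set of ports allowed, after rule ordering is applied."""
    return {p for p in range(1, 65536)
            if decide(rules, direction, proto, p, default) == "allow"}

def audit(rules, default="block"):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    for proto in ("tcp", "udp"):
        n = len(allowed_ports(rules, "in", proto, default))
        if n:
            findings.append(f"inbound {proto} allowed on {n} port(s)")
    out_tcp = allowed_ports(rules, "out", "tcp", default)
    if len(out_tcp) != 1 or not out_tcp <= PERMITTED_OUT:
        findings.append(f"outbound tcp must be exactly one of "
                        f"{sorted(PERMITTED_OUT)}, found {len(out_tcp)} open")
    return findings

# Constructed sample rule sets (not taken from any real device).
GOOD = [Rule("out", "tcp", range(443, 444), "allow")]
BAD = [Rule("in", "tcp", range(3389, 3390), "allow"),
       Rule("out", "tcp", range(80, 444), "allow")]      # 80-443: too wide
SHADOWED = [Rule("out", "any", range(1, 65536), "block"),
            Rule("out", "tcp", range(5935, 5936), "allow")]  # never reached

if __name__ == "__main__":
    for name, rs in (("GOOD", GOOD), ("BAD", BAD), ("SHADOWED", SHADOWED)):
        print(name, audit(rs) or "policy met")
```

The `SHADOWED` set shows why the audit evaluates effective behaviour rather than scanning for an allow rule: the permitted port is listed, but an earlier block rule means the device could never connect.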