User Manual
System Security
2 Protected System Configuration
A6V11917735_en_b_41
2.1.2 Access Through Untrusted Networks
Communication over untrusted networks between remote clients and the PACE
zone must be protected with a highly secure communication channel.
● The PACE zone must always be protected by a firewall.
● Use VPN technology for the communication channel.
VPN technology does not need to be integrated into every component. It is
enough to place one firewall, configured as a VPN endpoint, between the PACE
zone and an unprotected trusted network.
If an authorized user or device uses a non-trusted network to communicate with
PACE zone devices, a VPN connection must be created with the firewall at the
PACE zone boundary.
If the use of VPN is not possible, the plant operator must create a connection
that is equally secure.
Figure 4: Access Through Untrusted Networks Diagram
Legend:
● Remote Client with Remote Maintenance Tool
● SC: Highly secure communication channel
● UTNW: Untrusted network
● ZBP: Zone Boundary Protection
● PACE-NET: Voice and evacuation system network
● PACE: PACE components