FTP Server

Introduction

Any FTP client can be used to transfer files to and from the data storage area of the controller.

NOTE: Schneider Electric adheres to industry best practices in the development and implementation of control systems. This includes a "Defense-in-Depth" approach to secure an Industrial Control System. This approach places the controllers behind one or more firewalls to restrict access to authorized personnel and protocols only.
WARNING
UNAUTHENTICATED ACCESS AND SUBSEQUENT UNAUTHORIZED MACHINE OPERATION
  • Evaluate whether your environment or your machines are connected to your critical infrastructure and, if so, take appropriate steps in terms of prevention, based on Defense-in-Depth, before connecting the automation system to any network.
  • Limit the number of devices connected to a network to the minimum necessary.
  • Isolate your industrial network from other networks inside your company.
  • Protect any network against unintended access by using firewalls, VPN, or other, proven security measures.
  • Monitor activities within your systems.
  • Prevent subject devices from direct access or direct link by unauthorized parties or unauthenticated actions.
  • Prepare a recovery plan including backup of your system and process information.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

For more information on organizational measures and rules covering access to infrastructures, refer to ISO/IEC 27000 series, Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408, IEC 62351, ISA/IEC 62443, NIST Cybersecurity Framework, Information Security Forum - Standard of Good Practice for Information Security and refer to Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment.

FTP Access

Access to the FTP server is controlled by User Rights when they are enabled in the controller. For more information, refer to section Users Rights.

To access the FTP server, you must first connect to the controller with EcoStruxure Machine Expert or Controller Assistant and activate the user rights or create the user for the first login.

Using the Secured FTP Server of the Controller

When you initially connect with the FTP client on your computer, the controller, acting as the FTP server, presents a certificate that you must trust before the connection is established. You can view this certificate on the Security Screen tab, in the folder Own Certificates, to decide whether you want to trust it.

You can download the certificate from the controller and copy it to one or more other controllers, so that the clients do not have to repeat the trusting process for each controller. To do so, select the entry CmpElauFtpsServerCertProvider in the folder Own Certificates and then click the button Download Certificate.

Instead of using the FTP server certificate provided, you can also upload your own certificate. To do so, select the entry CmpElauFtpsServerCertProvider in the folder Own Certificates and then click the button Upload Certificate.

Configuring the Firewall for the Secured FTP Server

If you update to the latest version of EcoStruxure Machine Expert from a version earlier than V2.2, and you have not modified the firewall rules in the previous version, the firewall rules are updated automatically. The previous firewall rules file is kept under a modified file name.

If you modified the firewall rules before updating to the latest version of EcoStruxure Machine Expert from a version earlier than V2.2, the firewall rules are not updated automatically. You need to edit the firewall rules file yourself for the secured FTP server to run:

Delete the row for port 20:

pass in quick proto tcp from any to me port = 20 keep state

Add the following line to the end of the firewall rules file:

pass in quick proto tcp from any to me port >= 65000 keep state

Alternatively, you can delete the firewall rules file and reboot the controller. This procedure creates a new default firewall rules file.
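The following shell script applies the two edits above to a local copy of the firewall rules file and verifies the result; it is an added example, not part of the Schneider documentation. It assumes the file has been copied off the controller and is written back afterwards; the file path and the sample lines other than the two rules quoted above are constructed.

```shell
#!/bin/sh
# Added example: edit a local copy of the PacDrive firewall rules file so that
# the secured FTP server can run. The two rule strings are taken from the
# documentation; file locations are assumptions.

OLD_RULE='pass in quick proto tcp from any to me port = 20 keep state'
NEW_RULE='pass in quick proto tcp from any to me port >= 65000 keep state'

# update_fw_rules FILE
# Removes the port-20 rule (exact, whole-line match) and appends the
# passive-port rule unless it is already present. Idempotent.
update_fw_rules() {
    file=$1
    tmp="$file.tmp"
    # -F: fixed string, -x: whole line, -v: keep everything except that line.
    # grep exits 1 when nothing remains, so tolerate that explicitly.
    grep -v -F -x -e "$OLD_RULE" "$file" > "$tmp" || :
    if ! grep -q -F -x -e "$NEW_RULE" "$tmp"; then
        printf '%s\n' "$NEW_RULE" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# check_fw_rules FILE
# Succeeds only when the port-20 rule is gone and the >= 65000 rule is present.
check_fw_rules() {
    ! grep -q -F -x -e "$OLD_RULE" "$1" && grep -q -F -x -e "$NEW_RULE" "$1"
}

# Demonstration on a constructed sample file (not a real controller file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pass in quick proto tcp from any to me port = 21 keep state
pass in quick proto tcp from any to me port = 20 keep state
EOF
    update_fw_rules "$f"
    check_fw_rules "$f" && echo "rules file updated:" && cat "$f"
    rm -f "$f"
}

demo
```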

For further details refer to the user guide How to Configure the Firewall for PacDrive LMC Controllers.