Reduce Risk Replace default access settings, restrict management access and limit unnecessary services.
Strengthen Access Use stronger passwords, account lockout, automatic logout and trusted access controls.
Access control Replace default credentials, restrict management access and ensure inactive sessions are closed automatically.
Authentication protection Apply password complexity rules and login failure lockout policies to help reduce the risk of brute-force or guessing attacks.
Monitoring and resilience Send logs to monitoring systems, disable unnecessary services and protect exported backups with configuration file encryption.
1 Change Default Credentials & SNMP Community Strings Default administrator credentials and SNMP community strings are widely known and should be replaced during device provisioning to prevent easy unauthorised access. Path Password: System > Account Management > User Accounts SNMP: System > Management Interface > SNMP Action Create a new administrator account with a strong password, remove or rename the default account, replace default SNMP community strings, and use SNMPv3 where possible.
2 Configure SNMP Traps or a Syslog Server Sending event, fault and security logs to a separate monitoring server improves visibility and helps ensure suspicious activity is detected and investigated. Path SNMP Trap: Diagnostics > Event Logs and Notifications > SNMP Trap/Inform Syslog: Diagnostics > Event Logs and Notifications > Syslog Action Configure the device to send SNMP traps and/or Syslog messages to an approved central monitoring or logging server.
3 Enable Trusted Access Trusted access restricts device management access to approved IP addresses or subnets, reducing the chance of unauthorised systems reaching the management interface. Path Security > Device Security > Trusted Access Action Define the permitted management hosts or subnets and block access from all other network addresses.
4 Enable Automatic Logout Automatic logout closes inactive management sessions, reducing the risk of unattended or forgotten sessions being used by unauthorised users. Path Security > Device Security > Login Policy Action Keep auto logout enabled and set an appropriate inactivity timeout; do not set the timeout value to 0.
5 Enforce Password Strength & Complexity Password complexity rules help protect the device against weak passwords and reduce the effectiveness of brute-force and guessing attacks. Path System > Account Management > Password Policy Action Enforce strong password requirements, including a minimum length of 12 characters with uppercase, lowercase, numeric and special characters.
6 Enable Login Failure Lockout Login failure lockout limits repeated authentication attempts and helps prevent attackers from making unlimited password guesses. Path Security > Device Security > Login Policy Action Configure a lockout policy, such as locking access after three failed login attempts for a defined period, and ensure the device time is correct.
7 Disable Unused & Insecure Services Unused ports and insecure management services increase the device attack surface and should be disabled unless they are required for operation. Path Physical ports: Network Configuration > Ports > Port Settings Management interfaces: System > Management Interface > User Interface Action Disable unused ports and turn off insecure management interfaces such as HTTP and Telnet, using secure alternatives such as HTTPS and SSH where available.
8 Set a Login Banner Message A login message informs users that the device is protected, identifies authorised use requirements and provides a clear warning before access. Path Security > Device Security > Login Policy Action Configure a login banner stating system ownership, authorised-use conditions and that unauthorised access is prohibited.
9 Enable Configuration File Encryption Encrypting exported configuration files helps protect sensitive device settings and credentials if a backup file is lost, copied or stolen. Path System > System Management > Configuration Backup and Restore Action Enable configuration file encryption and protect exported backups with a strong encryption password.
Commissioning Apply the hardening baseline before the device is connected to the operational network.
Maintenance Check that passwords, trusted hosts, logging destinations and backup protection are still appropriate.
Audit Use the checklist as part of periodic security reviews or IEC 62443-aligned documentation work.
Does hardening a device make it IEC 62443-4-2 certified? Hardening helps support IEC 62443-4-2 alignment, but it is not the same as product certification. Certification depends on the device, its implemented security capabilities, configuration, documentation and the assessment process. These steps provide a practical baseline for more secure deployment.
Why should default credentials and SNMP strings be changed? Default credentials and community strings are often widely known or easy to obtain. Replacing them reduces the risk of simple unauthorised access and should be one of the first steps during device provisioning.
Why are Syslog and SNMP traps important? Sending events and security logs to a central monitoring system helps improve visibility. It also makes it easier to investigate suspicious activity, faults or unexpected changes without relying only on local device logs.
Should HTTP and Telnet always be disabled? Insecure management interfaces such as HTTP and Telnet should be disabled unless there is a specific operational reason to keep them enabled. Where available, secure alternatives such as HTTPS and SSH should be used instead.
How often should hardened settings be reviewed? Hardening settings should be reviewed during commissioning, after configuration or firmware changes, and as part of regular maintenance or audit activity. This helps ensure the device remains aligned with the intended security baseline over time.