GE Automation & Controls, Programmable Control Products
PACSystems* PROFINET IO Devices Secure Deployment Guide
GFK-2904D, July 2018
For Public Disclosure
Changes, modifications, and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced herein.
Online technical support and GlobalCare www.geautomation.com/support Additional information www.geautomation.com Solution Provider email@example.com Technical Support If you have technical problems that cannot be resolved with the information in this manual, please contact us by telephone or email, or on the web at www.geautomation.com/support...
This document provides information that can be used to help improve the cyber security of systems that include PROFINET I/O devices from GE Automation & Controls. It is intended for use by control engineers, integrators, IT professionals, and developers responsible for deploying and configuring PROFINET I/O products.
Chapter 1. About this Guide
1.1 Revisions in this Manual
Jul-2018: Updated for IC695PNS101, IC695CEP001.
Feb-2017: Updated for replacement IC695PNS001 (-Bxxx implementation).
Jun-2016: Updated Internet Layer Protocols table to include IGMP. Added section 5.2, Genius Gateway.
Field Agents Upgrade Guide GFK-3017
In addition to these manuals, datasheets and product update documents describe individual modules and product revisions. The most recent PACSystems documentation is available on the GE Automation & Controls support website www.geautomation.com/support.
Availability: Ensure the system or data is available for use. GE Automation & Controls recognizes the importance of building and deploying products with these concepts in mind and encourages customers to take appropriate care in securing their GE Automation & Controls products and solutions.
• Harden system configurations by enabling/using the available security features, and by disabling unnecessary ports, services, functionality, and network file shares.
• Apply all of the latest product security updates from GE Automation & Controls, SIMs, and other recommendations.
• Apply all of the latest operating system security patches to control systems computers.
(whether disabled or not) that does not need to pass from one network/segment to another. GE Automation & Controls recommends limiting the protocols allowed by the network infrastructure to the minimum set required for the intended application. Successfully doing this requires knowing which protocol is needed for each system-level interaction.
Chapter 3. Communication Requirements
3.1 Supported Protocols
Ethernet Protocols
This section indicates which Ethernet protocols are supported, and by which PROFINET I/O Devices. Note that some of the supported protocols may not be required in a given system, since the installation may only be using a subset of the available protocols.
SNP between those two nodes. Firmware Update: The SNP protocol is often used in PROFINET I/O Devices from GE Automation & Controls to support updating the firmware on products or on an installed module that supports having its firmware updated over the backplane.
Chapter 3. Communication Requirements
3.3 PROFINET
This section describes the communication paths needed to support common operations on a PROFINET network.
Installing an I/O Device
Commissioning, adding, or replacing an I/O device requires that the device be assigned a unique name to use on the PROFINET network.
Chapter 3. Communication Requirements
Using an I/O Device
Using PROFINET I/O as part of the control application requires that all of the following communication paths be supported throughout the life of the application.
Protocol: DCE/RPC; I/O Controller: Client; I/O Devices: Server
Protocol: DCE/RPC; I/O Controller: Server; I/O Devices: ...
Chapter 3. Communication Requirements
3.4 Ethernet Firewall Configuration
Network-based and host-based firewalls should be configured to only allow expected and required network traffic. This section identifies the EtherTypes and the TCP/UDP ports used by the protocols supported on PROFINET I/O Devices. This information should be used to help configure network firewalls, in order to support only the required communications paths for any particular installation.
Chapter 3. Communication Requirements
Application Layer Protocols
PROFINET devices are capable of acting as a server, responding to requests sent via any of several different protocols. They are also capable of acting as a client, sending requests to other servers using any of several different protocols.
GE Automation & Controls PROFINET I/O Devices, however, do not provide such a facility – there is no support for creating User IDs. In many cases, a User ID does not even have to be specified to authenticate on a particular protocol.
HTTPS: Anonymous
Specifying Access Rights
For each subject, PROFINET I/O Devices from GE Automation & Controls provide predefined access rights.
Predefined Access Rights
Using the SNP Slave Application Protocol to update firmware on a PROFINET I/O Device, the Anonymous Subject is granted the same Service Request PRIV Level as the highest PRIV Level user that currently has no password.
Recommendations
GE Automation & Controls strongly recommends that authentication be used for every enabled protocol that supports authentication, that all default passwords be changed, and that access be appropriately restricted to any computer-based file that includes a plaintext password.
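The predefined access rule above (the Anonymous Subject receives the PRIV Level of the highest level that has no password) is easy to get wrong when only some levels are protected. The following added example, which is not part of the GE guide, models that rule as a small audit; the numbering of PRIV levels as 1 to 4 and the password tables are constructed assumptions for illustration.

```python
# Added example, not from the GE guide. Models the stated rule: over SNP the
# Anonymous subject is granted the highest PRIV level that currently has no
# password. PRIV level numbering (1-4, higher = more privilege) is assumed.
from typing import Dict, List, Optional

PRIV_LEVELS = (1, 2, 3, 4)  # assumption: level 4 is the most privileged


def anonymous_priv_level(passwords: Dict[int, Optional[str]]) -> int:
    """PRIV level an unauthenticated (Anonymous) client obtains.

    `passwords` maps a PRIV level to its password; a missing level, None or
    an empty string means that level has no password. Returns 0 when every
    level is protected, i.e. no privileged access without authenticating.
    """
    unprotected = [lvl for lvl in PRIV_LEVELS if not passwords.get(lvl)]
    return max(unprotected) if unprotected else 0


def audit_passwords(passwords: Dict[int, Optional[str]]) -> List[str]:
    """Findings a reviewer would raise against a device's PRIV password table."""
    findings = []
    anon = anonymous_priv_level(passwords)
    if anon:
        findings.append(f"Anonymous subject obtains PRIV level {anon} "
                        "without any password")
    for lvl in PRIV_LEVELS:
        if not passwords.get(lvl):
            findings.append(f"PRIV level {lvl} has no password set")
    return findings


if __name__ == "__main__":
    # Constructed table: only the two lowest levels are protected, so the
    # Anonymous subject still ends up above every authenticated level-2 user.
    partial = {1: "pw-level-1", 2: "pw-level-2", 3: None, 4: None}
    for line in audit_passwords(partial):
        print("finding:", line)
    # Every level protected: no privilege is granted without a password.
    print(anonymous_priv_level({1: "a", 2: "b", 3: "c", 4: "d"}))
```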
Chapter 4. Security Capabilities
Physical Security
Perimeter Protection
1) All ICS hardware should be placed in locked cabinets, with policies and procedures to restrict access to the key.
2) Network equipment such as switches, routers, firewalls, and Ethernet cabling should be physically protected in locked enclosures such as cabinets or closets with policies and procedures to restrict access to these enclosures.
Chapter 4. Security Capabilities
4.4 Password Management
As described in Section 4.2.1, Authorization Framework, each instance of a server has its own instances of the predefined subjects. As a result, passwords for each subject must be separately managed for each instance of a given kind of server.
SNP Slave
Firmware Signatures
Some PROFINET I/O Devices supplied by GE Automation & Controls may have digitally signed firmware images to provide cryptographic assurance of the firmware's integrity. For PROFINET I/O Devices that support this feature, a digital signature is used to verify that any firmware being loaded onto the module was supplied by the General Electric Company, and has not been modified.
Configuration Hardening should be considered in addition to enabling and using security features such as Authentication, Access Control, and Authorization. GE Automation & Controls recommends disabling, on each PROFINET I/O Device, all ports, services, and protocols that are not required for the intended application.
Chapter 5. Configuration Hardening
5.2 Genius Gateway
This section provides information to use when hardening the configuration of and access to a Genius Communications Gateway.
Service: IP Routing. How to Disable: Set Gateway IP Address to 0.0.0.0 in the hardware configuration and download to the PROFINET I/O controller.
This section provides security recommendations for deploying PROFINET I/O Devices from GE Automation & Controls in the context of a larger network.
6.1 Reference Architecture
Figure 1 shows a reference deployment of components supplied by GE Automation & Controls.
Figure 1: Reference Architecture
Chapter 6. Network Architecture and Secure Deployment
The Manufacturing Zone networks (which include the Manufacturing Operations, Supervisory Control, and Process Control networks) are segregated from other untrusted networks such as the enterprise network (also referred to as the business network, corporate network, or intranet) and the internet using a Demilitarized Zone (DMZ) architecture.
Chapter 6. Network Architecture and Secure Deployment
6.4 Access and PROFINET Networks
Commissioning and maintaining the devices on the PROFINET network requires the ability to communicate from a computer to the I/O devices on that network. For example, if a PROFINET I/O device fails and needs to be replaced, the replacement I/O device will need to be assigned a name.
Chapter 7. Other Considerations
7.1 Patch Management
A strategy for applying security fixes, including patches, firmware updates, and configuration changes, should be included in a facility's security plan. Applying these updates will often require that an affected PROFINET I/O Device be temporarily taken out of service. Some installations require that extensive qualification be performed before changes are deployed to the production environment.