Download  Print this page

Advertisement

GE
Automation & Controls
Programmable Control Products
PACSystems*
PACSystems* PROFINET IO Devices Secure
Deployment Guide GFK-2904D
PROFINET IO Devices
Secure Deployment
Guide
GFK-2904D
July 2018
For Public Disclosure

Advertisement

   Related Manuals for GE PACSystems RX3i

   Summary of Contents for GE PACSystems RX3i

  • Page 1 Automation & Controls Programmable Control Products PACSystems* PACSystems* PROFINET IO Devices Secure Deployment Guide GFK-2904D PROFINET IO Devices Secure Deployment Guide GFK-2904D July 2018 For Public Disclosure...
  • Page 2 Changes, modifications, and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced herein.
  • Page 3 Online technical support and GlobalCare www.geautomation.com/support Additional information www.geautomation.com Solution Provider solutionprovider.ip@ge.com Technical Support If you have technical problems that cannot be resolved with the information in this manual, please contact us by telephone or email, or on the web at www.geautomation.com/support...
  • Page 4: Table Of Contents

    Table of Contents PACSystems* PROFINET IO Devices Secure Deployment Guide GFK-2904D Table of Contents ................................i Table of Figures ................................iii About this Guide ............................1 Chapter 1 Revisions in this Manual .......................... 2 PACSystems Documentation......................... 3 Introduction ............................... 5 Chapter 2 Security ...............................
  • Page 5 Contents Enforcement ..............................16 Authentication ............................17 Server Protocols ............................... 17 Authentication Supported by the PROFINET Protocol..............17 Plaintext Login ..............................17 Recommendations ............................17 Password Management ......................... 19 Changing Passwords ............................19 Confidentiality and Integrity ....................... 20 Communication Protocols ..........................20 Firmware Signatures ............................
  • Page 6: Table Of Figures

    Contents Table of Figures Figure 1: Reference Architecture ................................23 GFK-2904D July 2018...
  • Page 8: Chapter 1 About This Guide

    This document provides information that can be used to help improve the cyber security of systems that include PROFINET I/O devices from GE Automation & Controls. It is intended for use by control engineers, integrators, IT professionals, and developers responsible for deploying and configuring PROFINET I/O products.
  • Page 9: Revisions In This Manual

    Chapter 1. About this Guide 1.1 Revisions in this Manual Date Description Jul- • Updated for IC695PNS101, IC695CEP001. 2018 Feb- • Updated for replacement IC695PNS001 (-Bxxx implementation). 2017 Jun- • Updated Internet Layer Protocols table to include IGMP 2016 • Added section 5.2, Genius Gateway.
  • Page 10: Pacsystems Documentation

    Field Agents Upgrade Guide GFK-3017 In addition to these manuals, datasheets and product update documents describe individual modules and product revisions. The most recent PACSystems documentation is available on the GE Automation & Controls support website www.geautomation.com/support. GFK-2904D July 2018...
  • Page 12: Chapter 2 Introduction

    Availability: Ensure the system or data is available for use. GE Automation & Controls recognizes the importance of building and deploying products with these concepts in mind and encourages customers to take appropriate care in securing their GE Automation & Controls products and solutions.
  • Page 13: General Recommendations

    Harden system configurations by enabling/using the available security features, and by disabling unnecessary ports, services, functionality, and network file shares. • Apply all of the latest product security updates from GE Automation & Controls, SIMs, and other recommendations. • Apply all of the latest operating system security patches to control systems computers.
  • Page 14: Chapter 3 Communication Requirements

    (whether disabled or not) that does not need to pass from one network/segment to another. GE Automation & Controls recommends limiting the protocols allowed by the network infrastructure to the minimum set required for the intended application. Successfully doing this requires knowing which protocol is needed for each system-level interaction.
  • Page 15: Supported Protocols

    Chapter 3. Communication Requirements 3.1 Supported Protocols ETHERNET Protocols This section indicates which Ethernet protocols are supported, and by which PROFINET I/O Devices. Note that some of the supported protocols may not be required in a given system, since the installation may only be using a subset of the available protocols.
  • Page 16: Service Requests

    SNP between those two nodes. Firmware Update: The SNP protocol is often used in PROFINET I/O Devices from GE Automation & Controls to support updating the firmware on products or on an installed module that supports having its firmware updated over the backplane.
  • Page 17: Profinet

    Chapter 3. Communication Requirements 3.3 PROFINET This section describes the communication paths needed to support common operations on a PROFINET network. Installing an I/O Device Commissioning, adding, or replacing an I/O device requires that the device be assigned a unique name to use on the PROFINET network.
  • Page 18: Using An I/o Device

    Chapter 3. Communication Requirements Using an I/O Device Using PROFINET I/O as part of the control application requires that all of the following communication paths be supported throughout the life of the application. Protocol I/O Controller I/O Devices DCE/RPC Client Server DCE/RPC Server...
  • Page 19: Ethernet Firewall Configuration

    Chapter 3. Communication Requirements 3.4 Ethernet Firewall Configuration Network-based and host-based firewalls should be configured to only allow expected and required network traffic. This section identifies the EtherTypes and the TCP/UDP ports used by the protocols supported on PROFINET I/O Devices. This information should be used to help configure network firewalls, in order to support only the required communications paths for any particular installation.
  • Page 20: Application Layer Protocols

    Chapter 3. Communication Requirements Application Layer Protocols PROFINET devices are capable of acting as a server, responding to requests sent via any of several different protocols. They are also capable of acting as a client, sending requests to other servers using any of several different protocols.
  • Page 22: Chapter 4 Security Capabilities

    GE Automation & Controls PROFINET I/O Devices, however, do not provide such a facility – there is no support for creating User IDs. In many cases, a User ID does not even have to be specified to authenticate on a particular protocol.
  • Page 23: Specifying Access Rights

    HTTPS Anonymous Specifying Access Rights For each subject, PROFINET I/O Devices from GE Automation & Controls provide predefined access rights. Predefined Access Rights Using the SNP Slave Application Protocol to update firmware on a PROFINET I/O Device, the Anonymous Subject is granted the same Service Request PRIV Level as the highest PRIV Level user that currently has no password.
  • Page 24: Authentication

    Recommendations GE Automation & Controls strongly recommends that authentication be used for every enabled protocol that supports authentication, that all default passwords be changed, and that access be appropriately restricted to any computer-based file that includes a plaintext password.
  • Page 25 Chapter 4. Security Capabilities Physical Security Perimeter Protection 1) All ICS hardware should be placed in locked cabinets, with policies and procedures to restrict access to the key. 2) Network equipment such as switches, routers, firewalls, and Ethernet cabling should be physically protected in locked enclosures such as cabinets or closets with policies and procedures to restrict access to these enclosures.
  • Page 26: Password Management

    Chapter 4. Security Capabilities 4.4 Password Management As described in Section 4.2.1, Authorization Framework, each instance of a server has its own instances of the predefined subjects. As a result, passwords for each subject must be separately managed for each instance of a given kind of server.
  • Page 27: Confidentiality And Integrity

    SNP Slave Firmware Signatures Some PROFINET I/O Devices supplied by GE Automation & Controls may have digitally signed firmware images to provide cryptographic assurance of the firmware’s integrity. For PROFINET I/O Devices that support this feature, a digital signature is used to verify that any firmware being loaded onto the module was supplied by the General Electric Company, and has not been modified.
  • Page 28: Chapter 5 Configuration Hardening

    Configuration Hardening should be considered in addition to enabling and using security features such as Authentication, Access Control, and Authorization. GE Automation & Controls recommends disabling, on each PROFINET I/O Device, all ports, services, and protocols that are not required for the intended application.
  • Page 29: Genius Gateway

    Chapter 5. Configuration Hardening 5.2 Genius Gateway This section provides information to use when hardening the configuration of and access to a Genius Communications Gateway. Service How to Disable Set Gateway IP Address to 0.0.0.0 in the hardware configuration and IP Routing download to the PROFINET I/O controller.
  • Page 30: Chapter 6 Network Architecture And Secure Deployment

    This section provides security recommendations for deploying PROFINET I/O Devices from GE Automation & Controls in the context of a larger network. 6.1 Reference Architecture The Figure 1 shows a reference deployment of components supplied by GE Automation & Controls. Figure 1: Reference Architecture GFK-2904D...
  • Page 31: Remote Access And Demilitarized Zones

    Chapter 6. Network Architecture and Secure Deployment The Manufacturing Zone networks (which include the Manufacturing Operations, Supervisory Control, and Process Control networks) are segregated from other untrusted networks such as the enterprise network (also referred to as the business network, corporate network, or intranet) and the internet using a Demilitarized Zone (DMZ) architecture.
  • Page 32: Access And Profinet Networks

    Chapter 6. Network Architecture and Secure Deployment 6.4 Access and PROFINET Networks Commissioning and maintaining the devices on the PROFINET network requires the ability to communicate from a computer to the I/O devices on that network. For example, if a PROFINET I/O device fails and needs to be replaced, the replacement I/O device will need to be assigned a name.
  • Page 34: Chapter 7 Other Considerations

    Chapter 7 Other Considerations 7.1 Patch Management A strategy for applying security fixes, including patches, firmware updates, and configuration changes, should be included in a facility’s security plan. Applying these updates will often require that an affected PROFINET I/O Device be temporarily taken out of service. Some installations require extensive qualification be performed before changes are deployed to the production environment.
  • Page 35 GE Automation and Controls Additional Resources Information Centers For more information, please visit our web site: Headquarters: 1-800-433-2682 or 1-434-978-5100 www.geautomation.com Global regional phone numbers are available on our web site www.geautomation.com Copyright © 2014-2018 General Electric Company. All Rights Reserved *Trademark of General Electric Company.

Comments to this Manuals

Symbols: 0
Latest comments: