Chapter 4 Security Capabilities; Capabilities By Product; Access Control And Authorization; Authorization Framework - GE PACSystems RX3i Secure Deployment Manual

Chapter 4 Security Capabilities

This section describes the PROFINET I/O Device capabilities and security features of products supplied by GE
Automation & Controls which can be used as part of a defense-in-depth strategy to secure your control
system.

4.1 Capabilities by Product

This section provides a summary view of the security capabilities supported on each PROFINET module.
Security Capability
Predefined set of Subjects and
Access Rights
Plaintext Login
Access Control List
Firmware Signatures

4.2 Access Control and Authorization

The Access Control process can be divided into two phases:
Definition: Specifying the access rights for each subject (referred to as Authorization), and
Enforcement: Approving or rejecting access requests.
This section describes the Access Control capabilities supported by GE Automation & Controls PROFINET I/O
Devices, which includes its Authorization capabilities.

Authorization Framework

Defining the access rights for each subject implies that the system must have some means to identify each
subject. The most familiar way this is achieved is by assigning a unique User ID to each person who will access
the system.
GE Automation & Controls PROFINET I/O Devices, however, do not provide such a facility – there is no support
for creating User IDs. In many cases, a User ID does not even have to be specified to authenticate on a
particular protocol. In such cases, authorization is based on the functionality being used and the password that
is provided for authentication. Nevertheless, the authentication features supported on PROFINET I/O Devices
implicitly define a fixed set of subjects, which are identified here.
GFK-2904D
IC695CEP001
IC695PNS001-AXXX
✓
July 2018
IC695PNS001-BAxx
IC695PNS101
✓
✓
IC695GCG001
✓
15