Authentication; Server Protocols; Authentication Supported By The Profinet Protocol; Plaintext Login - GE PACSystems RX3i Secure Deployment Manual

4.3 Authentication

PROFINET I/O Devices from GE Automation & Controls may provide password-based authentication for some,
but not all, of their server protocols. For each unauthenticated protocol that is enabled, compensating controls
may be needed to satisfy a particular installation's security requirements.

Note: The default configuration for all Server protocols except Web Server Firmware Update is
for no authentication, or for authentication using well-known default values.

Server Protocols

This section summarizes the authentication mechanisms supported by PROFINET I/O Devices for each
protocol. It is important to note that some PROFINET I/O Devices only support a subset of the options listed
here. Refer to Section 4.1, Capabilities by Product, for more details.

| Functionality | Application Protocol | Transport Medium | Subjects Available |
|---|---|---|---|
| Firmware Update | SNP Slave | Serial | None |
| Web Server | HTTP | Ethernet | None |
| Web Server Firmware Update | HTTP | Ethernet | Firmware Updater |

Authentication Supported by the PROFINET Protocol

The PROFINET I/O specification does not define an authentication mechanism and so none is supported on
GE Automation & Controls PROFINET I/O Device PROFINET communications.

Plaintext Login

Authentication for a protocol may involve sending a plaintext password to the Server. In some cases these
plaintext passwords cannot be more than seven (7) characters long. When such protocols are required,
additional compensating controls may be needed to satisfy a particular installation's security requirements.

Recommendations

GE Automation & Controls strongly recommends that authentication be used for every enabled protocol that
supports authentication, that all default passwords be changed, and that access be appropriately restricted to
any computer-based file that includes a plaintext password.

Whenever protocols are used with no authentication mechanism, or when authentication is disabled or relies
on sending credentials in plaintext across the network, it is critical to control physical and electronic access to
the network to prevent unauthorized messages from being sent and acted upon.

Below are recommended actions to be taken to mitigate the risk of external or internal entities accessing an
Industrial Control System (ICS) network and sending unauthorized messages.

Personnel Security Protection

1) All individuals with permission to physically access ICS systems should have background checks and
be trained in the proper use and maintenance of ICS systems.

GFK-2904D, July 2018, Chapter 4. Security Capabilities
