Chapter 5 Configuration Hardening; Scanner - GE PACSystems RX3i Secure Deployment Manual

Profinet io devices

Chapter 5 Configuration Hardening

This section is intended to assist in reducing the potential attack surface by providing information that can be
used to harden the configuration of the PROFINET I/O Devices that are present in a particular installation.
Configuration Hardening should be considered in addition to enabling and using security features such as
Authentication, Access Control, and Authorization.
GE Automation & Controls recommends disabling, on each PROFINET I/O Device, all ports, services, and
protocols that are not required for the intended application.

5.1 Scanner

This section provides information to use when hardening the configuration of a PROFINET I/O Device Scanner
or its DAP (Device Access Point). These options should be considered when configuring any PROFINET I/O
Device that supports them.

| Service | How to Disable |
|---|---|
| IP Routing | Set Gateway IP Address to 0.0.0.0 in the hardware configuration and download to the PROFINET I/O controller. |
| Ethernet Port Enable | Set Port Speed of Port submodule to Disabled in the hardware configuration and download to the PROFINET I/O controller. This will prevent the port from powering up and establishing a link. This setting is retained over a power cycle. |
| SD Card Identity | Set the name of the Device using a DCP Client with the SD Card inserted. Remove SD Card and enable the physical Write-Protect feature on the SD Card. Re-insert the SD Card in the Scanner. This will prevent future attempts to rename the Scanner from persisting over a power cycle. |
| Front Panel Ethernet Port | Set IP Address, Subnet Mask, and Gateway IP Address to 0.0.0.0 in the hardware configuration and download to the PROFINET I/O Controller. No Web Server access or firmware update functionality will be available through the front panel Ethernet port. |
| Firmware Update During RUN Mode | Clear the control bit to disable firmware updates while the unit is connected to a PROFINET IO Controller that is in RUN mode. Applies to IC695PNS001-BAxx and IC695PNS101 only. |

GFK-2904D, July 2018
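
One way to check a scanner's settings against the Section 5.1 table, as an added example (not from the GE manual or any GE tool). The dictionary layout, key names, port numbering and sample values are assumptions; `required` and `required_ports` name what the application needs, since the manual asks only for what is not required to be disabled.

```python
import re

# Catalog numbers the manual lists for the RUN-mode firmware update control bit.
FW_BIT_MODELS = re.compile(r"^(IC695PNS001-BA|IC695PNS101)")
ZERO = "0.0.0.0"

def audit_scanner(cfg, required=frozenset(), required_ports=frozenset()):
    """Return (service, finding) pairs for Section 5.1 items left enabled.
    cfg layout and key names are hypothetical, not a GE export format."""
    out = []
    def flag(service, finding):
        if service not in required:  # needed by the application: not a finding
            out.append((service, finding))

    if cfg["gateway"] != ZERO:
        flag("IP Routing", f"Gateway IP Address is {cfg['gateway']}")
    for port, speed in sorted(cfg["port_speed"].items()):
        if port not in required_ports and speed != "Disabled":
            out.append(("Ethernet Port Enable", f"port {port} Port Speed is {speed}"))
    if not cfg["sd_write_protected"]:
        flag("SD Card Identity", "SD Card Write-Protect is off")
    live = [k for k, v in sorted(cfg["front_panel"].items()) if v != ZERO]
    if live:
        flag("Front Panel Ethernet Port", "non-zero: " + ", ".join(live))
    # The control bit applies only to the listed models; skip it elsewhere.
    if FW_BIT_MODELS.match(cfg["catalog"]) and cfg["fw_update_in_run"]:
        flag("Firmware Update During RUN Mode", "control bit is set")
    return out

# Constructed sample configurations (all values invented for illustration).
HARDENED = {
    "catalog": "IC695PNS101", "gateway": ZERO,
    "port_speed": {1: "Auto", 2: "Auto", 3: "Disabled", 4: "Disabled"},
    "sd_write_protected": True,
    "front_panel": {"ip": ZERO, "mask": ZERO, "gateway": ZERO},
    "fw_update_in_run": False,
}
UNHARDENED = {
    "catalog": "IC695PNS101", "gateway": "192.168.0.1",
    "port_speed": {1: "Auto", 2: "Auto", 3: "Auto", 4: "Auto"},
    "sd_write_protected": False,
    "front_panel": {"ip": "192.168.1.10", "mask": "255.255.255.0", "gateway": ZERO},
    "fw_update_in_run": True,
}

if __name__ == "__main__":
    for service, finding in audit_scanner(UNHARDENED, required_ports={1, 2}):
        print(f"{service}: {finding}")
```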
