Access And Profinet Networks - GE PACSystems RX3i Secure Deployment Manual

6.4 Access and PROFINET Networks

Commissioning and maintaining the devices on the PROFINET network requires the ability to communicate
from a computer to the I/O devices on that network. For example, if a PROFINET I/O device fails and needs to
be replaced, the replacement I/O device will need to be assigned a name. As described in 3.5 PROFINET, this
can be done using the PROFINET DCP protocol. However, to help ensure that the Maintenance computer
cannot be used to launch attacks on the I/O devices using other protocols, the firewall it connects through
should block all protocols that are not needed for performing the maintenance functions.
Note: Since the PROFINET DCP protocol is not routable, the firewall used will most likely need
to be configured so it operates in Transparent mode. This will allow the Maintenance
computer to be part of the same subnet as the PROFINET I/O devices, as required by the
PROFINET DCP protocol.
Transparent mode is noted by the use of a T on the firewall in the Reference Architecture
diagram (Figure 1).
GFK-2904D
Chapter 6. Network Architecture and Secure Deployment
July 2018 25