Veris Industries E34 Series Installation Manual page 36

E34 Series Installation Guide
Cybersecurity (cont.)
Z207251-0C
Page 36 of 42
Alta Labs, Enercept, Enspector, Hawkeye, Trustat, Aerospond, Veris, and the Veris 'V' logo are trademarks or registered trademarks of Veris Industries, L.L.C. in the USA and/or other countries.
Protected Environment Assumptions
• Cybersecurity governance – available and up-to-date guidance on governing the use of information and technology assets in your company.
• Perimeter security – installed devices, and devices that are not in service, are in an access-controlled or monitored location.
• Emergency power – the control system provides the capability to switch to and from an emergency power supply without affecting the existing security state or a documented degraded mode.
• Firmware upgrades – device upgrades are implemented consistently to the current version of firmware.
• Controls against malware – detection, prevention and recovery controls to help protect against malware are implemented and combined with appropriate user awareness.
• Physical network segmentation – the control system provides the capability to:
  • Physically segment control system networks from non-control system networks.
  • Physically segment critical control system networks from non-critical control system networks.
• Logical isolation of critical networks – the control system provides the capability to logically and physically isolate critical control system networks from non-critical control system networks. For example, using VLANs.
• Independence from non-control system networks – the control system provides network services to control system networks, critical or non-critical, without a connection to non-control system networks.
• Encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper or a similar solution.
• Zone boundary protection – the control system provides the capability to:
  • Manage connections through managed interfaces consisting of appropriate boundary protection devices, such as: proxies, gateways, routers, firewalls and encrypted tunnels.
  • Use an effective architecture, for example, firewalls protecting application gateways residing in a DMZ.
• Control system boundary protections at any designated alternate processing sites should provide the same levels of protection as that of the primary site, for example, data centers.
• No public internet connectivity – access from the control system to the internet is not recommended. If a remote site connection is needed, for example, encrypt protocol transmissions.
• Resource availability and redundancy – ability to break the connections between different network segments or use duplicate devices in response to an incident.
• Manage communication loads – the control system provides the capability to manage communication loads to mitigate the effects of information flooding types of DoS (Denial of Service) events.
• Control system backup – available and up-to-date backups for recovery from a control system failure.
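
One way to build the TLS wrapper named in the "Encrypt protocol transmissions" item for Modbus TCP, shown as an added example that is not part of the Veris guide: a pair of stunnel configurations with mutual certificate authentication, one on a gateway inside the meter's protected segment and one at the head end. All addresses, host names, file paths and ports other than Modbus TCP's 502 are constructed placeholders.

```ini
; ---------------------------------------------------------------
; Site gateway, inside the meter's protected network segment.
; Accepts TLS from the head end and forwards plaintext Modbus TCP
; to the meter over the segmented internal network only.
; (addresses, names and paths are placeholders)
; ---------------------------------------------------------------
[modbus-in]
client = no
; external-facing listener; 8502 is an arbitrary example port
accept = 203.0.113.10:8502
; the meter's Modbus TCP service on the internal segment
connect = 10.20.0.15:502
cert = /etc/stunnel/site-gw.crt
key = /etc/stunnel/site-gw.key
; require and verify a client certificate issued by the plant CA
CAfile = /etc/stunnel/plant-ca.crt
verifyChain = yes
sslVersionMin = TLSv1.2

; ---------------------------------------------------------------
; Head end (SCADA / BMS host), separate configuration file.
; The Modbus client talks plaintext to the loopback listener;
; everything leaving the host is inside TLS.
; ---------------------------------------------------------------
[modbus-out]
client = yes
; loopback only, so the plaintext side is never exposed off-host
accept = 127.0.0.1:1502
connect = 203.0.113.10:8502
cert = /etc/stunnel/head-end.crt
key = /etc/stunnel/head-end.key
; verify the gateway's certificate chain and its host name
CAfile = /etc/stunnel/plant-ca.crt
verifyChain = yes
checkHost = site-gw.example.internal
sslVersionMin = TLSv1.2
```

stunnel wraps TCP only; BACnet/IP and SNMP run over UDP, so they need the encrypted-tunnel option rather than a TLS wrapper.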
Potential Risks and Compensating Controls
Address potential risks using these compensating controls:
| Area | Issue | Risk | Compensating Control |
|---|---|---|---|
| User accounts | Default account settings are often the source of unauthorized access by malicious users. | If you do not change the default password, unauthorized access can occur. | Change the default password to help reduce unauthorized access. |
| Secure protocols | Modbus TCP, BACnet/IP and SNMP protocols are unsecure. The device does not have the capability to transmit encrypted data using these protocols. | If a malicious user gained access to your network, they could intercept communications. | For transmitting data over an internal network, physically or logically segment the network. For transmitting data over an external network, encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper or a similar solution. |

Default Security Settings

| Area | Setting | Default |
|---|---|---|
| Communication protocols | Modbus TCP | Enabled |
| | BACnet/IP | Disabled |
| | SNMP | Disabled |

©2020 Veris Industries USA 800.354.8556 or +1.503.598.4564 / support@veris.com
Other companies' trademarks are hereby acknowledged to belong to their respective owners.
