Belden Hirschmann HiOS-2S User Manual

User Manual
Security
BOBCAT Rail Switch
HiOS-2S
UM Security BRS-2S
Technical support
Release 8.7 05/2022
https://hirschmann-support.belden.com

Summary of Contents for Belden Hirschmann HiOS-2S

  • Page 1 User Manual Security BOBCAT Rail Switch HiOS-2S UM Security BRS-2S Technical support Release 8.7 05/2022 https://hirschmann-support.belden.com...
  • Page 2 The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
  • Page 3: Table Of Contents

    Contents: Document History ............ 7; Safety instructions ...
  • Page 4 Contents: Security configuration ............ 28; 2.6.1 Assign a static IP address for the device management ...
  • Page 5 Contents: Hardening the network infrastructure .......... 46; Measures to secure the network infrastructure ...
  • Page 7: Document History

    Document History
    Version | Finalize date | Finalized by | Relevant content changes
    0.21a | 2021-08-30 | U. Messerle | Prepared draft for review.
    0.30b | 2021-11-02 | U. Messerle | Reworked according to review results: removed default user credentials "user/public"; added "hardening" to scope; generalized some descriptions for device security (they also apply to operation and maintenance).
  • Page 9: Safety Instructions

    Safety instructions. WARNING: UNCONTROLLED MACHINE ACTIONS. To avoid uncontrolled machine actions caused by data loss, configure all the data transmission devices individually. Before you start any machine which is controlled via data transmission, be sure to complete the configuration of all data transmission devices.
  • Page 11: About This Manual

    About this Manual: The “Configuration” user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The “Installation” ...
  • Page 12: Key

    The designations used in this manual have the following meanings: List; Work step; Link; Cross-reference with link; Note (a note emphasizes a significant fact or draws your attention to a dependency); Courier (representation of a CLI command or field contents in the graphical user interface); Execution in the Graphical User Interface; Execution in the Command Line Interface ...
  • Page 13: Security Planning

    1 Security planning. 1.1 Introduction. 1.1.1 Subject: The user manual "Security" contains security recommendations for your network device. It deals with the following lifecycle phases of your device: Secure installation; Secure commissioning; Secure administration and operation; ...
  • Page 14: Capability Security Level

    1.1.4 Capability security level: The security requirements, planning steps, and measures in this document deal with the capability security level 1 (SL-C 1) according to the standard IEC 62443-4-2. SL-C 1 means protection against casual or coincidental security violations. Some security requirements, measures, and steps mentioned in this document may exceed the target security level SL-C 1.
  • Page 15: Defense In Depth

    1.2 Defense in depth. 1.2.1 Purpose: Defense in depth is a strategy that employs various independent security measures to guard an asset under consideration against specific attacks. A system that employs defense in depth first confronts an attacker with a particular barrier. If an attacker overcomes this barrier, the system presents another barrier of a different type.
  • Page 16 Barrier / Description:
    Non-default user account names: An attacker must guess or find out the real user account names.
    Non-default passwords: An attacker must guess or find out the real passwords.
    Specific, restricted account privileges: An attacker must guess or find out the administrator account credentials to read privileged data or manipulate device settings.
  • Page 17: Impact Of The System Lifecycle To The Device Lifecycle

    1.3 Impact of the system lifecycle to the device lifecycle: A network device is a component in a superordinate system. Therefore, the system lifecycle determines parts of the device lifecycle. A system lifecycle involves a planning phase. The decisions taken in the planning phase affect the device lifecycle directly or indirectly.
  • Page 18: Impact Of Device Requirements On System Planning

    1.4 Impact of device requirements on system planning: Some requirements of the device have an impact on the system lifecycle phases, in particular on system planning. Topics of this interdependence include: A secure installation location, including the aspects: ...
  • Page 19: Plan A Dedicated User Account Login Policy

    Digital Input: If you plan to use the Digital Input, consider the following security aspects: To help protect the device, connect the Digital Input only to a circuit that meets the device ...
  • Page 20: Plan A Dedicated User Account Name And Access Role Policy For Device Management

    Note: The device asks you to change the default password on the first login. Hirschmann recommends planning an overarching user account password policy and applying it to each device. To deter attackers, consider planning different passwords on different devices. Table 1: User credentials for the user account in the delivery state (columns: User Name, Default Password, Access Role) ...
  • Page 21: Vlan Plan Considerations Depending On Redundancy Protocols

    1.4.6 VLAN plan considerations depending on redundancy protocols: Network availability can be an important base for the security of the superordinate system. The device offers redundancy protocols for this purpose. The redundancy protocols HIPER Ring and Ring/Network Coupling employ the fixed VLAN ID 1 for their protocol packets.
  • Page 23: Device Security

    2 Device security. 2.1 Security vs. functionality: This chapter deals with the device security throughout the lifecycle phases of the device. For the functional device lifecycle phases, refer to the detailed device documents: User manual "Installation", for example, for permissible ambient conditions ...
  • Page 24: Prerequisites For Installation And Setup

    2.2 Prerequisites for installation and setup: Hirschmann assumes that, when reading this section, you have already performed the system planning steps, including: The choice of a suitable physical location for the devices (see on page 26 “Choice of a secure ...
  • Page 25: Recommended Installation Work Step Sequence

    2.3 Recommended installation work step sequence: The device security lifecycle phases in a practical order are: Choice of a secure installation location (see on page 26 “Choice of a secure installation location”); Initial software update (see on page 27 “Software update”); ...
  • Page 26: Choice Of A Secure Installation Location

    2.4 Choice of a secure installation location: Refer to the user manual "Installation" for a suitable physical installation location. Select an installation location that in addition offers appropriate device security by restricting physical access. Check that the following device security requirements are fulfilled if needed: Install the device in a room that can be locked and where only authorized personnel have ...
  • Page 27: Software Update

    2.5 Software update: The following description applies to: The initial software update for a device out-of-the-box; A software update as part of operation or maintenance. Check if an updated release of the device software is available. You find information and software downloads on the Hirschmann product pages on the Internet at www.hirschmann.com.
  • Page 28: Security Configuration

    2.6 Security configuration: The following description applies to: The initial security configuration for a device out-of-the-box; Changes in the security configuration as part of operation or maintenance. Refer to the user manual "Configuration" for the functional device configuration. Note: To configure the device, you need management access to the device, which requires at least a preliminary IP configuration.
  • Page 29: Assign A Static Ip Address For The Device Management

    You can also elect to configure the following advanced user authentication measures as needed (see on page 36 “Configure advanced user authentication”): Use 802.1X for user authentication; Use a dedicated authentication policy list; Configure RADIUS access instead of or in addition to the local IAS (Integrated Authentication ...
  • Page 30: Disable Logical Access To The Signal Contact

    2.6.4 Disable logical access to the Signal Contact: If you do not need the Signal Contact, disable the Signal Contact in the device configuration. In the delivery state, the Signal Contact is disabled. If you do need the Signal Contact, see on page 39 “Signal Contact considerations”.
  • Page 31: Disable Booting From An External Memory

    Energy conservation aspects: If you set the power limit for a given port to the known power consumption of the PD, this may help in powering more PDs in certain cases. If you know the power consumption needs of a PD on a time-of-day or day-of-week basis, you ...
  • Page 32: Disable Loading A Configuration Profile That Lacks A Valid Fingerprint

    2.6.12 Disable loading a configuration profile that lacks a valid fingerprint: Disable the loading of a configuration profile that lacks a valid fingerprint. This helps secure the device against loading an unsigned configuration profile placed on an external memory and plugged into the device with the intention that the unsigned configuration profile will take effect after a reboot.
  • Page 33: Configure A Dedicated Https Certificate

    2.6.15 Configure a dedicated HTTPS certificate: In the state of delivery, the device contains a self-signed HTTPS certificate. You have the option of: Replacing the existing HTTPS certificate with a new, self-signed HTTPS certificate on the ...
  • Page 34: Configure A Dedicated User Account Password Policy

    Waiting time before the device auto-unlocks a locked user account: For security reasons, configure the value as high as possible. For availability reasons, configure it as low as practical. Use a value >0. Choose a value that corresponds to your situation. These steps help ensure that the device locks out a user after the maximum number of failed user logins in a row and then enforces a waiting period.
  • Page 35: Adapt Session Timeouts

    Create user accounts. For each new user account, perform the following steps: – Create a user account with a dedicated name. – Assign the new user account an access role that offers only the least necessary privileges. – ...
  • Page 36: Configure Logging

    2.6.22 Configure logging: Configure synchronization of the device system clock to a trusted source. See the user manual "Configuration" on how to synchronize the device system clock to a trusted source. If you use PTP (IEEE 1588), refer to the PTP chapters. Configure logging severity levels.
  • Page 37: Create A Backup Of Device-Specific Data

    2.6.26 Create a backup of device-specific data: When the device configuration is complete: Consider creating a backup copy of the configuration. For example, place the backup file in a device-specific folder. Include other device-specific data. For example, copy device-specific private keys or certificates ...
  • Page 38: Possible Hardware Modifications For Security

    2.7 Possible hardware modifications for security: The following descriptions apply to: The possible hardware modifications for a device out-of-the-box; Possible hardware modifications as part of operation or maintenance. Perform the following hardware modification steps, like covering or obstructing a slot or a port, as needed: Restrict physical access to the USB port.
  • Page 39: Device Installation

    2.8 Device installation: The following description applies to: The installation of a device in a new system; Changes to the device as part of operation or maintenance. Perform the device installation according to the user manual "Installation" for the device. 2.8.1 Data connections: Perform the data connections according to the user manual "Installation" ...
  • Page 40: Operation

    2.9 Operation: In the operation phase of the device, Hirschmann assumes you have already taken the appropriate physical and logical steps to set up the device and operate it properly regarding the functional and security aspects of the device. This essentially reduces the required security steps during the operation phase to the considerations already described in this security manual, the user manual "Installation" ...
  • Page 41: Maintenance

    2.10 Maintenance. 2.10.1 Software update: If necessary, perform a software update: For the security aspects, see on page 27 “Software update”. For the detailed work steps, see the user manual "Configuration", chapter "Loading software updates". 2.10.2 Hardware enhancement: Typical application cases include: ...
  • Page 42: Decommissioning

    2.11 Decommissioning: If you have high security requirements, consider physical destruction (see on page 42 “Secure physical destruction of device and components”). Secure physical destruction addresses the possible reading-out of memory blocks from the flash memory and makes deletion and wiping (see on page 42 “Destruction of confidential data and secrets”) redundant.
  • Page 43: Network Security Support

    3 Network security support. 3.1 Introduction: This chapter lists what the device can do for the security of your network, including enhancing the availability of your network. The chapter deals with device functionality in the operation and maintenance lifecycle phases that can affect the security of your network.
  • Page 44: Prerequisites For Setting Up Network Security

    3.2 Prerequisites for setting up network security: A securely configured device can help you make your network more secure and available. Hirschmann assumes that, when reading this section, you have taken the necessary steps to secure the device itself (see on page 23 “Device security”).
  • Page 45: Employ Defense In Depth For Your Network Infrastructure

    3.3 Employ defense in depth for your network infrastructure: Defense in depth uses several barriers that a potential attacker has to overcome one after the other. Hirschmann assumes that, when reading this section, you have already set up a dedicated plan for defending your system in depth (see on page 15 “Defense in depth”).
  • Page 46: Hardening The Network Infrastructure

    3.4 Hardening the network infrastructure: The suggested hardening measures are collected in the chapter (see on page 47 “Measures to secure the network infrastructure”). Pick the measures suitable for defense in depth first. Then complement them by selecting from the remaining hardening possibilities.
  • Page 47: Measures To Secure The Network Infrastructure

    3.5 Measures to secure the network infrastructure: The collection of suggested measures can be used for hardening and for defense in depth. Pick the measures suitable for defense in depth first. Then complement them by selecting from the remaining hardening possibilities.
  • Page 48: Restrict Logical Access To Your Network

    3.6 Restrict logical access to your network. 3.6.1 Configure a dedicated management VLAN: If you have already set up a dedicated management VLAN, you can skip this chapter. Otherwise, follow the description (see on page 29 “Configure a VLAN dedicated to management access”).
  • Page 49: Secure The Network Protocols Used

    3.7 Secure the network protocols used. 3.7.1 Disable GMRP and MMRP: The GARP Multicast Registration Protocol (GMRP) and its successor, the Multiple MAC Registration Protocol (MMRP), can be used to register group MAC addresses dynamically and automatically set up multicast forwarding in a device.
  • Page 50: Secure The Redundancy Protocols Used

    3.8 Secure the redundancy protocols used. Note: Securing the redundancy protocols used can also help you enhance and maintain the availability of your network infrastructure. 3.8.1 Secure RSTP guards and helper protocols: Secure RSTP guards.
  • Page 51: Configure Attack Protection Functions

    3.9 Configure attack protection functions. 3.9.1 Configure Denial of Service (DoS) protection: Configure DoS protection. See the user manual "Graphical User Interface" on how to configure DoS protection. 3.9.2 Configure rate limiters: Configure rate limiters. See the user manual "Graphical User Interface" on how to configure rate limiters.
  • Page 52: Configure Network Time Synchronization

    3.10 Configure network time synchronization: Hirschmann assumes that, when reading this section, you have taken the necessary steps to secure the device itself (see on page 35 “Configure time synchronization”). To help synchronize the time in the network, the device may act as a time server. Configure the server function of the device.
  • Page 53: Configure Logging

    3.11 Configure logging: Configure logging severity levels and destinations. The necessary settings depend on your security requirements. See the user manual "Configuration" on how to configure logging severity levels and destinations. Note: Secure logging also relies on the synchronization of the device system clock to a trustworthy source (see on page 35 “Configure time synchronization”).
  • Page 55: A Index

    A Index: Access through EtherNet/IP (configuration) ........ 32; Access through IEC 61850-MMS (configuration) ...
  • Page 56 Index: Capability security level (introduction) .......... 14; Choice of a secure installation location ...
  • Page 57 Index: Data connections (installation) .......... 39; Data link redundancy requirements (installation) ...
  • Page 58 Index: Hardening the network infrastructure (network) ........ 46; Hardening vs. ...
  • Page 59 Index: Network ACLs .............. 48; Attack protection functions ...
  • Page 60 Index: Physical: Restrict access to network ports or SFP slots ........ 38; Restrict access to the device and port LEDs ...
  • Page 61 Index: Scope of this document ............ 13; Secure HIPER Ring (network) ...
  • Page 63: B Further Support

    You find the addresses of our partners on the Internet at www.hirschmann.com. A list of local telephone numbers and email addresses for technical support directly from Hirschmann is available at hirschmann-support.belden.com. This site also includes a free of charge knowledge base and a software download section.
  • Page 64: C Readers' Comments

    C Readers’ Comments: What is your opinion of this manual? We are constantly striving to provide as comprehensive a description of our product as possible, as well as important information to assist you in the operation of this product. Your comments and suggestions help us to further improve the quality of our documentation.
  • Page 65 Readers’ Comments form. General comments; Sender; Company / Department; Name / Telephone number; Street; Zip code / City; E-mail; Date / Signature. Dear User, Please fill out and return this page as a fax to the number +49 (0)7127/14-1600 or per mail to ...
