manualshive.com logo in svg

GE PACSystems* RX3i, Secure Deployment Manual

The GE PACSystems* RX3i is a cutting-edge industrial control system designed for maximum performance and flexibility. Unlock the full potential of your RX3i system with our comprehensive User Manual, available for free download at manualshive.com. This manual provides detailed instructions and support to ensure seamless operation and optimal productivity.

Share
Download
background image

Chapter 2. Introduction 

PACSystems PROFINET IO Devices Secure Deployment Guide 

GFK-2904D 

2.4

 

General Recommendations 

Adopting the following security best practices should be considered when using GE Automation & Controls 
products and solutions. 

 

The PROFINET I/O Devices covered in this document were not designed for or intended to be 
connected directly to any wide area network, including but not limited to a corporate network or the 
Internet at large. Additional routers and firewalls (such as those illustrated in 

Figure 1: Reference 

Architecture

) that have been configured with access rules customized to the site's specific needs must 

be used to access devices described in this document from outside the local control networks. If a 
control system requires external connectivity, care must be taken to control, limit and monitor all 
access, using, for example, virtual private networks (VPN) or Demilitarized Zone (DMZ) architectures. 

 

Harden system configurations by enabling/using the available security features, and by disabling 
unnecessary ports, services, functionality, and network file shares. 

 

Apply all of the latest product security updates from GE Automation & Controls, SIMs, and other 
recommendations. 

 

Apply all of the latest operating system security patches to control systems computers. 

 

Use anti-virus software on control systems computers and keep the associated anti-virus signatures 
up-to-date. 

 

Use whitelisting software on control systems computers and keep the whitelist up-to-date. 

 

2.5

 

Checklist 

This section provides a sample checklist to help guide the process of securely deploying PROFINET I/O 
products. 

1)

 

Create or locate a network diagram. 

2)

 

Identify and record the required communication paths between nodes. 

3)

 

Identify and record the protocols required along each path, including the role of each node. (Refer to 
Chapter 3, 

Communication Requirements

.) 

4)

 

Revise the network as needed to ensure appropriate partitioning, adding firewalls or other network 
security devices as appropriate. Update the network diagram. (Refer to Chapter 6, 

Network 

Architecture and Secure Deployment

.) 

5)

 

Configure firewalls and other network security devices. (Refer to Section 3.4, 

Ethernet Firewall 

Configuration

 and Chapter 6, 

Network Architecture and Secure Deployment

.) 

6)

 

Enable and/or configure the appropriate security features on each PROFINET I/O Device. (Refer to 
Chapter 4,

 Security Capabilities

.) 

7)

 

On each PROFINET I/O Device, change every supported password to something other than its default 
value. (Refer to Section 4.4, 

Password Management

.) 

8)

 

Harden the configuration of each PROFINET I/O Device, disabling unneeded features, protocols and 
ports. (Refer to Chapter 5, 

Configuration Hardening

.) 

9)

 

Test/qualify the system. 

10)

 

Create an update/maintenance plan. 

 

Note: 

Secure deployment is only one part of a robust security program. This document, 
including the checklist above, is limited to providing secure deployment guidance only. 
For more information about security programs in general, refer to Section 7.3, 

Additional 

Guidance

 
 

Summary of Contents for PACSystems* RX3i

Page 1: ...mation Controls For Public Disclosure Programmable Control Products PACSystems PROFINET IO Devices Secure Deployment Guide GFK 2904D PACSystems PROFINET IO Devices Secure Deployment Guide GFK 2904D Ju...

Page 2: ...rmational purposes only and GE makes no warranty as to the accuracy of the information included herein Changes modifications and or improvements to equipment and specifications are made periodically a...

Page 3: ...utomation com support Americas Phone 1 800 433 2682 International Americas Direct Dial 1 780 420 2010 if toll free 800 option is unavailable Customer Care Email digitalsupport ge com Primary language...

Page 4: ...mendations 6 2 5 Checklist 6 Chapter 3 Communication Requirements 7 3 1 Supported Protocols 8 ETHERNET Protocols 8 Serial Protocols 8 3 2 Service Requests 9 SNP 9 3 3 PROFINET 10 Installing an I O Dev...

Page 5: ...s 20 Firmware Signatures 20 Logging and Auditing 20 Chapter 5 Configuration Hardening 21 5 1 Scanner 21 5 2 Genius Gateway 22 Chapter 6 Network Architecture and Secure Deployment 23 6 1 Reference Arch...

Page 6: ...Contents GFK 2904D July 2018 iii Table of Figures Figure 1 Reference Architecture 23...

Page 7: ......

Page 8: ...ionals and developers responsible for deploying and configuring PROFINET I O products Secure deployment information is provided in this manual for the following products supplied by GE Automation Cont...

Page 9: ...ns in this Manual Rev Date Description D Jul 2018 Updated for IC695PNS101 IC695CEP001 C Feb 2017 Updated for replacement IC695PNS001 Bxxx implementation B Jun 2016 Updated Internet Layer Protocols tab...

Page 10: ...EP PROFINET I O Controller Manual GFK 2571 RX3i Manuals PACSystems RX3i System Manual GFK 2314 PACSystems RX3i PROFINET Scanner Manual GFK 2737 PACSystems RX3i CEP PROFINET Scanner User Manual GFK 28...

Page 11: ......

Page 12: ...Article GE Intelligent Platforms Security Advisories 2 2 Firewall Firewalls and other network security products including Data Diodes and Intrusion Prevention Devices can be an important component of...

Page 13: ...whitelisting software on control systems computers and keep the whitelist up to date 2 5 Checklist This section provides a sample checklist to help guide the process of securely deploying PROFINET I...

Page 14: ...uired for the intended application Successfully doing this requires knowing which protocol is needed for each system level interaction This section describes how the supported serial and Ethernet appl...

Page 15: ...client PROFINET DCP server PROFINET I O HTTP Server HTTPS Server MRP SNMP v1 server SNMP v2c server Serial Protocols In addition to Ethernet PROFINET I O Devices may also support communication over s...

Page 16: ...rds and OEM key and sweep information View and optionally clear a log of any faults that have occurred in the Controller The Service Request protocol is transported over a specific media by encapsulat...

Page 17: ...to the computer s network adapter It can then be used to re assign a unique name to the I O device being installed Note This protocol can also be used to make other modifications to the I O device suc...

Page 18: ...e of the application Protocol I O Controller I O Devices DCE RPC Client Server DCE RPC Server Client PROFINET DCP Client Server PROFINET I O Bi directional Bi directional In addition if the PROFINET n...

Page 19: ...a diagram showing firewall placement Lower Level Protocols Ethernet communication is typically described using four layers each with its own set of protocols At the top of that hierarchy is the Applic...

Page 20: ...quests to other servers using any of several different protocols The exact set of protocols that are enabled used will depend on which modules are installed how they are configured and the details of...

Page 21: ......

Page 22: ...ization and Enforcement Approving or rejecting access requests This section describes the Access Control capabilities supported by GE Automation Controls PROFINET I O Devices which includes its Author...

Page 23: ...ces from GE Automation Controls provide predefined access rights Predefined Access Rights Using the SNP Slave Application Protocol to update firmware on a PROFINET I O Device the Anonymous Subject is...

Page 24: ...on GE Automation Controls PROFINET I O Device PROFINET communications Plaintext Login Authentication for a protocol may involve sending a plaintext password to the Server In some cases these plaintex...

Page 25: ...th another network node on the same physical network a Next Generation Firewall could be deployed between the two network nodes This Next Generation Firewall should be configured to explicitly whiteli...

Page 26: ...subject must be separately managed for each instance of a given kind of server Changing Passwords Functionality Authenticated Subjects How Passwords are assigned Firmware Update PRIV Level 4 user Stat...

Page 27: ...n the table below Therefore compensating controls may be required to meet an installation s security requirements for protecting data in flight Protocol Provided Security Capabilities Transport Medium...

Page 28: ...0 in the hardware configuration and download to the PROFINET I O controller Ethernet Port Enable Set Port Speed of Port submodule to Disabled in the hardware configuration and download to the PROFINET...

Page 29: ...roller SD Card Identity Set the name of the Device using a DCP Client with the SD Card inserted Remove SD Card and enable the physical Write protect feature on the SD Card Re insert the SD Card in the...

Page 30: ...ion provides security recommendations for deploying PROFINET I O Devices from GE Automation Controls in the context of a larger network 6 1 Reference Architecture The Figure 1 shows a reference deploy...

Page 31: ...ts to just the minimum set required Further every access attempt successful or not and all blocked traffic should be recorded in a security log that is regularly audited 6 3 Access and Process Control...

Page 32: ...DCP protocol However to help ensure that the Maintenance computer cannot be used to launch attacks on the I O devices using other protocols the firewall it connects through should block all protocols...

Page 33: ......

Page 34: ...nd jitter As a result network architectures that require real time communications to pass through such devices may limit the applications that can be successfully deployed 7 3 Additional Guidance Prot...

Page 35: ...s are available on our web site www geautomation com Additional Resources For more information please visit our web site www geautomation com Copyright 2014 2018 General Electric Company All Rights Re...

Reviews:

No comments

Related manuals for PACSystems* RX3i

Faber JP Manual preview
JP
Brand: Faber Pages: 8
GE RSTi-EP User Manual preview
RSTi-EP
Brand: GE Pages: 425
Bang & Olufsen Beolink 1000 Service Manual preview
Beolink 1000
Brand: Bang & Olufsen Pages: 9
Bang & Olufsen Beolink 1000 User Manual preview
Beolink 1000
Brand: Bang & Olufsen Pages: 12
Hach SC1500 User Manual preview
SC1500
Brand: Hach Pages: 86
Bang & Olufsen Beo4 Getting Started preview
Beo4
Brand: Bang & Olufsen Pages: 80
Bang & Olufsen Beo4 Manual preview
Beo4
Brand: Bang & Olufsen Pages: 13
J3C S20 Assembly Instructions preview
S20
Brand: J3C Pages: 2
Gascat ARGOS Installation, Operation & Maintenance Manual preview
ARGOS
Brand: Gascat Pages: 32
OBaby mercury Instruction Manual preview
mercury
Brand: OBaby Pages: 7
Quectel M85 User Manual preview
M85
Brand: Quectel Pages: 90
SOMFY Situo 1 RTS Installation And Operating Manual preview
Situo 1 RTS
Brand: SOMFY Pages: 112
Apricus Sentinel S4 Mounting, Connection, Operation preview
Sentinel S4
Brand: Apricus Pages: 32
Analog Devices Linear Technology ADI Power DC3017A Demo Manual preview
Linear Technology ADI Power DC3017A
Brand: Analog Devices Pages: 12
Delabie PREMIX COMPACT Manual preview
PREMIX COMPACT
Brand: Delabie Pages: 20
Linear Technology LTC3703 Manual preview
LTC3703
Brand: Linear Technology Pages: 32
nurse TOWN Instructions Manual preview
TOWN
Brand: nurse Pages: 24
ASROCK iEP-5000G Series Quick Installation Manual preview
iEP-5000G Series
Brand: ASROCK Pages: 2

Brands by name

Popular brands

Load more brands