GFK-2904D
July 2018
Chapter 3
Communication Requirements
Communication between different parts of a control system is, and must be, supported. However, the security
of a control system can be enhanced by limiting the protocols allowed, and the paths across which they are
allowed, to only what is needed. This can be accomplished by disabling every communication protocol that is
not needed on a particular device (refer to Chapter 5, Configuration Hardening), and by using appropriately
configured and deployed network security devices (for example, firewalls and routers) to block every protocol
(whether disabled or not) that does not need to pass from one network/segment to another.
GE Automation & Controls recommends limiting the protocols allowed by the network infrastructure to the
minimum set required for the intended application. Successfully doing this requires knowing which protocol is
needed for each system-level interaction.
This section describes how the supported serial and Ethernet application protocols are used with PROFINET
I/O Devices, and indicates the role of each participant in the communication. Lower-level Ethernet protocols
are not discussed here, but are instead assumed to be supported when needed by the application protocol.
Note: To support PROFINET communication between two nodes, the network must also
support UDP, IP, and ARP in both directions between the nodes.
Note: On a PROFINET I/O device, support for these protocols may be provided by a peripheral
module (for example, a PROFIBUS or Serial Communications module).
This information is intended to be used to help guide the specification of the network architecture and to help
configure firewalls internal to that network, in order to support only the required communications paths for
any particular installation.
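
As an added example (not part of the GE manual), the following Python check compares a default-deny firewall allowlist with the flows an installation actually needs. It reports required flows that are missing in either direction and permitted flows that nothing requires. The node names, the rule tuple format, and the sample rules are constructed for illustration.

```python
# Added example; node names, rule format and sample data are constructed.
# Lower-level protocols an application protocol needs in BOTH directions
# (per the note above: PROFINET requires UDP, IP and ARP both ways).
LOWER_LAYERS = {"PROFINET": {"UDP", "IP", "ARP"}}


def required_flows(interactions):
    """Expand (node_a, node_b, app_protocol) into directed (src, dst, proto) flows.

    Assumption: the application protocol itself is also needed both ways.
    """
    flows = set()
    for a, b, app in interactions:
        for proto in {app} | LOWER_LAYERS.get(app, set()):
            flows.add((a, b, proto))
            flows.add((b, a, proto))
    return flows


def audit(interactions, allow_rules):
    """Return (missing, excess) for a default-deny allowlist.

    missing: flows the application needs that no rule permits
    excess:  permitted flows that no listed interaction requires
    """
    need = required_flows(interactions)
    allowed = set(allow_rules)
    return sorted(need - allowed), sorted(allowed - need)


# Constructed installation: one PROFINET controller/device pair.
INTERACTIONS = [("controller", "io_device", "PROFINET")]

# Constructed allowlist with two defects: ARP is missing on the return
# path, and an HTTP rule exists that no listed interaction requires.
ALLOW_RULES = [
    ("controller", "io_device", "PROFINET"),
    ("controller", "io_device", "UDP"),
    ("controller", "io_device", "IP"),
    ("controller", "io_device", "ARP"),
    ("io_device", "controller", "PROFINET"),
    ("io_device", "controller", "UDP"),
    ("io_device", "controller", "IP"),
    ("hmi", "io_device", "HTTP"),
]

if __name__ == "__main__":
    missing, excess = audit(INTERACTIONS, ALLOW_RULES)
    for tag, flows in (("MISSING", missing), ("EXCESS", excess)):
        for flow in flows:
            print(tag, *flow)
```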