4.9 Cyber security
This product was developed with the guidance of the
ISA/IEC 62443 cyber security standard. Even though
reasonable efforts to investigate, confirm, and resolve
security vulnerabilities in this product have been made,
risks still exist.
4.9.1 Precautions
As such, the flare.IQ Gen 2 DPU ports LAN A/LAN B and the
Ethernet switches they are connected to should never
connect to a switch or computer that is connected to the
internet or business IT infrastructure. The flare.IQ Gen 2's
Ethernet switch should only be connected to the DCS's
Modbus communications module, as a direct connection
if possible. The default password should also be changed
to a password of 8 or more characters.
4.9.2 Exposed ports and services
The flare.IQ Gen 2 DPU uses or exposes the following
ports and services to provide network communications:
Port    Service/description
80      Web console (TCP), http
443     Web console (TCP), https/TLS
502*    Modbus/TCP

Table 10: Network port assignments on DPU
*The port used by Modbus/TCP can be reassigned using the web console
to another value if required by the local network infrastructure.

The two Ethernet ports provided on each DPU are isolated
from each other at both the hardware and software
level. This is to isolate the DCS subnet carrying the
Modbus/TCP traffic from any possible interference from
a web console user connected to the alternate Ethernet
port. Two independent TCP/IP network stacks run as
separate processes on the DPU. There is no means or
provision to 'bridge' the connections together. Network
traffic on LAN A is not visible on LAN B, or the reverse.
Care should be taken to only connect LAN A to the
configure/monitor network switch, and LAN B only to
the DCS/control network switch. The two network
switches should never be connected to each other.
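
An added example, not part of the Panametrics manual: a Python check of a site cabling inventory against the rules in 4.9.1 and the paragraph above (LAN A and LAN B never joined externally, neither side reaching internet or business IT equipment). The device names, the link list and the FORBIDDEN labels are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed cabling inventory (all names hypothetical): one tuple per cable.
LINKS = [
    ("dpu1:LAN_A", "sw-config"),
    ("dpu1:LAN_B", "sw-dcs"),
    ("sw-config", "eng-laptop"),
    ("sw-dcs", "dcs-modbus-module"),
    ("eng-laptop", "corp-it-switch"),  # dual-homed laptop
]
# Site-defined labels for internet / business IT equipment (assumption).
FORBIDDEN = {"corp-it-switch", "internet-router"}


def reachable(links, start):
    """Every node reachable from start over the listed cables (BFS)."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def audit(links, dpu, forbidden=FORBIDDEN):
    """Return (rule, offending nodes) findings for one DPU."""
    # No edge is added between the DPU's own two ports: the manual states
    # they are isolated inside the unit, so any join must be external.
    lan_a = reachable(links, f"{dpu}:LAN_A")
    lan_b = reachable(links, f"{dpu}:LAN_B")
    findings = []
    if lan_a & lan_b:
        findings.append(("LAN A and LAN B joined externally", sorted(lan_a & lan_b)))
    for name, segment in (("LAN A", lan_a), ("LAN B", lan_b)):
        hits = sorted(segment & forbidden)
        if hits:
            findings.append((f"{name} reaches internet/business IT", hits))
    return findings


if __name__ == "__main__":
    for rule, nodes in audit(LINKS, "dpu1"):
        print(f"VIOLATION: {rule}: {', '.join(nodes)}")
```

The check treats a computer with a second network connection as a path, which matches the precaution against connecting to "a switch or computer" that is itself connected to business IT.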
Both LAN A and LAN B support internet control message
protocol (ICMP), or ‘ping’ echo request and reply messages.
As described in section 3.3.2 above, DHCP is not supported.
Static IP addresses must be reserved and assigned for each
DPU connection.
The web console provides user accounts and pre-defined
roles to limit access to authorized personnel. As shipped,
only a single web console ‘admin’ account is provided.
The default password for the admin account is ‘admin’.
CAUTION! It is essential that the admin password
be changed immediately by the customer
and recorded in a secure location.
Panametrics cannot retrieve a lost or forgotten admin
password. Passwords are never stored or transferred in
plaintext, only as a 'salted' hash, which is considered
a 'one-way' function that is infeasible to reverse.
Note that accounts created via the web console only
provide access to the web console. These accounts have
no access permissions on the host operating system.
The flare.IQ Gen 2 only requires that passwords be a
minimum of 8 characters in length. The product does
not enforce specific combinations of numbers, symbols,
or upper/lower case characters. It is expected that the
customer is aware of the risks inherent in the use of
weak passwords and will apply their own requirements
at the time of account creation.
From time to time, Panametrics may make available
software updates to add features or correct defects.
These updates will typically be provided by Panametrics
service, and available for download over the internet from
a designated location.
Panametrics digitally signs the software update
packages it provides, and the flare.IQ Gen 2 verifies the
digital signature before performing an update. Update
packages not signed by Panametrics are automatically
refused by the flare.IQ. This is to prevent installation of
malicious software that could damage the flare.IQ Gen 2,
affect its accuracy, or compromise the network security of
its customers.
flare IQ Generation 2 Operation and maintenance manual 910 350 rev A June 2020