Cybersecurity recommended secure hardening guidelines
Securing the Network Management Module – 214
•
•
•
•
•
•
•
•
•
•
Perform periodic account maintenance (remove unused accounts).
Ensure password length, complexity and expiration requirements are appropriately set, particularly for all administrative
accounts (e.g., minimum 10 characters, mix of upper- and lower-case and special characters, and expire every 90 days, or
otherwise in accordance with your organization’s policies).
Enforce session time-out after a period of inactivity.
5.2.2.5.1 Description of the User management in the Network Module:
User and profiles management: (Navigate to Settings>>>Users)
Add users (admin, operator, viewer)
Remove users
Edit users
Password/Account/Session management: (Navigate to Settings>>>Users)
Password strength rules – Minimum length/Minimum upper case/Minimum lower case/Minimum digit/Special character
Account expiration – Number of days before the account expiration/
Number of tries before blocking the account
Session expiration – No activity timeout/Session lease time
See "Default settings parameters" in the embedded help for (recommended) default values.
Additionally, it is possible to enable account expiration to force users renew their password periodically.
Default credentials: admin/admin
The change of the default "admin" password is enforced at first connection.
It is also recommended to change the default "admin" user name through the
Settings>>>Users or Settings>>>Local
users page.
Follow embedded help for instructions on how to edit a user account.
Local and Trusted remote certificate configuration: (Navigate to Settings>>>Certificate)
Follow embedded help for instructions on how to configure it.
Supported authentication: LDAP and Radius, follow embedded help for instructions on how to configure it.
5.2.2.6 Time Synchronization
Many operations in power grids and IT networks heavily depend on precise timing information.
Ensure the system clock is synchronized with an authoritative time source (using manual configuration, NTP). (Navigate to
Settings>>>General>>>Time&date settings)
Follow embedded help for instructions on how to configure it.
5.2.2.7 Deactivate unused features
Network module provides multiple options to upgrade firmware, change configurations, set power schedules, etc. The device also
provide multiple options to connect with the device i.e. SSH, SNMP,SMTP,HTTPS etc. Services like SNMPv1 are considered
insecure and Eaton recommends disabling all such insecure services.
It is recommended to disable unused physical ports like USB and SD card.
Disable insecure services like SNMP v1
5.2.2.8 Network Security
Network module supports network communication with other devices in the environment. This capability can present risks if it’s
not configured securely. Following are Eaton recommended best practices to help secure the network. Additional information
about various network protection strategies is available in
Eaton Cybersecurity Considerations for Electrical Distribution Systems
[R1].
Eaton recommends segmentation of networks into logical enclaves, denying traffic between segments except that which is
specifically allowed, and restricting communication to host-to-host paths (for example, using router ACLs and firewall rules). This
helps to protect sensitive information and critical services and creates additional barriers in the event of a network perimeter
breach. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (as
recommended by NIST SP 800-82[R3]) for better security control.
Communication Protection: Network module provides the option to encrypt its network communications. Please ensure that
encryption options are enabled. You can secure the product’s communication capabilities by taking the following steps:
Содержание Network-M3
Страница 1: ...UPS Network Management Card Network M3 User s Guide English 10 27 2023...
Страница 2: ......
Страница 10: ...Table of Contents 10 Applicable product Eaton UPS ATS...
Страница 32: ...Home Contextual help of the web interface 32 3 2 7 1 3 Battery mode 3 2 7 1 4 Off mode...
Страница 34: ...Home Contextual help of the web interface 34 3 2 7 2 3 Battery mode 3 2 7 2 4 Off mode...
Страница 36: ...Home Contextual help of the web interface 36 3 2 7 3 2 Bypass mode 3 2 7 3 3 Battery mode...
Страница 37: ...Home Contextual help of the web interface 37 3 2 7 3 4 HE mode ESS mode 3 2 7 3 5 Maintenance bypass mode...
Страница 63: ...Protection Contextual help of the web interface 63 Example 2 Immediate OFF...
Страница 64: ...Protection Contextual help of the web interface 64 Example 4 Custom Settings 1...
Страница 120: ...Settings Contextual help of the web interface 120 3 7 6 3 SSH 3 7 6 4 SNMP 3 7 6 5 MQTT...
Страница 287: ...Acronyms and abbreviations Information 287...
Страница 294: ......