GE PACSystems* RX3i Скачать руководство пользователя страница 12 | Manualshive

Страница: 12 / 35

GE PACSystems* RX3i Скачать руководство пользователя страница 12

GFK-2904D

July 2018

5

Chapter 2

Introduction

This section introduces the fundamentals of security and secure deployment.

2.1

Security

Security is the process of maintaining the confidentiality, integrity, and availability of a system:

•

Confidentiality: Ensure only the people you want to see information are those who can actually see it.

•

Integrity: Ensure the data is what it is supposed to be.

•

Availability: Ensure the system or data is available for use.

GE Automation & Controls recognizes the importance of building and deploying products with these concepts
in mind and encourages customers to take appropriate care in securing their GE Automation & Controls
products and solutions.

As GE Automation & Controls product vulnerabilities are discovered and fixed, security advisories are issued to
describe each vulnerability in a particular product version as well as the version in which the vulnerability was
fixed. GE Product Security Advisories can be found at the following location:

https://digitalsupport.ge.com/communities/en_US/Article/GE-Intelligent-Platforms-Security-Advisories

2.2

Firewall

Firewalls and other network security products, including Data Diodes and Intrusion Prevention Devices, can be
an important component of any security strategy. However, a strategy based solely on any single security
mechanism will not be as resilient as one that includes multiple, independent layers of security.

Therefore, GE Automation & Controls recommends taking a Defense in Depth approach to security.

2.3

Defense in Depth

Defense in Depth is the concept of using multiple, independent layers of security to raise the cost and
complexity of a successful attack. To carry out a successful attack on a system, an attacker would need to find
not just a single exploitable vulnerability, but would need to exploit vulnerabilities in each layer of defense that
protects an asset.

For example, if a system is protected because it is on a network protected by a firewall, the attacker only needs
to circumvent the firewall to gain unauthorized access. However, if there is an additional layer of defense, for
example, a username/password authentication requirement, now the attacker needs to find a way to
circumvent both the firewall and the username/password authentication.

«
...
10
11
12
13
14
...
»

Содержание PACSystems* RX3i

Страница 1: ...mation Controls For Public Disclosure Programmable Control Products PACSystems PROFINET IO Devices Secure Deployment Guide GFK 2904D PACSystems PROFINET IO Devices Secure Deployment Guide GFK 2904D Ju...

Страница 2: ...rmational purposes only and GE makes no warranty as to the accuracy of the information included herein Changes modifications and or improvements to equipment and specifications are made periodically a...

Страница 3: ...utomation com support Americas Phone 1 800 433 2682 International Americas Direct Dial 1 780 420 2010 if toll free 800 option is unavailable Customer Care Email digitalsupport ge com Primary language...

Страница 4: ...mendations 6 2 5 Checklist 6 Chapter 3 Communication Requirements 7 3 1 Supported Protocols 8 ETHERNET Protocols 8 Serial Protocols 8 3 2 Service Requests 9 SNP 9 3 3 PROFINET 10 Installing an I O Dev...

Страница 5: ...s 20 Firmware Signatures 20 Logging and Auditing 20 Chapter 5 Configuration Hardening 21 5 1 Scanner 21 5 2 Genius Gateway 22 Chapter 6 Network Architecture and Secure Deployment 23 6 1 Reference Arch...

Страница 6: ...Contents GFK 2904D July 2018 iii Table of Figures Figure 1 Reference Architecture 23...

Страница 7: ......

Страница 8: ...ionals and developers responsible for deploying and configuring PROFINET I O products Secure deployment information is provided in this manual for the following products supplied by GE Automation Cont...

Страница 9: ...ns in this Manual Rev Date Description D Jul 2018 Updated for IC695PNS101 IC695CEP001 C Feb 2017 Updated for replacement IC695PNS001 Bxxx implementation B Jun 2016 Updated Internet Layer Protocols tab...

Страница 10: ...EP PROFINET I O Controller Manual GFK 2571 RX3i Manuals PACSystems RX3i System Manual GFK 2314 PACSystems RX3i PROFINET Scanner Manual GFK 2737 PACSystems RX3i CEP PROFINET Scanner User Manual GFK 28...

Страница 11: ......

Страница 12: ...Article GE Intelligent Platforms Security Advisories 2 2 Firewall Firewalls and other network security products including Data Diodes and Intrusion Prevention Devices can be an important component of...

Страница 13: ...whitelisting software on control systems computers and keep the whitelist up to date 2 5 Checklist This section provides a sample checklist to help guide the process of securely deploying PROFINET I...

Страница 14: ...uired for the intended application Successfully doing this requires knowing which protocol is needed for each system level interaction This section describes how the supported serial and Ethernet appl...

Страница 15: ...client PROFINET DCP server PROFINET I O HTTP Server HTTPS Server MRP SNMP v1 server SNMP v2c server Serial Protocols In addition to Ethernet PROFINET I O Devices may also support communication over s...

Страница 16: ...rds and OEM key and sweep information View and optionally clear a log of any faults that have occurred in the Controller The Service Request protocol is transported over a specific media by encapsulat...

Страница 17: ...to the computer s network adapter It can then be used to re assign a unique name to the I O device being installed Note This protocol can also be used to make other modifications to the I O device suc...

Страница 18: ...e of the application Protocol I O Controller I O Devices DCE RPC Client Server DCE RPC Server Client PROFINET DCP Client Server PROFINET I O Bi directional Bi directional In addition if the PROFINET n...

Страница 19: ...a diagram showing firewall placement Lower Level Protocols Ethernet communication is typically described using four layers each with its own set of protocols At the top of that hierarchy is the Applic...

Страница 20: ...quests to other servers using any of several different protocols The exact set of protocols that are enabled used will depend on which modules are installed how they are configured and the details of...

Страница 21: ......

Страница 22: ...ization and Enforcement Approving or rejecting access requests This section describes the Access Control capabilities supported by GE Automation Controls PROFINET I O Devices which includes its Author...

Страница 23: ...ces from GE Automation Controls provide predefined access rights Predefined Access Rights Using the SNP Slave Application Protocol to update firmware on a PROFINET I O Device the Anonymous Subject is...

Страница 24: ...on GE Automation Controls PROFINET I O Device PROFINET communications Plaintext Login Authentication for a protocol may involve sending a plaintext password to the Server In some cases these plaintex...

Страница 25: ...th another network node on the same physical network a Next Generation Firewall could be deployed between the two network nodes This Next Generation Firewall should be configured to explicitly whiteli...

Страница 26: ...subject must be separately managed for each instance of a given kind of server Changing Passwords Functionality Authenticated Subjects How Passwords are assigned Firmware Update PRIV Level 4 user Stat...

Страница 27: ...n the table below Therefore compensating controls may be required to meet an installation s security requirements for protecting data in flight Protocol Provided Security Capabilities Transport Medium...

Страница 28: ...0 in the hardware configuration and download to the PROFINET I O controller Ethernet Port Enable Set Port Speed of Port submodule to Disabled in the hardware configuration and download to the PROFINET...

Страница 29: ...roller SD Card Identity Set the name of the Device using a DCP Client with the SD Card inserted Remove SD Card and enable the physical Write protect feature on the SD Card Re insert the SD Card in the...

Страница 30: ...ion provides security recommendations for deploying PROFINET I O Devices from GE Automation Controls in the context of a larger network 6 1 Reference Architecture The Figure 1 shows a reference deploy...

Страница 31: ...ts to just the minimum set required Further every access attempt successful or not and all blocked traffic should be recorded in a security log that is regularly audited 6 3 Access and Process Control...

Страница 32: ...DCP protocol However to help ensure that the Maintenance computer cannot be used to launch attacks on the I O devices using other protocols the firewall it connects through should block all protocols...

Страница 33: ......

Страница 34: ...nd jitter As a result network architectures that require real time communications to pass through such devices may limit the applications that can be successfully deployed 7 3 Additional Guidance Prot...

Страница 35: ...s are available on our web site www geautomation com Additional Resources For more information please visit our web site www geautomation com Copyright 2014 2018 General Electric Company All Rights Re...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды