Ge Pacsystems* rx3i User manual

Automation & Controls

For Public Disclosure

Programmable Control Products

PACSystems* PROFINET IO Devices Secure

Deployment Guide GFK-2904D

PACSystems*

PROFINET IO Devices

Secure Deployment

Guide

GFK-2904D

July 2018

Legal Information

Warnings, Cautions, and Notes as Used in this Publication GFL-002

Warning

Warning notices are used in this publication to emphasize that hazardous voltages,

currents, temperatures, or other conditions that could cause personal injury exist in

this equipment or may be associated with its use.

In situations where inattention could cause either personal injury or damage to

equipment, a Warning notice is used.

Caution

Caution notices are used where equipment might be damaged if care is not taken.

Attention

Indicates a procedure or condition that should be strictly followed.

Note: Notes merely call attention to information that is especially significant to understanding

and operating the equipment.

These instructions do not purport to cover all details or variations in equipment, nor to provide for every

possible contingency to be met during installation, operation, and maintenance. The information is supplied for

informational purposes only, and GE makes no warranty as to the accuracy of the information included herein.

Changes, modifications, and/or improvements to equipment and specifications are made periodically and

these changes may or may not be reflected herein. It is understood that GE may make changes, modifications,

or improvements to the equipment referenced herein or to the document itself at any time. This document is

intended for trained personnel familiar with the GE products referenced herein.

GE may have patents or pending patent applications covering subject matter in this document. The furnishing

of this document does not provide any license whatsoever to any of these patents.

GE PROVIDES THE FOLLOWING DOCUMENT AND THE INFORMATION INCLUDED THEREIN AS-IS AND

WITHOUT WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED

STATUTORY WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE.

* indicates a trademark of General Electric Company and/or its subsidiaries.

All other trademarks are the property of their respective owners.

Contact Information

If you purchased this product through an Authorized Channel Partner, please contact the seller directly.

General Contact Information

Online technical support and GlobalCare

www.geautomation.com/support

Additional information

www.geautomation.com

Solution Provider

[email protected]om

Technical Support

If you have technical problems that cannot be resolved with the information in this manual, please contact us

by telephone or email, or on the web at www.geautomation.com/support

Americas

Phone

1-800-433-2682

International Americas Direct Dial

1-780-420-2010 (if toll free 800-option is unavailable)

Customer Care Email

[email protected]

Primary language of support

English

Europe, the Middle East, and Africa

Phone

+800-1-433-2682

EMEA Direct Dial

+420-296-183-331 (if toll free 800-option is unavailable or

if dialing from a mobile telephone)

Customer Care Email

digitalsupport.emea@ge.com

Primary languages of support

English, French, German, Italian, Spanish

Asia Pacific

Phone

+86-21-3877-7006 (India, Indonesia, and Pakistan)

+86-400-820-8208 (rest of Asia)

Customer Care Email

[email protected]

Primary languages of support

Chinese, English

GFK-2904D July 2018 i

Table of Contents

PACSystems* PROFINET IO Devices Secure Deployment Guide GFK-2904D

Table of Contents ............................................................................................................................................................. i

Table of Figures............................................................................................................................................................... iii

Chapter 1 About this Guide ....................................................................................................................................... 1

1.1 Revisions in this Manual .......................................................................................................................... 2

1.2 PACSystems Documentation................................................................................................................. 3

Chapter 2 Introduction ............................................................................................................................................... 5

2.1 Security ....................................................................................................................................................... 5

2.2 Firewall ........................................................................................................................................................ 5

2.3 Defense in Depth....................................................................................................................................... 5

2.4 General Recommendations .................................................................................................................... 6

2.5 Checklist...................................................................................................................................................... 6

Chapter 3 Communication Requirements.............................................................................................................. 7

3.1 Supported Protocols................................................................................................................................ 8

ETHERNET Protocols .........................................................................................................................................8

Serial Protocols....................................................................................................................................................8

3.2 Service Requests....................................................................................................................................... 9

SNP ...........................................................................................................................................................................9

3.3 PROFINET.................................................................................................................................................. 10

Installing an I/O Device ..................................................................................................................................10

Network Discovery and Device Identification ......................................................................................10

Using an I/O Device .........................................................................................................................................11

3.4 Ethernet Firewall Configuration ......................................................................................................... 12

Lower-Level Protocols ...................................................................................................................................12

Application Layer Protocols.........................................................................................................................13

Chapter 4 Security Capabilities .............................................................................................................................. 15

4.1 Capabilities by Product ......................................................................................................................... 15

4.2 Access Control and Authorization ..................................................................................................... 15

Authorization Framework ............................................................................................................................15

Specifying Access Rights...............................................................................................................................16

Contents

ii PACSystems PROFINET IO Devices Secure Deployment Guide GFK-2904D

Enforcement ......................................................................................................................................................16

4.3 Authentication ........................................................................................................................................ 17

Server Protocols ...............................................................................................................................................17

Authentication Supported by the PROFINET Protocol......................................................................17

Plaintext Login...................................................................................................................................................17

Recommendations ..........................................................................................................................................17

4.4 Password Management......................................................................................................................... 19

Changing Passwords.......................................................................................................................................19

4.5 Confidentiality and Integrity ............................................................................................................... 20

Communication Protocols............................................................................................................................20

Firmware Signatures ......................................................................................................................................20

Logging and Auditing ......................................................................................................................................20

Chapter 5 Configuration Hardening ...................................................................................................................... 21

5.1 Scanner...................................................................................................................................................... 21

5.2 Genius Gateway ...................................................................................................................................... 22

Chapter 6 Network Architecture and Secure Deployment ............................................................................. 23

6.1 Reference Architecture......................................................................................................................... 23

6.2 Remote Access and Demilitarized Zones ......................................................................................... 24

6.3 Access and Process Control Networks ............................................................................................. 24

6.4 Access and PROFINET Networks ........................................................................................................ 25

Chapter 7 Other Considerations ............................................................................................................................ 27

7.1 Patch Management ................................................................................................................................ 27

7.2 Real-time Communication.................................................................................................................... 27

7.3 Additional Guidance .............................................................................................................................. 27

Protocol-Specific Guidance..........................................................................................................................27

Government Agencies and Standards Organizations .......................................................................27

Contents

GFK-2904D July 2018 iii

Table of Figures

Figure 1: Reference Architecture .............................................................................................................................................................23

GFK-2904D July 2018 1

Chapter 1 About this Guide

This document provides information that can be used to help improve the cyber security of systems that

include PROFINET I/O devices from GE Automation & Controls. It is intended for use by control engineers,

integrators, IT professionals, and developers responsible for deploying and configuring PROFINET I/O products.

Secure deployment information is provided in this manual for the following products supplied by

GE Automation & Controls.

Family

Catalog Number

Description

PACSystems RX3i

IC695PNS001

RX3i PROFINET Scanner module

PACSystems RX3i

IC695PNS101

RX3i Advanced PROFINET Scanner module.

PACSystems RX3i

IC695CEP001

CEP PROFINET Scanner module.

PACSystems RX3i

IC695GCG001

Genius Communications Gateway

Chapter 1. About this Guide

2 PACSystems PROFINET IO Devices Secure Deployment Guide GFK-2904D

1.1 Revisions in this Manual

Rev

Date

Description

Jul-

2018

•Updated for IC695PNS101, IC695CEP001.

Feb-

2017

•Updated for replacement IC695PNS001 (-Bxxx implementation).

Jun-

2016

•Updated Internet Layer Protocols table to include IGMP

Jul-

2014

•Added section 5.2, Genius Gateway.

•Updated diagram to include Genius Gateway.

Chapter 1. About this Guide

GFK-2904D July 2018 3

1.2 PACSystems Documentation

PACSystems Manuals

PACSystems RX7i, RX3i and RSTi-EP CPU Reference Manual

GFK-2222

PACSystems RX7i, RX3i and RSTi-EP CPU Programmer’s Reference Manual

GFK-2950

PACSystems RX7i, RX3i and RSTi-EP TCP/IP Ethernet Communications User Manual

GFK-2224

PACSystems TCP/IP Ethernet Communications Station Manager User Manual

GFK-2225

Proficy Machine Edition Logic Developer Getting Started

GFK-1918

Proficy Process Systems Getting Started Guide

GFK-2487

PACSystems RXi, RX3i, RX7i and RSTi-EP Controller Secure Deployment Guide

GFK-2830

PACSystems RX3i & RSTi-EP PROFINET I/O Controller Manual

GFK-2571

RX3i Manuals

PACSystems RX3i System Manual

GFK-2314

PACSystems RX3i PROFINET Scanner Manual

GFK-2737

PACSystems RX3i CEP PROFINET Scanner User Manual

GFK-2883

PACSystems RX3i Serial Communications Modules User’s Manual

GFK-2460

PACSystems RX3i Genius Communications Gateway User Manual

GFK-2892

PACSystems RX3i DNP3 Outstation Module IC695EDS001 User’s Manual

GFK-2911

PACSystems RX3i IEC 104 Server Module IC695EIS001User’s Manual

GFK-2949

Field Agent Manuals

Field Agents User Guide

GFK-2993

Field Agents Upgrade Guide

GFK-3017

In addition to these manuals, datasheets and product update documents describe individual modules and

product revisions. The most recent PACSystems documentation is available on the GE Automation & Controls

support website www.geautomation.com/support.

Other manuals for PACSystems* RX3i

Table of contents

Popular Controllers manuals by other brands

Sunricher

Sunricher SR-ZV9003T3-RGBW-US Installation

Ksenia

Ksenia intro Installation and configuration manual

Inovance

Inovance CAN200 Series manual

Gauzy

Gauzy LC6 FLEX Controller Installation and operation guide

Viking

Viking SLP-1 Technical practice

CKD

CKD KBX-30E-U Series instruction manual

Sharp Energy

Sharp Energy Sun Flux User manual & installation guide

Yamaha

Yamaha RCX40 user manual

AB Quality

AB Quality PowerFlex 400 Frames D-H Service bulletin

Yamaha

Yamaha MJC8 owner's manual

AL-KO

AL-KO ATC operating instructions

Savant

Savant SmartControl 2 Deployment guide

GameSir

GameSir T3S user manual

Kostal

Kostal inveor operating manual

Emerson

Emerson Yarway 20-55 Operating and safety instructions

CoCo

CoCo ACM-LV24 Quick installation guide

Brooks

Brooks SLA5810/20 Installation and operation manual

SIGMA TEK

SIGMA TEK SR 011 Technical manual

GE PACSystems* RX3i User manual

Popular Controllers manuals by other brands