GE PACSystems* RX3i User manual

GE Automation & Controls
For Public Disclosure
Programmable Control Products
PACSystems* PROFINET IO Devices Secure Deployment Guide
GFK-2904D
July 2018

Legal Information
Warnings, Cautions, and Notes as Used in this Publication GFL-002
Warning
Warning notices are used in this publication to emphasize that hazardous voltages,
currents, temperatures, or other conditions that could cause personal injury exist in
this equipment or may be associated with its use.
In situations where inattention could cause either personal injury or damage to
equipment, a Warning notice is used.
Caution
Caution notices are used where equipment might be damaged if care is not taken.
Attention
Indicates a procedure or condition that should be strictly followed.
Note: Notes merely call attention to information that is especially significant to understanding
and operating the equipment.
These instructions do not purport to cover all details or variations in equipment, nor to provide for every
possible contingency to be met during installation, operation, and maintenance. The information is supplied for
informational purposes only, and GE makes no warranty as to the accuracy of the information included herein.
Changes, modifications, and/or improvements to equipment and specifications are made periodically and
these changes may or may not be reflected herein. It is understood that GE may make changes, modifications,
or improvements to the equipment referenced herein or to the document itself at any time. This document is
intended for trained personnel familiar with the GE products referenced herein.
GE may have patents or pending patent applications covering subject matter in this document. The furnishing
of this document does not provide any license whatsoever to any of these patents.
GE PROVIDES THE FOLLOWING DOCUMENT AND THE INFORMATION INCLUDED THEREIN AS-IS AND
WITHOUT WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED
STATUTORY WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE.
* indicates a trademark of General Electric Company and/or its subsidiaries.
All other trademarks are the property of their respective owners.
©Copyright 2014-2018 General Electric Company.
All Rights Reserved

Contact Information
If you purchased this product through an Authorized Channel Partner, please contact the seller directly.
General Contact Information
Online technical support and GlobalCare
www.geautomation.com/support
Additional information
www.geautomation.com
Solution Provider
Technical Support
If you have technical problems that cannot be resolved with the information in this manual, please contact us
by telephone or email, or on the web at www.geautomation.com/support
Americas
Phone
1-800-433-2682
International Americas Direct Dial
1-780-420-2010 (if toll free 800-option is unavailable)
Customer Care Email
Primary language of support
English
Europe, the Middle East, and Africa
Phone
+800-1-433-2682
EMEA Direct Dial
+420-296-183-331 (if toll free 800-option is unavailable or
if dialing from a mobile telephone)
Customer Care Email
digitalsupport.emea@ge.com
Primary languages of support
English, French, German, Italian, Spanish
Asia Pacific
Phone
+86-21-3877-7006 (India, Indonesia, and Pakistan)
+86-400-820-8208 (rest of Asia)
Customer Care Email
Primary languages of support
Chinese, English

GFK-2904D July 2018 i
Table of Contents
Chapter 1 About this Guide .... 1
  1.1 Revisions in this Manual .... 2
  1.2 PACSystems Documentation .... 3
Chapter 2 Introduction .... 5
  2.1 Security .... 5
  2.2 Firewall .... 5
  2.3 Defense in Depth .... 5
  2.4 General Recommendations .... 6
  2.5 Checklist .... 6
Chapter 3 Communication Requirements .... 7
  3.1 Supported Protocols .... 8
    ETHERNET Protocols .... 8
    Serial Protocols .... 8
  3.2 Service Requests .... 9
    SNP .... 9
  3.3 PROFINET .... 10
    Installing an I/O Device .... 10
    Network Discovery and Device Identification .... 10
    Using an I/O Device .... 11
  3.4 Ethernet Firewall Configuration .... 12
    Lower-Level Protocols .... 12
    Application Layer Protocols .... 13
Chapter 4 Security Capabilities .... 15
  4.1 Capabilities by Product .... 15
  4.2 Access Control and Authorization .... 15
    Authorization Framework .... 15
    Specifying Access Rights .... 16
    Enforcement .... 16
  4.3 Authentication .... 17
    Server Protocols .... 17
    Authentication Supported by the PROFINET Protocol .... 17
    Plaintext Login .... 17
    Recommendations .... 17
  4.4 Password Management .... 19
    Changing Passwords .... 19
  4.5 Confidentiality and Integrity .... 20
    Communication Protocols .... 20
    Firmware Signatures .... 20
    Logging and Auditing .... 20
Chapter 5 Configuration Hardening .... 21
  5.1 Scanner .... 21
  5.2 Genius Gateway .... 22
Chapter 6 Network Architecture and Secure Deployment .... 23
  6.1 Reference Architecture .... 23
  6.2 Remote Access and Demilitarized Zones .... 24
  6.3 Access and Process Control Networks .... 24
  6.4 Access and PROFINET Networks .... 25
Chapter 7 Other Considerations .... 27
  7.1 Patch Management .... 27
  7.2 Real-time Communication .... 27
  7.3 Additional Guidance .... 27
    Protocol-Specific Guidance .... 27
    Government Agencies and Standards Organizations .... 27

Table of Figures
Figure 1: Reference Architecture .... 23


Chapter 1 About this Guide
This document provides information that can be used to help improve the cyber security of systems that
include PROFINET I/O devices from GE Automation & Controls. It is intended for use by control engineers,
integrators, IT professionals, and developers responsible for deploying and configuring PROFINET I/O products.
Secure deployment information is provided in this manual for the following products supplied by
GE Automation & Controls.
Family           Catalog Number   Description
PACSystems RX3i  IC695PNS001      RX3i PROFINET Scanner module
PACSystems RX3i  IC695PNS101      RX3i Advanced PROFINET Scanner module
PACSystems RX3i  IC695CEP001      CEP PROFINET Scanner module
PACSystems RX3i  IC695GCG001      Genius Communications Gateway

1.1 Revisions in this Manual
Rev  Date      Description
D    Jul-2018  • Updated for IC695PNS101, IC695CEP001.
C    Feb-2017  • Updated for replacement IC695PNS001 (-Bxxx implementation).
B    Jun-2016  • Updated Internet Layer Protocols table to include IGMP.
A    Jul-2014  • Added section 5.2, Genius Gateway.
               • Updated diagram to include Genius Gateway.

1.2 PACSystems Documentation
PACSystems Manuals
  PACSystems RX7i, RX3i and RSTi-EP CPU Reference Manual                          GFK-2222
  PACSystems RX7i, RX3i and RSTi-EP CPU Programmer's Reference Manual             GFK-2950
  PACSystems RX7i, RX3i and RSTi-EP TCP/IP Ethernet Communications User Manual    GFK-2224
  PACSystems TCP/IP Ethernet Communications Station Manager User Manual           GFK-2225
  Proficy Machine Edition Logic Developer Getting Started                         GFK-1918
  Proficy Process Systems Getting Started Guide                                   GFK-2487
  PACSystems RXi, RX3i, RX7i and RSTi-EP Controller Secure Deployment Guide       GFK-2830
  PACSystems RX3i & RSTi-EP PROFINET I/O Controller Manual                        GFK-2571
RX3i Manuals
  PACSystems RX3i System Manual                                                   GFK-2314
  PACSystems RX3i PROFINET Scanner Manual                                         GFK-2737
  PACSystems RX3i CEP PROFINET Scanner User Manual                                GFK-2883
  PACSystems RX3i Serial Communications Modules User's Manual                     GFK-2460
  PACSystems RX3i Genius Communications Gateway User Manual                       GFK-2892
  PACSystems RX3i DNP3 Outstation Module IC695EDS001 User's Manual                GFK-2911
  PACSystems RX3i IEC 104 Server Module IC695EIS001 User's Manual                 GFK-2949
Field Agent Manuals
  Field Agents User Guide                                                         GFK-2993
  Field Agents Upgrade Guide                                                      GFK-3017
In addition to these manuals, datasheets and product update documents describe individual modules and
product revisions. The most recent PACSystems documentation is available on the GE Automation & Controls
support website www.geautomation.com/support.


Chapter 2 Introduction
This section introduces the fundamentals of security and secure deployment.
2.1 Security
Security is the process of maintaining the confidentiality, integrity, and availability of a system:
• Confidentiality: Ensure only the people you want to see information are those who can actually see it.
• Integrity: Ensure the data is what it is supposed to be.
• Availability: Ensure the system or data is available for use.
GE Automation & Controls recognizes the importance of building and deploying products with these concepts
in mind and encourages customers to take appropriate care in securing their GE Automation & Controls
products and solutions.
As GE Automation & Controls product vulnerabilities are discovered and fixed, security advisories are issued to
describe each vulnerability in a particular product version as well as the version in which the vulnerability was
fixed. GE Product Security Advisories can be found at the following location:
https://digitalsupport.ge.com/communities/en_US/Article/GE-Intelligent-Platforms-Security-Advisories
2.2 Firewall
Firewalls and other network security products, including Data Diodes and Intrusion Prevention Devices, can be
an important component of any security strategy. However, a strategy based solely on any single security
mechanism will not be as resilient as one that includes multiple, independent layers of security.
Therefore, GE Automation & Controls recommends taking a Defense in Depth approach to security.
2.3 Defense in Depth
Defense in Depth is the concept of using multiple, independent layers of security to raise the cost and
complexity of a successful attack. To carry out a successful attack on a system, an attacker would need to find
not just a single exploitable vulnerability, but would need to exploit vulnerabilities in each layer of defense that
protects an asset.
For example, if a system is protected because it is on a network protected by a firewall, the attacker only needs
to circumvent the firewall to gain unauthorized access. However, if there is an additional layer of defense, for
example, a username/password authentication requirement, now the attacker needs to find a way to
circumvent both the firewall and the username/password authentication.

2.4 General Recommendations
Adopting the following security best practices should be considered when using GE Automation & Controls
products and solutions.
• The PROFINET I/O Devices covered in this document were not designed for or intended to be
connected directly to any wide area network, including but not limited to a corporate network or the
Internet at large. Additional routers and firewalls (such as those illustrated in Figure 1: Reference
Architecture) that have been configured with access rules customized to the site's specific needs must
be used to access devices described in this document from outside the local control networks. If a
control system requires external connectivity, care must be taken to control, limit and monitor all
access, using, for example, virtual private networks (VPN) or Demilitarized Zone (DMZ) architectures.
• Harden system configurations by enabling/using the available security features, and by disabling
unnecessary ports, services, functionality, and network file shares.
• Apply all of the latest product security updates from GE Automation & Controls, SIMs, and other
recommendations.
• Apply all of the latest operating system security patches to control systems computers.
• Use anti-virus software on control systems computers and keep the associated anti-virus signatures
up-to-date.
• Use whitelisting software on control systems computers and keep the whitelist up-to-date.
2.5 Checklist
This section provides a sample checklist to help guide the process of securely deploying PROFINET I/O
products.
1) Create or locate a network diagram.
2) Identify and record the required communication paths between nodes.
3) Identify and record the protocols required along each path, including the role of each node. (Refer to
Chapter 3, Communication Requirements.)
4) Revise the network as needed to ensure appropriate partitioning, adding firewalls or other network
security devices as appropriate. Update the network diagram. (Refer to Chapter 6, Network
Architecture and Secure Deployment.)
5) Configure firewalls and other network security devices. (Refer to Section 3.4, Ethernet Firewall
Configuration and Chapter 6, Network Architecture and Secure Deployment.)
6) Enable and/or configure the appropriate security features on each PROFINET I/O Device. (Refer to
Chapter 4, Security Capabilities.)
7) On each PROFINET I/O Device, change every supported password to something other than its default
value. (Refer to Section 4.4, Password Management.)
8) Harden the configuration of each PROFINET I/O Device, disabling unneeded features, protocols and
ports. (Refer to Chapter 5, Configuration Hardening.)
9) Test/qualify the system.
10) Create an update/maintenance plan.
Note: Secure deployment is only one part of a robust security program. This document,
including the checklist above, is limited to providing secure deployment guidance only.
For more information about security programs in general, refer to Section 7.3, Additional
Guidance.

Chapter 3 Communication Requirements
Communication between different parts of a control system is, and must be, supported. However, the security
of a control system can be enhanced by limiting the protocols allowed, and the paths across which they are
allowed, to only what is needed. This can be accomplished by disabling every communication protocol that is
not needed on a particular device (refer to Chapter 5, Configuration Hardening), and by using appropriately
configured and deployed network security devices (for example, firewalls and routers) to block every protocol
(whether disabled or not) that does not need to pass from one network/segment to another.
GE Automation & Controls recommends limiting the protocols allowed by the network infrastructure to the
minimum set required for the intended application. Successfully doing this requires knowing which protocol is
needed for each system-level interaction.
This section describes how the supported serial and Ethernet application protocols are used with PROFINET
I/O Devices, and indicates the role of each participant in the communication. Lower-level Ethernet protocols
are not discussed here, but are instead assumed to be supported when needed by the application protocol.
Note: To support PROFINET communication between two nodes, the network must also
support UDP, IP, and ARP in both directions between the nodes.
Note: On a PROFINET I/O device, support for these protocols may be provided by a peripheral
module (for example, a PROFIBUS or Serial Communications module).
This information is intended to be used to help guide the specification of the network architecture and to help
configure firewalls internal to that network, in order to support only the required communications paths for
any particular installation.

3.1 Supported Protocols
ETHERNET Protocols
This section indicates which Ethernet protocols are supported, and by which PROFINET I/O Devices. Note that
some of the supported protocols may not be required in a given system, since the installation may only be
using a subset of the available protocols.
Supported ETHERNET Protocols

Device columns (all RX3i): IC695CEP001 | IC695PNS001-Axxx | IC695PNS001-BAxx | IC695PNS101 | IC695GCG001

Layer              Protocol              Supported (one ✓ per supporting device column)
Link               ARP                   ✓ ✓ ✓ ✓
                   LLDP                  ✓ ✓ ✓ ✓
Internet           IPv4                  ✓ ✓ ✓ ✓
                   ICMP                  ✓ ✓ ✓ ✓
Transport          TCP                   ✓ ✓
                   UDP                   ✓ ✓ ✓ ✓
Application Layer  DCE/RPC Client        ✓ ✓ ✓ ✓
                   DCE/RPC Server        ✓ ✓ ✓ ✓
                   PROFINET DCP client
                   PROFINET DCP server   ✓ ✓ ✓ ✓
                   PROFINET I/O          ✓ ✓ ✓ ✓
                   HTTP Server           ✓
                   HTTPS Server          ✓
                   MRP                   ✓ ✓ ✓ ✓
                   SNMP v1 server        ✓
                   SNMP v2c server
Serial Protocols
In addition to Ethernet, PROFINET I/O Devices may also support communication over serial ports (USB). The
information provided here should be used to help guide the specification of any external security controls
required to restrict remote serial access, as well as the specification of any required physical security.
This section indicates which serial protocols are supported, and by which PROFINET I/O Devices. Note that
some of the supported protocols may not be required in a given system, since the installation may only be
using a subset of the available protocols.
Protocol      IC695CEP001   IC695PNS001-Axxx
SNP Slave¹    ✓             ✓

¹ SNP functionality may be limited. For example, it may only provide Firmware Update Services.

3.2 Service Requests
The Service Request protocol from GE Automation & Controls is a proprietary, media-independent application
protocol that provides access to services of GE Automation & Controls products. This is the primary protocol
used by Proficy Machine Edition: Logic Developer – PLC when communicating with a PACSystems CPU. It
supports many different operations, including:
• Upload/Download the user application & configuration to the Controller.
• Start/Stop the Controller.
• Read, write, verify, or clear Flash/EEPROM memory.
• Clear Controller memory.
• Gather diagnostic info from a Controller.
• Verify Equality.
• View and, in some cases, set the target Controller's operating parameters: device information,
memory usage, date and time, reference points/words, access levels, passwords and OEM key, and
sweep information.
• View and optionally clear a log of any faults that have occurred in the Controller.
The Service Request protocol is transported over a specific medium by encapsulating it within a
media-specific protocol. Specifically, SNP is used for transporting it over a serial channel. Almost all SNP
transmissions contain at least a portion of a Service Request/Reply embedded within them.
Supporting communication between any two nodes using Service Requests requires that the system support
communicating using a media-specific protocol such as SNP between those two nodes.
SNP
Firmware Update: The SNP protocol is often used in PROFINET I/O Devices from GE Automation & Controls to
support updating the firmware on products or on an installed module that supports having its firmware
updated over the backplane. SNP is used to send Service Requests to a node via a serial connection, and to
convey the results back to the client.
Protocol   WinLoader.exe (Windows® Computer)   I/O Device
SNP        Master                              Slave

3.3 PROFINET
This section describes the communication paths needed to support common operations on a PROFINET
network.
Installing an I/O Device
Commissioning, adding, or replacing an I/O device requires that the device be assigned a unique name to use
on the PROFINET network. Doing this requires supporting the following communication path.
Protocol       Proficy Machine Edition   I/O Device
PROFINET DCP   Client                    Server
Supporting this path will allow Proficy Machine Edition to directly discover all of the PROFINET I/O devices that
are connected to the same subnet as the computer. (Note that this protocol is not routable.) Proficy Machine
Edition implements the Client functionality directly from the computer network adapter, so I/O devices must
be local to the computer’s network adapter. It can then be used to (re-)assign a unique name to the I/O device
being installed.
Note: This protocol can also be used to make other modifications to the I/O device, such as
assigning a new IP address or resetting it to factory defaults. However, those functions
are not generally required when Installing an I/O device.
Network Discovery and Device Identification
Proficy Machine Edition can also request information about the devices on a PROFINET network from a
PACSystems Controller, and then retrieve additional identification information about each device. This request
is sent to the PACSystems Controller using the Service Request protocol (described elsewhere) embedded
within the SRTP or SNP protocols. The PACSystems Controller satisfies those requests using the following
communication paths.
Protocol       Local I/O Controller   Remote I/O Controllers and I/O Devices
DCE/RPC        Client                 Server
PROFINET DCP   Client                 Server
Note: No mechanism is provided through this communication path for assigning a name to a
new I/O device.

Using an I/O Device
Using PROFINET I/O as part of the control application requires that all of the following communication paths be
supported throughout the life of the application.
Protocol       I/O Controller   I/O Devices
DCE/RPC        Client           Server
DCE/RPC        Server           Client
PROFINET DCP   Client           Server
PROFINET I/O   Bi-directional   Bi-directional
In addition, if the PROFINET network is configured to support Media Redundancy (which requires a ring
physical topology) then the following application protocol must also be supported.
Protocol   I/O Controller   I/O Device
MRP        Bi-directional   Bi-directional

3.4 Ethernet Firewall Configuration
Network-based and host-based firewalls should be configured to only allow expected and required network
traffic. This section identifies the EtherTypes and the TCP/UDP ports used by the protocols supported on
PROFINET I/O Devices.
This information should be used to help configure network firewalls, in order to support only the required
communications paths for any particular installation.
Note: Refer to Figure 1 for a diagram showing firewall placement.
Lower-Level Protocols
Ethernet communication is typically described using four layers, each with its own set of protocols. At the top
of that hierarchy is the Application layer. Below the Application layer are the Transport, Internet, and Link
layers.
Information on the supported protocols from these three lower layers is summarized here.
Link Layer Protocols
Protocol   ETHERNET Type
ARP        0x0806
LLDP       0x88cc

Internet Layer Protocols
Protocol   ETHERNET Type   IP Protocol #
IPv4       0x0800          (n/a)
ICMP       0x0800          1
IGMP       0x0800          2

Transport Layer Protocols
Protocol   ETHERNET Type   IP Protocol #
TCP        0x0800          6
UDP        0x0800          17
Each of these lower-level protocols is required by one or more of the Application protocols supported on the
PROFINET products.

Application Layer Protocols
PROFINET devices are capable of acting as a server, responding to requests sent via any of several different
protocols. They are also capable of acting as a client, sending requests to other servers using any of several
different protocols. The exact set of protocols that are enabled/used will depend on which modules are
installed, how they are configured, and the details of the application program that is running.
Protocol       Server TCP Port   Destination UDP Port               ETHERNET Type (non-IP protocol)
DCE/RPC                          34964 on server, >1023 on client
HTTP           80
HTTPS          443
PROFINET DCP                                                        0x8892
PROFINET I/O                                                        0x8892
MRP                                                                 0x88e3
SNMP v1                          161 on server, >1023 on client
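As an added example (not from the guide or from GE), the following Python script encodes the communication paths of Section 3.3 and the EtherType/port table of Section 3.4 as an allow-list and evaluates constructed sample flows against it, the way a firewall policy review for a PROFINET segment would. The role names, the sample flows, and the choice to apply the ">1023 client port" rule to every TCP/UDP row (the guide states it only for the DCE/RPC and SNMP rows) are assumptions of this example.

```python
"""Allow-list check for a PROFINET segment, built from the tables in
Sections 3.3 and 3.4 of GFK-2904D.  Added example, not GE code: the roles,
the sample flows and the generalised >1023 client-port rule are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Section 3.4, Lower-Level Protocols: EtherTypes and IP protocol numbers.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_PROFINET = 0x8892   # carries both PROFINET DCP and PROFINET I/O frames
ETHERTYPE_MRP = 0x88E3
IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 1, 2, 6, 17
NON_IP_ETHERTYPES = (ETHERTYPE_ARP, ETHERTYPE_LLDP, ETHERTYPE_MRP, ETHERTYPE_PROFINET)

# Section 3.4, Application Layer Protocols: server-side ports.
TCP_SERVER_PORTS = {80: "HTTP", 443: "HTTPS"}
UDP_SERVER_PORTS = {34964: "DCE/RPC", 161: "SNMP v1"}
EPHEMERAL_MIN = 1024          # ">1023 on client"; applied to all rows here (assumption)

# Section 3.3, "Using an I/O Device": DCE/RPC runs in both directions between
# I/O Controller and I/O Device, so either end may be the server.  HTTP/HTTPS/
# SNMP servers exist only on I/O Devices (Section 3.1 table).  Other controller
# services are outside this guide's scope and deliberately not modelled.
SERVER_ROLES = {
    "controller": {"DCE/RPC"},
    "device": {"DCE/RPC", "HTTP", "HTTPS", "SNMP v1"},
    "engineering_ws": set(),   # Proficy Machine Edition acts only as a client
}


@dataclass(frozen=True)
class Frame:
    src_role: str
    dst_role: str
    ethertype: int
    ip_proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify(f: Frame) -> tuple:
    """Return (allowed, reason) for one frame against the guide's tables."""
    if f.ethertype in NON_IP_ETHERTYPES:
        # Not routable (Section 3.3): must be permitted on the local segment only.
        return True, f"non-IP ethertype 0x{f.ethertype:04x} (local segment)"
    if f.ethertype != ETHERTYPE_IPV4:
        return False, f"ethertype 0x{f.ethertype:04x} not in Section 3.4"
    if f.ip_proto in (IPPROTO_ICMP, IPPROTO_IGMP):
        return True, f"ip protocol {f.ip_proto}"
    if f.ip_proto == IPPROTO_TCP:
        table, l4 = TCP_SERVER_PORTS, "tcp"
    elif f.ip_proto == IPPROTO_UDP:
        table, l4 = UDP_SERVER_PORTS, "udp"
    else:
        return False, f"ip protocol {f.ip_proto} not in Section 3.4"
    name = table.get(f.dport)
    if name is None:
        return False, f"{l4}/{f.dport} not in Section 3.4"
    if name not in SERVER_ROLES.get(f.dst_role, set()):
        return False, f"{f.dst_role} is not a {name} server"
    if f.sport is None or f.sport < EPHEMERAL_MIN:
        return False, f"client port {f.sport} is not >1023"
    return True, f"{name} to {f.dst_role}"


# Constructed sample flows for the demo (not captured traffic).
SAMPLE_FRAMES = [
    Frame("controller", "device", ETHERTYPE_IPV4, IPPROTO_UDP, 49152, 34964),      # DCE/RPC connect
    Frame("device", "controller", ETHERTYPE_IPV4, IPPROTO_UDP, 49153, 34964),      # DCE/RPC, device as client
    Frame("controller", "device", ETHERTYPE_PROFINET),                             # PROFINET I/O cyclic data
    Frame("engineering_ws", "device", ETHERTYPE_PROFINET),                         # DCP name assignment
    Frame("engineering_ws", "device", ETHERTYPE_IPV4, IPPROTO_TCP, 50000, 443),    # HTTPS to device
    Frame("engineering_ws", "controller", ETHERTYPE_IPV4, IPPROTO_TCP, 50001, 80), # no HTTP path in Section 3.3
    Frame("engineering_ws", "device", ETHERTYPE_IPV4, IPPROTO_TCP, 50002, 23),     # port not in the table
    Frame("controller", "device", ETHERTYPE_IPV4, IPPROTO_UDP, 500, 34964),        # client port not >1023
    Frame("device", "controller", 0x86DD),                                         # IPv6 is not supported
]


def audit(frames=SAMPLE_FRAMES) -> list:
    """Evaluate every frame; returns [(frame, allowed, reason), ...]."""
    return [(f, *classify(f)) for f in frames]


if __name__ == "__main__":
    for f, ok, why in audit():
        print("ALLOW" if ok else "DENY ", f"{f.src_role:>14} -> {f.dst_role:<14}", why)
```

The non-IP EtherTypes (PROFINET DCP and I/O, MRP, ARP, LLDP) are never seen by an IP-only firewall, so they have to be filtered at layer 2 on the local segment.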