GE IPC2018 Quick reference guide

GFK-3015
IPC2018
Industrial PC (IPC)
Secure Deployment Guide
June 2017
For public disclosure

These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible
contingency to be met during installation, operation, and maintenance. The information is supplied for informational
purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications,
and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected
herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to
the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced
herein.
GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this
document does not provide any license whatsoever to any of these patents.
Public – This document is approved for public disclosure.
GE provides the following document and the information included therein as is and without warranty of any kind,
expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for
particular purpose.
For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales
Representative.
Issued: June 2017
© 2017 General Electric Company.
___________________________________
* Indicates a trademark of General Electric Company and/or its subsidiaries.
All other trademarks are the property of their respective owners.
We would appreciate your feedback about our documentation.
Related Documents
Document # Title
GFK-3014 RXi2-EP Industrial PC (IPC) Hardware Reference Manual
GFA-2130 RXi2-EP IPC Data Sheet

Safety Symbol Legend
Warning
Indicates a procedure or condition that, if not strictly observed, could result in
personal injury or death.
Caution
Indicates a procedure or condition that, if not strictly observed, could result in damage
to or destruction of equipment.
Attention
Indicates a procedure or condition that should be strictly followed to improve the
operation of the application.

Contact Information
If you purchased this product through an Authorized Channel Partner, contact the seller directly.
General Contact Information
Online technical support and GlobalCare www.ge-ip.com/support
Additional information www.geautomation.com
Technical Support
Contact us by telephone, email, or at www.ge-ip.com/support.
Americas
Phone 1-800-433-2682
International Americas Direct Dial 1-780-420-2010 (if toll free 800 option is unavailable)
Primary language of support English
Europe (not Germany), Middle East, and Africa (EMEA)
Phone + 800-1-433-2682
EMEA Direct Dial
+ 420-23-901-5850
(if toll free 800 option is unavailable or dialing from a mobile telephone)
Primary languages of support English, French, Italian, Czech, Spanish
Germany
Phone + 49-821–5034–170
Asia Pacific (APO)
Phone
+ 86-400-820-8208
+ 86-21-3877–7006 (India, Indonesia, and Pakistan)
Technical Support Email
Customer Care Email
customercar[email protected]

Contents
1 Introduction 7
2 Security and Secure Deployment 9
2.1 What is Security? 9
2.2 I have a Firewall: Isn't that Enough? 9
2.3 What is Defense in Depth? 9
2.4 General Recommendations 9
2.5 Checklist 10
3 IPC2018 IPC Functional Overview 11
3.1 IPC2018 with iFix 11
3.2 IPC2018 with CIMPLICITY 11
3.3 Platform Configuration and Hardening 11
4 Network Architecture and Secure Deployment 13
4.1 Reference Architecture 13
4.2 Demilitarized Zones (DMZ) 13
5 Other Considerations 15
5.1 Anti-virus software 15
5.2 Data Execution Prevention (DEP) 15
5.3 Patching 15
5.3.1 Patching GE Proficy Software 15
5.3.2 Patching third-party Software 15
5.4 Additional Guidance 16
5.4.1 Protocol-specific Guidance 16
5.4.2 Government Agencies and Standards Organizations 16


1 Introduction
This document provides information that can be used to help improve the cyber security of systems that include IPC2018
Industrial PC (IPC) products. It is intended for use by control engineers, integrators, IT professionals, and developers
responsible for deploying and configuring IPC products. Secure deployment information is provided in this manual for the
following IPC2018 IPC products.
IPC2018 IPC Products
Product Product Description
RXi2-EPxxxxxxxxxx IPC2018 with bC6L17
R2Xxxxxxxxxxx IPC2018 with bC6L18
Caution
The controllers and supervisory level computers covered in this document were not
designed for or intended to be connected directly to any wide area network, including
but not limited to a corporate network or the Internet at large. Additional routers and
firewalls (such as supplied with the NetworkST* 4.0 option) that have been configured
with access rules customized to the site's specific needs must be used to access devices
described in this document from outside the local control networks.


2 Security and Secure Deployment
This chapter describes the fundamentals of security and secure deployment.
2.1 What is Security?
Security is the process of maintaining the confidentiality, integrity, and availability of a system:
•Confidentiality: Ensure only the people you want to see information can see it.
•Integrity: Ensure the data is what it is supposed to be.
•Availability: Ensure the system or data is available for use.
GE recognizes the importance of building and deploying products with these concepts in mind and encourages customers to
take appropriate care in securing their GE products and solutions.
2.2 I have a Firewall: Isn’t that Enough?
Firewalls and other network security products, including Data Diodes and Intrusion Prevention Devices, can be an important
component of any security strategy. However, a strategy based solely on any single security mechanism will not be as resilient
as one that includes multiple, independent layers of security. Therefore, GE recommends taking a Defense in Depth approach
to security.
2.3 What is Defense in Depth?
Defense in Depth is the concept of using multiple, independent layers of security to raise the cost and complexity of a
successful attack. To carry out a successful attack on a system, an attacker would need to find not just a single exploitable
vulnerability, but would need to exploit vulnerabilities in each layer of defense that protects an asset.
For example, if a system is protected because it is on a network protected by a firewall, the attacker only needs to circumvent
the firewall to gain unauthorized access. However, if there is an additional layer of defense, say a username/password
authentication requirement, now the attacker needs to find a way to circumvent both the firewall and the username/password
authentication.
2.4 General Recommendations
The following security best practices should be adopted when using GE products and solutions.
• Deploy and configure firewalls to limit the exposure of control system networks to other networks, including internal
business networks and the Internet. If a control system requires external connectivity, care must be taken to control, limit
and monitor all access, using, for example, virtual private networks (VPN) or Demilitarized Zone (DMZ) architectures.
• Harden system configurations by enabling/using the available security features, and by disabling unnecessary ports,
services, functionality, and network file shares.
• Apply all of the latest GE product security updates, SIMs, and other recommendations.
• Apply all of the latest operating system security patches to control systems PCs.
• Use anti-virus software on control systems PCs and keep the associated anti-virus signatures up-to-date.
• Use whitelisting software on control systems PCs and keep the whitelist up-to-date.

2.5 Checklist
This section provides a sample checklist to help guide the process of securely deploying IPC2018 IPC products.
1. Create or locate a network diagram.
2. Identify and record the required communication paths between nodes.
3. Identify and record the protocols required along each path, including the role of each node.
4. Revise the network as needed to ensure appropriate partitioning, adding firewalls or other network security devices as
appropriate. Update the network diagram. (Refer to the chapter Network Architecture and Secure Deployment.)
5. Configure firewalls and other network security devices.
6. Enable and/or configure the appropriate security features on each module.
7. For each module, change every supported password to something other than its default value.
8. Harden the configuration of each module, disabling unneeded features, protocols and ports.
9. Test/qualify the system.
10. Create an update/maintenance plan.
Note Secure deployment is only one part of a robust security program. This document, including the checklist above, is
limited to only providing secure deployment guidance. For more information about security programs in general, refer to the
section Additional Guidance.
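Checklist steps 2, 3 and 8 need a record of what each node actually listens on before the required paths can be written down and the rest disabled. The following PowerShell script is an added example and is not part of GFK-3015 or of any GE product: it builds that record for one Windows IPC, naming the owning process and, for svchost-hosted listeners, the Windows service behind each port, and flags the endpoints bound to all interfaces (the only ones another node can reach). The report path is an assumption; run it from an elevated prompt.

```powershell
# Added example, not part of GFK-3015: inventory every listening TCP/UDP endpoint
# on the IPC with its owning process and Windows service, to feed checklist
# steps 2, 3 and 8. Run from an elevated PowerShell prompt (NetTCPIP module,
# Windows 8 / Server 2012 or later).

function Get-ListeningEndpointInventory {
    [CmdletBinding()]
    param(
        # Hypothetical report path; change to suit the site.
        [string]$ReportPath = "$env:USERPROFILE\Desktop\ipc-listening-ports.csv"
    )

    # Service names keyed by PID, so that svchost-hosted listeners get a name.
    $servicesByPid = @{}
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }

    $endpoints = @()
    $endpoints += Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress
                           LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess }
    }
    $endpoints += Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress
                           LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess }
    }

    $inventory = foreach ($e in $endpoints) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        [pscustomobject]@{
            Protocol     = $e.Protocol
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            PID          = $e.OwningProcess
            ProcessName  = $procName
            Services     = ($servicesByPid[[int]$e.OwningProcess] -join ';')
            # 0.0.0.0 / :: means the socket is reachable from every interface,
            # not only loopback; these are the ones other nodes can talk to.
            ExposedOnAllInterfaces = ($e.LocalAddress -in @('0.0.0.0', '::'))
        }
    }
    $inventory = $inventory | Sort-Object Protocol, LocalPort, LocalAddress

    $inventory | Export-Csv -Path $ReportPath -NoTypeInformation
    return $inventory
}

# Show the endpoints reachable from other hosts: each one must either appear as a
# required protocol on a recorded path (step 3) or be disabled/blocked (step 8).
Get-ListeningEndpointInventory |
    Where-Object ExposedOnAllInterfaces |
    Format-Table Protocol, LocalPort, ProcessName, Services -AutoSize
```

The CSV is the artefact to keep with the network diagram: re-run the script after step 8 and after each update in the maintenance plan (step 10) and diff the two inventories, so that a port that reappears after a patch or a reinstalled license manager is noticed rather than silently re-exposed.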

3 IPC2018 IPC Functional Overview
The information in this chapter is intended to assist with infrastructure configuration for iFix and CIMPLICITY.
3.1 IPC2018 with iFix
Currently, an iFix bundle for RXi2-EP IPC is not available and there is no plan to offer an iFix bundle for this product.
3.2 IPC2018 with CIMPLICITY
Currently, a CIMPLICITY bundle for RXi2-EP IPC is not available and there is no plan to offer a CIMPLICITY bundle for
this product.
3.3 Platform Configuration and Hardening
GE recommends configuring operating systems, databases, and other platforms in accordance with vendor recommendations
or industry standards.
The following organizations publish best practices, checklists, benchmarks, and other resources for securing systems:
System Security Resources
Organization Website
Center for Internet Security® (CIS™) http://www.cisecurity.org
National Institute of Standards and Technology® (NIST) http://checklists.nist.gov
Microsoft® http://technet.microsoft.com/security/default.aspx
The following TCP/IP ports are enabled by default on the Microsoft Windows® system. GE recommends disabling these ports
(for example by blocking them with inbound Windows Firewall rules) to harden the operating system. Before blocking a port,
confirm that none of the communication paths recorded in the Checklist depends on it, and retest the system afterwards.
TCP/IP Ports to Disable
TCP/IP Port Description
135 Microsoft Windows RPC (endpoint mapper)
1947 Aladdin HASP license manager
13000 mc-nmf
14000 Scotty-ft
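One way to carry out the recommendation above is with Windows Firewall block rules. The script below is an added example, not GE's own procedure: it reports what currently listens on each port in the table and then creates an inbound TCP block rule for it, skipping rules that already exist so it can be re-run. The rule name prefix is an assumption. One caveat a practitioner should weigh before running it: TCP 135 is the RPC endpoint mapper that DCOM uses, so if OPC DA or other DCOM-based clients on other hosts must connect to this IPC, leave 135 out of the port list. Windows Firewall applies block rules ahead of allow rules, so an allow rule for those clients would not override the block.

```powershell
# Added example, not part of GFK-3015: block the TCP ports from the table above
# with Windows Firewall rules, after reporting what listens on them.
# Run from an elevated PowerShell prompt on the IPC.

$PortsToBlock = 135, 1947, 13000, 14000

function Block-UnneededInboundPorts {
    param(
        [int[]]$Ports = $PortsToBlock,
        # Hypothetical rule name prefix; adjust to the site's naming scheme.
        [string]$RulePrefix = 'IPC2018 Hardening'
    )
    foreach ($port in $Ports) {
        # Report the current listener so the change can be traced back to a process.
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        foreach ($l in $listeners) {
            $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            Write-Host ("TCP {0} is currently listened on by PID {1} ({2})" -f $port, $l.OwningProcess, $p.ProcessName)
        }

        # One rule per port keeps later exceptions (e.g. re-enabling 135 for a
        # DCOM client) a matter of removing a single rule.
        $name = "$RulePrefix - block inbound TCP $port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
            Write-Host "Created rule '$name'"
        } else {
            Write-Host "Rule '$name' already exists; left unchanged"
        }
    }
}

function Get-HardeningRules {
    param([string]$RulePrefix = 'IPC2018 Hardening')
    # Join each rule with its port filter so the result can be checked at a glance.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled
                           Action = $_.Action; LocalPort = $filter.LocalPort }
    }
}

Block-UnneededInboundPorts
Get-HardeningRules | Format-Table -AutoSize
```

A block rule only stops traffic; the listening service is still running. Where the listener belongs to a service the site does not use, stopping and disabling that service as well (checklist step 8) removes the attack surface rather than hiding it behind the host firewall.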


4 Network Architecture and Secure
Deployment
This chapter provides security recommendations for deploying remote access using iFIX WebSpace.
4.1 Reference Architecture
The following figure provides a reference deployment of IPC2018 IPC components. The control system network is segregated
from other untrusted networks such as the enterprise network (also referred to as the business network, corporate network, or
intranet) and the internet. Process control network data and applications are authenticated and exposed in a limited fashion
using web-based applications and reporting capabilities.
Figure: Network Architecture (reference deployment of IPC2018 IPC components; the diagram itself is not reproduced here)
4.2 Demilitarized Zones (DMZ)
A DMZ architecture uses two firewalls to isolate servers that are accessible from untrusted networks. Never expose an iFIX
SCADA node directly to the internet. Instead, place a relay server or WebSpace in a DMZ configuration.
For additional isolation, three firewalls can be deployed to create a double-hop DMZ configuration in which both the relay
server and the WebSpace server can be deployed in their own DMZ.


5 Other Considerations
This chapter provides additional recommendations and frequently asked questions (FAQ).
5.1 Anti-virus software
GE encourages customers to use third-party anti-virus (AV) software of their choice and to keep it up-to-date with the latest
updates.
While GE does not specifically certify any particular anti-virus supplier’s software, we do test our products with GE’s
corporate standard (currently Sophos Antivirus) installed and running on all test and system lab machines. In the event there
is a Proficy product defect discovered while running any anti-virus software, GE will make all reasonable efforts to provide a
solution. However, if the issue is found to be based on specific behavior of the AV software, the customer might be advised to
work with the AV software vendor and/or switch to another AV software vendor to get resolution to their issue.
5.2 Data Execution Prevention (DEP)
GE products function with Microsoft Windows Data Execution Prevention (DEP) enabled and GE recommends that
customers enable this feature as an added protection against the exploitation of application security vulnerabilities such as
buffer overflows.
In the event there is a Proficy product defect discovered while running DEP, GE will make all reasonable efforts to provide a
solution.
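The recommendation above is easiest to verify and enforce from PowerShell. The following script is an added example and not part of GFK-3015: it decodes the system-wide DEP policy that Windows reports through the Win32_OperatingSystem class (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut), reports whether the CPU supports hardware DEP, and switches the boot configuration to AlwaysOn when it is anything weaker. AlwaysOn applies DEP to every process with no per-application opt-out, which is the setting that actually protects the Proficy applications; the change takes effect after a reboot.

```powershell
# Added example, not part of GFK-3015: read the system DEP policy and set it to
# AlwaysOn. Run from an elevated prompt; the bcdedit change needs a reboot.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows default on client SKUs), 3 = OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Policy        = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDep   = $os.DataExecutionPrevention_Available      # CPU NX/XD support present
        Dep32BitApps  = $os.DataExecutionPrevention_32BitApplications
        DepDrivers    = $os.DataExecutionPrevention_Drivers
    }
}

function Set-DepAlwaysOn {
    # AlwaysOn enforces DEP for every process; applications cannot opt out.
    & bcdedit.exe /set '{current}' nx AlwaysOn
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

$current = Get-DepPolicy
$current | Format-List

if (-not $current.HardwareDep) {
    Write-Warning 'This CPU reports no hardware DEP support; DEP cannot protect native code here.'
} elseif ($current.Policy -ne 'AlwaysOn') {
    Write-Warning "DEP policy is $($current.Policy); setting AlwaysOn (reboot required)."
    Set-DepAlwaysOn
} else {
    Write-Host 'DEP is already AlwaysOn.'
}
```

After the reboot, run `Get-DepPolicy` again and record the result with the hardening evidence from the Checklist; if a Proficy component fails under AlwaysOn, that is the defect GE asks to be reported rather than a reason to fall back to OptIn.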
5.3 Patching
5.3.1 Patching GE Proficy Software
GE recommends that customers keep Proficy software up-to-date by applying the latest Software Improvement Module (SIM)
to their deployed Proficy products. SIMs add new functionality, fix bugs, and address security vulnerabilities.
Security advisories and security-related SIMs can be found on the GE Support website at
http://www.geautomation.com/security.
Customers can also sign up for notification of new SIMs and security advisories on the website.
5.3.2 Patching third-party Software
GE recommends that customers keep operating systems, databases, and other third-party software in their environment
up-to-date with the latest security patches from the software vendor.
GE regularly validates the compatibility of selected GE products with third-party operating system security patches. For more
information on this process, refer to GE Support website at http://www.geautomation.com/security.

5.4 Additional Guidance
5.4.1 Protocol-specific Guidance
Protocol standards bodies may publish guidance on how to securely deploy and use their protocols. Such documentation,
when available, should be considered in addition to this document.
5.4.2 Government Agencies and Standards Organizations
Government agencies and international standards organizations may provide guidance on creating and maintaining a robust
security program, including how to securely deploy and use Control Systems. For example, the U.S. Department of Homeland
Security has published guidance on Secure Architecture Design and on Recommended Practices for cyber security with
Control Systems. Such documentation, when appropriate, should be considered in addition to this document. Similarly, the
International Society of Automation publishes the ISA-99 specifications to provide guidance on establishing and operating a
cyber-security program, including recommended technologies for industrial automation and control systems.


Automation & Controls
1-800-433-2682
1-434-978-5100