Confidentiality: Ensure only the people you want to see information can see it.
Integrity: Ensure the data is what it is supposed to be.
Availability: Ensure the system or data is available for use.
GE recognizes the importance of building and deploying products with these concepts in
mind and encourages customers to take appropriate care in securing their GE products
and solutions.
Different sites will have different needs and requirements surrounding these concepts.
Follow the site's requirements when building, deploying, and using systems, keeping in
mind the impact that decisions and procedures will have on the site's security posture.
Example: The Microsoft Windows Operating System supports ACLs on files and
devices to define which users have what access rights to those items.
Example: The network switches support ACLs on their administrative interfaces to
define which elements of the system have the right to access the administrative
functions.
Note When done at the operating system level, ACLs protect an item no matter what tool
(program) is used to attempt access - this is called authoritative security. This is a stronger
level of protection than when the tool being used determines whether to allow access or
not - this is called cooperative or client-based security. Cooperative security can be
bypassed by using a different client to access the resource, authoritative security cannot
be bypassed as easily.
The concept of Least Privileges states that each user should be granted only the access
rights and privileges that they need to perform their work function. This protects items
and configurations against inadvertent changes by users, possibly because of malware that
the user has inadvertently triggered
Authorization (done on a per-item basis) is done not to a set of user identities, but
instead to a Role - it's ACL is not a list of usernames but a (much smaller) list of
Roles. As users are added and removed from the system the ACLs on each item do
not have to change since they were tied to the Roles and not the users, making
updates very fast and efficient.
Reporting on the members of a single Role is quick and easy compared to having to
visit all items and examine their individual ACLs.
If a user's Role changes (their job requirements change) it is a simpler task to assign
them to a new role, and perhaps change it back again if the change was only
temporary.
New roles are typically easy to define as the site's operating procedures change and
different classifications of users are required or different sets of privileges are
identified.
Example: The Microsoft Windows Operating System has a single security group that
grants Administrative access to computers - the Administrators group. Adding or
removing a user to the Administrators group will grant or revoke the user's
administrative privileges and the individual ACLs on all files and devices does not
have to be changed.
Example: The ToolboxST subsystem supports a Users and Roles concept, which
defines what rights and privileges are given for each Role. If a site decides to change
whether the Operators role is allowed to force variables, granting or revoking the
Force privilege to the Operators role is all that is required - there is no need to
change each user's privileges.
Provide physical security for all devices - many, if not most devices can be
compromised by an attacker that has physical access to the device at startup/boot
time or direct access to the non-volatile media that the device boots from (hard drive,
flash memory, etc.). Access to network equipment (switches, routers) can allow for
introduction of new devices onto the networks, including network monitoring
equipment.
Disable unused services on devices to reduce the mechanisms available for attacks.
Wherever possible, configure the site's password requirements (length,
complexity) into the devices or operating systems to have each device enforce
them automatically. If it cannot be automatically enforced it must be done
procedurally.
The Windows Operating System password requirements can be enforced via
local policies, or if the computers are in a domain by Group Policy.
If the SecurityST product was purchased, the ANIXIS Password Policy
Enforcement program can be configured with additional password requirements
above and beyond what is supported by the Microsoft Windows Operating
System.
Implement Role Based Access Control wherever available, and keep the list of users
and roles current.
Some system components allow for logging (auditing) failures, use these if
available - preferably logging to a centralized site SIEM (if available) for both
convenience and pattern analysis across devices.
Implement a site-wide scheme for applying software patches, especially those
defined as security patches.
Implement a site-wide scheme for supplying anti-virus software wherever
appropriate, including a method to keep the anti-virus signatures up-to-date.
Consider the use of Whitelisting as an advanced method of malware protection.
Whitelisting is generally recognized as one of the most powerful methods to protect
against malware, but it usually comes at a relatively high maintenance/complexity
cost.
The Mark VIe controller supports whitelisting when placed into Secure Mode
(low maintenance).
The SecurityST product supports an optional whitelisting scheme targeted
towards applications running on an HMI, Engineering Workstation, Historian,
and the SecurityST Server itself.
Implement a Network Intrusion Detection scheme for communication traffic where
appropriate, especially traffic that crosses an electronic security perimeter.
Limiting visibility to the control system is a strong defense-in-depth approach to help
prevent attacks. This is accomplished by using separate communications networks
(Virtual Local Area Networks or VLANs) to isolate different types of equipment, then
tightly controlling the network traffic that can cross from one VLAN to another. There are
various schemes and recommendations (ISA-99, IEC-62443) that include network
segmentation and they should be followed when making any networking changes or while
introducing new equipment to the control system.
Verify the source and integrity of media before placing it into site equipment.
Software distributions should be verified by whatever method the manufacturer
supports, such as signed installation files or a separate web site that lists the
hashes for the files on the distribution media.
Use of password protected media does not ensure that the media is free from
malicious software, but it does help prevent the media from being infected while
left unattended.
Make sure that the AutoRun option in the Windows Operating System is disabled to
help prevent software from being automatically run when the media is inserted into
the computer.
Typically all USB ports cannot be disabled on an HMI or Engineering Workstation as
they are used for peripherals (keyboard, mouse, speakers) and hardware license keys.
If these functions can be supported by using internal USB ports, it may be possible to
disable the external USB ports if desired.
Consider using hardware USB port locks to prevent access to the USB ports, and/or
pulling the front or rear USB port connectors coming from the computer's
motherboard.
Consider using additional software packages (such as the Sophos Anti-Virus
package supplied with the SecurityST product) to control access to the USB ports on
computers.
Consider blocking the use of USB ports on all but one or two computers (often the
Engineering Workstation(s)) to limit USB exposure, then use the internal network to
transfer the information to the computers that need it.
The password for the Mark VIe controller's local account should be defined
according to the site policy and knowledge of the password should be limited.
The ToolboxST application is used to change the password, and it will enforce a
fixed set of length and complexity requirements. If the site requires additional
password constraints they should be addressed procedurally. The following
constraints are enforced by the ToolboxST application:
Minimum Password Length: 7 characters
Complexity Requirements: A minimum of 3 out of 4 character groups
represented, with the groups being: Lower case, Upper case, Numeric, and
Special characters.
The Mark VIe main processor board contains a serial port which is only used for
advanced diagnostics. It is not used during normal operation and no users are expected to
access this port. Limiting access to this port (via locked cabinets or controlled entry to the
room) enhances the security of the physical system. When the Mark VIe is placed into
Secure Mode the serial port console interface is disabled.
Access to the console serial port can be limited by limiting physical access to the
serial port - such as implementing room access control or locks on the Mark VIe
cabinet.
If the SecurityST product was purchased, place the Mark VIe controllers in Secure
Mode to disable the console ports.
The Mark VIe controller supports a Secure Shell (SSH) connection over the UDH
network for console access. This is only used for advanced diagnostics and is not used in
normal operation. Users connecting to the SSH server will be required to enter the
administrative mode credentials to gain access. When the Mark VIe is placed into Secure
Mode the SSH console interface is disabled.
SSH clients should be selected that include authentication of the server's public key.
Once each controller's public key has been recorded, users should NOT provide
credentials to devices that are not in the trusted controller list. (Some SSH clients can
be configured to deny connections to untrusted devices before prompting for the
user's credentials.)
If a UDH default gateway has been defined in the Mark VIe controller, verify that the
default gateway is a router with rules that prevent routing SSH connections beyond
the UDH unless this is an explicit requirement at the site.
If the SecurityST product was purchased, place the Mark VIe controllers in Secure
Mode to disable the console ports.
Use the ToolboxST Users and Roles capability to control the runtime commands that
individual users are allowed to issue to the Mark VIe controller.
If the SecurityST product was purchased, place the Mark VIe controllers in Secure
Mode to ensure that the Mark VIe controller authenticates the user and limits their
actions to their assigned Controller Role.
If the SecurityST product was purchased, place the Mark VIe controller into Secure
Mode to activate the application whitelisting and user authentication subsystems.
There is a USB port on certain Mark VIe controllers (such as the UCSB version) but it is
not active during normal operation - no USB driver is even loaded. The USB port is only
used for an initial software load to provide a minimal system ready to accept a full
download via a ToolboxST Download operation. The USB port is only active when a user
holds down the USB Enable button while powering up the controller. With the button
held down, the controller will load an image from the USB device and then cease
operation. Upon the next power up (with the button not depressed) it will load the image
and await the full download.
The Mark VIe configuration should not define a default gateway for the UDH unless
it is required. Common reasons for requiring a UDH default gateway include:
To be able to support communication to an OSM or Historian located on the
Monitoring Data Highway (MDH).
To be able to support a Security Information and Event Monitor (SIEM), or
Syslog server, that is not physically connected to the UDH.
If a default gateway is defined for the UDH in the Mark VIe configuration, it should
be directed to a router that limits communication to only required message traffic.
3.2.2 Servers
The Mark VIe controller includes an optional OPC UA Server for the exchange of real
time data and commands. The OPC UA Server will listen for OPC UA client connections
and respond to the client's request to read or write data values.
Use the ToolboxST Users and Roles feature to define a set of Roles.
Grant each Role the Privileges required according to site operating policies.
Assign each User to a Role based upon the capabilities they require to perform their
job.
Use the Access Control methods defined in the section, HMI product to control
access to the ToolboxST configuration files.
Do not alter the Access Control Lists on the configuration files unless it is to
strengthen it to meet site requirements.
The configurations associated with devices, libraries, and software modules include a
Protection attribute that can be used to assign a password to various levels of access. The
available levels vary slightly based upon what is being protected, but in general they
provide specific types of access (View, Modify) only when the user enters the defined
password. These passwords propagate with the module to prevent the protection from
being circumvented by simply copying it to another (unprotected) device.
Use the Protection attribute in configurations at the device level and/or the software
module level to control access.
The Access Roles settings allow granting access according to the user's current role.
Password settings allow specifying a password required for various levels of access,
including View Design, Modify Data, and Modify Design. The passwords are
independent of the user that is logged in, and will continue to protect information
even if the configuration files are copied from one computer or system definition to
another.
Follow site password strength and complexity rules when defining these passwords,
the ToolboxST tool only places a minimal set of requirements on passwords.
The computer hosting the ToolboxST application must have connectivity to the
devices that it must download or diagnose. This typically means UDH access for
Mark VIe controllers, and PDH access for WorkstationST-based computers.
For each Repository (one is typical, but there may be multiple) define the level of
access associated with each user (ReadOnly versus ReadWrite).
An Administrative level account is required on the computer that hosts the CMS
Server for the initial creation of a repository and to maintain the list of users and the
access level granted to each user.
The CMS Server uses a web interface for client connections. This interface uses the
HTTPS protocol to identify the CMS Server as being legitimate and to protect the
information flowing through the client - server connection. This requires a Web Server
Certificate in order to establish the HTTPS connection. Do not remove this layer of
protection, and instruct users not to provide their credentials to a server that is not trusted.
Do not change the service definition to run the CMS Server (Apache Service) with
additional privileges (such as running it under the SYSTEM account).
Do not modify the ACLs on the directories that are used to store the information
placed into the repositories. Access to the files should be controlled through the CMS
Server and its internal access control lists.
Do not expose the raw files in the repositories via other mechanisms (such as a
sharename) as it will not honor the Repository access list definitions and the
information may be provided without encryption.
When configuring the CMS Clients to talk to the CMS Server, always use the CMS
Server's PDH address, never its UDH address.
If a Default Gateway is programmed into the computer hosting the CMS Server,
verify that the Default Gateway is a router with rules that prevent CMS Server access
from outside the PDH unless that is an explicit site requirement. If accessing from
outside the PDH, the Firewall rules on the CMS Server Host may need to be altered
to allow access to the CMS Server from outside of the local subnet.
5.2.2 Servers
The CMS Server provides its services via a Web Server. A single-purpose dedicated
Apache Web Server is used for this purpose. The CMS interface is exposed via the
HTTPS protocol, which uses a Server Certificate in order to both identify the CMS Server
as a trusted server and to encrypt information exchanges between the CMS Client and the
CMS Server.
If the site includes a domain controller (such as with the SecurityST product) then the
default certificate used by the CMS Server (self-signed) should be replaced by one
issued by the site domain controller. CMS Clients in the domain will trust the
certificate automatically instead of asking the users to validate the trust of the CMS
Server certificate independently.
If a self-signed CMS Server certificate is used, provide a mechanism for users to
verify the correct server is being contacted before marking the CMS Server as
trusted.
The CMS Server certificate may be placed into the client computer's Machine
Store so that each individual user does not need to validate the certificate
independently.
Make sure the DCOM security settings for the WorkstationST OPC DA Server match
the site requirements for access.
A WorkstationST OPC DA Client is available to communicate with other control systems
and devices. The WorkstationST OPC DA Client has the ability to run using a configured
set of credentials when establishing the connection, or run in an open mode where no
credentials are required.
Use the ToolboxST Users and Roles capability to define the set of users that have
download privileges to WorkstationST devices.
The OPC DA subsystem uses the Microsoft DCOM layer for access control, which
can be configured to restrict access to only the anticipated client accounts, or supply
a set of credentials to servers so that the WorkstationST client can be authenticated.
The OPC UA subsystem uses application or user level certificates to authenticate
users. Mapping certificates to Windows Users provides the ability to use the
ToolboxST Users and Roles subsystem to control what the remote client is allowed
to do, or to provide an identity to a remote server so that it can control what the
WorkstationST client can do.
Protocols that do not support native authentication can use additional firewalls to
limit the clients that are allowed to connect, or use IPsec to provide better control
over the clients that can connect as well as the ability to encrypt the communication.
The ACLs on the locations where WorkstationST stores its own configurations
(default is C:\Config) should not be changed unless it is to strengthen them to meet
site requirements.
The ACLs on the locations where WorkstationST stores its runtime data (Alarms,
Recorder, Historian configuration files) should not be changed unless it is to
strengthen them to meet site requirements.
If sharenames are created to expose WorkstationST runtime data to other
computers (such as Trip Logs), the ACLs on the sharenames should provide only
Read access.
If a Workstation is to receive EGD messages from a controller that does not share
any networks with the workstation (such as a workstation in the MDH) then the
"Enable Routing" option must be enabled in the WorkstationST configuration.
If a Workstation is obtaining information from another Workstation "by proxy" or via
a client attached to the other Workstation's server, the information should be routed
over the PDH instead of the UDH (on a dual network system).
The WorkstationST application provides many servers to provide information to other
computers, and clients to be able to access information on other computers. These data
interfaces can cause significant message traffic, especially during the initial connection
period. These exchanges should not be done over a critical control network (such as the
UDH) unless there is no other option.
In a dual network control zone, make sure the UDH has been defined as a Unit
network and the PDH has been defined as a Plant network in the ToolboxST network
definitions.
6.2.2 Servers
The WorkstationST application is the main real time data interface to the controllers,
providing that data to a variety of clients over a variety of protocols. The protocol support
is typically accomplished by having multiple WorkstationST Server functions and
enabling the Server functions that are required for the site. Each Server and Protocol has
different capabilities when it comes to authentication and encryption of data over that
interface.
General Guidelines:
Favor the use of protocols that provide client and server authentication over protocols
that do not.
If a protocol does not provide authentication, consider using additional means
(outside of the protocol) to enhance the security of the client-server connections. This
includes controlling the clients that can connect to the server and adding signatures
and encryption to preserve the integrity and confidentially of the message exchanges.
Refer to the chapter, Security and Secure Deployment for additional information on
protecting unauthenticated protocols.
The following Servers are included in the WorkstationST package.
A WorkstationST Modbus Server is included, which can accept client connections via
serial RS-232 or Ethernet connections. The Modbus protocol does not support native
authentication.
A WorkstationST GSM Server option is included which accepts client connections
via Ethernet connections. The GSM protocol does not support native authentication.
A WorkstationST OPC DA Server is included which accepts client connections via
Ethernet connections. The Server uses Microsoft DCOM security to control the
clients that are allowed to connect.
A WorkstationST OPC AE Server option is included which accepts client
connections via Ethernet connections.
A WorkstationST OPC UA Server option is included which accepts client
connections via Ethernet connections. The Server can be configured to use
Authenticated users via certificates, and can map user certificates to local user
accounts to provide control over what actions the user is allowed to perform.
A WorkstationST FOUNDATION Fieldbus gateway option is included in the Device
Manager Gateway. The FOUNDATION Fieldbus gateway does not support native
authentication.
A WorkstationST HART gateway option is include in the Device Manager Gateway.
The HART gateway does not support native authentication.
A WorkstationST Profibus gateway option is included in the Device Manager
Gateway. The Profibus gateway does not support native authentication.
A WorkstationST NTP Server is included. The NTP protocol does not support native
authentication.
Used by OSM and Historian Interfaces to read real time data from
770 TCP WorkstationST
WorkstationST
1616 TCP GeCssAmGateway WorkstationST Acoustic Monitor Server (option)
3683--
TCP Used by eTCSS, Toolbox application
3685
4840 TCP Opc.Ua.DiscoveryServer OPC UA Discovery Service
5150 TCP SDB SDB Server (for Mark VI and other legacy device configurations)
5310--
TCP GE SDI WorkstationST SDI Server Interfaces
5312
GeCssControlSystem
7050 TCP WorkstationST Control System Health Alarm Server
Helath
7070 TCP GE Alarm Receiver interface
7071 TCP GE Interface with local CIMPLICITY External Alarm Manager
GeCssDeviceManager
7086 TCP WorkstationST Device Manager Gateway
Gateway
GeCssDeviceManager
7091 TCP WorkstationST Device Manager Gateway FOUNDATION Fieldbus DTM
Gateway
Individual accounts should be created to be able to grant only the rights and
privileges required by the user or users of that account. In many cases, site security
policy will require that the accounts be on a per-user basis for accountability.
Use the Users and Roles feature of the ToolboxST application to assign users to
Roles and then assign only the privileges that Role requires.
The Operators group is given READ access so that the go to code function can be
used to view the sequencing or logic tree that generated an alarm.
The Maintenance group is given MODIFY access so that they can make changes to
the configuration files.
The Administrators group is given FULL access for system management operations.
Use of an administrator level account for normal maintenance activity should be
discouraged.
Do not alter the default ACLs used to protect the controller configuration files unless
it is to strengthen them to meet site requirements.
ACLs should be granted on the basis of group membership to prevent having to
modify the ACLs on all resources when changes need to be made to the access level
of a user. By assigning access rights to a group the change can be made in one
location by adding or removing the user from the group, the ACLs on the individual
files or directories does not have to be changed.
The domain HMI Operators group is added to the local Operators group.
The domain HMI Maintenance group is added to the local Maintenance group.
The domain HMI Administrators group is added to the local Administrators group.
Follow the rules in the NetworkST section when configuring the HMI network
adapters, with a special emphasis on the protocol bindings allowed on the UDH.
A Default Gateway can be defined for the HMI if it requires communications with
devices outside of the PDH and UDH.
Do not define a Default Gateway unless this HMI is required to communicate with
devices off of the networks that it is connected to (UDH and PDH).
If a Default Gateway is defined it should be a router with access control rules that
allow only required communications.
If a Default Gateway is defined it should be located on the PDH, not the UDH. (The
NetworkST 4.x architecture defines a default gateway address on the UDH and on
the PDH, the PDH address should always be used in the HMI.)
Do not change the network bindings away from the standards defined in the
NetworkST section of this document.
Update the password policies on computers to match the site requirements for
passwords. Consider a SecurityST system if the password requirements are above and
beyond what can be enforced by a stand-alone Windows Operating System.
Make sure to remove all generic as shipped passwords as part of the commissioning
of the system.
Do not modify the ACLs on the HMI resources unless it is to strengthen them to meet
site requirements. This is especially important for controller configuration and CMS
related directories.
When dealing with multiple computers (Engineering Workstations, HMIs,
Historians) consider purchasing a SecurityST system to provide a single point
location for user and rights management.
If using a SecurityST system, make sure to define local accounts for Emergency use.
(Refer to the section, SecurityST Product for additional information.)
Use the SecurityST Group Policies to harden the HMI configurations, also available
to be applied to non-domain computers as a GPOPack in the GE DS226CHP
Computer Hardening Procedure product.
Computers are often configured to include sharenames, a named resource that allows
external access to the directories and files on the computer from other computers.
If any sharenames are created, set the access control lists on the sharenames
independently from the access control lists on the directories and files accessed via
the sharenames.
Sharename access control lists can (and often should) be more restrictive than the
ACLs on the files that it exposes, allowing the same user ReadOnly access via the
Sharename (remotely) but ReadWrite access if accessed locally.
Exercise extreme caution if any sharenames are exposed outside of the computer's
native networking zone. Additional firewalls and protection should be considered,
and a double hop through a DMZ based computer is recommended.
8.1 Overview
The NetworkST architecture (NetworkST 3.1) provides a standard set of predefined
networks along with redundant sets of switches that implement those networks. A layered
option (NetworkST 4.0) adds a pair of redundant routers and a Firewall to support
additional communications options, with many sites choosing the firewall to be the
location of their Electronic Security Perimeter. Options are available to place the
management interfaces of the switches and routers onto a separate VLAN.
The most typical configuration includes two networks in the control zone. The Unit Data
Highway (UDH) and the Plant Data Highway (PDH) are separate networks that both
reside in the same control zone. The main difference between the two is that most critical
control messages are transported over the UDH and non-critical traffic is transported over
the PDH. This allows the switches and routers to give a higher priority to the critical
control messages on the UDH over the lower priority traffic on the PDH. Most
supervisory level computers (such as the Engineering Workstations and HMIs) are on
both networks, using the UDH for critical control messages and the PDH for
inter-computer communications (such as file sharing or historical data lookups).
The addition of the (optional, NetworkST 4.0) routers and firewalls allows for the
creation of additional networks with controlled access to the UDH and PDH. In typical
configurations this includes a Monitoring Data Highway (MDH) and one or more DMZ
style networks that can be used for Enterprise level access, remote access, or other
controlled access to meet the site requirements. These networks provide a
defense-in-depth approach where device communications must pass through both the
firewall and the routers to get to equipment in the control zone. Separate firewall and
router rules can be added to provide each additional network only the communications
capability required to meet site requirements. It is not uncommon for additional networks
outside of the firewall to be created for different device classes, such as for networked
printers or interfaces to higher level DCS systems.
The management interfaces of the network switches and routers can be exposed on a
separate Management VLAN (MGH) to isolate and control administrative access. In the
standard configurations all access to the MGH is controlled through access rules in the
router, no supervisory level devices are placed directly on the MGH. In addition, the
switches and routers have standard access control lists that allow management
communication from a limited number of addresses. The firewall is not placed on the
MGH to preserve the defense-in-depth protection provided by the routers in case the
firewall itself is compromised.
Follow normal password policies when defining the local administrative level
password, and only expose the password to people with the need for it.
When a SecurityST system is present it provides a RADIUS server that is used for
authenticating individual users for switch and router administrative level access. When
the RADIUS server is detected the switches and routers no longer accept login via the
local administrative account, domain credentials (username and password) are used to
authenticate individual users. Users who are a member of the Network Administrators
group are granted administrator level access.
Do not bypass using the RADIUS server for authentication, as this preserves a single
point for authentication (Active Directory user account) and authorization
(membership in Network Administrators), and provides a unique user identity for
logging access.
Physical access to the switches should be controlled to prevent disconnecting the
switches from the domain controller and therefore bypassing the RADIUS
authentication. (When disconnected the local administrative account is automatically
enabled.)
The firewall is not placed on the Management VLAN and it does not use RADIUS
authentication. This enables isolation of the firewall from the MGH and the RADIUS
Servers running on the Domain Controllers such that a compromise of the firewall does
not grant unfettered access to these resources. A local administrative level account is
created internal to the firewall for management level access.
Follow normal password policies when defining the firewall's local administrative
level password, and control the distribution of the password to those with an
approved need.
Do not reconfigure the networks to place the firewall on the Management VLAN or
any control network (UDH, PDH) unless that is a specific site requirement.
Consider using the two factor authentication methods provided by the firewall to
control access through the firewall.
Do not change the access control lists for the network equipment management
functions unless mandated by the site requirements.
The default set of router rules and access control lists provide for management access
by the main Engineering Workstation (EWS1_SVR) and the SecurityST primary
Application Server (AP1). Specifying two locations provide redundancy and
diagnostic capability in case of a single point of failure. If a site does not provide
both, the unused address can be removed from the access lists and router rules.
Do not remove the access control lists on management functions from the switches as
this helps prevent compromise if the MGH network is breached. Modify the access
control lists if the site requirements are not met by the as-shipped configurations,
don't remove them.
Do not place the firewall on the MGH as a compromise of the firewall would grant
unfettered access to the MGH and potentially all networks in the plant. All access
through the firewall should also have to go through the routers before landing on any
control or management network.
Do not add physical ports on the MGH network, access to the MGH should be
through devices on the PDH routing through the routers to the MGH. Add additional
router rules to permit only the required access from those devices to the MGH and
the devices on the MGH. (Devices on the PDH should require both router rules and
access control lists on the target device to reach management interfaces on the
network switches and routers.)
8.3.2 Servers
The network switches and routers support a set of servers to provide for management
functions. These servers are shipped with access control lists that limit access to the
server functions.
A Secure Shell (SSH) server is include to support administrative access for maintenance
and diagnostic activity. Access to the SSH server is controlled through an access control
list. Each server is configured with a unique server certificate to use for the secure
connection and to verify the identity of the device.
SSH clients making connections to the network equipment should verify the public
key signature of the device against a list of trusted devices. Users should be warned
not to provide logon credentials to devices that are not trusted. A method of updating
the trusted device list should be established to cover new or replaced devices.
The access control list for the SSH server should not be removed, if a site has
additional requirements they should be added to the existing access control list.
A Simple Network Monitoring Protocol (SNMP) server is included to support network
monitoring (Control System Health) functions. These functions retrieve switch
operational data (read only) to display conditions or alert on anomalies.
The access control list for the SNMP server should not be removed, if a site has
additional requirements they should be added to the existing access control list.
The SNMP protocol uses a community string to control access within the protocol
requests. The network equipment should only ever define a "read only" community
string, never define a community string with write access.
Maintain the community string according to the sites password policy for background
applications or service accounts - or (because this is read only) determine a specific
maintenance procedure.
161 UDP SNMP SNMP server for condition monitoring (switches, routers)
The SecurityST product provides the Active Directory subsystem that creates a
computer domain allowing centralized management of user accounts and access
rights. Users accounts maintained on the domain controllers are available for logging
into each HMI or Engineering Workstation. Without the centralized management
individual accounts on each HMI must be maintained if individual user accounts are
used.
The SecurityST product provides the RADIUS server used by the networking
equipment (switches and routers) to determine if users are to be granted
administrative access. Without the RADIUS server only the local switch
administrative account is available. If individual accounting of users is required then
each piece of networking equipment must be configured with each user account.
The SecurityST product provides the Certificate Authority (including an MSCEP
server) which is required to put a Mark VIe controller into Secure Mode. Without the
Certificate Authority the Mark VIe controller cannot enter Secure Mode.
The SecurityST product provides the Certificate Authority which (in conjunction
with Active Directory user accounts) provides users with certificates used for secure
communications between the user's ToolboxST application and the controller.
Without the Certificate Authority only unsecured connections are available.
The SecurityST product provides the Certificate Authority which issues certificates
to various optional devices and servers to identify them as trusted. Without the
Certificate Authority, other mechanisms must be put into place to identify these
components (such as the External Firewall, SIEM, Whitelisting application) as
trusted. (For web applications this includes the HTTPS certificates that identify the
site as being trusted.)
The SecurityST product includes an LDAP server used to authenticate (credential)
and authorize (group membership) access to the SIEM. Without the LDAP server
individual local accounts would need to be maintained.
The SecurityST product provides the Group Policy subsystem that is used to define
and push a set of operating system and application settings out to the various
computers in the domain. These Group Policies configure many settings including
user and password management, network access, and encryption requirements, as
well as hardening policies that disable unused and unwanted services and windows
components. Without the Group Policy subsystem these changes have to be
maintained on each computer individually.
The SecurityST product provides a password policy component that extends the
Windows Operating System capabilities while providing more comprehensive
information to users attempting to meet these policies. Without this password
management system enforcement of the policies needs to be done procedurally.
Use the SecurityST Domain Controllers for all user account management, keeping
local accounts only for emergency conditions (domain down for more than 30 days).
Do not distribute the local passwords outside of emergency conditions, and reset the
local account passwords after the emergency period is over.
Use SecurityST Domain Users identities when configuring the Users and Roles and
CMS Administration capabilities.
Use the SecurityST password policy subsystem to enforce site requirements for
password management.
Use the SecurityST RADIUS server to authenticate users to network equipment
(switches and routers). Add users who require administrative access to the Network
Administrators group.
Use the SecurityST AP1 CatTools application for network equipment configuration
backup and change notification.
Use the SecurityST AP1 SIEM as the syslog server for network equipment and
controllers.
Use the SecurityST AP1 Patching subsystem to keep computer software current
(especially with respect to Security updates).
Use the SecurityST AP1 Anti-virus subsystem to protect all computers.
Use the SecurityST AP1 Backup subsystem to protect all computers, including the
Engineering Workstations, HMIs, and CMS Server.
Use the SecurityST Group Policies to enforce hardening policies on computers that
have joined the domain.
DCOM Distributed Component Object Model, a Microsoft concept and protocol for
communicating between programs running on different computers.
DMZ Demilitarized Zone, a network that is separated from the Control and Monitoring
zones by both the routers and the firewall that is often used for locating computers that
serve plant information to entities outside of the electronic security perimeter.
EGD Protocol Ethernet Global Data, a UDP based protocol used to communicate
between devices. It is used for real time data and commands.
Firewall A device that connects between multiple networks in order to limit the types
of traffic that are allowed to flow between the networks.
GPO Group Policy Object, a collection of operating system settings that are applied to
computers to configure items such as security settings or disabling unused services.
GPOPack Group Policy Object Pack, a mechanism for being able to apply a set of
Group Policy settings to computers that are not joined to domain. It decodes the objective
of the Group Policy settings and applies them (as best it can) as either direct operating
settings or local policy settings.
MDH Management Data Highway, a network that contains devices that need to monitor
but not control. Traffic from the Monitoring Zone (MDH) to the Control Zone (PDH and
UDH) must go through a router with access lists that limit the allowed traffic.
MGH Management VLAN, a network that is used for the management interface for
networking equipment (routers and switches). Traffic from the Management VLAN
(MGH) to the Control Zone (PDH) must go through a router with access lists that limit
the allowed traffic.
OPC Open Platform Communications, a set of standards and protocols used for
communication between programs, typically running on different computers.
RADIUS Remote Authentication Dial-In User Service, a protocol originally created for
authenticating dial-up users, now used to authenticate users from many different types of
devices that are not joined into the domain. Domain Controllers provide RADIUS servers.
SDI Protocol A TCP based protocol used to communicate between devices. It is used
for configuration information as well as real time data and commands.
SIEM Security Information and Event Management, a server that collects event
messages from various other subsystems to provide a central location for analyzing and
viewing these events.
UDH Unit Data Highway, a network that is used to transport critical control
information within the Control Zone. Traffic to the Control Zone (PDH and UDH) from
outside the Control Zone must go through a router with access lists that limit the allowed
traffic.
VLAN Virtual Local Area Network (LAN), a mechanism for logically connecting
multiple devices into one network within a switch or router. Networking equipment
typically support multiple different VLANs within a single switch to provide isolation of
network segments within a single switch. VLANs include the UDH, PDH, MDH, MGH,
and DMZ.