Security And Secure Deployment; What Is Security; I Have A Firewall: Isn't That Enough; What Is Defense In Depth - GE IPC2018 Deployment Manual


2 Security and Secure Deployment

This chapter describes the fundamentals of security and secure deployment.

2.1 What is Security?

Security is the process of maintaining the confidentiality, integrity, and availability of a system:
• Confidentiality: Ensure only the people you want to see information can see it.
• Integrity: Ensure the data is what it is supposed to be.
• Availability: Ensure the system or data is available for use.
GE recognizes the importance of building and deploying products with these concepts in mind and encourages customers to
take appropriate care in securing their GE products and solutions.

2.2 I have a Firewall: Isn't that Enough?

Firewalls and other network security products, including Data Diodes and Intrusion Prevention Devices, can be an important
component of any security strategy. However, a strategy based solely on any single security mechanism will not be as resilient
as one that includes multiple, independent layers of security. Therefore, GE recommends taking a Defense in Depth approach
to security.

2.3 What is Defense in Depth?

Defense in Depth is the concept of using multiple, independent layers of security to raise the cost and complexity of a
successful attack. To carry out a successful attack on a system, an attacker would need to find not just a single exploitable
vulnerability, but would need to exploit vulnerabilities in each layer of defense that protects an asset.
For example, if a system is protected only by sitting on a network behind a firewall, the attacker needs only to circumvent
the firewall to gain unauthorized access. However, if there is an additional layer of defense, say a username/password
authentication requirement, the attacker now needs to find a way to circumvent both the firewall and the username/password
authentication.

2.4 General Recommendations

The following security best practices should be considered when using GE products and solutions.
• Deploy and configure firewalls to limit the exposure of control system networks to other networks, including internal
business networks and the Internet. If a control system requires external connectivity, care must be taken to control, limit
and monitor all access, using, for example, virtual private network (VPN) or Demilitarized Zone (DMZ) architectures.
• Harden system configurations by enabling and using the available security features, and by disabling unnecessary ports,
services, functionality, and network file shares.
• Apply all of the latest GE product security updates, SIMs, and other recommendations.
• Apply all of the latest operating system security patches to control system PCs.
• Use anti-virus software on control system PCs and keep the associated anti-virus signatures up-to-date.
• Use whitelisting software on control system PCs and keep the whitelist up-to-date.
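As an added illustration of the firewall and DMZ recommendation above (example configuration, not from the GE guide), the following nftables ruleset for a Linux firewall placed between a business network, a DMZ and a control network applies a default-deny forwarding policy: only a VPN-terminated jump host in the DMZ may open sessions to control system PCs, and control hosts may only push data to a DMZ relay. Interface names, address ranges and the permitted port numbers are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: three-zone firewall between business, DMZ and control networks.
# Interface names, addresses and ports below are assumed placeholders, not GE values.
flush ruleset

define BUSINESS_IF = "eth0"         # corporate / business network
define DMZ_IF      = "eth1"         # DMZ: VPN concentrator, jump host, data relay
define CONTROL_IF  = "eth2"         # control system network (IPC2018 hosts)
define CONTROL_NET = 10.10.0.0/24   # assumed control network range
define JUMP_HOST   = 172.16.1.10    # assumed VPN-terminated remote access host in the DMZ
define RELAY_HOST  = 172.16.1.20    # assumed DMZ relay that control hosts may push data to

table inet zones {
    chain forward {
        # Default deny: anything not explicitly permitted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Stateful return traffic only for sessions that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # The business network never reaches the control network directly;
        # remote users must come through the VPN and the DMZ jump host.
        iifname $BUSINESS_IF oifname $CONTROL_IF counter drop

        # Jump host -> control network, restricted to the assumed management ports.
        iifname $DMZ_IF oifname $CONTROL_IF ip saddr $JUMP_HOST ip daddr $CONTROL_NET tcp dport { 443, 3389 } ct state new counter accept

        # Control network -> DMZ relay only (outbound data push); nothing else leaves.
        iifname $CONTROL_IF oifname $DMZ_IF ip saddr $CONTROL_NET ip daddr $RELAY_HOST tcp dport 443 ct state new counter accept

        # Everything that falls through is logged (rate limited) and then dropped by policy,
        # which gives monitoring a record of blocked access attempts.
        limit rate 10/minute log prefix "zones-forward-drop: "
    }
}
```

The ruleset filters only forwarded traffic; the firewall host's own input chain, the VPN concentrator configuration and the jump host hardening are separate layers that still need to be configured.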
For public disclosure
GFK-3015 Secure Deployment Guide 9
