General Recommendations; Checklist - GE PACSystems RX3i Secure Deployment Manual


Chapter 2. Introduction

2.4 General Recommendations

Adopting the following security best practices should be considered when using GE Automation & Controls products and solutions.

• The PROFINET I/O Devices covered in this document were not designed for or intended to be connected directly to any wide area network, including but not limited to a corporate network or the Internet at large. Additional routers and firewalls (such as those illustrated in Figure 1: Reference Architecture) that have been configured with access rules customized to the site's specific needs must be used to access devices described in this document from outside the local control networks. If a control system requires external connectivity, care must be taken to control, limit and monitor all access, using, for example, virtual private networks (VPN) or Demilitarized Zone (DMZ) architectures.
• Harden system configurations by enabling/using the available security features, and by disabling unnecessary ports, services, functionality, and network file shares.
• Apply all of the latest product security updates from GE Automation & Controls, SIMs, and other recommendations.
• Apply all of the latest operating system security patches to control systems computers.
• Use anti-virus software on control systems computers and keep the associated anti-virus signatures up-to-date.
• Use whitelisting software on control systems computers and keep the whitelist up-to-date.

2.5 Checklist

This section provides a sample checklist to help guide the process of securely deploying PROFINET I/O products.

1) Create or locate a network diagram.
2) Identify and record the required communication paths between nodes.
3) Identify and record the protocols required along each path, including the role of each node. (Refer to Chapter 3, Communication Requirements.)
4) Revise the network as needed to ensure appropriate partitioning, adding firewalls or other network security devices as appropriate. Update the network diagram. (Refer to Chapter 6, Network Architecture and Secure Deployment.)
5) Configure firewalls and other network security devices. (Refer to Section 3.4, Ethernet Firewall Configuration and Chapter 6, Network Architecture and Secure Deployment.)
6) Enable and/or configure the appropriate security features on each PROFINET I/O Device. (Refer to Chapter 4, Security Capabilities.)
7) On each PROFINET I/O Device, change every supported password to something other than its default value. (Refer to Section 4.4, Password Management.)
8) Harden the configuration of each PROFINET I/O Device, disabling unneeded features, protocols and ports. (Refer to Chapter 5, Configuration Hardening.)
9) Test/qualify the system.
10) Create an update/maintenance plan.

Note: Secure deployment is only one part of a robust security program. This document, including the checklist above, is limited to providing secure deployment guidance only. For more information about security programs in general, refer to Section 7.3, Additional Guidance.

PACSystems PROFINET IO Devices Secure Deployment Guide, GFK-2904D
