Remote Access And Demilitarized Zones; Access And Process Control Networks - GE PACSystems RX3i Secure Deployment Manual


Chapter 6. Network Architecture and Secure Deployment
The Manufacturing Zone networks (which include the Manufacturing Operations, Supervisory Control, and
Process Control networks) are segregated from other untrusted networks such as the enterprise network (also
referred to as the business network, corporate network, or intranet) and the internet using a Demilitarized
Zone (DMZ) architecture. The Process Control networks have limited exposure to traffic from higher-level
networks, including other networks in the Manufacturing Zone, as well as from other Process Control
networks.

6.2 Remote Access and Demilitarized Zones

A Demilitarized Zone (DMZ) architecture uses two firewalls to isolate servers that are accessible from
untrusted networks. The DMZ should be deployed such that only specific (restricted) communication is
allowed between the business network and the DMZ, and between the control network and the DMZ. The
business network and the control networks should ideally not communicate directly with each other.

If direct communication to a control network is required from the business network or from the internet,
carefully control, limit, and monitor all access. For example, require two-factor authentication for a user to
obtain access to the control network using Virtual Private Networking (VPN), and even then restrict the
allowed protocols/ports to the minimum set required. Further, every access attempt (successful or not)
and all blocked traffic should be recorded in a security log that is regularly audited.

6.3 Access and Process Control Networks

Ethernet traffic from the Supervisory Control network to the Process Control networks should be restricted to
support only the functionality that is required. For example, because Proficy Machine Edition uses SRTP to
download the application to the PACSystems controllers and NIUs, SRTP traffic must be allowed through
the firewall. However, if a particular protocol (such as Modbus TCP) does not need to be used between those
regions, the firewall should be configured to block that protocol. If, in addition, a controller has no
other reason to use that protocol, then, as well as blocking it at the firewall, the controller itself
should be configured to disable support for the protocol.
Note:
Network Address Translation (NAT) firewalls typically do not expose all of the devices on
the trusted side of the firewall to devices on the untrusted side of the firewall. Further,
NAT firewalls rely on mapping the IP address/port on the trusted side of the firewall to a
different IP address/port on the untrusted side of the firewall. Since communication to
PACSystems controllers will typically be initiated from a computer on the untrusted side
of the Process Control network firewall, protecting a Process Control network using a
NAT firewall may cause additional communication challenges. Before deploying NAT,
carefully consider its impact on the required communications paths.
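
The rule-set check below is an added example, not taken from the GE manual: it audits a first-match rule list for the Supervisory Control to Process Control firewall against the guidance above (allow only required protocols such as SRTP, block unneeded ones such as Modbus TCP, log blocked traffic). The port numbers, subnet, host addresses, and the `Rule`, `decide`, and `audit` names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import astuple, dataclass

# Assumptions (not stated on this page): SRTP on 18245/tcp, Modbus TCP on 502/tcp,
# and a constructed Supervisory Control subnet of 10.10.0.0/24.
REQUIRED = {("tcp", 18245)}                      # only SRTP is needed at this site
SUPERVISORY = ipaddress.ip_network("10.10.0.0/24")

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, or "any"
    proto: str           # "tcp", "udp", or "any"
    dport: int           # 0 means any port
    log: bool = False

def decide(rules, src_ip, proto, dport):
    """First-match evaluation; returns (action, logged). No match: deny, unlogged."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        src_ok = r.src == "any" or ip in ipaddress.ip_network(r.src)
        if src_ok and r.proto in ("any", proto) and r.dport in (0, dport):
            return r.action, r.log
    return "deny", False

def audit(rules):
    """Flag rules that are broader than the required traffic or that drop silently."""
    out = []
    for i, r in enumerate(rules, 1):
        if r.action == "deny" and not r.log:
            out.append(f"rule {i}: blocked traffic is not logged")
        elif r.action == "allow":
            if (r.proto, r.dport) not in REQUIRED:
                out.append(f"rule {i}: allows {r.proto}/{r.dport}, which is not required")
            if r.src == "any" or not ipaddress.ip_network(r.src).subnet_of(SUPERVISORY):
                out.append(f"rule {i}: source {r.src} is wider than the Supervisory network")
    if not rules or astuple(rules[-1])[:4] != ("deny", "any", "any", 0):
        out.append("no final deny-all rule")
    return out

# Constructed rule sets for the Supervisory -> Process Control firewall.
WEAK = [Rule("allow", "any", "tcp", 18245), Rule("allow", "10.10.0.0/24", "tcp", 502),
        Rule("deny", "any", "any", 0)]
HARDENED = [Rule("allow", "10.10.0.15/32", "tcp", 18245),   # engineering workstation
            Rule("deny", "any", "any", 0, log=True)]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(rules), decide(rules, "10.10.0.20", "tcp", 502))
```

In the constructed `WEAK` set, a Modbus TCP connection from any Supervisory host is allowed and the final drop leaves no log entry; `HARDENED` denies and logs the same connection while still passing SRTP from the single engineering workstation.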
PACSystems PROFINET IO Devices Secure Deployment Guide
GFK-2904D