Chapter 7 Other Considerations; Patch Management; Real-Time Communication; Additional Guidance - GE PACSystems RX3i Secure Deployment Manual

Profinet io devices

Chapter 7 Other Considerations

7.1 Patch Management

A strategy for applying security fixes, including patches, firmware updates, and configuration changes, should
be included in a facility's security plan. Applying these updates will often require that an affected PROFINET I/O
Device be temporarily taken out of service.
Some installations require that extensive qualification be performed before changes are deployed to the
production environment. While this requirement is independent of security, ensuring the ability to promptly
apply security fixes while minimizing downtime may drive the need for additional infrastructure to help with
this qualification.

7.2 Real-time Communication

When designing the network architecture, it is important to understand what impact the network protection
devices (such as firewalls) will have on the real-time characteristics of the communications traffic that must
pass through them. In particular, the PROFINET I/O protocol is generally expected to operate with small,
known, worst-case bounds on its communications latency and jitter. As a result, network architectures that
require real-time communications to pass through such devices may limit the applications that can be
successfully deployed.
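
The following is an added example, not part of the GE manual: one way to check this during qualification is to capture the same cyclic frames on both sides of the protection device and compare worst-case transit delay and jitter against the application's budget. The timestamps, the 1 ms cycle time, the budget values and all names are constructed assumptions, and both capture points are assumed to share one clock.

```python
# Added example: timestamps, cycle time and budgets are constructed values.

def assess_path(ingress_us, egress_us, cycle_us, max_latency_us, max_jitter_us):
    """Compare capture times (microseconds, same clock) of the same cyclic
    frames before (ingress) and after (egress) a network protection device."""
    if len(ingress_us) != len(egress_us) or len(ingress_us) < 2:
        raise ValueError("need matching captures with at least two frames")
    # Transit delay the device added to each frame.
    latency = [e - i for i, e in zip(ingress_us, egress_us)]
    if min(latency) < 0:
        raise ValueError("egress earlier than ingress: capture clocks differ")
    # Jitter: deviation of each egress inter-arrival gap from the nominal cycle.
    gaps = [b - a for a, b in zip(egress_us, egress_us[1:])]
    jitter = [abs(g - cycle_us) for g in gaps]
    return {
        "mean_latency_us": sum(latency) / len(latency),
        "worst_latency_us": max(latency),
        "worst_jitter_us": max(jitter),
        # Frames that arrived later than the jitter budget allows.
        "late_frames": sum(1 for g in gaps if g - cycle_us > max_jitter_us),
        "within_budget": max(latency) <= max_latency_us
                         and max(jitter) <= max_jitter_us,
    }

# Constructed sample captures for a 1 ms cyclic exchange.
CYCLE_US = 1000
INGRESS = [0, 1000, 2000, 3000, 4000, 5000]
SWITCH_ONLY = [t + 20 for t in INGRESS]                 # constant small delay
FIREWALL = [t + d for t, d in zip(INGRESS, [150, 160, 155, 900, 170, 150])]
BUDGET = dict(cycle_us=CYCLE_US, max_latency_us=300, max_jitter_us=100)

def compare_paths():
    """Assess both candidate paths against the same (assumed) budget."""
    return {
        "switch_only": assess_path(INGRESS, SWITCH_ONLY, **BUDGET),
        "firewall": assess_path(INGRESS, FIREWALL, **BUDGET),
    }

if __name__ == "__main__":
    for name, result in compare_paths().items():
        print(name, result)
```

In the constructed firewall capture the mean added latency stays under the budget, but a single delayed frame breaks the worst-case bound, which is the figure that matters for this kind of traffic.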

7.3 Additional Guidance

Protocol-Specific Guidance

Protocol standards bodies may publish guidance on how to securely deploy and use their protocols. Such
documentation, when available, should be considered in addition to this document. This includes, but is not
limited to, the following document:
PROFINET Security Guideline (TC3-04-0004a) by PROFIBUS INTERNATIONAL

Government Agencies and Standards Organizations

Government agencies and international standards organizations may provide guidance on creating and
maintaining a robust security program, including how to securely deploy and use Control Systems. For
example, the U.S. Department of Homeland Security has published guidance on Secure Architecture Design
and on Recommended Practices for cybersecurity with Control Systems. Such documentation, when
appropriate, should be considered in addition to this document. Similarly, the International Society of
Automation publishes the ISA-99 specifications to provide guidance on establishing and operating a
cybersecurity program, including recommended technologies for industrial automation and control systems.
GFK-2904D
July 2018
