DeltaV System Health Monitoring Networking and Security



Similar documents
Automated Patch Management Service

OpenText Secure MFT Network and Firewall Requirements

Plant Messenger Alert Reporting Service

Local Patch Management Update Service

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Endpoint Security for DeltaV Systems

DeltaV Network Time Synchronization

Plantwide Event Historian

DeltaV OPC.NET Server

DeltaV System Cyber-Security

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Kaseya Server Instal ation User Guide June 6, 2008

Monitoring Traffic manager

Wireless Remote Video Monitoring

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Network Configuration Settings

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone

Nokia E90 Communicator support

Smart Operations Management Suite

Wireless Remote Video Monitoring

Smart Card Two Factor Authentication

Lifecycle Services for Syncade Logistics

Deploying ACLs to Manage Network Security

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Backup and Recovery FAQs

Emerson Smart Firewall

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

About Firewall Protection

Fireware How To Logging and Notification

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Figure 41-1 IP Filter Rules

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

Backup and Recovery. Introduction. Benefits. Best-in-class offering. Easy-to-use Backup and Recovery solution.

Serial Deployment Quick Start Guide

F-Secure Messaging Security Gateway. Deployment Guide

12. Firewalls Content

DeltaV System Software Update Deployment

OPC Mirror. OPC Mirror. Introduction. Product Data Sheet. Bi-directional data flow. Easy configuration. Fast data transfer. OPC Data Access compliant

What is the Barracuda SSL VPN Server Agent?

Wireless Field Data Backhaul

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Technical Brief for Windows Home Server Remote Access

Ricoh HotSpot Printer/MFP Whitepaper Version 4_r4

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Integration Guide. EMC Data Domain and Silver Peak VXOA Integration Guide

DeltaV Virtualization High Availability and Disaster Recovery

Proxies. Chapter 4. Network & Security Gildas Avoine

DeltaV Guardian Support

To install the SMTP service:

Implementation Guide. Juniper Networks SRX Series Services Gateways/ Websense V10000 G2 appliance. v7.6

HotSpot Enterprise Mobile Printing Solution. Security Whitepaper

CSCE 465 Computer & Network Security

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Installing Policy Patrol on a separate machine

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation

Avaya Port Matrix: Avaya Diagnostic Server 2.5

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Polycom. RealPresence Ready Firewall Traversal Tips

Module 6. Designing and Deploying External Access. MVA Jump Start

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

SolarWinds. Packet Analysis Sensor Deployment Guide

Implementing Network Address Translation and Port Redirection in epipe

Did you know your security solution can help with PCI compliance too?

Security and the Mitel Teleworker Solution

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

Security Technology: Firewalls and VPNs

What is VLAN Routing?

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Monitoring the NTP Server. eg Enterprise v6.0

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

How to Secure a Groove Manager Web Site

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

How To Configure Virtual Host with Load Balancing and Health Checking

EMC CLARiiON Secure Remote Support Solutions Technical Notes P/N REV A03 October 5, 2010

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

FIREWALLS & CBAC. philip.heimer@hh.se

CUSTOMER SAP Afaria Overview

Firewall. User Manual

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Application Note: GateManager Internet requirement and port settings

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

PANO MANAGER CONNECTOR FOR SCVMM& HYPER-V

Technical Support Information

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Application Note. Onsight TeamLink And Firewall Detect v6.3

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

Backup and Recovery. Backup and Recovery. Introduction. DeltaV Product Data Sheet. Best-in-class offering. Easy-to-use Backup and Recovery solution

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Backup and Recovery. Backup and Recovery. Introduction. DeltaV Product Data Sheet. Best-in-class offering. Easy-to-use Backup and Recovery solution

Transcription:

DeltaV Distributed Control System White Paper DeltaV System Health Monitoring Networking and Security Introduction Emerson Process Management s DeltaV System Health Monitoring service enables you to proactively maintain the health of your control system assets with continuous automated health monitoring. An on-site monitoring appliance powers the System Health Monitoring service, continuously checking critical health information of the integrated DeltaV distributed control system (DCS) 24x7x365. Detected alert conditions are sent via email to Emerson, quickly analyzed, and then communicated to the local Emerson service experts and site maintenance personnel with appropriate recommended mitigating actions. When deploying the System Health Monitoring on-site monitoring appliance, there are some networking and security considerations that need to be accounted for. This document provides the detailed information to properly deploy the on-site monitoring appliance securely and ensure adherence to the best practices for DeltaV DCS cybersecurity.

DeltaV System Health Monitoring Networking and Security Network Architecture The following diagram represents the architecture integration for the System Health Monitor (SHM) appliance. The architecture emphasizes a layered secure model and complies with Emerson s whitepaper Best Practices for DeltaV Cybersecurity. The minimum connectivity requirements for the SHM appliance are a connection to the L2 & L2.5 LANs. -- The SHM appliance contains four Network Interface connections supporting 10/100/1000 MB. SMTP / E-Mail Server Business Application Business / L4 LAN DMZ Application Email Proxy Server DMZ / L3.5 LAN PCN Application PCN / PIN / L3 LAN Local Information Network / L2.5 LAN DeltaV Engineering DeltaV Application DeltaV Operator System Health Monitoring Appliance DeltaV Control Network / L2 LAN DeltaV Controllers (BPCS) DeltaV Controllers (SIS) Field Devices / L1 NOTES 1. System architecture according to Emerson whitepaper Best Practices for DeltaV Cyber-Security. 2. Separate Interfaces exist for the SHM Appliance, requires connections to the L2 & L2.5 LANs. Figure 1 Typical DeltaV Network Architecture with SHM. 2

DeltaV System Health Monitoring Networking and Security Communication Services 3.1 Applications There is only one application service on the SHM appliance which originates from the L2.5 LAN. This is the mail service notification, SMTP, which is programmed to send informational messages to the local site Mail Server. 3.2 Protocol Services Mail notification protocol services are as follows: Application Layer Protocol = SMTP Version = Standard SMTP, non-binding Transport Layer Protocol = Transmission Control Protocol, TCP Transport Layer Port = 25 3.3 Directional Communication Requirements All SMTP communications originate from the SHM appliance. Therefore, unidirectional communications can be assumed for security policy configurations. Because TCP is utilized for Transport Services, acknowledgement exchange messages are expected which require communication responses back to the SHM appliance. Such communications are standard and do not warrant additional firewall security policies. 3.4 Communication End-Point The only End-Point the SHM appliance communicates with is the site Email Server (or the site Email Proxy server if one is deployed). The intended SMTP message is ultimately relayed to Emerson s Remote Monitoring Center via the site Email Server. 3.5 Communication Frequency and Loading By design, the SHM monitor polls diagnostic data on the L2 network at specified intervals for each node to balance overall loading. If an alert condition is present, the SHM appliance generates an SMTP message for each alert. The following loading characteristics are considered: 1 System Alert = 1 SMTP message Messages are generated by exception Maximum messages per second = 2 Persistent abnormal conditions do not generate repeated SMTP messages. i.e. 1 every 24hrs. Message content, payload for network packets, are generally less than 1k in size and will be less than the maximum frame size, 1514 bytes. If filtering or throttling is required for SMTP messages, Emerson anticipates the site Mail Server configurations would facilitate such actions. However, we do not anticipate this as a fundamental configuration requirement. 3.6 Security The following security features apply to the SHM appliance: SMTP message content contains diagnostic data, exclusively, for the control system. SMTP messages, by default, do not require encryption services. --As required, SMTP encryption can be enforced from the site Mail Server to Emerson s Remote Monitoring Center. 3

DeltaV System Health Monitoring Networking and Security Outgoing email sent to Emerson s Remote Monitoring Center does not include: -- Server IP Address -- Domain Name SMTP User Account requirements can be configured with either of the following options: -- Anonymous -- User Account Enforcement An L2 Domain Service Account is required to facilitate application services for the SHM appliance. -- This account only applies to the L2 Domain. Network Management access to the SHM appliance is via HTTPS with configurable user account access. -- Accessible via L2 & L2.5 LANs Remote Access, RDP or otherwise, is not possible to the SHM appliance. Therefore, Emerson does not require remote access to the appliance. security policy is INSIDE to OUTSIDE to facilitate SMTP, TCP port 25 -- There are no OUTSIDE to INSIDE security policies required to be configured for the SHM appliance. FW Rule: access-list inside_access_out extended permit tcp host 192.168.50.20 host 172.16.100.10 eq 25 RULE access-list inside_access_out remark SMTP Service for Emerson SHM Appliance 192.168.50.20 172.16.100.10 INSIDE 172.16.100.1 192.168.50.1 OUTSIDE SHM Email Proxy or Email Server Stateful Inspection Dynamic Connection Process 1. Host 192.168.50.20 sends SMTP Message destined to 172.16.100.10. 2. Access Rule is confirmed via Security Policy and creates a virtual connection between 192.168.50.20 and 172.16.100.10. a. Source port for 192.168.50.20 is random and >1024, i.e. 9030. b. Destination port for 172.16.100.10 = 25. 3. Because a virtual connection has been established between these two IP s & Ports (9030 & 25), the allows IP 172.16.100.10/25 to reply (ACK s) back to 192.168.50.20/9030. This is handled at the Transport Layer, TCP Services. a. Any other communications from 172.16.100.10 to 192.168.50.20 which is not serviced by Ports 9030 & 25 are blocked at the. 4. Once the virtual connection is closed no communications are allowed from INSIDE to OUTSIDE, nor OUTSIDE to INSIDE. 5. Because the rules do not depict a specific rule from OUTSIDE to INSIDE, 172.16.100.10 can NEVER originate communications back to 192.168.50.20. The will block this communication. Figure 2 Communication details for SHM. 4

DeltaV System Health Monitoring Networking and Security White Paper Emerson Process Management Asia Pacific: 65.6777.8211 Europe, Middle East: 41.41.768.6111 North America, Latin America: +1 800.833.8314 or +1 512.832.3774 2015, Emerson Process Management. All rights reserved. The Emerson logo is a trademark and service mark of Emerson Electric Co. DeltaV is a mark of one of the Emerson Process Management family of companies. All other marks are the property of their respective owners. The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the designs or specifications of our products at any time without notice.