Secure Accesses to the PAC
This is the access control list, a whitelist of IP addresses that can get connected to the controller either on the CPU or on the NOC module.
· Prevent unauthorized network device access
· Access Control can restrict access to the Ethernet communication module in its role as either a Modbus TCP or EtherNet/IP server. User specifies the IP addresses of these devices allowed to communicate with the module.
· Configuration done in Control Expert - formerly known as Unity Pro.
· Can be modified on line on M580 CPU (not on the BMENOC).
Secure PAC operating modes
· Any changes in PAC program or configuration are password protected at PAC level. User / PAC application needs to authenticate before making any change.
· Remote RUN/STOP authorization can be controlled by internal bit.
· Memory Protect mechanism prevents any changes in the PAC.
Secure PAC firmware
To help prevent any malware or firmware modification and to counter reverse engineering attempts.
· Firmware is now protected by being encrypted using AES256 encryption algorithm. The firmware integrity is ensured by using the powerful SHA 256 bit algorithm.
SHA-256 is a Secure Hash Algorithm defined by NIST in its FIPS-180-4 publication and used in many cryptography algorithms. SHA-256 is a stronger hash algorithm than SHA-1 which is no longer approved by NIST for many algorithms since 2012.
· Any data which could be helpful to make reverse engineering has been removed.
Control the integrity of the firmware
· New Boot Loader for firmware integrity check -> leveraging existing HW component called OTP *One time programmable*
· Firmware integrity check.
· Encrypted and Digitally signed (Genuine) firmware according to =SE= KEY standard.
· Secure firmware update via HTTPS. (No FTP for firmware download)
· EcoStruxure Automation Device Maintenance (EADM) mandatory for firmware upgrade.
HTTPS
· Data Storage via HTTPS (No FTP for Data Storage)
· HTTPS for Webpage access (Self-Signed)
Control the integrity of the real-time processing
· In real time, M580 checks the integrity of its memory, of its system tasks, of its processor and instructions to be processed. As soon as M580 detects something unexpected on those checks, then it automatically switches into a system stop mode, recording the last states of the memory, processors, and tasks to be able to make a “post mortem” analysis with R&D.
Control Expert Change Management
· A flexible and more secure system for traceability of PLC applications
updates Encrypted textual Log file (not only in Event Viewer)
· Security Editor on Server
Enabling and Disabling Security and Ethernet Services
The BME NOC 03•1 Ethernet communications module and the M580 CPU provides several Ethernet services. The enhance application security services can be restricted. From Control Expert DTM the following services can be enabled and disabled:
- EtherNet/IP (EIP) server (adapter)
- DHCP/BOOTP server
- SNMP agent (SNMP no longer used for fw v4,x created with CE 15.2 onwards)
- IPsec
IPsec service
Internet protocol security is an open set of protocol standards that make IP communication sessions private and secure for traffic between modules using IPsec, developed by the internet engineering task force (IETF). The IPsec authentication and encryption algorithms require user defined cryptographic keys that process each communications packet in an IPsec session. For more information about IPsec refer to www.IETF.org.
When IPsec is enabled on BMENOCs, the following traffic/services can be IP secured:
- SNMP agent and SNMP traps
- NTP client
- EtherNet/IP TCP traffic as adapter/server
- Modbus server (port502)
- HTTPS
- ICMP (Ping, etc)
- FTP server, TFTP server
IP Filter List
IPsec uses packet filters to evaluate communication packets according to their connections to various services. Packet filters are located between the endpoints of a peer-to-peer connection to verify that the packets adhere to the established administrative rules for communications. Every IP filter in a single IP filter list has the IP address of the same source of the communications packets. The IP addresses for the destinations of communications packets (BME NOC 03•1 modules) are different.
The Access Control List (ACL) function allows/disallows incoming traffic the following services based on IP address or subnet:
- Modbus server (port 502)
- EIP adapter
- FTP server (Used only for FDR)
- TFTP server
- HTTPS server
- SNMP agent
This feature is useful when requirement is to allow only validated IP addresses to get connected to the controller.
Syslog for Ethernet Services
The SysLog function can detect and log the following events to the Syslog server:
- TCP failure connection due to Access Control List
- Enable/Disable of communication Services via ETH_PORT_CTRL FB.
- Ethernet port Link up/down events
- RSTP topology change
- Configuration download of COM services
- Program operating Mode change of COMs (Run, stop)
- Failed and successful FTP login (for Firmware update and Fast Device Replacement)
CSPN certification
This certification is an exotic one since it does not follow usual rules of certifications. Here you put your product on a table and for 2 months, a team of professional and experienced “hackers” try to enter the product. If after 2 months, your product could not be penetrated, then you have your certificate.
This is the access control list, a whitelist of IP addresses that can get connected to the controller either on the CPU or on the NOC module.
· Prevent unauthorized network device access
· Access Control can restrict access to the Ethernet communication module in its role as either a Modbus TCP or EtherNet/IP server. User specifies the IP addresses of these devices allowed to communicate with the module.
· Configuration done in Control Expert - formerly known as Unity Pro.
· Can be modified on line on M580 CPU (not on the BMENOC).
Secure PAC operating modes
· Any changes in PAC program or configuration are password protected at PAC level. User / PAC application needs to authenticate before making any change.
· Remote RUN/STOP authorization can be controlled by internal bit.
· Memory Protect mechanism prevents any changes in the PAC.
Secure PAC firmware
To help prevent any malware or firmware modification and to counter reverse engineering attempts.
· Firmware is now protected by being encrypted using AES256 encryption algorithm. The firmware integrity is ensured by using the powerful SHA 256 bit algorithm.
SHA-256 is a Secure Hash Algorithm defined by NIST in its FIPS-180-4 publication and used in many cryptography algorithms. SHA-256 is a stronger hash algorithm than SHA-1 which is no longer approved by NIST for many algorithms since 2012.
· Any data which could be helpful to make reverse engineering has been removed.
Control the integrity of the firmware
· New Boot Loader for firmware integrity check -> leveraging existing HW component called OTP *One time programmable*
· Firmware integrity check.
· Encrypted and Digitally signed (Genuine) firmware according to =SE= KEY standard.
· Secure firmware update via HTTPS. (No FTP for firmware download)
· EcoStruxure Automation Device Maintenance (EADM) mandatory for firmware upgrade.
HTTPS
· Data Storage via HTTPS (No FTP for Data Storage)
· HTTPS for Webpage access (Self-Signed)
Control the integrity of the real-time processing
· In real time, M580 checks the integrity of its memory, of its system tasks, of its processor and instructions to be processed. As soon as M580 detects something unexpected on those checks, then it automatically switches into a system stop mode, recording the last states of the memory, processors, and tasks to be able to make a “post mortem” analysis with R&D.
Control Expert Change Management
· A flexible and more secure system for traceability of PLC applications
updates Encrypted textual Log file (not only in Event Viewer)
· Security Editor on Server
Enabling and Disabling Security and Ethernet Services
The BME NOC 03•1 Ethernet communications module and the M580 CPU provides several Ethernet services. The enhance application security services can be restricted. From Control Expert DTM the following services can be enabled and disabled:
- EtherNet/IP (EIP) server (adapter)
- DHCP/BOOTP server
- SNMP agent (SNMP no longer used for fw v4,x created with CE 15.2 onwards)
- IPsec
IPsec service
Internet protocol security is an open set of protocol standards that make IP communication sessions private and secure for traffic between modules using IPsec, developed by the internet engineering task force (IETF). The IPsec authentication and encryption algorithms require user defined cryptographic keys that process each communications packet in an IPsec session. For more information about IPsec refer to www.IETF.org.
When IPsec is enabled on BMENOCs, the following traffic/services can be IP secured:
- SNMP agent and SNMP traps
- NTP client
- EtherNet/IP TCP traffic as adapter/server
- Modbus server (port502)
- HTTPS
- ICMP (Ping, etc)
- FTP server, TFTP server
IP Filter List
IPsec uses packet filters to evaluate communication packets according to their connections to various services. Packet filters are located between the endpoints of a peer-to-peer connection to verify that the packets adhere to the established administrative rules for communications. Every IP filter in a single IP filter list has the IP address of the same source of the communications packets. The IP addresses for the destinations of communications packets (BME NOC 03•1 modules) are different.
The Access Control List (ACL) function allows/disallows incoming traffic the following services based on IP address or subnet:
- Modbus server (port 502)
- EIP adapter
- FTP server (Used only for FDR)
- TFTP server
- HTTPS server
- SNMP agent
This feature is useful when requirement is to allow only validated IP addresses to get connected to the controller.
Syslog for Ethernet Services
The SysLog function can detect and log the following events to the Syslog server:
- TCP failure connection due to Access Control List
- Enable/Disable of communication Services via ETH_PORT_CTRL FB.
- Ethernet port Link up/down events
- RSTP topology change
- Configuration download of COM services
- Program operating Mode change of COMs (Run, stop)
- Failed and successful FTP login (for Firmware update and Fast Device Replacement)
CSPN certification
This certification is an exotic one since it does not follow usual rules of certifications. Here you put your product on a table and for 2 months, a team of professional and experienced “hackers” try to enter the product. If after 2 months, your product could not be penetrated, then you have your certificate.
Released for:Schneider Electric Canada
