In general, firewalls help protect network security zone perimeters by blocking unauthorized access and permitting authorized access. A firewall is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy traffic between different security zones based upon a set of rules and other criteria.
Process control devices and high-speed manufacturing machines require fast data throughput and often cannot tolerate the latency introduced by an aggressive security strategy inside the control network. Firewalls, therefore, play a significant role in a security strategy by providing levels of protection at the perimeters of the network. Firewalls are an important part of an overall, system level strategy. By default, firewall rules do not allow the transfer of incoming IP telegrams from a controller network to a fieldbus network.
NOTE: Schneider Electric adheres to industry best practices in the development and implementation of control systems. This includes a "Defense-in-Depth" approach to secure an Industrial Control System. This approach places the controllers behind one or more firewalls to restrict access to authorized personnel and protocols only.
|
|
|
UNAUTHENTICATED ACCESS AND SUBSEQUENT UNAUTHORIZED MACHINE OPERATION |
|
oEvaluate whether your environment or your machines are connected to your critical infrastructure and, if so, take appropriate steps in terms of prevention, based on Defense-in-Depth, before connecting the automation system to any network. oLimit the number of devices connected to a network to the minimum necessary. oIsolate your industrial network from other networks inside your company. oProtect any network against unintended access by using firewalls, VPN, or other, proven security measures. oMonitor activities within your systems. oPrevent subject devices from direct access or direct link by unauthorized parties or unauthenticated actions. oPrepare a recovery plan including backup of your system and process information. |
|
Failure to follow these instructions can result in death, serious injury, or equipment damage. |
There are three ways to manage the controller firewall configuration:
oStatic configuration
oDynamic changes
oApplication settings
Script files are used in the static configuration and for dynamic changes.
The static configuration is loaded at the controller boot.
The controller firewall can be statically configured by managing a default script file located in the controller. The path to this file is /usr/Cfg/FirewallDefault.cmd.
After the controller boot, the controller firewall configuration can be changed by the use of script files.
There are two ways to load these dynamic changes using:
oA physical SD card.
oA function block in the application.
