• Control room engineering workstation (Unity Pro for programming & SCADA) communication.
• Transversal communication from one functional unit device (HMI as example) to another control functional unit device.
Configure the Syslog Server network interfaces to use port 514 over both the UDP and TCP protocols. To configure the network interfaces:
• Start Syslog Watcher: from the Windows Start menu, select All Programs and launch SyslogWatcher4.
Use this tool to manage security settings for Unity Security Editor itself, Unity Pro XL and OS Loader. It allows you to define users, their passwords,
profiles and policies used when accessing Security Editor, Unity Pro XL and OS Loader. User profiles determine what privileges users have after logging
in (i.e., read only, read write). Policies define the protective measures applied at login (i.e., security off, security on mandatory login). A re-installation or
update of Unity Pro returns the Security Editor configuration to the default settings, so after an update it is a good idea to re-enter the customized
settings.
Unity Pro XL
Unity Pro XL is used to configure and program the Modicon M580 PACs in this example architecture. Configuring project properties allows the
assignment of passwords to the application, code sections, firmware and data storage components. In the project properties protection window, there
are four areas where passwords can be set: Application, Sections, Firmware and Data Storage.
• Authentication Header (AH) messaging provides source authentication and data integrity by encoding the header with a 96-bit hash algorithm. It helps protect against
replay attacks by using increasing sequence numbers and can be used to identify duplicate packets.
• Encapsulating Security Payload (ESP) messaging incorporates Authentication Header messaging and encrypts the original packet, then embeds it into a new
packet for transmission.
• TFTP – Trivial File Transfer Protocol used for transfer of configuration files to devices such as CRA modules in Ethernet Remote I/O architecture.
• HTTP – Hypertext Transfer Protocol used for accessing web pages of Modicon M580.
• DHCP/BOOTP – Dynamic Host Configuration/BOOTP server used to configure IP address and subnet mask for devices such as CRA modules in Ethernet Remote
I/O drops.
• Restrict network traffic to only authorized devices and types of communications and services.
• Physically and logically separate the functional units from the less trusted layers of the network.
• Event logging.
• Supports two types of rules: standard protocol denying rules and complex rules for advanced traffic filtering, for example, rules that block a subset of traffic types.
• Deep packet inspection using the utilities Modbus TCP Enforcer and EtherNet/IP Enforcer.
• Event logging of security events that triggers the sending of alarms to both the firewall memory and external alarm management systems.
Figure 60 is a screen capture of the rules that need to be created for the firewall to allow transparency to the RIO/DIO network for the engineering
workstation. Eng Station 2 is used for webpage access to devices in RIO/DIO network. Eng Station is used for Syslog Server, Unity Pro, Unity Loader,
OFS, and SoMove.
Rules 2-7 allow HTTP and Modbus TCP protocols needed to display STB and TeSys T web pages. A Modbus TCP Enforcer was used to allow only
Modbus function codes (FC) 3 & 8. FC 3 was used to read Modbus register data and FC 8 was used to read diagnostic information for the web pages.
Rules 8 & 9 allow HTTP and Modbus TCP protocols needed to display the Altivar 71 web pages. Modbus TCP Enforcer was used to allow only Modbus
function codes 3 and 43. FC 3 was used to read Modbus register data and FC 43 (Encapsulated Interface Transport) to populate web page data and
diagnostic information.
Rule 10 allows HTTP protocol for Modicon M580 PAC web pages.
Rules 11-13 allow HTTP, SNMP and Telnet, which are used by the ConneXium TCSESM-E switches for web pages, management and configuration.
Rule 14 allows Modbus TCP to the Modicon M580 PAC's main IP address. Modbus TCP Enforcer was used to restrict the allowable Modbus function codes
to only FC 90 for programming and FC 8 for DTM diagnostic data.
Rule 15 allows ICMP ping. This is only needed for connection to devices in the Modicon M580 PAC ERIO network using the Unity DTM browser.
Rule 16 allows EtherNet/IP (CIP) explicit messages to the Modicon M580 PAC using the Unity DTM.
Rules 17-20 allow Modbus TCP Explicit Messages to the STBs, TeSys T, and Altivar 71 drive using Unity Pro DTM browser to obtain Modbus data,
which can be used to assist in diagnostics of module operation. Rule 19 also allows configuring TeSys T device using SoMove.
Rules 22-24 allow the SysLog protocol for event log messages from the BMENOC, Modicon M580 PAC and TCSESM-E switch.
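The per-destination function-code filtering that the Modbus TCP Enforcer rules above apply (FC 3 and 8 for the STB and TeSys T web pages, FC 3 and 43 for the Altivar 71, FC 90 and 8 for the M580 PAC) can be illustrated with a small MBAP parser and allowlist check. This is an added example, not code from the document or from the ConneXium firewall; the destination names and sample frames are constructed for illustration.

```python
import struct

# Constructed allowlists mirroring the Enforcer settings described in the rule
# text above. Destination labels are placeholders, not addresses from the page.
FC_ALLOWLIST = {
    "stb_tesyst": {3, 8},    # rules 2-7: read registers, diagnostics
    "altivar71": {3, 43},    # rules 8-9: read registers, encapsulated interface transport
    "m580_pac": {90, 8},     # rule 14: Unity programming, DTM diagnostics
}

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_modbus_tcp(frame: bytes):
    """Parse the MBAP header; return (unit_id, function_code, pdu) or raise ValueError."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus")
    # The length field counts the unit id plus the PDU bytes that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return unit, frame[MBAP_LEN], frame[MBAP_LEN:]


def enforce(frame: bytes, destination: str) -> str:
    """Return 'allow' or 'deny' for one Modbus/TCP request bound for destination."""
    try:
        _unit, fc, _pdu = parse_modbus_tcp(frame)
    except ValueError:
        return "deny"  # malformed frames are dropped before reaching the device
    if fc & 0x80:
        return "deny"  # exception-response codes are never valid requests
    return "allow" if fc in FC_ALLOWLIST.get(destination, set()) else "deny"


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (helper for the constructed samples)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample requests.
READ_HOLDING = build_request(1, 1, 3, struct.pack(">HH", 0, 10))   # FC 3
WRITE_SINGLE = build_request(2, 1, 6, struct.pack(">HH", 0, 1))    # FC 6
DIAGNOSTIC = build_request(3, 1, 8, struct.pack(">HH", 0, 0))      # FC 8
READ_DEVICE_ID = build_request(4, 1, 43, b"\x0e\x01\x00")          # FC 43
```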