
EcoStruxure Plant

Hybrid & Discrete Industries

Confidential Property of Schneider Electric


Level of transparency
The level of transparency required between the control room and functional units, or between functional units, depends on the communication services used:

• Control room engineering workstation (Unity Pro for programming & SCADA) communication.

• Time management using NTP.

• Device and asset management communication.

• Peer-to-peer communication between functional units.

• Transversal communication from one functional unit device (HMI as example) to another control functional unit device.



ConneXium TCSESM-E Switches
Take the following actions to enhance the security of ConneXium managed Ethernet switches:
• Change default passwords.
• Disable unused ports.
• Disable telnet access (used for configuration via CLI).
• After IP assignment, disable the Ethernet Switch Configurator.
• Use IP or MAC access control list to allow access to ports.



ConneXium Port Security
The Port Security dialog is used to configure each port of the switch to help prevent unauthorized access. Access to the ports can be based on the connected device's MAC address (MAC-based port security) or IP address (IP-based port security). For each port, you can configure up to ten MAC addresses or IP addresses that will be allowed to access the switch. The Action field is used to configure what action is taken if an unauthorized device attempts to access the switch. Configurable actions are:



Syslog Server Snmpsoft Configuration
The Snmpsoft Syslog Server can be downloaded from https://www.snmpsoft.com/syslog-watcher/

To install Syslog Watcher, download and run the Windows installer package SyslogWatcherSetup-4.8.6-win32.msi.

Configure Syslog Server Network Interfaces to use port 514, UDP and TCP protocols. To configure the Network Interfaces:

• Start Syslog Watcher: from the Windows Start menu, select All Programs and launch SyslogWatcher4.

• On the pop-up menu, select Manage Local Syslog.

• Select Settings on the menu bar.

• Configure ports as shown:



Unity Pro Syslog Configuration
Functional unit #1 will use a Syslog server running on the engineering workstation (Eng Station) to collect BMENOC0301 DTM events. The Unity Pro Project Settings need to be configured for event logging, the Syslog server address and the port to be used. In the Unity Pro Project Settings window, navigate to General -> PLC diagnostics, then:

• Select Event Logging

• Enter the SYSLOG server address

• Enter the SYSLOG server port number



Unity Pro XL Security Tools
Security Editor

Use this tool to manage security settings for the Unity Security Editor itself, Unity Pro XL and OS Loader. It allows you to define users, their passwords, profiles and the policies used when accessing Security Editor, Unity Pro XL and OS Loader. User profiles determine what privileges users have after logging in (e.g., read only, read/write). Policies define the protective measures applied at login (e.g., security off, security on with mandatory login). A re-installation or update of Unity Pro returns the Security Editor configuration to the default settings, so after an update it is a good idea to re-enter the customized settings.

Unity Pro XL

Unity Pro XL is used to configure and program the Modicon M580 PACs in this example architecture. Configuring project properties allows the
assignment of passwords to the application, code sections, firmware and data storage components. In the project properties protection window, there
are four areas where passwords can be set: Application, Sections, Firmware and Data Storage.



Modicon M580 PAC Remote Run/Stop & Memory Protect
An integrity check is performed when you first launch Unity Pro to help defend Unity Pro files and software against being changed by a virus or malware from the Internet. CPU firmware integrity is checked automatically after a firmware upload or a restart of the CPU. A manual integrity check can be initiated in Unity Pro by selecting Help → About Unity Pro, then clicking Perform self-test in the Integrity check area.



Modicon M580 PAC Functional Unit #1
IPsec Configuration



Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) was developed by the Internet Engineering Task Force (IETF) and designed as an open set of protocol standards that help to make IP communication sessions private and secure. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process the communication packets in an IPsec session. IPsec supports two types of messaging:

• Authentication Header (AH) messaging provides source authentication and data integrity by protecting the header with a 96-bit hash. It helps protect against replay attacks by using increasing sequence numbers, which can also be used to identify duplicate packets.

• Encapsulating Security Payload (ESP) messaging incorporates Authentication Header messaging and encrypts the original packet, then embeds it in a new packet for transmission.
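The anti-replay check that the increasing sequence numbers make possible, as an added example (not code from the Schneider document): a receiver-side sliding window of the kind an IPsec AH/ESP endpoint keeps per security association, run over a constructed stream of sequence numbers. The window size of 64 is an assumption (the common minimum).

```python
# Added example (not from the Schneider document): the anti-replay sliding
# window an IPsec AH/ESP receiver keeps per security association, so that
# the increasing sequence numbers let it drop replayed or duplicated packets.
class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Accept seq if it is new and not older than the window; record it."""
        if seq == 0:
            return False      # 0 is never sent on a fresh SA; treat as invalid
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window: start fresh
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False      # older than the window: cannot tell if replayed
        if self.bitmap & (1 << diff):
            return False      # already accepted once: replay or duplicate
        self.bitmap |= 1 << diff  # late but legitimate (reordered) packet
        return True


def classify(sequence_numbers):
    """Run a stream of sequence numbers through one window, return verdicts."""
    window = AntiReplayWindow()
    return [(s, "accept" if window.check_and_update(s) else "drop")
            for s in sequence_numbers]


# Constructed sample: in-order packets, one reordered packet, a replay of 3,
# a large jump forward, a late-but-new packet, then two stale replays.
SAMPLE_STREAM = [1, 2, 3, 5, 4, 3, 200, 150, 2, 200]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE_STREAM):
        print(seq, verdict)
```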



M580 PAC ETH_PORT_CTRL
The Modicon M580 PAC supports the function block ETH_PORT_CTRL, which allows specified services to be disabled or enabled from the Unity Pro application. The services that can be disabled or enabled are:

• FTP – File Transfer Protocol, used for exec (firmware) upgrades.

• TFTP – Trivial File Transfer Protocol, used to transfer configuration files to devices such as CRA modules in an Ethernet Remote I/O architecture.

• HTTP – Hypertext Transfer Protocol, used for accessing the web pages of the Modicon M580.

• DHCP/BOOTP – Dynamic Host Configuration/BOOTP server, used to configure the IP address and subnet mask of devices such as CRA modules in Ethernet Remote I/O drops.



Firewall
This firewall is used to help protect, control, and monitor traffic on the network. It compares network traffic against a set of configured rules. The following is a short list of its capabilities:

• Restrict network traffic to only authorized devices and types of communications and services.

• Physically and logically separate the functional units from the less trusted layers of the network.

• Hide functional units from outside view.

• Apply firewall rules to enhance overall security.

• Event logging.

• Supports two types of rules: standard protocol denying rules and complex rules for advanced traffic filtering, for example, rules that block a subset of traffic types.

• Deep packet inspection using the utilities Modbus TCP Enforcer and EtherNet/IP Enforcer.

• Event logging of security events, which triggers the sending of alarms both to the firewall memory and to external alarm management systems.



Modicon M580 PAC Functional Unit #2
ConneXium Tofino Firewall Configuration



Modicon M580 PAC Functional Unit #2
Firewall Rules

Figure 60 is a screen capture of the rules that need to be created for the firewall to allow transparency to the RIO/DIO network for the engineering workstation. Eng Station 2 is used for web page access to devices in the RIO/DIO network. Eng Station is used for the Syslog server, Unity Pro, Unity Loader, OFS, and SoMove.



Modicon M580 PAC Functional Unit #2
Rule 1 is a default rule required to allow ARP traffic to and from any device. This rule allows the TCP rules to operate: devices that use TCP use ARP to resolve each other's addresses before establishing a connection. This rule is required.

Rules 2-7 allow the HTTP and Modbus TCP protocols needed to display the STB and TeSys T web pages. A Modbus TCP Enforcer was used to allow only Modbus function codes (FC) 3 and 8: FC 3 is used to read Modbus register data and FC 8 to read diagnostic information for the web pages.

Rules 8 and 9 allow the HTTP and Modbus TCP protocols needed to display the Altivar 71 web pages. A Modbus TCP Enforcer was used to allow only Modbus function codes 3 and 43: FC 3 is used to read Modbus register data and FC 43 (Encapsulated Interface Transport) to populate web page data and diagnostic information.

Rule 10 allows the HTTP protocol for the Modicon M580 PAC web pages.

Rules 11-13 allow HTTP, SNMP and Telnet, used by the ConneXium TCSESM-E switches for web pages, management and configuration.

Rule 14 allows Modbus TCP to the Modicon M580 PAC's main IP address. A Modbus TCP Enforcer was used to restrict the allowable Modbus function codes to only FC 90 for programming and FC 8 for DTM diagnostic data.

Rule 15 allows ICMP ping. This is only needed for connecting to devices in the Modicon M580 PAC ERIO network using the Unity DTM browser.

Rule 16 allows EtherNet/IP (CIP) explicit messages to the Modicon M580 PAC using the Unity DTM.

Rules 17-20 allow Modbus TCP explicit messages to the STBs, TeSys T and Altivar 71 drive from the Unity Pro DTM browser to obtain Modbus data, which can be used to assist in diagnosing module operation. Rule 19 also allows configuring the TeSys T device using SoMove.

Rule 21 allows EtherNet/IP (CIP) explicit messages to the X80 remote drop.

Rules 22-24 allow the Syslog protocol for event log messages from the BMENOC, the Modicon M580 PAC and the TCSESM-E switch.
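The function-code allowlists that the Modbus TCP Enforcer applies in Rules 2-9 and 14, as an added example (not code from the Schneider document or the Tofino firewall): the snippet parses the MBAP header of a Modbus TCP frame and decides allow/deny per destination exactly as the rule descriptions state. The IP addresses and frames are constructed placeholders, not the architecture's real ones.

```python
import struct

# Added example (not from the Schneider document): per-destination Modbus
# function-code allowlists as stated in Rules 2-9 and 14. The addresses are
# constructed placeholders from TEST-NET-1, not the real device addresses.
ENFORCER_RULES = {
    "192.0.2.11": {"name": "STB / TeSys T web data", "allow": {3, 8}},
    "192.0.2.21": {"name": "Altivar 71 web data", "allow": {3, 43}},
    "192.0.2.31": {"name": "M580 PAC main IP", "allow": {8, 90}},
}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def enforce(dst_ip: str, payload: bytes) -> str:
    """Return 'allow' or 'deny:<reason>' as a DPI rule for dst_ip would."""
    rule = ENFORCER_RULES.get(dst_ip)
    if rule is None:
        return "deny:no rule for destination"
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "deny:malformed (%s)" % exc      # broken frames never pass
    if pdu["fc"] not in rule["allow"]:
        return "deny:FC %d not permitted for %s" % (pdu["fc"], rule["name"])
    return "allow"

def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    body = bytes([unit, fc]) + data        # constructed helper: PDU + MBAP
    return struct.pack(">HHH", tid, 0, len(body)) + body

SAMPLE_TRAFFIC = [  # constructed frames, not captured traffic
    ("192.0.2.11", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),      # read regs
    ("192.0.2.11", build_frame(2, 1, 16, b"\x00\x00\x00\x01\x02\x00\x05")),
    ("192.0.2.21", build_frame(3, 1, 43, b"\x0e\x01\x00")),          # device id
    ("192.0.2.31", build_frame(4, 255, 90, b"\x00")),                # Unity Pro
    ("192.0.2.31", build_frame(5, 255, 6, b"\x00\x01\x00\x01")),     # write reg
]

def run_sample() -> list:
    return [enforce(ip, frame) for ip, frame in SAMPLE_TRAFFIC]
```

The second and fifth frames are writes (FC 16 and FC 6) that the web-page and programming rules never permit, so they are denied even though the destinations themselves are reachable.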

