151
Security Considerations
Security control recommendations are provided hereby to avoid unauthorized external access that may
result in the following:
• Loss of system availability.
• Incorrect execution of controls causing damage to the plant, or theft or contamination of the
product.
• The capture, modification or deletion and loss of data.
• Device Isolation:
o Isolated Solution
Restrict physical access to the device and other network devices in the network.
The device must be physically protected in locked cabinets, and logically protected with
passwords to prevent tampering.
Isolate the device from the other computer networks.
o Control Room Isolation
Isolate devices to the process control network, following best practices.
Logically segment process control system networks into multiple segments (such as
control network, supervisory network, non-control system network, business network).
o Provide Remote Access/Isolation
Use VPN and Business Firewall to prohibit or restrict unnecessary network traffic into
control system networks from non-control system network and vice versa.
• MDM Communication
o Secure the communication between the device/cellular network and the remote MDM host,
over a private VPN IPsec tunnel.
o Use a firewall and secure the local area network connecting VPN Gateway and server
hosting MDM/host application.
• Key Management Recommendation
o Avoid using default and common credentials.
o The user is strongly advised to change the default password for device access during
installation. Also, the user is strongly advised to periodically change the password of the
device as per respective organization policies.
o Follow standards and / or best practices for key management (e.g.: NIST, ISO)
o Take steps to implement and enforce physical security of devices in network
o Apply Zone Protection profiles to provide protection against entire zones from flood attacks
and DoS protection. This provides granular defense for specific systems, especially
critical systems that users access from the internet and often attack targets, such as web
servers and database servers. Apply both types of protection.
o Logically and physically isolate control system networks from non-control system networks.
The network devices (e.g. switches, routers, firewalls) along with necessary access control and
routing policy can be used to logically isolate, prioritize the different network segment and/or
application traffic.
Caution: The caution warns you of possible damage to property and provides instructions to
avoid damage to Mini-AT.
Security Control Recommendations:
To Next Page
Loading...
Need help?
General
