
Thytronic SME2-IS User Manual

Thytronic SME2-IS
84 pages
SME2-IS - Manual - 06-2021
INSTALLATION
6 CYBER SECURITY
Preface
The cyber security functions implemented by the SME2-IS mitigate cyber threats by providing:
• Protected communications between the SME2-IS and the mapped tool via SSH (Secure SHell)
• Password based user authentication
• Management of authorisations for Role Based Access Control (RBAC)
• Protected log filing (Syslog service)
The following operative areas can be identified:
• Configuration Management
• HW Systems and Networking Equipment
• Initial System Configuration
• Threat and Vulnerability Management
• Access Control
• Authentication and Authorization Management
• Auditing
• Network Communication Security
The described procedures have been selected in consideration of the following standards and
guidelines:
• ISO/IEC 27001:2013
• NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
• IEC 62351
IEC 62351 will be applied if expressly requested, to guarantee control of communications protocols
and data flows.
Configuration management
Conguration management is a set of procedures which control modications to hardware, rm-
ware, software and documentation to ensure that all devices are protected against unwanted mod-
ication before, during and after system implementation.
Hardware systems and networking equipment
The devices are industrial and satisfy industrial quality and EMC standards.
Only passive systems without fans are used for heat management. The devices can be assigned IP
addresses on the basis of pertinent network planning rules. Appropriate HW protection mechanisms
can be implemented on request (e.g. tamperproofing, etc.).
Initial system configuration
The protection relays are equipped only with the network services required to execute their protection
programs, thus limiting the number of open TCP / UDP ports.
All services and operating systems are updated to the latest version at the time of release. Access
even for "known" users is eliminated and only one local non-administrator user is left active to install
and configure the device initially.
Threat and vulnerability management
The device's operating system is supported by the vendor to ensure conformity with regular security
bulletins and patches.
Access control
In addition to the local non-administrator user, user authentication can be delegated to a centralised
platform through the RADIUS client, to obtain access to the Windows Active Directory.
Authentication and authorization management
AAM is based on the “RBAC” (Role Based Access Control) model, i.e. the device allows execution of
functions in relation to the user's assigned role.
The following roles are available:
• “Administrator”: Complete control of the device
• “Operator1”: Limited Level 1 read/write access
• “Operator2”: Limited Level 2 read/write access
Auditing
The device tracks the most important system operations/actions, like accesses and modifications to
the configuration, with a “syslog” service.

Thytronic SME2-IS Specifications

General
Brand: Thytronic
Model: SME2-IS
Category: Security Sensors
Language: English