Tripp Lite EVMAGU23X NEW Eaton G4 Universal-Input Managed PDU, 208V and 415/240V, 42 Outlets, Input Cable Sold Separately, 72-Inch 0U Vertical

Eaton G4 Gigabit Network Module GNM Firmware User Guide - Page 166

For EVMAGU23X NEW.

PDF manual, 231 pages.

Cybersecurity recommended secure hardening guidelines
Securing the Network Management Module – 166
Restrict administrative privileges - Threat actors are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Limit privileges to only those needed for a user’s duties.
Perform periodic account maintenance (remove unused accounts).
Change passwords and other system access credentials whenever there is a personnel change.
Use client certificates along with username and password as an additional security measure.
Description of the User management in the Network Module:
User and profiles management: (Navigate to Contextual help>>>Settings>>>Local users)
Add users
Remove users
Edit users
Password/Account/Session management: (Navigate to Contextual help>>>Settings>>>Local users)
Password strength rules – Minimum length/Minimum upper case/Minimum lower case/Minimum digit/Special character
Account expiration – Number of days before the account expiration/Number of tries before blocking the account
Session expiration – No activity timeout/Session lease time
See "Default settings parameters" in the embedded help for (recommended) default values.
Additionally, it is possible to enable account expiration to force users to renew their password periodically.
Default credentials: admin/admin
The change of the default "admin" password is enforced at first connection.
It is also recommended to change the default "admin" user name through the Contextual help>>>Settings>>>Local users page.
Follow embedded help for instructions on how to edit a user account.
Server and client certificate configuration: (Navigate to Contextual help>>>Settings>>>Certificate)
Follow embedded help for instructions on how to configure it.
5.2.2.4 Deactivate unused features
The Network module provides multiple options to upgrade firmware, change configurations, set power schedules, etc. The device also provides multiple options to connect with it, i.e. SSH, SNMP, SMTP, HTTPS, etc. Services like SNMPv1 are considered insecure and Eaton recommends disabling all such insecure services.
It is recommended to disable unused physical ports like USB and SD card.
Disable insecure services like SNMP v1
Network Security
The Network module provides network access to facilitate communication with other devices in the systems and configuration. But this capability could open up a big security hole if it’s not configured securely.
Eaton recommends segmenting networks into logical enclaves and restricting communication to host-to-host paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (as recommended by NIST SP800-82[R3]) for better security control.
Avoid using ‘umac’ based MAC algorithms; use only secure algorithms while connecting to the SSH interface of the card.
Eaton recommends using the following secure algorithms:
Key Exchange algorithms
diffie-hellman-group14-sha256
diffie-hellman-group18-sha512
Encryption algorithms
aes256-ctr
Message Authentication Code (MAC) algorithms
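
Added example (not from the Eaton guide): a Python check that audits an OpenSSH client's effective settings, as printed by `ssh -G <host>`, against the key exchange and encryption algorithms listed above and flags any 'umac' based MAC. The sample output and host name are constructed, and because the recommended MAC list is not reproduced on this page, the check only rejects umac MACs rather than enforcing a MAC allowlist.

```python
# Added example: audit an OpenSSH client's effective algorithms against the
# key exchange and cipher lists on this page, and reject any 'umac' MAC.
# Input is the text printed by `ssh -G <host>`; the sample below is constructed.

ALLOWED = {
    "kexalgorithms": {"diffie-hellman-group14-sha256",
                      "diffie-hellman-group18-sha512"},
    "ciphers": {"aes256-ctr"},
}

# Constructed sample of `ssh -G` output (host name is a placeholder).
SAMPLE_SSH_G = """\
hostname pdu-nmm.example.internal
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
ciphers aes256-ctr
macs umac-64-etm@openssh.com,hmac-sha2-256
"""

def parse_effective_config(text):
    """Return {keyword: [values]} for the algorithm lines of `ssh -G` output."""
    found = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        keyword = keyword.lower()
        if keyword in ("kexalgorithms", "ciphers", "macs"):
            found[keyword] = [v for v in value.strip().split(",") if v]
    return found

def audit(text):
    """Return a sorted list of (keyword, algorithm, reason) findings."""
    config = parse_effective_config(text)
    findings = []
    for keyword, allowed in ALLOWED.items():
        if keyword not in config:
            findings.append((keyword, "", "line missing from input"))
            continue
        for alg in config[keyword]:
            if alg not in allowed:
                findings.append((keyword, alg, "not in recommended list"))
    for alg in config.get("macs", []):
        if alg.lower().startswith("umac"):
            findings.append(("macs", alg, "umac-based MAC"))
    return sorted(findings)

if __name__ == "__main__":
    for keyword, alg, reason in audit(SAMPLE_SSH_G):
        print(f"{keyword}: {alg or '-'} ({reason})")
```

An empty result means every offered key exchange and cipher is on the list above and no umac MAC is enabled for that host.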