Cyber Security

Introduction

The BMENOS0300 module is an inexpensive, easy-to-use network switch that is configured exclusively by means of the two rotary switches. In addition, it receives its IP address from a DHCP server, based on the auto-generated device name. As a simple device, the BMENOS0300 has very limited functionality. Its core functionality, switching, is configured using rotary switches. Diagnostics are provided by IP based Ethernet services.

This topic shows you how to provide CPU-based Ethernet services and switching functionality to the BMENOS0300 module.

Access Control

Because the BMENOS0300 is a switching module, there is no need for it to provide ACL protection to IP based services. All Ethernet packets are pass through. Hence protection can be provided for the connected end devices (such as the CPU and the Ethernet I/O adapter module).

The BMENOS0300 module accepts Ethernet packets sent to its Ethernet ports from connected Ethernet devices. If you wish to limit the inflow of Ethernet packets into your application, you can enable Access Control in the Security tab of the M580 CPU module DTM. Access Control restricts device access to the CPU in its role as a server. You can add the IP addresses of the devices that you want to communicate with the CPU to the list of Authorized Addresses:

By default, the IP address of the CPU’s embedded Ethernet I/O scanner service with subnet set to Yes allows any device in the subnet to communicate with the CPU through EtherNet/IP or Modbus TCP.
Add the IP address of any client device that may send a request to the CPU’s Ethernet I/O scanner service, which, in this case, acts as a Modbus TCP or EtherNet/IP server.
Add the IP address of your maintenance PC to communicate with the PAC through the CPU Ethernet I/O scanner service via Control Expert to configure and diagnose your application.

NOTE: The subnet in the IP Address column can be the subnet itself or any IP address inside the subnet. If you select Yes for a subnet that does not have a subnet mask, a pop-up window states that the screen cannot be validated because of a detected error.

Disabling Ethernet Services

Ethernet access to the BMENOS0300 module is not enabled until it is served an IP address from a DHCP server.

If you wish to disable Ethernet services for the module, do not assign it an IP address. In this configuration, the module continues to operate as an Ethernet switch, but does not initiate its Ethernet services.

When the BMENOS0300 receives an IP address, the information that can be accessed via its DDDT is read-only diagnostic data, which necessarily presents only a limited security concern. If the BMENOS0300 stops functioning properly as the result of a cyber attack, the module enters a reduced functionality operating mode, in which its switching function is disabled. This response limits the likelihood of the attack affecting other devices in the Ethernet network.

Disabling Switch Ports

You can disable the service port by setting the SERVICE rotary switch to the DISABLED position. You cannot disable the two network ports or the backplane port. However, as noted above, you can configure access control for the M580 CPU in your application.