Managing Accounts
Schneider Electric recommends the following regarding account management:
Create a standard user account with no administrative privileges.
Use the standard user account to launch applications. Use more privileged accounts to launch an application only if the application requires higher privilege levels to perform its role in the system.
Use an administrative level account to install applications.
Managing User Account Controls (UAC) (Windows 10)
To block unauthorized attempts to make system changes, Windows 10 grants applications the permission levels of a normal user, with no administrative privileges. At this level, applications cannot make changes to the system. UAC prompts the user to grant or deny additional permissions to an application. Set UAC to its maximum level. At the maximum level, UAC prompts the user before allowing an application to make any changes that require administrative permissions.
To access UAC settings in Windows 10, open , or enter UAC in the Windows 10 search field.
Managing Passwords
Password management is one of the fundamental tools of device hardening, which is the process of configuring a device against communication-based threats. Schneider Electric recommends the following password management guidelines:
Enable password authentication on all e-mail and Web servers, CPUs, and Ethernet interface modules.
Change all default passwords immediately after installation, including those for:
user and application accounts on Windows, SCADA, HMI, and other systems
scripts and source code
network control equipment
devices with user accounts
FTP servers
SNMP and HTTP devices
Control Expert
Grant passwords only to people who require access. Prohibit password sharing.
Do not display passwords during password entry.
Require passwords that are difficult to guess. They should contain at least 8 characters and should combine uppercase and lowercase letters, digits, and special characters when permitted.
Require users and applications to change passwords on a scheduled interval.
Remove employee access accounts when employment has terminated.
Require different passwords for different accounts, systems, and applications.
Maintain a secure master list of administrator account passwords so they can be quickly accessed in the event of an emergency.
Implement password management so that it does not interfere with the ability of an operator to respond to an event such as an emergency shutdown.
Do not transmit passwords via e-mail or any other means over the insecure Internet.
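The guidelines above (change factory defaults, including SNMP community strings; require 8+ characters with mixed classes; no password reuse across accounts) can be checked against an exported credential inventory. The following audit script is an added example, not Schneider Electric's code; the asset names, secrets and the default list are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed credential inventory (hypothetical assets and values, not real
# device data), e.g. exported from a password vault for an audit.
INVENTORY = [
    {"asset": "ews01",       "account": "operator",   "secret": "Tr0ub4dor&3x"},
    {"asset": "ews01",       "account": "admin",      "secret": "Winter2024"},
    {"asset": "plc-m580-01", "account": "ftp",        "secret": "changeme"},
    {"asset": "sw-ot-01",    "account": "snmp-read",  "secret": "public"},
    {"asset": "sw-ot-01",    "account": "snmp-write", "secret": "private"},
    {"asset": "hmi01",       "account": "engineer",   "secret": "Winter2024"},
]

# Placeholder list of factory defaults; populate it from the product manuals.
KNOWN_DEFAULTS = {"public", "private", "admin", "password", "changeme"}

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def complexity_issues(secret):
    """Return the guideline violations for one secret: length and class mix."""
    issues = []
    if len(secret) < 8:
        issues.append("shorter than 8 characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(secret):
            issues.append(f"no {name} character")
    return issues

def audit(inventory):
    """Map 'asset/account' to its findings; an empty list means compliant."""
    owners = defaultdict(set)          # secret -> every account using it
    for cred in inventory:
        owners[cred["secret"]].add(f"{cred['asset']}/{cred['account']}")
    findings = {}
    for cred in inventory:
        key = f"{cred['asset']}/{cred['account']}"
        issues = []
        if cred["secret"].lower() in KNOWN_DEFAULTS:
            issues.append("factory default still in use")
        issues += complexity_issues(cred["secret"])
        others = owners[cred["secret"]] - {key}
        if others:                     # same secret on another account/system
            issues.append("reused on " + ", ".join(sorted(others)))
        findings[key] = issues
    return findings

if __name__ == "__main__":
    for key, issues in audit(INVENTORY).items():
        print(key, "OK" if not issues else "; ".join(issues))
```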
Managing HTTP
Hypertext transfer protocol (HTTP) is the underlying protocol used by the Web. It is used in control systems to support embedded Web servers in control products. Schneider Electric Web servers use HTTP communications to display data and send commands via webpages.
If the HTTP server is not required, disable it. Otherwise, use hypertext transfer protocol secure (HTTPS), which combines HTTP with a cryptographic protocol, instead of HTTP wherever possible. Allow traffic only between specific devices by implementing access control mechanisms, such as a firewall rule that permits only specific source devices to reach specific destination devices.
You can configure HTTPS as the default Web server on the products that support this feature.
Managing FTP
File transfer protocol (FTP) provides remote file handling services over a TCP/IP-based network, such as the Internet. FTP uses a client-server architecture with separate control and data connections between the client and the server.
Consider the following behavior of the FTP service provided by Schneider Electric:
The FTP protocol is disabled by default.
The FTP protocol is necessary only for specific maintenance and configuration activities. We advise our customers to disable the entire set of FTP services when they are not required.
The FTP protocol is inherently insecure and therefore must be used with care to avoid sensitive information disclosure and unauthorized access to the controllers:
Change the default passwords of all devices that support FTP, when possible.
Use an access control list (ACL) to restrict communication to the authorized IP addresses. Refer to “Cyber Security Services Per Platform” for details on the module concerned.
When using a BMENOC module, configure the IPsec feature (Set Up Encrypted Communication).
Block all inbound and outbound FTP traffic at the boundary between the enterprise network and the operations network of the control room.
Filter FTP commands between the control network and the operations network to specific hosts, or carry them over a separate, encrypted management network.
Use an external module to set up a VPN between the affected Modicon PLC modules and the engineering workstation on the control network.
BMENOC0301/11 does not support IP forwarding to the device network (IPsec limitations in the architecture).
If transparency is required between the control and device networks, an external router/VPN is needed to provide an encrypted communication between the control and device networks (see the illustration in “CSPN Security Target”).
For FTP, transparency is required to perform the following operations from the control network:
Update of Modicon M580 CPU firmware from the Automation Device Maintenance or Unity Loader software through FTP service
Network diagnostics of Modicon M580 CPU executed from a network management tool through SNMP service
Managing SNMP
Simple network management protocol (SNMP) provides network management services between a central management console and network devices such as routers, printers, and PACs. The protocol consists of three parts:
Manager: an application that manages SNMP agents on a network by issuing requests, getting responses, and listening for and processing agent-issued traps
Agent: a network-management software module that resides in a managed device. The agent allows configuration parameters to be changed by managers. Managed devices can be any type of device: routers, access servers, switches, bridges, hubs, PACs, drives.
Network management system (NMS): the terminal through which administrators can conduct administrative tasks
Schneider Electric Ethernet devices have SNMP service capability for network management.
Often SNMP is automatically installed with “public” as the read community string and “private” as the write community string. This type of installation allows an attacker to perform reconnaissance on a system and to create a denial of service.
To help reduce the risk of an attack via SNMP:
If SNMP v1 is required, use access settings to limit the devices (IP addresses) that can access the switch. Assign different read and read/write passwords to devices.
Change the default passwords of all devices that support SNMP.
Block all inbound and outbound SNMP traffic at the boundary between the enterprise network and the operations network of the control room.
Filter SNMP v1 commands between the control network and operations network to specific hosts or communicate them over a separate, encrypted management network.
Control access by identifying which IP address has privilege to query an SNMP device.
Use an external module to set up a VPN between the Modicon PLC impacted modules and the engineering workstation on the control network.
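The HTTP, FTP and SNMP recommendations above all reduce to the same boundary policy: block FTP and SNMP in both directions between the enterprise and operations networks, and allow HTTPS, maintenance FTP and SNMP queries only from named hosts to named devices. The first-match policy evaluator below is an added example, not Schneider Electric's code or any firewall's syntax; the zone addresses and host roles are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the two zones and the hosts the rules name
# (hypothetical values, not from any real deployment).
ENTERPRISE = ip_network("10.1.0.0/16")
OPERATIONS = ip_network("192.168.10.0/24")
EWS = ip_network("192.168.10.5/32")      # engineering workstation
NMS = ip_network("192.168.10.6/32")      # network management station
PLC = ip_network("192.168.10.20/32")     # M580 CPU / BMENOC web and FTP server
ANY = ip_network("0.0.0.0/0")

# Services as (protocol, port). FTP uses a separate data connection, so the
# real enforcement point must be a stateful firewall that tracks FTP sessions.
FTP, HTTP, HTTPS, SNMP = ("tcp", 21), ("tcp", 80), ("tcp", 443), ("udp", 161)

# First match wins, as in most firewalls and ACLs; anything unmatched is denied.
# Explicit boundary denies come first so a later, broader allow cannot reopen them.
RULES = [
    ("deny",  ENTERPRISE, OPERATIONS, FTP),
    ("deny",  OPERATIONS, ENTERPRISE, FTP),
    ("deny",  ENTERPRISE, OPERATIONS, SNMP),
    ("deny",  OPERATIONS, ENTERPRISE, SNMP),
    # Maintenance FTP only from the engineering workstation to the named PLC.
    ("allow", EWS, PLC, FTP),
    # Web diagnostics over HTTPS from the workstation only; plain HTTP is never allowed.
    ("allow", EWS, PLC, HTTPS),
    # SNMP queries only from the management station.
    ("allow", NMS, PLC, SNMP),
]

def evaluate(src, dst, proto, port, rules=RULES):
    """Return 'allow' or 'deny' for one flow using first-match semantics."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, (r_proto, r_port) in rules:
        if src in s_net and dst in d_net and proto == r_proto and port == r_port:
            return action
    return "deny"   # default deny for everything not explicitly listed

if __name__ == "__main__":
    # Constructed sample flows: enterprise host, workstation, stray OT host, PLC.
    flows = [("10.1.5.7", "192.168.10.20", "tcp", 21),
             ("192.168.10.5", "192.168.10.20", "tcp", 21),
             ("192.168.10.5", "192.168.10.20", "tcp", 80),
             ("192.168.10.77", "192.168.10.20", "tcp", 443),
             ("192.168.10.20", "10.1.5.7", "udp", 161)]
    for flow in flows:
        print(*flow, "->", evaluate(*flow))
```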
Managing Control Expert Application, Section, Data Storage, and Firmware Password
In Control Expert, passwords apply to the following (depending on the CPU):
Control Expert and CPU application protection by a password helps prevent unwanted application modification, download, or opening (.STU, .STA and .ZEF files). The password is stored encrypted in the application.
In addition to the password protection you can encrypt the .STU, .STA and .ZEF files. The file encryption feature in Control Expert helps prevent modifications by any malicious person and reinforces protection against theft of intellectual property. The file encryption option is protected by a password mechanism.
NOTE: When a controller is managed as part of a system project, the application password and file encryption are disabled in the Control Expert editor and need to be managed by using the Topology Manager. More details are provided in the Application Protection topic.
The section protection function is accessible from the screen of the project in offline mode. This function is used to protect the program sections. More details are provided in the Section and Subroutine Protection topic.
NOTE: The section protection is not active as long as the protection has not been activated in the project.
Data storage protection by a password helps prevent unwanted access to the data storage zone of the SD memory card (if a valid card is inserted in the CPU). It also helps prevent unwanted access to web diagnostics (for M580 CPU firmware ≥ 4.0). More details are provided in the Data Storage Protection topic.
Firmware download protection by a password helps prevent download of malicious firmware inside the CPU. More details are provided in the Firmware Protection topic.