DOCA0172EN-14

Security Capabilities

General Cybersecurity Recommendations

WARNING
POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY
  • Disable unused ports/services to help minimize pathways for malicious attackers.
  • Place networked devices behind multiple layers of cyber defenses (such as firewalls, network segmentation, and network intrusion detection and protection).
  • Use cybersecurity best practices (for example, least privilege, separation of duties) to help prevent unauthorized exposure, loss, modification of data and logs, or interruption of services.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

For detailed information about cybersecurity for the EcoStruxure Panel Server, see DOCA0211•• EcoStruxure Panel Server - Cybersecurity Guide. For a general introduction to cybersecurity threats and how to address them, see How Can I Reduce Vulnerability to Cyber Attacks?.

For more information about cybersecurity, visit Schneider Electric Cybersecurity Support Portal.

Security Features

Security features have been built into the EcoStruxure Panel Server to help the device to operate correctly and behave according to its intended purpose.

The key features are:

  • Authentication when accessing the product resources from EcoStruxure Power Commission software or from the webpages

  • Secure communications between the EcoStruxure Panel Server and its associated wireless devices (supporting confidentiality and integrity)

  • Configurable security services and settings

  • Firmware update mechanism

Two Wired by Design EcoStruxure Panel Server models (PAS600LWD and PAS600PWD) are offered with no native wireless chipset. This removes the potential threat from unauthorized radio devices.

These features provide security capabilities that help to protect the product from potential security threats that could disrupt the product operation (availability), modify information (integrity), or disclose confidential information (confidentiality).

The security capabilities are intended to mitigate the inherent threats linked to the use of the EcoStruxure Panel Server in an Operational Technology environment.

However, the effectiveness of these capabilities depends on the adoption and application of the following recommendations:

Potential Risks and Compensation Controls

Area: Unsecure protocols

Issue: Modbus and some IT protocols (NTP, DHCP, DNS, and DPWS) are unsecure. The device does not have the capability to transmit data encrypted using these protocols.

Risk: If a malicious user gained access to your network, they could intercept communications.

Compensating controls:

  • If transmitting data over an internal network, physically or logically segment the network.

  • If transmitting data over an external network, encrypt protocol transmissions over all external connections using a VPN (Virtual Private Network) or a similar solution.

  • For communication with Modbus devices, limit access to Modbus TCP/IP devices on your network by deactivating Modbus communication per Panel Server interface (ETH1/ETH2/Wi-Fi) on the Panel Server webpages.

Area: Wireless radio communication

Issue: During the pairing window, unauthorized radio devices may try to join the network.

Risk: If a rogue device gained access to your network, it could eavesdrop on the communication of your wireless network, create an integrity data breach (for example, by sending fake data), or create a Denial of Service (DoS).

Compensating controls:

  • Reduce commissioning window to limit exposure.

  • Once the pairing is performed, consult the list of paired devices in EcoStruxure Panel Server configuration using EcoStruxure Power Commission software and make sure that the list of devices contains no unexpected or rogue devices.
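The following added example (not Schneider Electric code) shows one way to verify the per-interface Modbus deactivation described above: it compares observed Modbus TCP reachability on each Panel Server interface with the intended setting. The interface addresses are constructed placeholders, the policy table is an assumption, and port 502 is the standard Modbus TCP port.

```python
import socket

MODBUS_TCP_PORT = 502  # standard Modbus TCP port

# Constructed policy (assumption): interface -> (address, Modbus intended to be active?)
# Addresses are documentation-range placeholders, not real device values.
POLICY = {
    "ETH1": ("192.0.2.10", True),
    "ETH2": ("192.0.2.11", False),
    "Wi-Fi": ("192.0.2.12", False),
}


def port_open(host, port=MODBUS_TCP_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or unreachable: treated as not reachable
        # from this vantage point (a firewall in between looks the same).
        return False


def audit(policy, probe=port_open):
    """Compare observed Modbus TCP reachability with the intended policy.

    Returns one (interface, address, finding) tuple per mismatch.
    """
    findings = []
    for iface, (addr, expected) in sorted(policy.items()):
        observed = probe(addr)
        if observed and not expected:
            findings.append(
                (iface, addr, "Modbus TCP reachable but should be deactivated"))
        elif expected and not observed:
            findings.append(
                (iface, addr, "Modbus TCP expected but not reachable"))
    return findings


if __name__ == "__main__":
    for iface, addr, finding in audit(POLICY):
        print(f"{iface} ({addr}): {finding}")
```

Run the check from a host on the same network segment as each interface, because the result only reflects what is reachable from where the script runs.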

QR Code is a registered trademark of DENSO WAVE INCORPORATED in Japan and other countries.
