DeltaV Security Manual
DeltaV™ Security Manual
Implementing Security on the DeltaV Distributed Control System
v3.1.0
October 2014
To protect this information this public version only provides the Table of Content information.
A full copy of this document will be provided upon request to your local DeltaV sales/support office.
For internal Emerson personnel: This document is available on the Global Sales Portal in the DeltaV Confidential Papers section.
© 2015 Fisher-Rosemount Systems, Inc. All rights reserved.
This manual is Emerson confidential and intended for use only by customers, employees, LBPs, and others who are responsible for providing security
services to Emerson Process Management systems and products. It may be provided to potential customers as required to evaluate DeltaV security
implementation. It does not require an NDA for distribution.
This manual must not be posted on public websites or redistributed, except as noted above, without permission from Emerson
Process Management.
DeltaV Security Manual October 2014
Table of Contents
1 Introduction ................................................................................................................................5
1.1 Purpose ..........................................................................................................................................5
1.2 Organization ..................................................................................................................................5
1.3 Relevant documentation.................................................................................................................5
1.3.1 Background reading.................................................................................................................5
1.3.2 DeltaV documentation ...........................................................................................................6
1.3.3 Microsoft documentation........................................................................................................6
1.3.4 3rd party product documentation ..........................................................................................6
1.4 Security and DeltaV system projects................................................................................................7
1.5 Security Collaboration between IT and Operations Departments ...................................................8
1.6 Submitting Material for This Manual ............................................................................................ 10
1.7 Glossary....................................................................................................................................... 10
2 Security basics........................................................................................................................... 12
2.1 Threats to control systems ........................................................................................................... 12
2.2 Assets and compromises ............................................................................................................. 12
2.3 Vulnerabilities ............................................................................................................................. 13
2.4 Performing a risk assessment ....................................................................................................... 13
2.4.1 Summary security checklist ................................................................................................. 14
2.4.2 Defense-in-depth ................................................................................................................ 15
2.4.3 Security Hardening .............................................................................................................. 15
2.5 Protecting assets from threats...................................................................................................... 15
2.5.1 Overview.............................................................................................................................. 15
2.5.2 Principal safeguards ............................................................................................................. 16
2.5.2.1 Security policies and procedures.................................................................................. 16
2.5.2.2 Physical security .......................................................................................................... 18
2.5.2.3 Cyber security perimeters............................................................................................. 18
2.5.2.4 Encryption and digital signatures................................................................................. 19
2.5.2.5 Role-based access controls........................................................................................... 20
2.6 Implementing DeltaV security...................................................................................................... 20
3 DeltaV security .......................................................................................................................... 21
3.1 Overview...................................................................................................................................... 21
3.2 DeltaV architecture ..................................................................................................................... 22
3.2.1 External access to DeltaV systems ....................................................................................... 22
3.2.1.1 DeltaV 2.5 network ..................................................................................................... 22
www.emersonprocess.com/deltaV
i
DeltaV Security Manual October 2014
3.2.1.1.1 Description................................................................................................................ 22
3.2.1.1.2 DeltaV 2.5 network connectivity................................................................................ 25
3.2.1.1.3 Using wireless in the DeltaV 2.5 network ................................................................... 26
3.2.1.1.3.1 Wireless Ethernet device security...................................................................... 28
3.2.1.1.4 The DeltaV 2.5 network perimeter security device.................................................... 28
3.2.1.2 The DeltaV remote (RAS) network .................................................................................... 29
3.2.1.3 The Process DMZ............................................................................................................... 30
3.2.1.4 Remote access applications............................................................................................... 32
3.2.1.4.1 Overview................................................................................................................... 32
3.2.1.4.2 Microsoft Remote Desktop ....................................................................................... 33
3.2.1.4.3 DeltaV remotely accessible applications ................................................................... 34
3.2.1.4.4 DeltaV Firewall Conguration Information ................................................................. 35
3.2.2 DeltaV control system networks ............................................................................................... 39
3.2.2.1 DeltaV area control network (ACN) .............................................................................. 39
3.2.2.1.1 Description........................................................................................................... 39
3.2.2.1.2 Emerson Process Management Smart Switches ................................................... 40
3.2.2.1.2.1 Capabilities and operation ........................................................................... 40
3.2.2.1.2.2 Management ............................................................................................... 41
3.2.2.1.3 DeltaV Controller Firewall ..................................................................................... 41
3.2.2.1.3.1 Capabilities and operation ........................................................................... 41
3.2.2.1.3.2 Management ............................................................................................... 42
3.2.2.1.4 Connecting non-DeltaV computers to the ACN..................................................... 42
3.2.2.1.5 Extending the ACN using wireless Ethernet bridges............................................... 43
3.2.2.2 SIS networks................................................................................................................. 43
3.2.2.2.1 Description........................................................................................................... 43
3.2.2.2.2 DeltaV SIS Intrusion Protection Device (SIS IPD).................................................... 44
3.2.2.2.2.1 Capabilities and operation ........................................................................... 44
3.2.2.2.2.2 Management ............................................................................................... 45
3.2.2.2.3 SIS Engineering Workstations............................................................................... 45
3.2.2.3 WirelessHART segments................................................................................................ 45
3.2.2.3.1 Description........................................................................................................... 45
3.2.2.3.2 Separation of maintenance workstations and wireless devices ............................. 47
3.2.2.3.3 WirelessHART device security .............................................................................. 47
3.2.3 DeltaV Zones .................................................................................................................. 47
3.2.4 DeltaV workstations ....................................................................................................... 47
3.2.4.1 Physical security ..................................................................................................... 47
www.emersonprocess.com/deltaV
ii