Honeywell SmartVFD Operation Manual

31-00140-01
SmartVFD Security Guide
[System diagram labels: RS485 BACnet MSTP or Modbus RTU or N2 network; Ethernet BACnet IP or Modbus TCP; LON – LonWorks bus; Building Management System (JACE or other) or IP router; PC; HVFDSDMCA Commissioning Kit; SmartVFD; Cloud]

INTRODUCTION AND INTENDED AUDIENCE

This manual contains security-related information to guide the contractor in installing, operating, and securely maintaining the SmartVFD.

SYSTEM OVERVIEW

The following is a system diagram of the SmartVFD in an example installation.
Fig. 1.
Some key elements of the diagram are:
Lonworks network: Lonworks (LON) network provides access to the Honeywell SmartVFD controller so it can communicate and share information.
BACnet network: The BACnet MS/TP or BACnet IP network provides access to the Honeywell SmartVFD controller.
Modbus RTU or N2 network: Modbus RTU or N2 bus networks provide access to the Honeywell SmartVFD controller so it can communicate and share information.
HVFDCDMCA Commissioning Kit: Required for direct access commissioning of the SmartVFD. Connects to PC via USB and connects to SmartVFD via RJ45 using a communication bus.
Drive Care Tool: PC software designed to allow user access to all of the VFD parameters. It is used in conjunction with the HVFDCDMCA Commissioning Kit hardware to connect a PC to the SmartVFD.
Building Management System: The Building Management System is not specifically defined, but can be any management system that accepts one of the communication types already described and used by the SmartVFD.
The SmartVFD has multiple communication protocol options. Typically only one communication protocol is chosen to interface with the SmartVFD in any given installation.

SYSTEM DESIGN AND PLANNING

This section contains information on activities that need to happen when the system is being planned by the contractor.

Physical Security of Components

It is important to have a plan for physical security of system components. It is recommended that the contractor identify the security needs of the building owner and provide guidance for implementation in addition to the requirements of the building owner.
It is recommended that the organization responsible for providing security for network assets be involved in the planning. The building owner's/customer's IT group needs to approve and connect the SmartVFD to the system so that the IT system will work with the SmartVFD.
Physical security controls, such as a locked cabinet or equipment room that restricts physical access to the SmartVFD, are necessary to prevent system tampering, power interruption, and other security issues.
Ensure that SmartVFD components requiring high reliability are protected with secure power sources and emergency power systems. Honeywell strongly recommends that you consider reliable power for the SmartVFD control system. System reliability is an important security issue, and following these requirements and recommendations allows continuous monitoring and ensures HVAC control system reliability.

IT Network

Typically a static IP address is used for accessing the BACnet/IP to MS/TP router. Refer to your user manual to access the configuration menu in the MS/TP router.
See additional notes in “APPENDIX 1 - IT NETWORK NOTES” on page 3.
See additional notes in “APPENDIX 4 - SMARTVFD PC SECURITY INFORMATION” on page 4 for Installation Security Issues.

Lon/BACnet/Modbus/N2 Communications Bus

Physical access to the SmartVFD communications bus wiring must be restricted by:
1. Installing wiring in physically inaccessible locations that restrict physical access to the Lon or BACnet communications bus.
Or
2. Installing wire in conduit.
Any PC application accessing the SmartVFD via the BMS or router should be protected with a robust password.
See “APPENDIX 3 - SECURITY MAINTENANCE TASKS” on page 3.

PCs used to access the SmartVFD

Each PC used for accessing the SmartVFD, either via the HVFDCDMCA kit and Drive Care Tool or remotely via a communication bus or Ethernet, must be protected as a secure platform. Maintaining a secure client platform will involve OS updates, anti-virus software, and protection of local ports from attacks including spam, phishing, and physical compromise.
See “APPENDIX 4 - SMARTVFD PC SECURITY INFORMATION” on page 4 for Installation security issues.
See “APPENDIX 5 - FIREWALL AND NETWORK INTRUSION ISSUES” on page 6 for PC security information.
See “APPENDIX 6 - HARDENING AND COMPUTER ISSUES” on page 7.

MAINTENANCE

This section contains information for maintaining the SmartVFD system.
This required physical security access protection is important to prevent security threats to the control system. Failure to protect the communication bus can lead to critical security issues. For example, data loss or corruption could result from not following the required protection for the Lon or BACnet communication bus.
See “APPENDIX 2 - INSTALLATION BEST PRACTICES” on page 3.

Secure and Unique Passwords

User-level parameter access to the SmartVFD via the keypad can be restricted to monitoring only through the use of an access code settable on the keypad, parameters P8.1 and P8.2.
Access to the SmartVFD directly by PC via the Drive Care Tool software (and the HVFDCDMCA hardware kit) requires no password.
Make sure SmartVFD clients (PCs) are running up-to-date antivirus software and comply with corporate PC security standards.
The Gateway is associated with the building during commissioning and should be inspected periodically for connection. If there is no connection, the connection issues should be resolved in a timely manner.

DECOMMISSIONING

This section contains information for maintaining the SmartVFD system.
There is no specific process for decommissioning the SmartVFD. Simply shutting it off or physically removing the wiring to the device will remove the SmartVFD from the system.

SMARTVFD INSTALLATION SECURITY CHECKLIST

Job Name:
Job Location:
Contractor:
Date:
IT Representative:
Date:
Complete the following security tasks for your installation.
• Design a secure installation considering both software and hardware vulnerabilities.
• Develop a Disaster and Recovery Plan.
• Develop a Backup and Recovery Strategy.
• Install, configure, and keep antivirus software updated on SmartVFD Clients (PCs).
• Securely configure networks and firewalls.
• Set up network intrusion detection.
• Harden the network system to further safeguard against unauthorized access.
• Deliver all required system information upon delivery to the system owner.
• Train end-users on security maintenance tasks at system delivery.
• Assess security risks.

APPENDIX 1 - IT NETWORK NOTES

This section contains information for maintaining the SMARTVFD system.
Businesses with critical Point of Sale infrastructure (POS) or other important assets must use internal network segmentation. Proper network segmentation can be accomplished in a small business with the use of a security gateway or firewall.

APPENDIX 2 - INSTALLATION BEST PRACTICES

This section contains additional Installation best practices for SmartVFD.
SMARTVFD Communication Bus (Lon, BACnet MS/TP, etc):
Security of the bus also means that the bus is electrically reliable for communications. It is important that the bus is installed with one wire type, consistent throughout the whole gateway-to-controller connection, so as to eliminate reflections from bus wire impedance mismatches.
Shielded wire is not recommended for normal installations. See installation instructions for details.

APPENDIX 3 - SECURITY MAINTENANCE TASKS

This section contains additional information on security maintenance tasks for SmartVFD.
It is important to train end-users on documented security maintenance tasks.

Disaster Recovery Planning

Creating, implementing, and maintaining a disaster recovery plan is important for the contractor and customer so that the system can be restored in the event of a security breach or equipment failure. As a contractor, you may assist the customer in developing a plan or provide services to help implement and maintain the plan. The plan needs to ensure clearly documented procedures, document the person or organization responsible, and provide review of the plan during planned maintenance intervals.

Backup and recovery strategies

Performing backups of operating data is a risk mitigation task to secure your SmartVFD system.
Industrial Society of Automation / Industrial Electrotechnical Commission ISA/IEC 62443 Network and system security for industrial-process measurement and control is a recommended security standard that prescribes a clear definition of zones and network segmentation. IEC 62443-Segmentation allows the best control over access and security within an automation network.
An excellent reference for control security topics is NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security, available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Important configuration information may be lost if there are failures due to a natural disaster, hardware or software failure, or computer virus.
Backup strategies should take into account hard drive failures, user errors, and permanent loss of computer connection, virus infection or other problems.
Do not store backup images on the same computer being backed up. If network drives are not available, store backup images to a connected drive using USB.
Configure your backup software to do full backups weekly and incremental backups nightly to lower the load and performance impact of backup activities. Ensure that the data was backed up correctly after the backup is complete.