Rockwell Automation System Security Design Guidelines Reference Manual

System Security Design Guidelines
Reference Manual
Original Instructions
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
2 Rockwell Automation Publication SECURE-RM001E-EN-P - March 2021

Table of Contents

Preface .... 5
    How Can I Get Help To Manage My Security Risk? .... 5
    Summary of Changes .... 5
    Additional Resources .... 6
Chapter 1: Vulnerabilities
    How Rockwell Automation Handles Vulnerabilities .... 8
        Report a Suspected Product Vulnerability .... 8
    Public Vulnerability Disclosure .... 9
    Supply Chain Vulnerabilities .... 10
    Threat Model .... 10
Chapter 2: System Security
    Security Basics .... 14
        Security Standards .... 15
        Defense-in-Depth Security .... 15
        Notifications That Rockwell Automation Provides .... 16
    Security with Rockwell Automation Products .... 16
        Standard Security Components .... 17
Chapter 3: Secure Networks and Communication
    Converged Plantwide Ethernet (CPwE) .... 19
    Logical Zones .... 20
    Network Firewalls .... 21
        Deep Packet Inspection .... 22
    Industrial Demilitarized Zone (IDMZ) .... 23
        Control Access to the Industrial Zone .... 24
        Remote Desktop Gateway .... 25
    Industrial Firewall Zones .... 26
        Stratix 5950 Security Appliance .... 26
        Control Device Communication Ports .... 27
    Switch and Routing Platforms .... 27
        Stratix Managed Switches .... 27
    Secure Communications .... 28
        CIP Security .... 28
    Wireless Connectivity .... 29
    Additional Resources .... 30
Chapter 4: Harden the Control System
    Patch Management .... 31
        Microsoft Patches .... 31
    Product Change Management .... 32
        Hardware Series .... 32
        Software and Firmware Versions .... 33
    Workstation Hardening .... 34
        FactoryTalk Directory Application .... 34
        Physical Access .... 35
    Device Hardening .... 35
        Digitally Signed Firmware and Software .... 35
        High Integrity Add-On Instructions .... 36
    Additional Resources .... 37
Chapter 5: Manage User Access
    FactoryTalk Services Platform .... 40
    Control Data Access .... 41
        FactoryTalk Administration Console Software .... 41
        Studio 5000 Logix Designer Application .... 41
    FactoryTalk Security Software .... 42
        Policies and Actions .... 42
        Centralized Security Authority .... 43
        Security Authority Identifier (SAID) .... 43
    FactoryTalk View Site Edition .... 44
    Protect Controller Logic .... 45
        License-based Source and Execution Protection .... 45
    Additional Resources .... 45
Chapter 6: Monitor and Recover
    Audit and Change Management with FactoryTalk AssetCentre Software .... 48
    Backups via FactoryTalk AssetCentre Software .... 49
    Component Change Detection and Logging for Controllers .... 50
Chapter 7: Disposal Guidelines .... 51
Appendix A: History of Changes
    SECURE-RM001D-EN-P, March 2020 .... 53
    SECURE-RM001C-EN-P, December 2019 .... 53
    SECURE-RM001B-EN-P, April 2019 .... 53

Preface

This publication provides guidelines for how to use Rockwell Automation products to improve the security of your industrial automation system.
For information on patch management options, security advisory details, and general news and awareness on industrial security from the Rockwell Automation Office of Product Safety and Security, see the Industrial Cybersecurity capabilities web page.

How Can I Get Help To Manage My Security Risk?

The Knowledgebase Technote Industrial Security Advisory Index points to specific product security alerts, advisories, and recommendations. Subscribe to this index to receive notifications.
To address specific concerns, or to report issues, contact us at secure@ra.rockwell.com. Communicate securely via our PGP Public Key Block.
Rockwell Automation Network & Security Services consulting services are available to help customers assess and improve the state of security of industrial control systems that use Rockwell Automation and other vendor control products. We provide a holistic approach to manage your network infrastructure and security throughout its lifecycle. For more information, see Industrial Cybersecurity Services.

Summary of Changes

This manual contains the following new information as indicated.
Topic (Page)
New chapter on vulnerabilities, how to report suspected vulnerabilities, and how Rockwell Automation responds to reports (page 7)
Updates to patch management (page 31)
Updates to version descriptions for software and firmware (page 33)

Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.
Resource: Description
Security Configuration User Manual, SECURE-UM001: Describes how to configure and use Rockwell Automation products to improve the security of your industrial automation system.
CIP Security with Rockwell Automation Products Application Technique, publication SECURE-AT001: Describes how to implement the Common Industrial Protocol (CIP™) Security standard in your control system.
Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, publication ENET-TD001: Provides guidelines for how to design, implement, and manage industrial Ethernet networks.
Industrial Firewalls within a Converged Plantwide Ethernet Architecture White Paper, publication ENET-WP011: Provides guidelines for how to implement industrial firewalls.
Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002: Outlines use cases for how to design, deploy, and manage industrial firewalls.
Guidelines on Firewalls and Firewall Policy, Recommendations of the National Institute of Standards and Technology
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1: Provides general guidelines for how to install a Rockwell Automation industrial system.
Product Certifications website, http://www.rockwellautomation.com/global/certification/overview.page: Provides declarations of conformity, certificates, and other certification details.
You can view or download publications at http://www.rockwellautomation.com/global/literature-library/overview.page. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.
Chapter 1
Vulnerabilities
A vulnerability is a flaw or weakness in a product or system that can be exploited to compromise product or system confidentiality, integrity, or availability.
Risk and vulnerability assessments are the starting point for any security policy implementation. Vulnerability assessments examine your situation from technologies, policies, procedures, and behaviors. An assessment provides a picture of your current security posture (current risk state) and what you need (mitigation techniques) to get to a preferred state (acceptable risk state). Rockwell Automation recommends the formation of a multi-discipline team of operations, engineering, IT, and safety representatives to collaborate in the development and deployment of your industrial security policy.
A vulnerability assessment provides, at a minimum:
• An inventory of existing devices and software.
• Detailed observation and documentation of intended system operation.
• Identification of possible vulnerabilities.
• Prioritization of each vulnerability based on the impact and exploitation potential.
The Common Vulnerability Scoring System (CVSS) is a free, open industry standard for assessing the severity of vulnerabilities. Rockwell Automation includes CVSS-based scores in Product Security Advisory notices to help customers assess their risk and exposure, including how to prioritize responses and resources according to a specific threat. For more information, see the Common Vulnerability Scoring System Specification Document.
The outcome of a vulnerability assessment can include mitigation techniques that bring an operation into an acceptable risk state.
Actions that are taken after a risk assessment can include the following:
• New firewall controls
• New switch ports to lock down
• Stronger password policies
• Removal of unused software programs
• Improved procedures for managing the connection of external devices, such as USB devices
• New or patched versions of firmware or software

How Rockwell Automation Handles Vulnerabilities

Rockwell Automation recognizes the importance of security in industrial control systems and is investing in its products, people, partnerships, and integrated consulting services (Network & Security Services – NSS) to enhance the security in our products and maintain productivity. Rockwell Automation provides detailed and actionable information about security vulnerabilities to help customers make informed decisions on what steps they need to take to improve their security.

Report a Suspected Product Vulnerability

Rockwell Automation encourages submissions of suspected vulnerabilities as soon as they are discovered. Rockwell Automation maintains a formalized process to identify, assess, and remediate reported vulnerabilities for those products that are in the Active or Active Mature state.
The Product Security Incident Response Team (PSIRT) at Rockwell Automation responds to suspected vulnerabilities within Rockwell Automation products. Reporters are strongly encouraged to file a vulnerability report with the PSIRT via email at secure@ra.rockwell.com.
The PSIRT works with reporters to understand and validate reports. The PSIRT:
• Requests that the reporter keep any communication confidential
• Assigns a tracking ID to the vulnerability report
• Reviews and responds, usually within two business days
• Advises the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided to us in confidence
• Works to remediate reported vulnerabilities in a timely manner.
The Rockwell Automation PSIRT encourages the encryption of sensitive information prior to sharing over email. To request instructions on how to use our public key, contact us at secure@ra.rockwell.com.
The Rockwell Automation PSIRT may contact the reporter via email or another agreed-upon communications mechanism throughout the disclosure process.
The PSIRT asks that reporters adhere to the following:
• Play by the rules. This includes following the guidelines, as well as any other relevant agreements.
• Report any vulnerability discovered promptly.
• Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
• Use only our PSIRT email to discuss vulnerability information with us, unless otherwise agreed upon with the PSIRT.
• Keep the details of any discovered vulnerabilities confidential until Rockwell Automation identifies a resolution.
• If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate the issue. Cease testing and submit a report immediately if you encounter any user data during testing, such as personally identifiable information (PII), personal healthcare information (PHI), credit card data, or proprietary information.
• Only interact with test accounts you own or with explicit permission from the account holder.
• Do not engage in extortion.
• Comply with all applicable laws.

Public Vulnerability Disclosure

The PSIRT discloses vulnerability details, mitigations, and solutions via the Knowledgebase Technote Industrial Security Advisory Index.
You can find additional information on the Industrial Cybersecurity capabilities web page.
Rockwell Automation recognizes the hard work of reporters and provides recognition within the advisories, unless otherwise specified. We recognize reporters if they are the first to report a unique vulnerability and the report triggers a product change.
The Rockwell Automation Vulnerability Disclosure Policy draws on the United States Core Terms compiled by disclose.io, the vulnerability disclosure guidance set forth by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, and ISO 29147 and ISO 30111, which define standards for receiving and processing vulnerability reports. Rockwell Automation defines a reporter as an individual or organization that notifies a vendor or coordinator of a suspected product vulnerability. Coordinators, on the other hand, are defined as an individual or organization that coordinates vulnerability information to affected parties.
When conducting vulnerability research according to this policy, Rockwell Automation considers the research to be:
• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws). Rockwell Automation will not initiate or support legal action against you for accidental, good faith violations of this policy.
• Exempt from the Digital Millennium Copyright Act (DMCA). Rockwell Automation will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research. Rockwell Automation waives those restrictions on a limited basis for work done under this policy.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email secure@ra.rockwell.com before going any further.

Supply Chain Vulnerabilities

Rockwell Automation also prioritizes supply-chain vulnerabilities, especially if a vulnerability affects more than one Rockwell Automation product. The PSIRT accepts reports regarding third-party components if the vulnerabilities are disclosed in a multi-party, coordinated effort supported by a third-party coordinator such as DHS CISA or the CERT/CC.

Threat Model

Threat modeling is a procedure to analyze network, application, and physical security. A threat model identifies objectives and vulnerabilities, and then defines countermeasures to mitigate the effects of threats to the system.
1. Describe the assets to protect.
Create classes of assets and information that you want to protect. For example, a controller, the controller configuration, or recipe data in the controller. Be as specific as possible. For example, include the following:
• serial number
• MAC ID
• IP address
• user access
• device dependencies
Prioritize the assets. Define the type of protection for each asset: confidentiality, integrity, or availability.
2. Describe the policies that govern the assets
The policies are typically control-based in that they define who can do what to which asset. Other policies can define attributes such as asset availability, version control, or confidentiality requirements.
Because policies are written in a general manner, they are supported with procedures, standards, and guidelines to provide the details on how to implement, enforce, and monitor the policy.
3. Characterize the assets and their supporting systems
Examine the assets in their information systems and identify information flows that affect the assets. Characterize the systems and software that are part of the information flow.
• How are the assets accessed?
• Who can copy, move, or modify them?
• What methods can be used to interact with them?
• Do they exist in multiple locations?
• How are multiple copies synchronized?
4. Identify threats to the assets
For each asset, identify how and where to enforce the policy that governs the asset. Based on the type of protections for the asset, examine the information flows, systems characterizations, and enforcement mechanisms. Identify potential threats (such as threats to confidentiality, threats to integrity, and threats to availability).
For example:
• ‘System goes off line’ is a threat to availability.
• ‘Database synchronization fails’ is a threat to integrity.
5. Characterize the threats
For each threat, enumerate the mechanisms (vulnerabilities) that can cause the potential threat to become an actual threat. Keep the vulnerabilities as broad as possible in scope.
6. Visualize
Use a network diagram and overlay system information, asset locations, information flows, enforcement points, and vulnerabilities. Annotate the diagram with available resources (people, money, equipment).
Use this visualization as a method to divide the system into manageable pieces. This visualization also shows relationships and possible consequences when you make changes.
7. Strategize
Use the visualization to find:
• Patterns that suggest enterprise-wide solutions rather than local or point solutions.
• Interactions of resources and ease of affecting the network.
• Possibilities of vulnerabilities being exploited.
• Develop backup and restore procedures.
Group vulnerabilities and their locations. Identify methods to address as many of the vulnerabilities as possible with one change or small set of changes.
Remember that not all vulnerabilities need new technology to address the issues. Proper configuration, privilege, and access control are key, and can often be improved without harming production facilities.
8. Verify
• Map every proposed change directly to a threat to an asset.
• Make sure that the change does not introduce a new threat to another asset.
Verify that no policy enforcement point can be circumvented.
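As an added illustration of steps 4 through 8 (example code written for this edition, not Rockwell Automation software), the following Python keeps a small threat model in dataclasses and implements the step 7 grouping of vulnerabilities by asset and location, the step 7 ranking of changes that remove the most vulnerabilities at once, and the step 8 checks that every proposed change maps to an identified threat and introduces none. All assets, addresses, threats, vulnerabilities and changes are constructed sample data; the two threat descriptions are the ones given as examples in step 4.

```python
from dataclasses import dataclass

PROTECTIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    location: str                 # zone or cabinet where the asset lives
    protection: frozenset         # which of PROTECTIONS this asset needs (step 1)
    ip: str = ""                  # constructed identifiers; real ones come from the inventory
    mac: str = ""


@dataclass(frozen=True)
class Threat:
    description: str
    asset: str                    # Asset.name the threat acts on (step 4)
    goal: str                     # the protection it would violate
    vulnerabilities: frozenset    # mechanisms that let it become actual (step 5)


@dataclass(frozen=True)
class Change:
    description: str
    fixes: frozenset              # vulnerabilities this change removes
    introduces: tuple = ()        # (asset, new threat) pairs; should be empty (step 8)


def check_threats(assets, threats):
    """Step 4: every threat must name a known asset and a protection chosen for it."""
    by_name = {a.name: a for a in assets}
    problems = []
    for t in threats:
        a = by_name.get(t.asset)
        if a is None:
            problems.append(f"{t.description}: unknown asset {t.asset}")
        elif t.goal not in a.protection:
            problems.append(f"{t.description}: {t.asset} is not protected for {t.goal}")
    return problems


def group_vulnerabilities(assets, threats):
    """Step 7: map each vulnerability to the (asset, location) pairs it exposes."""
    location = {a.name: a.location for a in assets}
    groups = {}
    for t in threats:
        for v in t.vulnerabilities:
            groups.setdefault(v, set()).add((t.asset, location.get(t.asset, "unknown")))
    return groups


def rank_changes(changes, groups):
    """Step 7: prefer the change that removes the most vulnerability instances."""
    def coverage(c):
        return sum(len(groups.get(v, ())) for v in c.fixes)
    return sorted(changes, key=coverage, reverse=True)


def verify_changes(changes, threats):
    """Step 8: each change must map to a threat and must not create a new one."""
    known = set()
    for t in threats:
        known |= t.vulnerabilities
    findings = []
    for c in changes:
        if not (c.fixes & known):
            findings.append(f"{c.description}: maps to no identified threat")
        for asset, new_threat in c.introduces:
            findings.append(f"{c.description}: introduces '{new_threat}' on {asset}")
    return findings


# Constructed sample model (not from the manual): a controller, an HMI and a database.
ASSETS = [
    Asset("Line 1 controller", "Level 1 cabinet", frozenset({"integrity", "availability"}),
          ip="192.0.2.10", mac="00-00-5E-00-53-01"),
    Asset("HMI workstation", "Level 2 control room", frozenset({"integrity", "availability"})),
    Asset("Recipe database", "Level 3 site operations", frozenset(PROTECTIONS)),
]
THREATS = [
    Threat("System goes off line", "Line 1 controller", "availability",
           frozenset({"no firewall between enterprise and process LAN", "unused switch ports enabled"})),
    Threat("Database synchronization fails", "Recipe database", "integrity",
           frozenset({"no firewall between enterprise and process LAN", "unpatched HMI software"})),
    Threat("Unauthorized logic change", "Line 1 controller", "integrity",
           frozenset({"weak workstation passwords", "unused switch ports enabled"})),
]
CHANGES = [
    Change("Add firewall between Level 3 and Levels 0-2",
           frozenset({"no firewall between enterprise and process LAN"})),
    Change("Disable unused switch ports", frozenset({"unused switch ports enabled"})),
    Change("Stronger workstation password policy", frozenset({"weak workstation passwords"})),
    Change("Replace HMI vendor", frozenset({"HMI runs on a different OS"}),
           introduces=(("HMI workstation", "Unknown patch process for new HMI"),)),
]

if __name__ == "__main__":
    for p in check_threats(ASSETS, THREATS):
        print("threat problem:", p)
    groups = group_vulnerabilities(ASSETS, THREATS)
    for c in rank_changes(CHANGES, groups):
        covered = sum(len(groups.get(v, ())) for v in c.fixes)
        print(f"{covered} vulnerability instance(s) removed: {c.description}")
    for f in verify_changes(CHANGES, THREATS):
        print("verify:", f)
```

The firewall change ranks first because the same vulnerability exposes two assets in two locations, and the vendor swap is flagged twice under step 8: it removes nothing the model identified and it adds a threat to another asset.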
Chapter 2
[Figure: example plant architecture. The Internet connects to the Plant/Enterprise LAN (Levels 4 and 5), which is separated by firewalls from Level 3 and from the Process LAN (Levels 0…2). Device front-panel labels from the figure are not reproduced.]
System Security
Just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for industrial security threats. Threats can come in many forms – physical versus digital, internal versus external, or malicious versus unintentional.
In the industrial automation and control system (IACS), follow common industry standards, such as the Purdue Enterprise Reference Architecture model, to define:
• Security zones - those assets that have the same security requirements
• Trusts within security zones - relationships between assets that support identification, authentication, accountability, and availability.
Industrial security must address a wide range of concerns, including:
• Safeguard intellectual property and other valuable information.
• Safeguard operations from intrusions that could impact productivity, product quality, operator safety, or the environment.
• Maintain critical infrastructure systems, especially systems in regulated areas like energy and water/wastewater management.
• Maintain high-availability traffic policies for networks.
• Enable and control remote access to industrial operations.

Security Basics

Industrial security must be comprehensive. Extend security policies from the enterprise through the plant level and to end devices. Address risks across your people, processes, and technologies. Involve collaboration between IT and OT personnel for design, management, and regular communication on expected system functional requirements and policy compliance.
A robust approach to security includes the development and implementation of the appropriate activities to complete the following steps:
• Identify the cybersecurity risk to systems, assets, data, and capabilities.
• Protect critical infrastructure services.
• Detect cybersecurity events.
• Respond to a detected cybersecurity event.
• Recover from and restore any capabilities or services that were impaired due to a cybersecurity event.
Cybersecurity is the collection of technologies, processes, and practices that help protect networked computer systems from unauthorized use or harm. Cybersecurity addresses cyber-attacks, which are offensive in nature and emphasize network penetration techniques, and cyber-defenses, which are defensive in nature and emphasize counter-measures intended to help eliminate or mitigate cyber-attacks.
The main goals of cybersecurity in an industrial setting:
Availability: maintain and never give up control in a control system
Confidentiality: protect proprietary information and only let individuals with a need-to-know have access to the information
Integrity: ensure that the information flowing through the system has not been tampered with

Security Standards

There are a number of resources that organizations can use as a basis to manage security and risk within the IACS. These resources can help organizations develop a security management program.
Resource: Description
ISA/IEC 62443 Standard, Industrial Automation and Control Systems (IACS) Security (formerly ISA-99): This standard addresses network and system security and defines the provision of multiple security protections, especially in layers, with the intent to delay, if not block, an attack. This standard also recommends password structures.
NIST 800-82 Framework, Guide to Industrial Control Systems (ICS) Security: This framework provides recommendations for securing an IACS. The standard covers the use of firewalls, the creation of demilitarized zones and intrusion detection capabilities, along with effective security policies, training programs, and incident response mechanisms.
NIST Cybersecurity Framework: This framework provides guidelines that help organizations align cybersecurity activities with business requirements, risk tolerances, and resources.
NCCIC Agency, National Cybersecurity and Communications Integration Center: This agency provides recommendations for secure architecture design. The United States Department of Homeland Security (DHS) includes the Cybersecurity & Infrastructure Security Agency (CISA). CISA manages a repository of alerts, advisories, and reports (ICS-CERT) for industrial control systems.
• Alerts: provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks.
• Advisories: provide timely information about current security issues, vulnerabilities, and exploits.
• Reports: provide Technical Information Papers (TIPs), Annual Reports (Year in Review), and 3rd-party products applicable to industrial control system owners/operators.
• Newsletters: periodic publication of security news and information applicable to industrial control system owners/operators.
For more information, see Cybersecurity and Infrastructure Security Agency > Industrial Control Systems.

Defense-in-Depth Security

Industrial security is best implemented as a complete system across your operations. Common to security standards is the concept of defense-in-depth (DiD). DiD security establishes multiple layers of protection based on diverse technologies through physical, electronic, and procedural safeguards. Just like a bank uses multiple security measures – such as video cameras, a security guard, and a vault – DiD helps make sure that threats encounter multiple lines of defense. DiD also assumes the implementation of cybersecurity policies that include operations planning, user training, and physical access security measures.
A defense-in-depth security approach consists of six main components:
• Policies and Procedures
• Physical
• Network
• Computer
• Application
• Device
Defense-in-depth employs a comprehensive approach to leverage multiple methods to mitigate risks. To apply defense-in-depth, understand the relationship of intruders (threats and threat actors) and vulnerabilities to the controls (standards, detection methods, and countermeasures).
A threat actor, through intent, capability, or opportunity, poses a threat to the IACS when the threat compromises operations, personnel, or technology and exploits an existing weakness or vulnerability. Base countermeasures on best practices, standards, and established company security policies. Countermeasures protect critical assets through multiple layers of defense. Organizations must constantly adjust and refine security countermeasures to maintain protection against known and emerging threats.

Notifications That Rockwell Automation Provides

Rockwell Automation provides these types of product notices.

Notification: Product Safety Advisory (PSA)
Description: Issued when a product failure may result in significant loss of capital equipment, personal injury, or death.
Customer Action: Required

Notification: Product Notice (PN)
Description: Issued when a product failure may result in significant commercial loss or customer dissatisfaction.
Customer Action: Strongly Recommended

Notification: Product Security Advisory
Description: Issued for security alerts and security recommendations where such risks stem from cyber-attacks. These advisories are intended to raise customer awareness of risks to affected product operation or performance and also supply relevant recommendations for how to reduce or remove the risk associated with a vulnerability.
Customer Action: Strongly Recommended

Security with Rockwell Automation Products

Security is not a static end state; it is an ongoing, iterative process. No single product, methodology, or technology fully secures control networks. The remaining chapters in this reference manual highlight Rockwell Automation products that help manage:
• Identification, authentication, and user access
• Network segmentation and data flow
• Data confidentiality
• System integrity
• Resource availability and response to events

Standard Security Components

In addition to the Rockwell Automation products that it describes, this publication references these additional technologies.

Component: Microsoft® Active Directory service
Description: Use Active Directory for authentication and authorization in a Windows domain. Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. A server that runs Active Directory Domain Services (AD DS) is called a domain controller. The domain controller authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all domain-joined computers, and installs or updates software on them.

Component: RADIUS protocol
Description: You can use the Remote Authentication Dial-In User Service (RADIUS) protocol to manage access to the Internet or internal networks, wireless networks, and integrated email services. RADIUS is a network protocol that provides centralized authentication, authorization, and accounting (AAA) management for users, and Internet service providers (ISPs) and enterprises use it widely for that purpose. RADIUS runs over UDP (ports 1812 and 1813) and hides only the User-Password attribute, using a keystream derived from the shared secret; the rest of each packet is clear text, so confine RADIUS traffic to a protected management network or tunnel it (for example, RADIUS over TLS, RFC 6614).

Component: Cisco® TACACS+ protocol
Description: You can use the Cisco Terminal Access Controller Access-Control System Plus (TACACS+) protocol to manage remote authentication for networked access control through a centralized server. TACACS+ manages authentication, authorization, and accounting (AAA) services. It uses the Transmission Control Protocol (TCP, port 49); because TCP is connection-oriented, TACACS+ does not have to implement its own transmission control. TACACS+ obfuscates the entire packet body with a keystream derived from the shared secret, but the 12-byte header stays in the clear, and RFC 8907 describes the scheme as obfuscation rather than encryption; give TACACS+ traffic the same network protection as RADIUS.

Component: IEEE 802.1X authentication
Description: You can use 802.1X authentication to manage port-based access for devices that want to connect to a network. A switch port passes traffic only from a device that has authenticated, through the switch acting as authenticator, against an authentication server (typically a RADIUS server). That server can be tied to Active Directory so that network management and network access share one central administration point. This port-based access control is the preferred method to create a central network access layer.
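The RADIUS and TACACS+ rows above both rest on a shared secret between the network device and the AAA server. The following Python is an added example, not code from the Rockwell manual, Cisco, or Microsoft: it builds a RADIUS Access-Request with a hidden User-Password and verifies the server's Response Authenticator, then obfuscates and deobfuscates a TACACS+ body under its clear-text header and shows what keystream reuse leaks. The secret, Request Authenticator, session id, and packet bodies are constructed values, and the function names are the example's own.

```python
"""Shared-secret handling in RADIUS (RFC 2865) and TACACS+ (RFC 8907).
Added example, not code from the Rockwell manual, Cisco or Microsoft: both
protocols hide sensitive bytes by XORing them with an MD5-derived keystream
seeded from the shared secret. All secrets, authenticators, session ids and
packet bodies below are constructed test values."""
import hashlib
import hmac
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- RADIUS (UDP/1812), RFC 2865 sections 3 and 5.2 ----

def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password value: pad to a multiple of 16, then XOR each chunk with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (the server side)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")

def radius_attr(atype: int, value: bytes) -> bytes:
    """Attribute TLV: Type, Length (counts these two bytes too), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def radius_access_request(ident: int, user: bytes, password: bytes,
                          secret: bytes, req_auth: bytes) -> bytes:
    """Code 1 = Access-Request; User-Name is attribute 1, User-Password is 2.
    Only the password is hidden; header, authenticator and user name are clear text."""
    attrs = radius_attr(1, user) + radius_attr(2, radius_hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def radius_access_accept(request: bytes, secret: bytes) -> bytes:
    """An honest server's Access-Accept (code 2, no attributes). Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", 2, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def radius_response_ok(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client check: a reply that fails this was not made with the shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# ---- TACACS+ (TCP/49), RFC 8907 section 4.5 ----

TACACS_HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5(session_id|key|version|seq_no) || MD5(same|previous digest) || ...
    truncated to the body length. Everything except the key is readable in the header."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_packet(session_id: int, key: bytes, body: bytes, seq_no: int = 1,
                  ptype: int = 1, version: int = 0xC0) -> bytes:
    """12-byte clear-text header, then body XOR pseudo_pad (type 1 = authentication,
    flags 0 = body obfuscated)."""
    hdr = TACACS_HDR.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + _xor(body, tacacs_pad(session_id, key, version, seq_no, len(body)))

def tacacs_unpack(packet: bytes, key: bytes):
    """Return (header fields, body). A wrong key yields garbage rather than an
    error: the format carries no integrity check."""
    version, ptype, seq_no, flags, session_id, length = TACACS_HDR.unpack(packet[:12])
    body = _xor(packet[12:12 + length], tacacs_pad(session_id, key, version, seq_no, length))
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}, body

def tacacs_xor_leak(pkt_a: bytes, pkt_b: bytes) -> bytes:
    """Two bodies obfuscated under the same session_id, seq_no, version and key get
    the same pad, so XORing them yields body_a XOR body_b without the key (a live
    session increments seq_no; the collision is constructed). Hence 'obfuscation'."""
    n = min(len(pkt_a), len(pkt_b)) - 12
    return _xor(pkt_a[12:12 + n], pkt_b[12:12 + n])
```

Two points the table alone does not show: a RADIUS client must discard any reply for which radius_response_ok fails, because the Response Authenticator is the only thing binding the reply to the shared secret, and the TACACS+ header (version, type, sequence number, session id, length) is readable by anyone on the path and nothing authenticates the body. Both are reasons to keep AAA traffic on a protected management network or inside a TLS tunnel rather than relying on the protocols' own hiding.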