GE PACSystems RX3i - Authentication; Server Protocols; Authentication Supported by the PROFINET Protocol; Plaintext Login

Chapter 4. Security Capabilities
GFK-2904D July 2018 17
4.3 Authentication
PROFINET I/O Devices from GE Automation & Controls may provide password-based authentication for some,
but not all, of their server protocols. For each unauthenticated protocol that is enabled, compensating controls
may be needed to satisfy a particular installation’s security requirements.
Note: The default configuration for all server protocols except Web Server Firmware Update is
either no authentication or authentication using well-known default values.
Server Protocols
This section summarizes the authentication mechanisms supported by PROFINET I/O Devices for each
protocol. It is important to note that some PROFINET I/O Devices only support a subset of the options listed
here. Refer to Section 4.1, Capabilities by Product, for more details.
| Transport Medium | Functionality | Application Protocol | Subjects Available |
|---|---|---|---|
| Serial | Firmware Update | SNP Slave | None |
| Ethernet | Web Server | HTTP | None |
| Ethernet | Web Server Firmware Update | HTTP | Firmware Updater |
Authentication Supported by the PROFINET Protocol
The PROFINET I/O specification does not define an authentication mechanism, so none is supported for
PROFINET communications on GE Automation & Controls PROFINET I/O Devices.
Plaintext Login
Authentication for a protocol may involve sending a plaintext password to the Server. In some cases these
plaintext passwords cannot be more than seven (7) characters long. When such protocols are required,
additional compensating controls may be needed to satisfy a particular installation’s security requirements.
Recommendations
GE Automation & Controls strongly recommends that authentication be used for every enabled protocol that
supports authentication, that all default passwords be changed, and that access be appropriately restricted to
any computer-based file that includes a plaintext password.
Whenever protocols are used with no authentication mechanism, or when authentication is disabled or relies
on sending credentials in plaintext across the network, it is critical to control physical and electronic access to
the network to prevent unauthorized messages from being sent and acted upon.
Below are recommended actions to be taken to mitigate the risk of external or internal entities accessing an
Industrial Control System (ICS) network and sending unauthorized messages.
Personnel Security Protection
1) All individuals with permission to physically access ICS systems should have background checks and
be trained in the proper use and maintenance of ICS systems.
