214
Appendix C—Recommended Secure Hardening Guidelines
VARIABLE SPEED DRIVE SERIES III LIT-12012999—June 2018 www.johnsoncontrols.com
Category Description
Restrict Logical access to Drive It is extremely important to securely configure the logical access mechanisms provided in VFD to safeguard
the device from unauthorized access. VFD provides various types of administrative, operational, configuration
privilege levels. The available access control mechanisms should be used properly to ensure that access to the
system is restricted to legitimate users only. And, such users are restricted to only the privilege levels necessary
to complete their job roles/functions.
Below are best practices to be followed to ensure adequate cybersecurity of the setup/system
• Default credentials are changed upon first login. VFD should not be commissioned for production with Default
credentials, it’s a serious Cybersecurity flaw as the default credentials are published in the manuals. Restrict
administrative privileges - Threat actors are increasingly focused on gaining control of legitimate credentials,
especially those associated with highly privileged accounts. Limit privileges to only those needed for a user’s
duties. Make sure that the password used in the device is only available to authorized users like Configuring
Engineers and not shared among all operational users.
• Perform periodic account maintenance to make sure that password is changed whenever there is personnel
change.
• Change passwords and other system access credentials as appropriate
• VFD is provided with data/access protection mechanism on keypad, follow below steps to utilize it
VFD provides four levels of data protection for users to ensure the security:
1. Lock parameters on keypad. User can lock the parameters through DI or disable change, in which way all the
parameters cannot be edited.
2. Lock parameters while motor running. Motor control parameters can only be modified when motor is in stop
mode. In which way to enhance the motor security. The parameters are listed in the application manual.
3. Through Power Xpert inControl tool, facility to hide parameters on keypad is available. User can hide the
parameters he/she thinks are significant for himself/herself. Such as IP address and so on.
4. Password on keypad.
• 0000 means no password, which is the default.
• Password range is 0001 ~ 9999.
• With password, user can monitor parameters value but need enter password if he/she wants to edit
parameters.
• User needs to re-enter the password if there is no key operation in 1 min after enter the password.
• User needs to enter the old password if he/she wants to change to a new one.
Restrict Network Access VFD provides network access to facilitate communication with other devices in the systems and configuration.
Butthis capability could open up a big security hole if it’s not configured securely.
Segmentation of networks into logical enclaves and restrict the communication to host-to-host paths. This helps
protect sensitive information and critical services and limits damage from network perimeter breaches. At a
minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture
(asrecommended by NIST SP800-82[R3]) for better security control.
Deploy adequate network protection devices like Firewalls, Intrusion Detection / Protection devices,
Below are the protocols and their port details available on VFD. Use below information for configuring the
firewalls.
VFD provides below communication protocols –
• EtherNet IP protocols on RJ45 connector – enabled by default on port 44818 and 2222
• Modbus TCP protocol on RJ45 connector – enabled by default on port 502
• Modbus RTU on RS485 physical layer – enabled by default
• BACnet MS/TP on RS485 physical layer – disabled by default, when this is enabled, Modbus RTU is disabled.
All the protocols have dedicated menu structure, and details are described in User’s Manual for how to activate or
configure them.
• Detailed information about various Network level protection strategies in Cybersecurity Considerations for
Electrical Distribution Systems [R1].
To Next Page
Loading...
Need help?
General
