
The DeltaV Security Manual

Cyber Security implementations for DeltaV Digital Automation Systems

This public version of the manual contains only the table of contents and introductory
sections. Please contact your Emerson DeltaV sales office to request a full copy of the
manual.

© 2010 Fisher-Rosemount Systems, Inc. All rights reserved.

Table of Contents
Cyber Security for DeltaV Digital Automation Systems

Introduction
  Where to Find Implementation Information

Security Basics
  DeltaV Software Security Features
  Basic Vulnerability Assessment
  Basic Physical Security
  Basic Workstation Security
  Basic Controller Security
  Basic Network Secure Architecture
  Basic Security Policies and Procedures
  Basic Security Checklist

Assessing Vulnerabilities
  Security Risks Defined
  Accidental External Attack
  Accidental Internal Attack
  Deliberate External Attack
  Deliberate Internal Attack
  Defining the System Boundary
  System Access Points Defined
  Document the System Architecture
  Documenting the Risks
  Identifying Risks to Mitigate
  Document the Security Policy

Security Best Practices
  Working with IT Professionals
  Working with Emerson Process Management to implement DeltaV security
  Supported DeltaV Network Architecture
  Advanced Security Configurations within the DeltaV Control Network
  Using a DMZ to Add a Protection Layer to the External Communications
  Accessing Data on the DeltaV System
  Accessing Real-Time Process Data from the DeltaV Control System
  Writing Data into the DeltaV Control System
  Setting up OPC Access to the DeltaV System
  DeltaV Workstation Security
  Physical Security
  Disable Floppy Drives, USB Ports and CD/DVD Drives
  Set up Microsoft-based Access for Each User
  Two Factor Authentication (Smart Card Support)
  Set up Role-based User Access - DeltaV User Manager
  Set up the Workstation Operator Environment
  Workstation File Security
  Disabling Unused Workstation Services
  Using Internet Explorer on a DeltaV Workstation
  Using Email on a DeltaV Workstation
  Microsoft Operating System Configuration
  Using Anti-Spyware and Anti-Adware Utilities
  DeltaV Controller Security
  Physical Security
  DeltaV Controller Firewall
  DeltaV Controller I/O Protection
  DeltaV SIS Logic Solver Protection
  Network Switch Security
  Physical Security
  Disable Unused Network Ports
  Remote Workstation Security
  DeltaV Remote Access Service (RAS) Protection
  DeltaV Remote Client protection
  Setting Up Anti-Virus Protection
  DeltaV Support for Anti-Virus Software
  Microsoft Security Update Management
  DeltaV Support for Microsoft Security Updates
  Microsoft Security Updates
  Using a Perimeter Firewall or UTM Appliance
  Installing a Non-DeltaV Workstation as a DeltaV Network Node
  DeltaV Zones Security
  Modem Use on a DeltaV System
  Set Up a Network Intrusion Detection/Prevention System (IDS/IPS)
  Change Control Process
  Maintaining Security during the System Integration and Configuration Processes

System Security Monitoring
  DeltaV SNMP Use

Disaster Recovery

Workstation Hardening
  DeltaV Workstation Security Hardening Templates

Perimeter Firewall
  Perimeter Firewall Configuration Settings

List of Disabled Services on a DeltaV Workstation

Introduction

This document is a guide for process engineers, information technology personnel, operations managers and other plant personnel responsible for developing and maintaining the cybersecurity of DeltaV digital automation systems.

The following whitepapers provide introductory material for understanding digital security. Read these whitepapers before reading this document:

- Best Practices for DeltaV Cyber Security
- DeltaV Cyber Security

Although no system can be made completely free from risk, you can reduce risk in the following ways:

- Develop a comprehensive security policy for your DeltaV Process Control system.
- Follow the guidelines in this document.
- Provide training for your employees.
- Make digital security an ongoing process through continuous reevaluation of security risks and rigorous implementation of practices that make sense for your system.

Where to Find Implementation Information

This document provides guidelines and suggestions for developing and implementing a cybersecurity protected DeltaV automation system. The detailed instructions for configuring the system as described in this document are contained in other DeltaV documents and Emerson Process Management information sources.

These sources are:

- DeltaV Books Online: the main, online reference for details on DeltaV implementation. It is available on the DeltaV product media and is a free-standing application that can be obtained separately for planning your system implementation.
- Installing Your DeltaV Digital Automation System and Getting Started with Your DeltaV Digital Automation System manuals: provide information on hardware setup and overviews of the DeltaV system architecture and applications. These manuals are available on paper, and electronic versions are also included within Books Online.
- Whitepapers: provide information on a variety of topics. They are typically free-standing documents covering a single topic. Whitepapers provide detailed information to help users better understand product functionality or implementation. They are available at www.easydeltav.com.
- Product data sheets: specify product capabilities and functionality. They are available at www.easydeltav.com.
- Knowledge-based articles (KBA): provide up-to-the-minute information on implementing a DeltaV digital automation system. They are available to Foundation Support customers on the secure support site.
