Transcription

gGE PowerPOWER SERVICES ENGINEERINGPRODUCT SERVICETIL 1881-R221 JANUARY 2016Compliance Category – MTiming Code - 6TECHNICAL INFORMATION LETTERNETWORK SECURITY TIL FOR MARK V, VI AND VIE CONTROLLER PLATFORMSAPPLICATIONAll control panels using Mark V or Mark Ve and Mark VI or Mark VIe control platforms. Includes the following Mark VI, VIe,Mark V, Ve generation controllers: EX2100, EX2100e, LS2100, LS2100e, and Mark VIeS systems. All “Windows” based HMIsystems that are setup with remote access are included. The legacy I DOS systems are not included.PURPOSETo advise sites of new recommendations to help improve control system robustness to potential cyber-attack.REASON FOR REVISIONTo update the reference documentation to reflect migration of GHT-200042 to GEH-6808.Compliance CategoryM - MaintenanceIdentifies maintenance guidelines or best practices for reliable equipmentoperation.C - Compliance RequiredIdentifies the need for action to correct a condition that, if left uncorrected,may result in reduced equipment reliability or efficiency. Compliance may berequired within a specific operating time.A - AlertFailure to comply with the TIL could result in equipment damage or facilitydamage. Compliance is mandated within a specific operating time.S – SafetyFailure to comply with this TIL could result in personal injury. Compliance ismandated within a specific operating time.Timing Code1Prior to Unit Startup / Prior to Continued Operation (forced outage condition)2At First Opportunity (next shutdown)3Prior to Operation of Affected System4At First Exposure of Component5At Scheduled Component Part Repair or Replacement6Next Scheduled Outage 2016 General Electric CompanyThe proprietary information published in this Technical Information Letter is offered to you by GE in consideration of its ongoing sales and servicerelationship with your organization. However, since the operation of your plant involves many factors not within our knowledge, and since operationof the plant is in your control and ultimate responsibility for its continuing successful operation rests with you, GE specifically disclaims anyresponsibility for liability based on claims for damage of any type, i.e. direct, consequential or special that may be alleged to have been incurred asresult of applying this information regardless of whether it is claimed that GE is strictly liable, in breach of contract, in breach of warranty, negligent, oris in other respects responsible for any alleged injury or damage sustained by your organization as a result of applying this information.This Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.

TIL 1881-R2BACKGROUND DISCUSSIONWhen the Mark VI and VIe control systems were developed, these controllers were envisioned to work on isolated privatenetworks with no connectivity outside the plant. Over time, the need to take advantage of remote maintenance anddiagnostic services has resulted in increased levels of interconnectivity with corporate networks. This has created apotential exposure risk of cyber-attack.There are generally 3 separate networks found in Mark VI and Mark VIe controller platformsUDH – Unit Data Highway – Transports data and commands between the controller panels and the HMI / OSM (On-sitemonitor)PDH – Plant data highway – Transport data between HMIs and the DCS (distributed control system) and /or OSM and / orRSG. Not connected to control panels.IONET – transports data between the controller and IO circuit boards. On Mark VI platforms this is a small Thinet (COAX)based network but on Mark VIe this network forms the extensive internal “backplane” of the controller.Figure 1: Mark VI network exampleEthernet networks are an integral part of both the Mark VI and Mark VIe product platforms. When developed, thesesystems were configured with standard Ethernet software services such as FTP and Telnet.FTP (File transfer protocol) allows for the transmission of data files over the network. Telnet is a very common terminalsession program that allows some basic remote interface with a computer or controller over the network. Neitherservices have inherent security or encryption and transmit any user identifier or password data in plain text format,making this information vulnerable to capture by hackers. In addition, Mark VI and Mark VIe controllers have historically 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 2

TIL 1881-R2shipped with simple default passwords, which also increase the chance of unauthorized access. FTP and Telnet maypresent a concern in the UDH part of the network.Another potential concern is remote access to the HMI controllers by unauthorized individuals. For the most part, theseconcerns were identified and mitigated when remote connection and control of the HMI was developed (for remotetuning and diagnostic troubleshooting). However, the same remote access utilities used to provide remote service are apotential vulnerability and it is now recommended to disable these services when not in use.Finally, this TIL recommends the application of a network traffic filter between the UDH network and any remotenetwork connections (shown as the S3C in lower left of Fig 2). This device will block all non-control related traffic fromentering the UDH from an external source such as an OSM. This can provide an additional layer of security within theplant perimeter.GE will continue to monitor and help customers to improve their security postures and to support compliance efforts asthey relate to our equipment.Figure 2: Typical high level overview of plant with OSM and remote tuning capabilityDue to the wide range of plant configurations it is necessary to break the recommendations of this TIL down intoseveral sub-parts, some of which may not apply to all systems.RECOMMENDATIONS1.Disable FTP and Telnet services running in the Control PanelThis recommendation applies to all sites with Mark VI and VIe platform controllers. These services are not requiredfor normal operation. However they may occasionally be used during maintenance/troubleshooting work andmay occasionally need to be temporarily re-enabled. Please see the section titled, “How to Disable NetworkServices and Modify Passwords in Mark VI and Mark VIe Generation Controllers,” in GEH-6808 for detailedinstructions on how to disable or re-enable these services. On some HMIs this software tool may have come preinstalled, however if it is not, then it can be ordered using GE part number DS224SVCPATCH01. To determine if it isinstalled on any particular HMI, search for the following file.svc patch 1.exeThis software will not run on older Windows NT or Windows 2000 HMIs. Sites interested in implementing thispatch on these systems should contact GE for assistance. This patch will not fix other legacy securityvulnerabilities in Windows NT or Windows 2000 as these products are no longer actively supported byMicrosoft (Windows is a trademark of Microsoft Corporation). 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 3

TIL 1881-R22.Modify the default passwords shipped with the systemCustomers should modify the default access passwords to the HMIs and control panels and develop a secure butreliable system to manage access to these when necessary. In order to modify the controller default logincredentials and password it will be necessary to install the same software patch referenced in recommendation 1.See “How to Disable Network Services and Modify Passwords in Mark VI and Mark VIe Generation Controllers” inGEH-6808 for detailed instructions.3.Maintain any remote service lock boxes in the off position when not in useThis recommendation only applies to sites with remote tuning (Dry Low NOx tuning) or other remote servicescapabilities. See appendix B for further details.4.Disable HMI remote access softwareThis applies to all sites using HMIs. HMI Remote access software should be disabled. It should be temporarily reenabled only for approved remote support and disabled again at the end of the support session. NetSupportManager is the recommended remote access software for all machines in use: pre and post Windows 7 HMIs.See appendix C for details on turning on/off these software services.5.Install UDH network traffic filtering equipment capable of checking and removing all non- control relatedtrafficThis recommendation applies to sites with external network connectivity to the plant control networks. Thisincludes OSM, RSG and customer sites with their own internal remote monitoring and diagnostic systems. Moredetails are provided in Appendix D.This TIL can be considered complete when all applicable recommendations have been implemented. For siteswithout remote connections, that means recommendations 1, 2 and 4 should be implemented. For sites withremote connections to their controller network all 5 recommendations should be implemented.PLANNING INFORMATIONCompliance Compliance Category: M Timing Code: 6Manpower SkillsControls field engineerParts HMI software update disk, GE part number DS224SVCPATCH01.S3C network filter should be ordered via upgrade process as some site specific configuration is required.Special ToolingNone required to implement the TIL. However, Mark VI or Mark VIe serial programming cables are required if it is necessaryto temporarily re-enable Telnet on the controller. Details and part numbers are provided in GEH-6808.Reference Documents GEH-6808 TIL 1626 and TIL 1777Scope of WorkRecommendations 1, 2 and 4 can be implemented in one 8 hr shift for sites with up to 4 HMIs / 4 Control panels and canbe implemented by either a Controls field engineer or knowledgeable customer personnel. Recommendation 5 needs to beexecuted via the upgrade process and once configured may take up to 4 hrs on site to install.Contact your local GE Service Manager or Contract Performance Manager for assistance or for additionalinformation. Contact your local GE Service Manager or Contract Performance Manager in order to update GE unitrecord sheets or to submit as-built drawings for changes incurred by this TIL. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 4

TIL 1881-R2APPENDIX ARecommended Password Protection Guidelines:These apply to both HMI User passwords (Appendix B) and internal controller passwords (GEH-6808).At a minimum, the responsible entity shall require and use passwords, subject to the following, as technically feasible: Each password shall be a minimum of six characters.Each password shall consist of a combination of alpha, numeric, and “special” characters.Each password shall be changed at least annually, or more frequently based on risk.In order for GE remote personnel to authenticate to an HMI after the lockbox is in the closed position, the customer mustprovide a username and password. It is recommended that HMI passwords comply with minimum length, complexityrequirements, and that expiration requirements and account activity are reviewed on a periodic basis. It will remain thecustomer’s responsibility to maintain secure but ready access to the various account details. It is important that properrecords of accounts and passwords be maintained by the site as inability to locate this information may result insignificant delays to maintenance related activities.APPENDIX BFigure 3: Example Remote Connection LockboxThe lockbox is a device that can power up/ down the router which enables access to the HMI via the OSM or in some casesthe RSG. The lockbox physically isolates the power to the router that enables this communication pathway and access toboth the box and the key should be controlled. In order to reduce disruption to maintenance activity, there should be asecure, well defined process to get this turned on or off as required. When no pre-arranged tuning or diagnostic activity is inprogress, it should be in the locked off position.APPENDIX CWindows 7 and earlier HMIs using PC Anywhere or with PC Anywhere installed from the factoryPCAnywhere Service Disabling Instructions:1.2.Go to “Start” Menu ; Select “Run”On the Run Box type “Services” and hit the “Enter” key. Component Services window will open as shown below.Select “Services (local)” on left panel. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 5

TIL 1881-R23.Look for “Symantec pcAnywhere Host Service” on right panel and select that service.4.To disable the service right click and select “Properties”. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 6

TIL 1881-R25.Select “Disabled” from Startup type drop down in the Symantec pcAnywhere Host Service Properties window.As shown below. Click OK.PCAnywhere Service Enabling Instructions:1.2.Follow step 1 to 4 as described above instruction set.Select “Automatic” from Startup type drop down in the Symantec pcAnywhere Host Service Properties window.As shown below. Click the Apply button.3. Once the service is set Automatic click the Start button to start the service. Click OK. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 7

TIL 1881-R2Windows XP and 7 HMIs using Microsoft Remote Desktop ConnectionRemote Desktop Service Disable Instructions:1.2.Go to “Start” Menu ; Select “Run”On the Run Box type “Services” and hit the “Enter” key. Component Services window will open as shown below.Select “Services (local)” on left panel.3.Look for “Remote Access Connection Manager” on right panel and select that service.4.To disable the service right click and select “Properties”.Windows XP and 7 HMIs using NetSupport ManagerNetSupport Manager Disable Instructions:1. Go to “Start” Menu ; Select “Run”2. On the Run Box type “Services” and hit the “Enter” key. Component Services window will open as shown below.Select “Services (local)” on left panel.3. Look for “Client32” on right panel and select that service. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 8

TIL 1881-R24.5.Right click on the Client32 service and select PropertiesTo disable the service, choose Disabled from the Startup Type list box and click the OK button.6. To re-enable NetSupport Manager service, follow steps 1-4 and chose Automatic from the Startup Type list boxand click Apply. Click the Start button and click OK.APPENDIX DS3C (Support segment security connector availability)This is an optional additional layer of protection to isolate the controller network from unapproved traffic.Perimeter ProtectionLike an Internet Firewall, the S3C is inserted at the edge of your electronic security perimeter on your Unit DataHighway (UDH). It serves as the gateway for ALL traffic between your M&D on-site monitoring equipment anddevices within your control system network. The S3C inspects and filters all incoming or outgoing communicationsrequired for monitoring or remote tuning of your assets. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 9

TIL 1881-R2Controlled CommunicationOnly the network communications that explicitly match those permitted by our custom policies will traverse throughthe S3C, all other communications should be denied and then captured for your review.Figure 4: S3C (UDH Firewall) shown inserted between OSM and the UDHTiered Inspection: The S3C inspects communications passing between interfaces and evaluates it against multiplecriteria established in custom policies specifically tailored for M&D services. Any traffic that does not conform toALL of the criteria defined within a policy is denied access to its network target.Permitted Services: Only communications necessary for legitimate functionality and operation of approved resourcesshould be permitted. The S3C provides exactly this level of control. GE security engineers have systematically identifiedall required communication ports and protocols for M&D services for required functions with their associatedresources. These have been documented and authored into the S3C policies to permit these communications.Cyber SecurityThe M&D platform is configured to provide customers with a secured data connection helping them to achievetheir security compliance requirements. The basis for network security comes down to permitting only what isnecessary in order to maintain the performance and operation of required services. GE has created the S3C withan auditable, defensive position to facilitate this.Security ManagementM&D is committed to providing a solution that fits into your enterprise security management. Embedding industrybest practices for security management into the S3C allows for a seamless integration into your existinginfrastructure and technology administration. We provide security that allows vendor transparency and maintainsyour independence from external security policies.ConfigurationSome site specific configuration will be required.OrderingBecause some site specific setup and configuration is required these devices should be ordered via the upgradeprocess so that the correct site specific parts and configuration can be installed.Management FeaturesIndependent Management Interface, event Logging, traffic Logging, SNMP Alerts. 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 10

TIL 1881-R2TIL COMPLIANCE RECORDCompliance with this TIL must be entered in local records. GE requests that the customer notify GE upon compliance ofthis TIL.Complete the following TIL Compliance Record and FAX or Email it to:TIL ComplianceFAX: (678) 844-3451Email: [email protected] COMPLIANCE RECORDFor Internal Records Only #Site Name:Customer Name:Customer Contact InformationGE Contact InformationContact Name:Contact AX:Turbine Serial Number(s):INSTALLED EQUIPMENTTIL Completed Date:100% TIL Completed:Description:Unit Numbers:Part Description:Part NumberMLI NumberComments:If there are any redlined drawings that pertain to this TIL implementation, please FAX or Email the drawingsalong with this TIL Compliance Record.NOTE:FAX this form to:TIL ComplianceFAX: (678) 844-3451Email: [email protected] 2016 General Electric CompanyThis Technical Information Letter contains proprietary information of General Electric Company and is furnished to its customer solely to assist thatcustomer in the installation, testing, operation and/or maintenance of the equipment described. This document shall not be reproduced or distributedin whole or in part nor shall its contents be disclosed to any third party without the written approval of GE Power Services Engineering. All rightsreserved.Page 11

GE Power NETWORK SECURITY TIL FOR MARK V, VI AND VIE CONTROLLER PLATFORMS APPLICATION All control panels using Mark V or Mark Ve and Mark VI or Mark VIe control platforms. Includes the following Mark VI, VIe, Mark V, Ve generation controllers: EX2100, EX2100e, LS2100, LS2100e, and Mark VIeS systems. All "Windows" based HMI