Is there a summary of M580 security features?

Secure Access to the PAC
This is the access control list: a whitelist of IP addresses that are allowed to connect to the controller, either on the CPU or on the NOC module.
·    Prevent unauthorized network device access
·    Access Control can restrict access to the Ethernet communication module in its role as either a Modbus TCP or EtherNet/IP server. The user specifies the IP addresses of the devices allowed to communicate with the module.
·    Configuration is done in Unity Pro.
·    Can be modified online on the M580 CPU (not on the BMENOC).

Secure PAC operating modes
·    Any change to the PAC program or configuration is password protected at PAC level. The user or PAC application needs to authenticate before making any change.
·    Remote RUN/STOP authorization can be controlled by an internal bit.
·    The Memory Protect mechanism prevents any changes in the PAC.

Secure PAC firmware
These measures help prevent malware or firmware modification and counter reverse engineering attempts.
·    Firmware is now protected by encryption with the AES-256 algorithm. Firmware integrity is ensured using the SHA-256 algorithm.
SHA-256 is a Secure Hash Algorithm defined by NIST in its FIPS 180-4 publication and used in many cryptographic algorithms. SHA-256 is a stronger hash algorithm than SHA-1, which has no longer been approved by NIST for many algorithms since 2012.
·    Any data that could help reverse engineering has been removed.

Control the integrity of the firmware
·    An electronic (cryptographic) signature is checked before the firmware is loaded, to be sure that it has not been corrupted.

Control the integrity of the real-time processing
·    In real time, the M580 checks the integrity of its memory, its system tasks, its processor and the instructions to be processed. As soon as the M580 detects something unexpected in those checks, it automatically switches into a system stop mode, recording the last states of the memory, processors, and tasks so that a “post mortem” analysis can be made with R&D.

Unity Pro Change Management
·    A flexible and more secure system for traceability of PLC application updates
·    Encrypted textual log file (not only in Event Viewer)
·    Security Editor on Server

Enabling and Disabling Security and Ethernet Services
The BME NOC 03•1 Ethernet communications module and the M580 CPU provide several Ethernet services. To enhance application security, these services can be restricted. From the Unity Pro DTM, the following services can be enabled and disabled:
-    EtherNet/IP (EIP) server (adapter) 
-    DHCP/BOOTP server 
-    SNMP agent
-    IPsec

IPsec service
Internet Protocol Security (IPsec) is an open set of protocol standards, developed by the Internet Engineering Task Force (IETF), that make IP communication sessions private and secure for traffic between modules using IPsec. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process each communications packet in an IPsec session. For more information about IPsec, refer to www.IETF.org.

When IPsec is enabled on BMENOCs, the following traffic/services can be secured with IPsec:

-    SNMP agent and SNMP traps
-    NTP client
-    EtherNet/IP TCP traffic as adapter/server
-    Modbus server (port 502)
-    HTTP
-    ICMP (Ping, etc.)
-    FTP server, TFTP server

IP Filter List
IPsec uses packet filters to evaluate communication packets according to their connections to various services. Packet filters are located between the endpoints of a peer-to-peer connection to verify that the packets adhere to the established administrative rules for communications. Every IP filter in a single IP filter list has the same source IP address for the communications packets; the destination IP addresses (the BME NOC 03•1 modules) are different.

The Access Control List (ACL) function allows or disallows incoming traffic to the following services based on IP address or subnet:

-    Modbus server (port 502) 
-    EIP adapter   
-    FTP server  
-    TFTP server  
-    HTTP server  
-    SNMP agent  

This feature is useful when the requirement is to allow only validated IP addresses to connect to the controller.
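
The ACL behaviour described above can be modelled offline to review a planned allow list before it is entered in Unity Pro. The following is an added example, not Schneider Electric code: the row model (an address or subnet plus the set of permitted services), the short service names, the 256-address "broad" threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Short names (assumed) for the six services the ACL function covers
SERVICES = {"modbus", "eip", "ftp", "tftp", "http", "snmp"}

def parse_acl(rows):
    """rows: iterable of (ip_or_cidr, services) -> list of (network, frozenset)."""
    acl = []
    for cidr, services in rows:
        unknown = set(services) - SERVICES
        if unknown:
            raise ValueError(f"unknown service(s) {sorted(unknown)} for {cidr}")
        # strict=True rejects ambiguous entries such as 10.0.0.5/24 (host bits set)
        acl.append((ipaddress.ip_network(cidr, strict=True), frozenset(services)))
    return acl

def is_allowed(acl, src, service):
    """Default deny: accept only if some entry covers both the peer and the service."""
    addr = ipaddress.ip_address(src)
    return any(addr in net and service in svcs for net, svcs in acl)

def audit(acl, max_hosts=256):
    """Flag entries that are too broad or already covered by a wider entry."""
    findings = []
    for i, (net, svcs) in enumerate(acl):
        if net.num_addresses > max_hosts:
            findings.append((str(net), "broad"))
        for j, (other, other_svcs) in enumerate(acl):
            if (i != j and net != other and net.version == other.version
                    and net.subnet_of(other) and svcs <= other_svcs):
                findings.append((str(net), f"shadowed by {other}"))
    return findings

# Constructed sample allow list (addresses are illustrative only)
SAMPLE_ACL = parse_acl([
    ("192.168.10.20", {"modbus", "http"}),   # engineering workstation
    ("192.168.10.0/24", {"modbus"}),         # SCADA subnet
    ("10.0.0.0/8", {"snmp"}),                # far wider than one management host
    ("192.168.10.30/32", {"modbus"}),        # redundant: inside the /24 above
])

if __name__ == "__main__":
    for peer, svc in [("192.168.10.55", "modbus"), ("192.168.10.55", "http")]:
        print(peer, svc, "allowed" if is_allowed(SAMPLE_ACL, peer, svc) else "denied")
    for finding in audit(SAMPLE_ACL):
        print("finding:", finding)
```

Shadowed entries are worth removing because they hide the real scope of the list: deleting the host row does not revoke access while the wider subnet row remains.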

Syslog for Ethernet Services
The SysLog function can detect and log the following events to the Syslog server: 

-    TCP connection failure due to the Access Control List
-    Enabling/disabling of communication services via the ETH_PORT_CTRL FB
-    Ethernet port link up/down events
-    RSTP topology change
-    Configuration download of COM services
-    Program operating mode change of COMs (Run, Stop)
-    Failed and successful FTP login (for Firmware update and Fast Device Replacement)
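
On the Syslog server, two of the events listed above lend themselves to simple triage: repeated ACL refusals from one source, and a successful FTP login that follows failed ones. The following is an added example, not Schneider Electric code; the log lines are constructed, and their message wording, tags and key=value fields are hypothetical, so the patterns must be mapped to the text the module actually emits.

```python
import re
from collections import Counter

# Constructed sample lines; message wording is hypothetical, not real M580 output.
SAMPLE_LOG = """\
<134>Mar  3 10:15:01 bmenoc01 acl: TCP connection refused src=192.168.10.77 dport=502
<134>Mar  3 10:15:02 bmenoc01 acl: TCP connection refused src=192.168.10.77 dport=502
<134>Mar  3 10:15:04 bmenoc01 acl: TCP connection refused src=192.168.10.77 dport=80
<134>Mar  3 10:16:10 bmenoc01 ftp: login failed src=192.168.10.20
<134>Mar  3 10:16:15 bmenoc01 ftp: login failed src=192.168.10.20
<134>Mar  3 10:16:21 bmenoc01 ftp: login success src=192.168.10.20
<134>Mar  3 10:20:00 bmenoc01 port: link down port=ETH2
"""

# BSD-style syslog line: <PRI>timestamp host tag: message
LINE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+): (.*)$")

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a production collector should keep and count unparsed lines
        pri, ts, host, tag, msg = m.groups()
        fields = dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)
        events.append({"severity": int(pri) & 7, "ts": ts, "host": host,
                       "tag": tag, "msg": msg, **fields})
    return events

def triage(events, deny_threshold=3, fail_threshold=2):
    alerts = []
    denied = Counter(e["src"] for e in events if e["tag"] == "acl" and "src" in e)
    for src, n in denied.items():
        if n >= deny_threshold:
            alerts.append(("acl_denied_repeated", src, n))
    fails = Counter()  # failed FTP logins per source since its last success
    for e in events:
        if e["tag"] != "ftp" or "src" not in e:
            continue
        if "failed" in e["msg"]:
            fails[e["src"]] += 1
        elif "success" in e["msg"]:
            if fails[e["src"]] >= fail_threshold:
                alerts.append(("ftp_success_after_failures", e["src"], fails[e["src"]]))
            fails[e["src"]] = 0
    return alerts

if __name__ == "__main__":
    for alert in triage(parse(SAMPLE_LOG)):
        print(alert)
```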

CSPN certification
This certification is an exotic one since it does not follow the usual rules of certifications. Here you put your product on a table and, for 2 months, a team of professional and experienced “hackers” tries to break into the product. If after 2 months your product could not be penetrated, then you have your certificate.