Manuel D’UtilisationTable des matières1 Introduction51.1 Purpose51.2 Organization51.3 Relevant documentation51.3.1 Background reading51.3.2 DeltaV documentation61.3.3 Microsoft documentation61.3.4 3rd party product documentation61.4 Security and DeltaV system projects71.5 Security Collaboration between IT and Operations Departments81.6 Submitting Material for This Manual101.7 Glossary102 Security basics122.1 Threats to control systems122.2 Assets and compromises122.3 Vulnerabilities132.4 Performing a risk assessment132.4.1 Summary security checklist142.4.2 Defense-in-depth152.4.3 Security Hardening152.5 Protecting assets from threats152.5.1 Overview152.5.2 Principal safeguards162.5.2.1 Security policies and procedures162.5.2.2 Physical security182.5.2.3 Cyber security perimeters182.5.2.4 Encryption and digital signatures192.5.2.5 Role-based access controls202.6 Implementing DeltaV security203 DeltaV security213.1 Overview213.2 DeltaV architecture223.2.1 External access to DeltaV systems223.2.1.1 DeltaV 2.5 network223.2.1.1.1 Description223.2.1.1.2 DeltaV 2.5 network connectivity253.2.1.1.3 Using wireless in the DeltaV 2.5 network263.2.1.1.3.1 Wireless Ethernet device security283.2.1.1.4 The DeltaV 2.5 network perimeter security device283.2.1.2 The DeltaV remote (RAS) network293.2.1.3 The Process DMZ303.2.1.4 Remote access applications323.2.1.4.1 Overview323.2.1.4.2 Microsoft Remote Desktop333.2.1.4.3 DeltaV remotely accessible applications343.2.1.4.4 DeltaV Firewall Configuration Information353.2.2 DeltaV control system networks393.2.2.1 DeltaV area control network (ACN)393.2.2.1.1 Description393.2.2.1.2 Emerson Process Management Smart Switches403.2.2.1.2.1 Capabilities and operation403.2.2.1.2.2 Management413.2.2.1.3 DeltaV Controller Firewall413.2.2.1.3.1 Capabilities and operation413.2.2.1.3.2 Management423.2.2.1.4 Connecting non-DeltaV computers to the ACN423.2.2.1.5 Extending the ACN using wireless Ethernet bridges433.2.2.2 SIS networks433.2.2.2.1 Description433.2.2.2.2 DeltaV SIS Intrusion Protection Device (SIS IPD)443.2.2.2.2.1 Capabilities and operation443.2.2.2.2.2 Management453.2.2.2.3 SIS Engineering Workstations453.2.2.3 WirelessHART segments453.2.2.3.1 Description453.2.2.3.2 Separation of maintenance workstations and wireless devices473.2.2.3.3 WirelessHART device security473.2.3 DeltaV Zones473.2.4 DeltaV workstations473.2.4.1 Physical security473.2.4.2 Workstation security templates483.2.4.3 Workstation locking483.2.4.4 File system483.2.4.5 Removable devices493.2.4.6 Anti-Virus software493.2.4.7 Workstation applications and services503.2.4.7.1 Disabled services503.2.4.7.2 Email523.2.4.7.3 Internet Explorer523.2.4.8 Workstation Data, Alarms, and Events533.2.4.8.1 Data access533.2.4.8.1.1 Control parameters533.2.4.8.1.2 Data historians543.2.4.9 Portable device security543.2.5 Controller security553.2.5.1 Physical security553.2.5.2 Connection to the ACN563.2.5.3 DeltaV Controller I/O protection563.3 DeltaV functional security563.3.1 User security563.3.1.1 Account management563.3.1.1.1 Centralized management of accounts573.3.1.1.2 Account creation and maintenance573.3.1.1.3 Account expiration583.3.1.1.4 Removal of temporary accounts593.3.1.1.5 Removal of unused accounts593.3.1.2 Passwords593.3.1.2.1 Composition603.3.1.2.2 Default passwords603.3.1.2.3 Expiration period613.3.1.2.4 Expiration prompt613.3.1.2.5 Reuse613.3.1.3 Shared accounts613.3.1.4 Installation-generated user accounts623.3.1.5 Account activity logging623.3.1.6 Logging into the DeltaV system623.3.2 Security event handling633.3.2.1 Event logging and reporting633.3.2.1.1 General security event handling633.3.2.1.2 User activities633.3.2.1.3 Log of failed login attempts633.3.2.2 Event monitoring643.4 Security certifications643.4.1 Vendor products644 Patching654.1 General patching policy654.1.1 Operational impacts664.1.2 Patch list management684.1.3 Patching timeliness694.1.4 Policies and procedures704.2 Microsoft Windows updates714.2.1 Introduction714.2.2 Windows non-security updates714.2.3 Security updates714.3 DeltaV workstation hotfixes724.4 DeltaV Controller and I/O hotfixes735 Backups and disaster recovery745.1 Overvie745.2 Backup/Recovery capability745.3 Backup strategy756 Cyber security services766.1 Standards, policies and procedures766.2 Confidentiality agreements766.3 Standards committees766.4 Security contact766.5 System change procedures776.6 Incident Response Policies and Procedures786.7 System hardening786.8 Conducting security risk assessments786.9 Use of troubleshooting tools78Taille: 750 koPages: 7Language: EnglishOuvrir le manuel