Trust Zone Requirements

For compliance with 62443 4-2 SL1 requirements, a trust zone must be enforced around the redundant chassis and its I/O network. You can use several methods to enforce a trust zone. One method is to allow remote access to the redundant chassis only through a
CIP Security
-enabled communication module. Physically isolate unsecured devices, such as remote I/O, in a non-converged network.
The following example shows a trust zone configuration for the primary chassis. Apply the same configuration to both primary and secondary chassis.
Trust Zone Configuration Example
Trust zone configuration for primary chassis
Item
Description
A
A
CIP Security
-enabled 1756-EN4TR communication module is the only method of direct remote access to the redundant chassis. The zone where this module is located must have
CIP
bridging configured to allow only secure traffic and not allow trusted IP addresses. Star, DLR, and PRP topologies are supported with
CIP Security
. We recommend including multiple
CIP Security
-enabled 1756-EN4TR modules per chassis for backup access to the chassis.
B
Physically isolated I/O network. No other direct physical connections are allowed to remote I/O devices except the redundant chassis pair. All remote access to I/O is accomplished through the secured 1756-EN4TR communication module (item A) for updates and maintenance.
A physically isolated, non-converged I/O network provides these protections:
  • All remote access to the chassis is enforced via
    CIP Security
    zones/conduits while also being verified via x.509 certificates for authentication/authorization.
  • Because the I/O network is connected via Ethernet cables only to the redundant chassis, access to the I/O network is limited:
    • Direct access is possible only via devices in the redundant chassis pair, which can include communication modules other than 1756-EN4TR modules
    • Remote access is possible only via secured 1756-EN4TR modules, which allow authorized access only to the redundant chassis pair
    IMPORTANT:
    Any remote access to the I/O devices for maintenance and updates must be done via the secured 1756-EN4TR module. Other types of network modules, such as
    ControlNet®
    or
    DeviceNet®
    modules, are not supported with Logix SIS or
    ControlLogix®
    5590 redundancy, and must not be used.
  • Isolating the I/O network reduces the attack surface as all remote access to the I/O network passes through the
    CIP Security
    -enabled communication module.
For defense in depth with non-converged I/O networks, we recommend that you still implement and configure the firewall layers as recommended on the referenced firewall applications.
WARNING:
If you choose to use a converged I/O network, you must use additional measures to prevent unauthorized access to the redundant chassis pair or I/O modules. If the redundant chassis pair contains any Ethernet devices that are visible to the broader network, you must enforce a trust zone to prevent unauthorized access to the Ethernet devices and remote I/O modules.
A firewall is required with converged I/O networks.
While firewall configuration is application-specific, we recommend the following:
  • Use an allow list that provides access only to the following:
    • Specific machines
    • Minimum protocols that are required to communicate to unsecured devices in the redundant chassis pair
  • Protect addresses of devices on both redundant chassis.
  • Place the firewall around the redundant chassis pair and the I/O network that it operates.
    We advise not to place a firewall
    between
    the redundant chassis pair and the I/O network that it operates. A firewall that is configured on the communication path between a controller and its I/O network can introduce risks, such as a compromised safety reaction time or blocked communication between the controller and I/O devices.
For more information about firewall configuration, see the following:
  • PlantPAx Distributed Control System Configuration and Implementation User Manual, publication PROCES-UM100
  • Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal