Trust Zone Requirements
For compliance with 62443 4-2 SL1 requirements, a trust zone must be enforced around the
redundant chassis and its I/O network. You can use several methods to enforce a trust zone.
One method is to allow remote access to the redundant chassis only through a
CIP Security™
-enabled communication module. Physically isolate unsecured devices, such as remote I/O, in
a non-converged network. The following example shows a trust zone configuration for the primary chassis. Apply the
same configuration to both primary and secondary chassis.
Trust Zone Configuration Example
Item | Description |
|---|---|
A | A CIP Security™ -enabled 1756-EN4TR communication module is the only method of direct remote
access to the redundant chassis. The zone where this module is located must have CIP™ bridging configured to allow only secure traffic and not allow trusted IP
addresses. Star, DLR, and PRP topologies are supported with CIP Security™ . We recommend including multiple CIP Security™ -enabled 1756-EN4TR modules per chassis for backup access to the chassis. |
B | Physically isolated I/O network. No other direct physical connections are allowed to remote I/O devices except the redundant chassis pair. All remote access to I/O is accomplished through the secured 1756-EN4TR communication module (item A) for updates and maintenance. |
A physically isolated, non-converged I/O network provides these protections:
- All remote access to the chassis is enforced viaCIP Security™zones/conduits while also being verified via x.509 certificates for authentication/authorization.
- Because the I/O network is connected via Ethernet cables only to the redundant chassis, access to the I/O network is limited:
- Direct access is possible only via devices in the redundant chassis pair, which can include communication modules other than 1756-EN4TR modules
- Remote access is possible only via secured 1756-EN4TR modules, which allow authorized access only to the redundant chassis pair
IMPORTANT:Any remote access to the I/O devices for maintenance and updates must be done via the secured 1756-EN4TR module. Other types of network modules, such asControlNet®orDeviceNet®modules, are not supported with Logix SIS orControlLogix®5590 redundancy, and must not be used. - Isolating the I/O network reduces the attack surface as all remote access to the I/O network passes through theCIP Security™-enabled communication module.
For defense in depth with non-converged I/O networks, we recommend that you still implement
and configure the firewall layers as recommended on the referenced firewall applications.
WARNING:
If you choose to use a converged I/O network, you must use additional measures to prevent
unauthorized access to the redundant chassis pair or I/O modules. If the redundant chassis
pair contains any Ethernet devices that are visible to the broader network, you must enforce
a trust zone to prevent unauthorized access to the Ethernet devices and remote I/O modules.
A firewall is required with converged I/O networks.
While firewall configuration is application-specific, we recommend the following:
- Use an allow list that provides access only to the following:
- Specific machines
- Minimum protocols that are required to communicate to unsecured devices in the redundant chassis pair
- Protect addresses of devices on both redundant chassis.
- Place the firewall around the redundant chassis pair and the I/O network that it operates.We advise not to place a firewallbetweenthe redundant chassis pair and the I/O network that it operates. A firewall that is configured on the communication path between a controller and its I/O network can introduce risks, such as a compromised safety reaction time or blocked communication between the controller and I/O devices.
For more information about firewall configuration, see the following:
- PlantPAx Distributed Control System Configuration and Implementation User Manual, publication PROCES-UM100
- Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002
Provide Feedback