Table of Contents
Advertisement
2 CYBERSECURITY
2.1
WHAT'S IN THIS CHAPTER
This chapter outlines some good practice approaches to cybersecurity as they relate to use of the FEC920
instrument, and draws attention to several FEC920 features that could assist in implementing robust
cybersecurity.
2.2
INTRODUCTION
When utilising the FEC920 in an industrial environment, it is important to take 'cybersecurity' into consideration:
in other words, the installation's design should aim to prevent unauthorized and malicious access. This includes
both physical access (for instance via the front panel or HMI screens), and electronic access (via network
connections and digital communications).
2.3
SECURE NETWORK TOPOLOGIES AND GOOD PRACTICES
Overall design of a site network is outside the scope of this manual. The Cybersecurity Good Practices Guide,
Part Number HA032968 provides an overview of principles to consider. This is available from
www.eurotherm.co.uk.
Typically, an industrial controller such as the FEC920 together with any associated HMI screens and controlled
devices should not be placed on a network with direct access to the public Internet. Rather, good practice
involves locating the devices on a fire-walled network segment, separated from the public Internet by a so-called
'demilitarized zone' (DMZ).
2.4
SECURITY FEATURES
The sections below draw attention to some of the cybersecurity features of the FEC920.
2.4.1 Principle of Secure by Default
Some of the digital communication features on the FEC920 can provide greater convenience and ease-of-use
(particularly in regards to initial configuration), but also can potentially make the controller more vulnerable. For
this reason, some of these features are turned off by default. In particular, ID061 (the BACnet port is closed
unless the BACnet option is enabled).
2.4.2 HMI Access Level / Comms Config Mode
As described in Section 5.3.8, the FEC920 device features tiered, password-restricted operator levels, so that
available functions and parameters can be restricted to appropriate personnel.
2.4.2.1 Logged Out Access Level
Logged out mode allows the user to select viewing mode, to view history, to view alarms, to toggle faceplate
cycling on and off, to send notes, to suspend/resume USB archiving and to access the login process.
2.4.2.2 Operator Access Level
In addition to the logged out features, Operator access level allows the user to acknowledge alarms, to edit
notes and to perform demand archive operations. By default, no password is required in order to enter Operator
level, but a password can be set either at Supervisor level or at Engineer level.
If the Auditor feature is enabled, the Operator user is disabled and instead replaced by the 25 User accounts.
2.4.2.3 Supervisor Access Level
In addition to the logged out features, this access level allows the user to view the recorder's configuration, and
to edit some values (such as alarm thresholds).
2.4.2.4 Engineer Access Level
This allows full access to all areas of the recorder configuration.
Page 4
FEC920: USER GUIDE
A5E45696052A Rev-AA
September 18
Advertisement
Table of Contents
