
Foxboro Evo™

Process Automation System

Security Guidelines for


ISASecure Certified Products


B0700GH

Rev C
October 24, 2016
Schneider Electric, Invensys, Foxboro, Foxboro Evo, and I/A Series are trademarks of Schneider Electric SE, its
subsidiaries, and affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2014–2016 Invensys Systems, Inc.


All rights reserved.

Invensys is now part of Schneider Electric.

SOFTWARE LICENSE AND COPYRIGHT INFORMATION


Before using the Invensys Systems, Inc. supplied software supported by this documentation, you
should read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Invensys Systems, Inc. will no longer provide you
with support services and assumes no further responsibilities for your system or its
operation.
2. All software issued by Invensys Systems, Inc. and copies of the software that you are
specifically permitted to make, are protected in accordance with Federal copyright
laws. It is illegal to make copies of any software media provided to you by
Invensys Systems, Inc. for any purpose other than those purposes mentioned in the
software license.
Contents
Figures..................................................................................................................................... v

Tables.................................................................................................................................... vii

Preface.................................................................................................................................... ix
Revision Information ............................................................................................................... ix
Reference Documents .............................................................................................................. ix
Glossary .................................................................................................................................... x

1. Security Requirements Installation and Upgrade............................................................... 1


Pre-Installation Requirements ................................................................................................... 1
Installation Requirements .......................................................................................................... 1
Upgrade Requirements .............................................................................................................. 2
API Security .............................................................................................................................. 3
Enabling/Disabling of Ports ...................................................................................................... 3

2. Security Requirements For Administrators ........................................................................ 5


Administrating Control Core Services in a Secure Manner ................................................... 5

3. Security Guidelines for Routine Operation and Maintenance ........................................... 7


General Security Considerations ............................................................................................... 7
Known or Presumed Threats ................................................................................................ 7
GPS Time Synchronization .................................................................................................. 8
RemoteWatch Services ......................................................................................................... 8
Operator Guidance ................................................................................................................. 10
Actions and Constraints ..................................................................................................... 10
Operation and Maintenance Instructions ........................................................................... 10
Reporting Security Vulnerabilities ...................................................................................... 10
Creating Backup of System Security State Information ...................................................... 10
Information Flow Management .......................................................................................... 10
Security Tools .................................................................................................................... 11
System McAfee® Products Media Kit ........................................................................... 11

Index .................................................................................................................................... 13

Figures
1-1. Security Enhancements Dialog Box ............................................................................... 2

Preface
This document describes security guidelines for installation and operation of ISASecure™ certified products used in the Foxboro Evo Automated Process Control System.

Revision Information
For this revision of this document (B0700GH, Rev. C), the following changes were made:
Chapter 1 “Introduction”
♦ Removed this chapter.
Chapter 1 “Security Requirements Installation and Upgrade”
♦ Added the security guideline references at the beginning of this chapter.
♦ Updated “Installation Requirements” on page 1.
♦ Added the FDC280 to this chapter.
Chapter 3 “Security Guidelines for Routine Operation and Maintenance”
♦ Added “General Security Considerations” on page 7.
♦ Added the FDC280 to “Creating Backup of System Security State Information” on
page 10.
♦ Updated “System McAfee® Products Media Kit” on page 11.

Reference Documents
The following documents provide additional and related information. You can find the latest revisions of the documents on the Global Customer Support web page:
https://support.ips.invensys.com.
♦ Security Implementation User's Guide for I/A Series or Foxboro Evo Workstations with
Windows 7 or Windows Server 2008 Operating Systems (B0700ET)
♦ Switch Configurator Application Software Guide for the Foxboro Evo Control Network
(B0700CA)
♦ The MESH Control Network System Planning and Sizing (B0700AX)
♦ The Foxboro Evo Control Network Architecture Guide (B0700AZ)
♦ Control Core Services v9.3 Software Installation Guide (B0700SW)
♦ Control Core Services v9.2 Software Installation Guide (B0700SU)
♦ Control Core Services v9.1 Software Installation Guide (B0700SS)
♦ Integrated Control Block Descriptions (B0193AX)
♦ System Management Displays (B0193JC)
♦ System Definition: A Step-By-Step Procedure (B0193WQ)
♦ System Definition Release Notes for Windows 7 and Windows Server 2008 (B0700SH)
♦ Time Synchronization User’s Guide (B0700AQ)

♦ Address Translation Station User’s Guide (B0700BP)


♦ Field Control Processor 280 (FCP280) User’s Guide (B0700FW)
♦ Field Control Processor 280 (FCP280) On-Line Image Update (B0700FX)
♦ Field Control Processor 280 (FCP280) Sizing Guidelines and Excel® Workbook
(B0700FY)
♦ Field Device Controller 280 (FDC280) User's Guide (B0700GQ)
♦ FDC280 Sizing Guidelines and Excel® Workbook (B0700GS)
♦ Station Assessment Tool User’s Guide, (B0700DZ)
♦ Symantec System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series
Systems (B0700EY)
♦ Optional McAfee® Security Products Installation and Configuration Guide
(B0700EX)
♦ FoxView™ and FoxDraw™ Software V10.4 Release Notes (B0700SN)
♦ Control Core Services v9.3 Release Notes (B0700SV)
♦ Control Core Services v9.2 Release Notes (B0700ST)
♦ Control Core Services v9.1 Release Notes (B0700SR)
♦ System Manager (B0750AP)
♦ System Manager V2.6 Release Notes (B0750RS)
♦ Foxboro Evo Control Software Installation Guide (B0750RA)
♦ Virtualization User’s Guide (B0700VM)

Glossary
API Application Programming Interface

Domain Controller A server on the Foxboro Evo Control Network that is responsible for
allowing host access to Windows domain resources. It stores the user
account information, authenticates users, and enforces security policy for
a Windows domain.

CLI Command Line Interface

COTS Commercial Off the Shelf

EDSA Embedded Device Security Assurance

FBM Fieldbus Module

FCP Field Control Processor

FDSI Field Device System Integrator

HART Highway Addressable Remote Transducer - a control system communications protocol.

NTP Network Time Protocol

SAT Station Assessment Tool

1. Security Requirements Installation and Upgrade
This chapter describes security requirements for installation of the system and for installation of
upgrades to the system subsequent to the initial installation.
For the FCP280 security guidelines, refer to “FCP280 Security Guidelines” in Field Control Processor 280 (FCP280) User's Guide (B0700FW).
For the FDC280 security guidelines, refer to Field Device Controller 280 (FDC280) User's Guide (B0700GQ).

Pre-Installation Requirements
Installation personnel must verify the following before installing the system in order to align
product installation with EDSA certification:
♦ The installation is equipped with sufficient physical security and meets the environmental and facility requirements specified in the FCP280 equipment specification, PSS 31H-FCP280, or in the FDC280 equipment specification, PSS 31H-2FDC280
♦ System hardware, software, and documentation required to complete the installation
is available (see below).

Installation Requirements
General software installation requirements for Control Core Services v9.1 or later are found in the
Control Core Services vX.X Software Installation Guide included with your software. Installation
requires the Control Core Services vX.X Day 0 Media Kit included with Control Core Services
v9.1 or later (refer to the Control Core Services vX.X Release Notes document included with your
version of Control Core Services) or the appropriate media kit included with your version of the
Control Core Services. Documentation required for secure installation of the system is listed in
the preface. You can find the latest revisions of the documents on the Global Customer Support
web page https://support.ips.invensys.com.
When installing an ISASecure compliant system, you must ensure that the option “Install I/A Series software for a security enhanced system” (the default setting) is selected when installing Control Core Services. This setting is shown in Figure 1-1.

Figure 1-1. Security Enhancements Dialog Box

At the completion of installation, you should set a BIOS password and lock down the BIOS on all workstations in the system, so that boot order and boot devices cannot be changed without it. It is also recommended that the Message Manager (MM) port be disabled if it is not in use on the system. Refer to Security Implementation User's Guide for I/A Series and Foxboro Evo Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for a description of how to perform these operations.
The Ethernet Switches should also be password protected and locked down by disabling the CLI.
Unused ports should be disabled. Steps for performing this procedure are described in Switch
Configurator Application Software Guide for the Foxboro Evo Control Network (B0700CA).

Upgrade Requirements
Security requirements for upgrades to Control Core Services v9.1 or later are similar to requirements for initial installation. You will be provided with an upgrade media kit and supporting documentation similar to that provided with Control Core Services v9.1 or later.

API Security
API security is achieved by correct usage of Integrated Control Blocks as described in Integrated
Control Block Descriptions (B0193AX), as well as adhering to sizing recommendations defined in
Field Control Processor 280 (FCP280) Sizing Guidelines and Excel® Workbook (B0700FY),
FDC280 Sizing Guidelines and Excel® Workbook (B0700GS), and The MESH Control Network
System Planning and Sizing (B0700AX).

Enabling/Disabling of Ports
All unused ports should be disabled at the completion of a system installation or upgrade. The
ability to enable or disable ports must be limited to personnel with administrator privileges
through the use of password protected accounts.

2. Security Requirements For Administrators
This chapter describes best practices for Foxboro Evo system administrators, as required for
maintaining a high level of security.
Administrative functions for implementing a high level of security in the initial installation of a system are described in the Control Core Services v9.x Software Installation Guide included with your software. In addition, Security Implementation User's Guide for I/A Series and Foxboro Evo Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) describes use of security enhancements in a Control Core Services system, including the application of Administrative Privileges, Active Directory functions, and establishing Users and Security Groups.

Administrating Control Core Services in a Secure Manner


Administrators are advised to include practices that strengthen security in their routine management of access to the Foxboro Evo system:
♦ Use strong passwords and change them periodically. Refer to Control Core Services v9.x Software Installation Guide included with your software, in the section “Security Enhanced Foxboro Evo Control Core Services v9.x Installation for Domain Controllers on The Foxboro Evo Control Network”, for password complexity recommendations.
♦ Protect the administrator passwords. Provide them to others only on a need-to-know basis, generally only to those who perform installation or administration functions as part of their assigned job. The administrator passwords should be written down and kept in a secured (locked) location, or stored in a password management tool, to ensure they are not forgotten or lost.
♦ Lock down unused device ports such as USB and removable disk drives. Refer to Security Implementation User's Guide for I/A Series and Foxboro Evo Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for instructions on disabling unused device ports.
♦ Maintain up-to-date backups and handle backups securely. Refer to Security Implementation User's Guide for I/A Series and Foxboro Evo Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for information on creating and maintaining backups.
♦ Assign users to security groups in accordance with their actual job in the organization. Do not give users privileges beyond what they need to do their job. Refer to the Control Core Services v9.x Software Installation Guide included with your software.
♦ Do not allow a user to have more than one account.
♦ Remove users immediately if they no longer need access to the system.

3. Security Guidelines for Routine Operation and Maintenance
This chapter describes general security guidelines for Foxboro Evo system operators/users in the
course of routine operation or maintenance.

General Security Considerations


Adherence to the security guidelines is required to ensure use of the product complies with ISASecure certification.

Known or Presumed Threats


Cybersecurity threats to the Industrial Control System (ICS) can come from many sources, including malicious individuals and groups (disgruntled employees, hackers, intelligence services, international and domestic cyberterrorism, hacktivism, cybercrime syndicates, etc.).
The physical and electronic security perimeter (trust boundary) is the first line of defense for protecting ICS assets from these threats. Additional defense in depth measures are provided in a properly configured Foxboro Evo system, such as operating system hardening, network segmentation, malware protection, role based access management, etc.
However, implementing a physical and electronic security perimeter with defense in depth measures is not enough to ensure ICS cybersecurity over the life of the system, for several reasons.
1. Known cybersecurity threats exist that a trust boundary cannot mitigate. These include operational security threats, such as poor credential management, unpatched software, use of removable media, a poorly defined or enforced trust boundary, or simply failure to follow prescribed operational procedures.
2. Cybersecurity threats are constantly evolving. Defense in depth measures must be maintained to keep pace with these changes. These include maintaining current malware definitions, system software updates, and periodic security reviews.
3. Optional authorized communication channels can be added to the Foxboro Evo system that accept or allow information to cross the physical and electronic security perimeter. These are GPS time synchronization and RemoteWatch Services. While these options are sufficiently securable, their use introduces remotely accessible data entry/exit points into the system with their own unique threats. These are explained in the following sections.
4. Other threats to an ICS exist, such as natural disasters, war, terrorism, environmental or mechanical failure, and the inadvertent actions of authorized users. However, these are not generally considered cybersecurity threats and preventive controls are not likely to be effective against them. Instead, detective, corrective and compensating controls such as alarms, software backups, checkpoints and failsafes should be used to protect assets, limit loss, and help in recovery. These controls are provided as functions of the standard product or recommended as standard operating procedure and should be considered in the design and operation of a Foxboro Evo system.

GPS Time Synchronization


The system can be optionally configured to obtain its time from the Global Positioning System
(GPS). GPS time is obtained from the civilian portion of the microwave signal broadcast by a
constellation of satellites operated by the US Air Force. While this signal is available anywhere on
Earth (assuming an unobstructed line of sight to four or more GPS satellites), the civilian signal is
subject to jamming and spoofing similar to most RF signals.
The threats from GPS jamming are mitigated in software and hardware with detective and corrective controls, as follows:
♦ If the Master Timekeeper detects a GPS signal failure, it sends a system error message.
♦ If invalid time signals, contradictory signals, or no signals are received, the GPS
receiver reverts to a highly accurate internal clock. This allows it to maintain the
stream of time strobe signals if it does not receive appropriate signals from the GPS
antenna system.
The threat of GPS spoofing (to provide a past or future time to the system) is not directly mitigated in software, since the civilian signal is not encrypted and no authentication mechanism is provided in the civilian standard. If an incorrect but valid time is received, the system will accept this as the new system time and all stations may use this time to timestamp data, as they would with the correct time. Although the time may be inaccurate compared to actual time, the control system will otherwise operate normally, since the timing of Control Block loops does not depend on this time.
While spoofing of the civilian GPS signal is technically possible, at the time of this revision several factors made successful exploitation unlikely: the equipment needed to spoof a GPS time signal was relatively expensive, and the knowledge and technical expertise required to execute an effective attack were not common. This assessment should be revisited periodically, since low-cost software-defined radios have lowered the cost of the equipment; the consequence to plan for is not loss of control but incorrect timestamps on recorded data.
Protective measures may be used against spoofing, such as positioning the GPS antenna so it does not have a line of sight to any terrestrial object that is outside the security perimeter (land, roadway, roof top, telephone pole, cell tower, hill top, mountain, etc.). Any obstruction must provide sufficient shielding to prevent unauthorized microwave signals from reaching the GPS antenna, either directly or by reflection.
When spoofing of the GPS signal is a concern, detective controls should be used to detect and report spoofing attempts, such as commercial GPS monitoring equipment and applications that detect unexpected changes in workstation time or compare workstation time with another reference clock. These are not standard Foxboro Evo applications.
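The detective control described above can be implemented as a monitor that compares each GPS-derived timestamp against an independent reference clock. The following is an added example and is not part of the Foxboro Evo product or its documentation. It assumes a periodic feed of (reference time, GPS time) pairs, where the reference is an independent source such as the receiver's holdover oscillator or a separate NTP server; the thresholds, addresses and sample data are constructed for illustration. It flags three distinct conditions: an absolute offset from the reference, an abrupt step, and a slow "carry-off" drift that stays below the step threshold on every sample but is faster than any real clock would wander.

```python
"""Monitor GPS-derived time against an independent reference clock.

Added example, not part of the Foxboro Evo product. Thresholds and the
sample scenarios below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    ref_time: float  # seconds: independent reference (assumed: holdover oscillator or NTP)
    gps_time: float  # seconds: time decoded from the GPS receiver


@dataclass
class Alert:
    index: int
    kind: str    # "offset", "step", "drift" or "reference"
    detail: str


def check_gps_samples(samples: List[Sample], *, max_offset_s: float = 1.0,
                      max_step_s: float = 0.5, max_drift_ppm: float = 100.0) -> List[Alert]:
    """Return alerts for every sample whose GPS time is inconsistent with the reference.

    offset: GPS differs from the reference by more than max_offset_s (catches a hold).
    step:   GPS advanced by a different amount than the reference between two samples
            (catches an abrupt jump forward or backward).
    drift:  the per-interval discrepancy is below the step threshold but the implied
            rate exceeds max_drift_ppm (catches a slow carry-off attack).
    """
    alerts: List[Alert] = []
    prev: Optional[Sample] = None
    for i, s in enumerate(samples):
        offset = s.gps_time - s.ref_time
        if abs(offset) > max_offset_s:
            alerts.append(Alert(i, "offset", f"GPS time differs from reference by {offset:+.3f} s"))
        if prev is not None:
            ref_dt = s.ref_time - prev.ref_time
            gps_dt = s.gps_time - prev.gps_time
            if ref_dt <= 0:
                alerts.append(Alert(i, "reference", "reference clock did not advance; monitor unreliable"))
            else:
                step = gps_dt - ref_dt
                rate_ppm = step / ref_dt * 1e6
                if abs(step) > max_step_s:
                    alerts.append(Alert(i, "step", f"GPS time jumped {step:+.3f} s relative to reference"))
                elif abs(rate_ppm) > max_drift_ppm:
                    alerts.append(Alert(i, "drift", f"GPS time drifting at {rate_ppm:+.0f} ppm"))
        prev = s
    return alerts


# Constructed scenarios: one sample per minute, starting at an arbitrary epoch.
REF_START = 1_600_000_000.0
INTERVAL = 60.0


def scenario_normal() -> List[Sample]:
    """Healthy receiver: constant 2 ms offset, no step, no drift."""
    return [Sample(REF_START + k * INTERVAL, REF_START + k * INTERVAL + 0.002) for k in range(6)]


def scenario_step() -> List[Sample]:
    """Spoofed signal pushes GPS time 2 s ahead after the third sample and holds it there."""
    samples = scenario_normal()[:3]
    for k in range(3, 6):
        t = REF_START + k * INTERVAL
        samples.append(Sample(t, t + 0.002 + 2.0))
    return samples


def scenario_carry_off() -> List[Sample]:
    """Slow carry-off: GPS gains 30 ms per minute (500 ppm), never a visible jump."""
    return [Sample(REF_START + k * INTERVAL, REF_START + k * INTERVAL + 0.002 + k * 0.030)
            for k in range(6)]


if __name__ == "__main__":
    for name, scenario in (("normal", scenario_normal), ("step", scenario_step),
                           ("carry-off", scenario_carry_off)):
        print(f"== {name}")
        for a in check_gps_samples(scenario()):
            print(f"  sample {a.index}: {a.kind}: {a.detail}")
```

Run stand-alone, the block prints no alerts for the normal scenario, a step plus offset alerts for the jump, and a drift alert on every interval of the carry-off. In a deployment the sample source would be the Master Timekeeper's time, the monitor would raise a system alarm rather than print, and the thresholds should be derived from the observed stability of the holdover oscillator so that normal wander does not alert.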

RemoteWatch Services
The system can be optionally configured for RemoteWatch Services¹ for proactive monitoring and troubleshooting of the ICS (refer to RemoteWatch Server C20 Style B Software V5.0 Installation Guide (B0860BX)). When monitored parameters exceed a predefined threshold, RemoteWatch alerts engineers in the Global Customer Support Center. Then these engineers can log in to the customer’s site remotely and troubleshoot the problem.

¹ RemoteWatch Services obtained SSAE 16 SOC 2 Type 1 certification as of December 31, 2015.

The RemoteWatch Server communicates with the Global Customer Support Center over a point-to-point VPN. The VPN is provided by NextNine, a company that develops and sells Operational Technology (OT) security management software for the industrial and critical infrastructure market. At the time of this revision the product used Transport Layer Security (TLS) v1.0 and higher with 1024-bit keys for secure communications. The key type is not specified here; 1024-bit RSA keys are below the 2048-bit minimum recommended by NIST SP 800-131A, so confirm the protocol versions and key lengths currently in use with Global Customer Support.
Internet access is configured to allow only outbound TCP connection requests on port 443 through the firewall, from the RemoteWatch Server at the customer’s site to the NextNine Communications Server located in the Global Customer Support Center. Because the customer's firewall is configured to pass only outbound connection requests, external parties (including the Global Customer Support Center) are blocked from initiating connections to the customer's site. Furthermore, the NextNine VPN ensures that only connections between the RemoteWatch Server and the Global Customer Support Center are allowed.
When RemoteWatch Server is added to a Foxboro Evo system, the following additional threats are
considered.
1. A Foxboro Evo workstation or station could be accessed directly from the Wide Area
Network (WAN) or internet.
2. The RemoteWatch Server could accept and process unsolicited messages or connection requests from the WAN or internet.
3. The RemoteWatch network firewall could fail to block unsolicited messages or connection requests from the WAN or internet.
4. Information exchanged or intended to be exchanged between the RemoteWatch
Server and the Global Customer Support Center could be disclosed to unauthorized
parties or tampered with.
These threats are mitigated by proper configuration and maintenance of the RemoteWatch Server
product (refer to appropriate RemoteWatch Installation Guide for your version of RemoteWatch,
as well as its included user’s guide and release notes), which includes network and defense in depth
protections.
The first three of these threats are mitigated by proper network and server configuration. Note that the installation guide shows several possible network configurations. However, to meet ISASecure requirements, the RemoteWatch Server must be located in a demilitarized zone (DMZ), between firewalls that separate the Plant Network from the WAN and the internet. This is described in the RemoteWatch documentation as configurations which support a “Plant Network Isolated from the WAN” or “No connection to the customer's WAN”.
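The outbound-only configuration that mitigates threats 1 to 3 relies on the firewall tracking connection state: a connection may be opened only from the RemoteWatch Server to the NextNine Communications Server on TCP/443, reply traffic belonging to that connection is allowed back, and everything else, including any connection attempt arriving from the WAN or internet and any outbound attempt to another host or port, is dropped. The following is an added example and is not part of the RemoteWatch or NextNine products or their documentation. It models that policy as a minimal stateful filter so the decisions can be checked against constructed traffic, and emits the equivalent iptables rules for a Linux firewall in the DMZ path. The addresses are assumed (RFC 5737 documentation ranges and an arbitrary DMZ subnet); substitute the actual RemoteWatch Server and NextNine server addresses.

```python
"""Model of the egress-only firewall policy for a RemoteWatch Server.

Added example. Addresses, port numbers other than 443, and all traffic below are
constructed for illustration and are not taken from any deployment.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

RW_SERVER = "10.10.20.5"          # assumed: RemoteWatch Server address in the DMZ
NEXTNINE_SERVER = "203.0.113.10"  # assumed: NextNine Communications Server (TEST-NET-3)
NEXTNINE_PORT = 443

Conn = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a TCP connection request (SYN without ACK)


class EgressOnlyFilter:
    """Stateful filter: NEW connections only from local_host to remote_host:remote_port,
    ESTABLISHED traffic in either direction, default DROP.

    Simplification of a real connection tracker: TCP only, no sequence-number checks,
    no timeouts, no RELATED (ICMP) handling.
    """

    def __init__(self, local_host: str, remote_host: str, remote_port: int) -> None:
        self.local_host = local_host
        self.remote_host = remote_host
        self.remote_port = remote_port
        self.established: Set[Conn] = set()

    def decide(self, p: Packet) -> str:
        forward: Conn = (p.src, p.sport, p.dst, p.dport)
        reverse: Conn = (p.dst, p.dport, p.src, p.sport)
        # Reply traffic for a connection the RemoteWatch Server opened earlier.
        if forward in self.established or reverse in self.established:
            return "ACCEPT established"
        # Only the RemoteWatch Server may open a connection, only to NextNine, only on 443.
        if (p.syn and p.src == self.local_host
                and p.dst == self.remote_host and p.dport == self.remote_port):
            self.established.add(forward)
            return "ACCEPT new outbound"
        # Inbound connection attempts, unsolicited non-SYN packets, and outbound
        # attempts to any other host or port all fall through to the default.
        return "DROP"


def iptables_rules(local_host: str, remote_host: str, remote_port: int) -> List[str]:
    """Equivalent Linux netfilter rules for a firewall forwarding the DMZ segment."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {local_host} -d {remote_host} -p tcp --dport {remote_port} "
        "-m conntrack --ctstate NEW -j ACCEPT",
    ]


def constructed_traffic() -> List[Tuple[str, Packet]]:
    """Constructed packets exercising the RemoteWatch threats listed in the text."""
    internet_host = "198.51.100.7"  # assumed: arbitrary internet host (TEST-NET-2)
    return [
        ("RemoteWatch opens VPN to NextNine", Packet(RW_SERVER, 51000, NEXTNINE_SERVER, 443, True)),
        ("NextNine replies on that connection", Packet(NEXTNINE_SERVER, 443, RW_SERVER, 51000, False)),
        ("NextNine tries to open RDP to RemoteWatch", Packet(NEXTNINE_SERVER, 40000, RW_SERVER, 3389, True)),
        ("Internet host tries HTTPS to RemoteWatch", Packet(internet_host, 40001, RW_SERVER, 443, True)),
        ("Unsolicited non-SYN packet from internet", Packet(internet_host, 443, RW_SERVER, 51002, False)),
        ("RemoteWatch tries HTTPS to another host", Packet(RW_SERVER, 51001, internet_host, 443, True)),
        ("RemoteWatch tries HTTP to NextNine", Packet(RW_SERVER, 51003, NEXTNINE_SERVER, 80, True)),
    ]


def evaluate() -> List[Tuple[str, str]]:
    """Run the constructed traffic through a fresh filter; returns (label, verdict) pairs."""
    fw = EgressOnlyFilter(RW_SERVER, NEXTNINE_SERVER, NEXTNINE_PORT)
    return [(label, fw.decide(pkt)) for label, pkt in constructed_traffic()]


if __name__ == "__main__":
    for rule in iptables_rules(RW_SERVER, NEXTNINE_SERVER, NEXTNINE_PORT):
        print(rule)
    for label, verdict in evaluate():
        print(f"{verdict:22} {label}")
```

The order of the two ACCEPT rules matters in the iptables form: the ESTABLISHED,RELATED rule must come first so return traffic is matched by state, and the NEW rule is pinned to the single source, destination and port, which is what prevents the RemoteWatch Server itself from being used as a pivot to any other destination.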
The fourth threat is mitigated by use of the NextNine VPN. At the time of this revision, VPN technology based on TLS 1.2 (RFC 5246, 2008) was generally considered secure, while earlier versions were considered secure only when using a secure block cipher with mitigations. Since then TLS 1.3 (RFC 8446) has been published and TLS 1.0 and 1.1 have been formally deprecated (RFC 8996), so a VPN that still negotiates those versions, or that relies on 1024-bit keys, should be treated as out of date. The history of published exploits against earlier versions demonstrates the need to keep current with software updates and patches. Following Global Customer Support Center maintenance and service recommendations for RemoteWatch will keep the NextNine VPN current with software updates and patches. Contact Global Customer Support via their web page:
https://support.ips.invensys.com
For information about the RemoteWatch Server installation and network security, refer to:
♦ RemoteWatch Server C20 Style B Software V5.0 Installation Guide (B0860BX)
♦ RemoteWatch Server V5.1.1 Upgrade Guide (B0860BR)
♦ RemoteWatch V5.1.1 Release Notes (B0860RS)

♦ RemoteWatch V5.1 User's Guide (B0860CR)

Operator Guidance
Actions and Constraints
Operators are cautioned not to take any action that would compromise the trust boundary:
♦ Do not allow unauthorized persons to enter the trust boundary.
♦ Do not share your password with anyone.
♦ Do not make any unauthorized change to the system within the trust boundary,
including:
♦ Do not change or attempt to change any of the BIOS settings on any computer or device within the trust boundary
♦ Do not connect or attempt to connect portable media such as thumb drives or CDs/DVDs to any device within the trust boundary
♦ Do not make any connection to any active port or device within the trust boundary.

Operation and Maintenance Instructions


Operation and maintenance instructions for the Foxboro Evo system are listed in the “Preface” on page ix. The latest revisions of each document are available through our Global Customer Support at https://support.ips.invensys.com.

Reporting Security Vulnerabilities


Report suspected security vulnerabilities in Foxboro Evo system hardware or software to Global
Customer Support at https://support.ips.invensys.com.

Creating Backup of System Security State Information


Instructions on creating backups at the workstation level are found in Symantec System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Systems (B0700EY). In the Foxboro Evo system, security state information is allocated to the hosting workstation.
At the device level, the FCP280 or FDC280 is backed up by the boot host workstation or the primary module, or from flash memory if self-hosted. Refer to the section “Memory Dumps” in Field Control Processor 280 (FCP280) User’s Guide (B0700FW) or Field Device Controller 280 (FDC280) User's Guide (B0700GQ), for a description of how to recover a database image of the FCP280 or FDC280 after a malfunction.

Information Flow Management


Information flow management is provided by Microsoft® Active Directory Domain Controllers. The Domain Controller is a server on the control network that is responsible for managing host access to Windows domain resources. It stores user account information, authenticates users, and enforces security policy for a Windows domain. Information on Active Directory is contained in Security Implementation User's Guide for I/A Series or Foxboro Evo Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET).

Security Tools
Station Assessment Tool
The Station Assessment Tool (SAT) is available to help users setup a secure configuration and
conduct an audit against a secure baseline. Information on use of the SAT can be found in Station
Assessment Tool (SAT) User’s Guide (B0700DZ).

System McAfee® Products Media Kit


For customers desiring enhanced security, including enhanced system management functionality, Foxboro offers the optional System McAfee® Products Media Kit (K0174LX). This includes ePolicy Orchestrator™, McAfee Agent, Rogue System Detection, VirusScan Enterprise, Host Intrusion Prevention, Device Control, and Integrity Control. Refer to Optional McAfee® Security Products Installation and Configuration Guide for DVD K0174LX (B0700EZ) and the website https://support.ips.invensys.com/content/mcafee2/vscan2.asp for information on these products, and the versions supported in the Foxboro system.

Index
A
Actions and Constraints 10
Administrating Control Core Services in a Secure Manner 5
API Security 3

C
Creating Backup of System Security State Information 10

D
Domain Controller x

E
Enabling/Disabling of Ports 3

I
Information Flow Management 10
Installation Requirements 1

K
Known or Presumed Threats 7

M
McAfee® Products Media Kit 11

O
Operation and Maintenance Instructions 10

P
Pre-Installation Requirements 1

R
Reporting Security Vulnerabilities 10

S
Security Tools 11
Station Assessment Tool (SAT) 11

U
Upgrade Requirements 2
User Guidance 10

Invensys Systems, Inc.
38 Neponset Avenue
Foxborough, MA 02035-2037
United States of America
www.schneider-electric.com

Global Customer Support


Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424
Website: https://support.ips.invensys.com
