Eaton Network-M3 User Manual

Cybersecurity recommended secure hardening guidelinesSecuring the Network Management Module – 214••••••••••Perform periodic account maintenance (remove unused accounts).Ensure password length, complexity and expiration requirements are appropriately set, particularly for all administrativeaccounts (e.g., minimum 10 characters, mix of upper- and lower-case and special characters, and expire every 90 days, orotherwise in accordance with your organization’s policies).Enforce session time-out after a period of inactivity.5.2.2.5.1 Description of the User management in the Network Module:User and profiles management: (Navigate to Settings>>>Users)Add users (admin, operator, viewer)Remove usersEdit usersPassword/Account/Session management: (Navigate to Settings>>>Users)Password strength rules – Minimum length/Minimum upper case/Minimum lower case/Minimum digit/Special characterAccount expiration – Number of days before the account expiration/Number of tries before blocking the accountSession expiration – No activity timeout/Session lease timeSee "Default settings parameters" in the embedded help for (recommended) default values.Additionally, it is possible to enable account expiration to force users renew their password periodically.Default credentials: admin/adminThe change of the default "admin" password is enforced at first connection.It is also recommended to change the default "admin" user name through theSettings>>>Users or Settings>>>Localusers page.Follow embedded help for instructions on how to edit a user account.Local and Trusted remote certificate configuration: (Navigate to Settings>>>Certificate)Follow embedded help for instructions on how to configure it.Supported authentication: LDAP and Radius, follow embedded help for instructions on how to configure it.5.2.2.6 Time SynchronizationMany operations in power grids and IT networks heavily depend on precise timing information.Ensure the system clock is synchronized with an authoritative time source (using manual configuration, NTP). (Navigate toSettings>>>General>>>Time&date settings)Follow embedded help for instructions on how to configure it.5.2.2.7 Deactivate unused featuresNetwork module provides multiple options to upgrade firmware, change configurations, set power schedules, etc. The device alsoprovide multiple options to connect with the device i.e. SSH, SNMP,SMTP,HTTPS etc. Services like SNMPv1 are consideredinsecure and Eaton recommends disabling all such insecure services.It is recommended to disable unused physical ports like USB and SD card.Disable insecure services like SNMP v15.2.2.8 Network SecurityNetwork module supports network communication with other devices in the environment. This capability can present risks if it’snot configured securely. Following are Eaton recommended best practices to help secure the network. Additional informationabout various network protection strategies is available inEaton Cybersecurity Considerations for Electrical Distribution Systems[R1].Eaton recommends segmentation of networks into logical enclaves, denying traffic between segments except that which isspecifically allowed, and restricting communication to host-to-host paths (for example, using router ACLs and firewall rules). Thishelps to protect sensitive information and critical services and creates additional barriers in the event of a network perimeterbreach. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (asrecommended by NIST SP 800-82[R3]) for better security control.Communication Protection: Network module provides the option to encrypt its network communications. Please ensure thatencryption options are enabled. You can secure the product’s communication capabilities by taking the following steps: