Danfoss iC7 System Products User Guide

ENGINEERING
TOMORROW

User guide

Cybersecurity for iC7 System Products

An Informative Guide for System Integrators To Achieve the Required Security Level With Danfoss iC7 System Products for Marine Industry According to UR E26 and UR E27, and IEC 62443-3-3.

drives.danfoss.com | iC7

1 Introduction

1.1 Purpose of this Document

The unified requirements E26 and E27 are used by the system integrator to explain the cybersecurity of a system. The system integrator or OEM must demonstrate that the system designed has the capability to support the security level intended for different parts/zones in the system.

This document is a guide with recommendations aimed at system integrators using the iC7 system products for the marine industry as a component in the system. Drives in scope for this document: iC7 Marine (Active Front End and Propulsion and Machinery Inverter units) and iC7 Hybrid (Grid Converter, Generator INU and DC/DC converter based on liquid cooled system modules), in this document are referred to iC7 system drives for marine industry.

As product supplier, Danfoss shares information on iC7 system products to be used in the marine industry based on:

• IEC 62443-4-1: Development and production of the components
• IEC 62443-4-2: Description of the product, giving information on threats and mitigations, and how this product is compliant to achieve a certain security level.
• Unified requirements E26 and E27

The components selected to be used in the system must be able to fulfill the requirements needed for the intended/targeted security level (SL-T).

Table 1: Security Level (SL-T) and its IEC 62433-3-3 Definition

1) SL-0 is the lowest and SL-4 is the highest level.

The iC7 System Products for marine industry are described in the perspective of interaction with settings and functions in the product either local or in remote operation:

Local operation is defined as manual interaction with the drive via the local control panel (LCP) or via pc software tools.

Remote operation is defined as an external controller, for example a PLC, interacting with the drive.

The target security level for iC7 System Products for the marine industry is SL-1.

Recommendations to obtain SL-1 using the drives listed above in a system can be found in the section: Security Configuration Guidelines.

A list for the UR E27 Mitigation plan can be found in section 6.5 DNV July/2023 UR E27 Requirements Mitigation List.

1.2 Extended Requirements

The IEC 62443 is the basis for the cybersecurity. If an issuer of certificates or approvals extends the requirements, it is important for the system integrator to take these requirements into account when preparing the cybersecurity documentation.

In this document, a list of issuers with extended requirements can be found:

1.2.1 DNV: Rules for Classification Ships Edition July 2023

The Unified Requirements E26 and E27 are the bases for DNV: Rules for Classification Ships Edition July 2023. In this document, DNV Rules for Classification Ships Edition July 2023 are used as an example. This guidance can be used with the other Class Societies where cybersecurity requirements are based on UR E26 and UR E27.

In the document Rules for Classification: Ships edition July/2023, DNV has defined 3 levels of class notifications:

• Cyber Secure
• Cyber Secure (Essentials)
• Cyber Secure (Advanced)

Table 2: The Relations Between DNV Security Profiles and IEC 62443 Security Levels

This document focuses only on SP0 and SP1 requirements.

A list for the UR E27 mitigation plan can be found in 6.5 DNV July/2023 UR E27 Requirements Mitigation List.

1.3 Document Version

This guide is regularly reviewed and updated. All suggestions for improvement are welcome.

The original language of this guide is in English.

2 Safety

2.1 Safety Precautions

For information on safety precautions, refer to the product-specific operating guide.

2.2 Qualified Personnel

To allow trouble-free and safe operation of the unit, only qualified personnel with proven skills are allowed to transport, store, assemble, install, program, commission, maintain, and decommission this equipment.

Persons with proven skills:

• Are qualified electrical engineers, or persons who have received training from qualified electrical engineers and are suitably experienced to operate devices, systems, plants, and machinery in accordance with pertinent laws and regulations.
• Are familiar with the basic regulations concerning health and safety/accident prevention.
• Have read and understood the safety guidelines given in all manuals provided with the unit, especially the instructions given in the operating guide.
• Have a good knowledge of the generic and specialist standards applicable to the specific application.
• Are cleared by the asset owner to have access to the work zone according to the security level in the zone.

3 Security Measures

The following measures ensure the integration of security in iC7 System Products from Danfoss:

• The Secure product development lifecycle requirements specified in IEC 62443-4-1 are implemented. The implementation is certified by TÜV SÜD.
• Danfoss has implemented measures to safeguard integrity in our products and our manufacturing processes.
• Danfoss constantly checks the measures relating to hardening. Operating systems are configured in such a way that points of attack via ports or connection points of unneeded services, are minimized.
• To detect weak points at an early stage, Danfoss production system contains screening and control procedures in our production management system (PMS).

4 Security management

4.1 Overview

Danfoss drives security management is based on IEC 62443 and ISO 27001.

4.2 Procedure

1. Carry out an information security risk analysis. Determine all potential risks and define countermeasures for reducing the risk to an acceptable level.
An information security risk analysis includes the following steps:

• Identification of threatened objects
• Analysis of value and potential for damage
• Threat and weak point analysis
• Identification of existing security measures
• Risk evaluation
• Evaluation of effects with respect to protection goals: confidentiality, integrity, and availability

2. Define guidelines and introduce coordinated, organizational measures. Establish awareness of the high relevance of industrial cybersecurity at all levels in the company. Define guidelines and processes for a consistent approach to security compliance.

3. Introduce coordinated technical measures.

4. Conduct a security audit to ensure that all of the measures have been implemented and that they have also eliminated or reduced the identified risks.

5 IEC 62443-4-2 Certification

iC7 Marine-drives are working towards IEC 62443-4-2 SL1 certification.

6 Extended Requirements

6.1 Overview

In this section, requirements in relation to specific approvals or certificates are listed. These requirements can either have been extended or limited towards IEC 62443.

6.2 DNV Rules for Classification Ships edition July/2023

The DNV document, section 21: Cybersecurity, provides definitions on which security profile is to be used for the Class notifications:

• Cyber Secure: The system under consideration (SuC) shall comply with requirements for security profile 0 (SP0).
• Cyber Secure (Essentials): The system under consideration (SuC) shall comply with requirements for security profile 1 (SP1).
• Cyber Secure (Advanced): The system under consideration (SuC) shall comply with requirements for security profile 3 (SP3).

In DNV document, Section 21 Chapter 4.1.2 Security Profile adaptations, differences between IEC 62443-3-3 (SL) and security profiles (SP) are listed:

1. SP0 is a security profile that is not based on any security level of IEC 62443-3-3. The level of risk reduction is less than SL1 in IEC 62443-3-3.

2. Requirements listed with H are more stringent than IEC 62443-3-3 since these apply for an SP that is lower than the corresponding SL in IEC 62443-3-3.

3. Requirements indicated with L are less stringent than IEC 62443-3-3 since these apply for an SP that is higher than the corresponding SL in IEC 62443-3-3.

6.3 Color Code and Mitigation List

In section 6.4 Codes for Mitigation to be Achieved with Other Means, the following color codes are used to indicate the solution.

Table 3: Color Codes

	It is impossible to achieve the required effect with current W and SW design.
	This is possible with additional changes with the existing frame work.
	The product partly fulfills this requirement via similar means.
	The product already fulfills this requirement.
	Applicable according to standard, but either the product does not give access or is not allowed/able to handle this.
	Not applicable, irrelevant for this product.

6.4 Codes for Mitigation to be Achieved with Other Means

Table 4: Codes for Mitigation to be Achieved with Other Means

6.5 DNV July/2023 UR E27 Requirements Mitigation List

Drives mitigations are risk based. To control the risks iC7 Marine-drives create for the system, take different countermeasures on control system, network, and physical security level. All proposed mitigations create low or very low risk on a system level.

Table 5: DNV July/2023 UR E27 Requirements Mitigation List

1) SP1: Required for cybersecure (Essential). Corresponds to IEC 62443 SL1 ­ Protection against casual or coincidental violation.

7 iC7 System Products for Marine industry

7.1 iC7 Marine and iC7 Hybrid

iC7 System products for the marine industry consist of iC7 Marine and iC7 Hybrid drives.

Table 6: iC7 Marine and iC7 Hybrid

More information can be found from iC7 Marine (www.danfoss.com) and iC7 Hybrid (www.danfoss.com)

7.2 Interfaces

7.2.1 Default Interfaces

7.2.1.1 Overview

e30bm150.10

Figure 1: Interfaces of iC7 System Module

1   Basic I/O 6 × DI, 2 × DO, 2 × AI +/-10 V/0-20 mA, 1 × AO (0-10/4-20 mA)

2   NO/NC RO, 1 × NO RO 1 × Thermistor

3   Micro SD card for backup, firmware, logging data, setup transfer

4   Dual-Port Ethernet for multiple fieldbus protocols

5   Single Ethernet port for software tool

6   Option boards

7   Fiber optic

8   Star coupler board

9   Power units

There are 3 Ethernet ports (Dual-port and Single Ethernet port) and a Micro SD card slot by default in the iC7 system module.

7.2.1.2 Ethernet Ports

• 2 Ethernet ports are used for fieldbus connection.
• One Ethernet port is used for PC tool connections.

Ethernet ports can be configured by parameters to be enabled/disabled. Daisy chaining the fieldbus is supported for typical protocols, such as Modbus TCP and PROFINET RT.

7.2.1.3 Micro SD Card Slot

The Backup feature in MyDrive® Insight stores the parameter settings of the drive into a new or existing project file, RAM, or Flash memory of the drive, or to an optional microSD card. To utilize the microSD card as a storage device, the microSD card must be inserted in the slot.

The microSD cards supported are: SD, SDHC, or SDXC which must be formatted for the FAT32 file system. SDHC is the recommended type, as they are delivered preformatted to FAT32.

7.2.2 Optional Interfaces

7.2.2.1 Control Panel and Keypad

The control panel is typically the standard user interface and used when frequent interaction with the drive is required. The option enables easy setup of the drive via parameters, monitor drive status, and also shows notifications, in case of an event.

7.2.2.2 Display

e30bk605.1

Control Panel 2.8

Figure 2: Display

• 2.8″ monochromatic user interface with a display resolution of 240 x 160 pixels.
• Visual LEDs to identify drive status, fieldbus communication.
• Halo indicator with 3 colors to show drive status at a glance.
• A display which can be customized to show required or essential information.
• Buttons to control the drive locally, including a toggle button to easily switch between local and remote control.
• Parameter widgets which support alphanumeric and special characters, integers, floating points, date time formats, choice lists, and commands to configure application data.
• Help texts to support the operation.

To avoid unintended interaction via the control panel, the control panel display can be locked. To lock the control panel, press the [Back] button for 3 s. After 3 s, the following screen is shown.

e30bj741.10

Figure 3: Control Panel Lock Screen

When the control panel is locked, pressing the control panel buttons has no effect. To unlock the control panel, press the [Back] button for 3 s.

7.2.2.3 Local and Remote Operation

• Use the [REM/LOC] button to switch between local and remote control
• When remote control is active, the start/stop commands can be executed from Fieldbus or from I/O terminal (DI1 and DI2).
• When local control is active, the start/stop commands can be executed from the keypad.

7.2.2.4 Fiber Optic and Star Coupler Board

e30bi008.11

Figure 4: Example Control Connection with a Star Coupler Board: 8 Power Units in Parallel

1   Control board

2   Star coupler board

3    Maximum 16 power units

The system modules are controlled with the modular control unit. The control unit and the system modules are connected via fiber optics. When 2 or more parallel system modules are used, a star coupler board is needed. The modular control unit provides an interface towards the upper control system.

There is also an Ethernet port in star coupler board. The port is used for fault tracking purposes and it is disabled by default. Credentials are needed to enable the port.

7.2.2.5 Functional Extensions

Additional functional extensions can be added to incorporate analog and digital inputs and outputs as well as other functionality such as temperature measurement or voltage measurement.

The modular control unit can be mounted nearby to or remotely from the power unit. The control unit consists of various boards installed on a mounting plate. The boards are connected to each other with option connectors. Several boards and mounting plates can be installed in parallel.

e30bh877.11

Figure 5: Example of the Modular Control Unit

1   Mounting plate

2   Base grounding plate

3   Grounding plate extension

4   I/O and relay option

5   Control board

6   Option board

7   Option connectors

There are 3 different mechanical board types in the modular control unit:

• Control board
• Star coupler board
• Functional extensions, for example:
  • I/O and Relay Option (OC7C1)
  • Encoder/Resolver Option (OC7M0)
  • Temperature measurement option (OC7T0)
  • Voltage measurement option (OC7V0)

See more information on the option boards in the iC7 Series Functional Extension Options Installation Guide, the iC7 Series Functional Extension Options Operating Guide, and the iC7 Series Voltage Measurement Option OC7V0 Operating Guide.

7.3 Tools and Software for iC7 Marine and iC7 Hybrid Drives

MyDrive® Insight

MyDrive® Insight is a pc software tool that gives easy access to iC7 system drives, locally or remotely. Use it for commissioning, monitoring, and troubleshooting of drives.

Table 7: Features and Functions

For software packages and supporting documents refer MyDrive® Insight

Software

Download software for iC7 Marine drives from Software for iC7 Marine (www.danfoss.com) and for iC7 Hybrid from Software for iC7 Hybrid (www.danfoss.com).

8 Security Configuration Guidelines

8.1 Introduction to Recommendations

There are different possibilities to prevent local or remote access, to change settings, and to view data or settings in iC7 system products. Below a number of principals are proposed. It is up to the system integrator to decide which principle gives the needed protection for the system.

Reduction of the attack surface

Minimizing the risk of attacks is to keep the attack surface as limited as possible and only to have configured necessary functions. The systems only have the software required for the necessary tasks, only the necessary ports and connection points are open or accessible. Also, only the necessary services are activated during operation.

Protection of access to enclosures and rooms

The most basic line of defense is physically shielding the drives in enclosures or rooms with access control. The enclosure or room can have access control by locking mechanism where special tools, special keys or access codes are needed for accessing. Only qualified personnel have the means to get access. This will normally give a good security level and fulfill SL-1.

8.2 Security Recommendations

8.2.1 Local Access

Protection methods: Recommendations for iC7 system products

• IC7 system products are to be used for installation in a lockable control cabinet/ switching room. The locked control cabinet/switching room must provide sufficient protection against access by unauthorized persons.
• For installation where the above described access preventions are not possible, the following prevention methods are recommended:
  • Removing the LCP from the iC7 system products under normal operation.
  • If unintended access should happen, removing the LCP will prevent access to the drive parameters, and so on.
  • In service cases, an LCP can be handed out by the owner of the installation to a trusted person, for example, a trained service technician.

8.2.2 Connection to Trusted/Untrusted Networks

The trusted network is a carefully controlled and restricted segment within a specific network or control system.

If the network deployment occurs in an uncontrolled environment lacking adequate physical access control and account/domain management, it should be restricted to a carefully controlled and limited segment within a designated network or control system.

The drives must only be connected inside the trusted networks, which ensures that the measure for access is under control.

This connection must be created so that the drive connects only to the PLC point-to-point or via switches. Switches must be protected in a way that there is no possibility of exposing the drive to other devices and untrusted personnel.

Recommendations to ensure that only trusted devices have a connection to the drive:

• Protection for each network by allocating firewall solutions to the front of internal trusted networks of each network.
• Carefully manage firewalls, their configurations, and access rules.

The drives do not have internet connection capability without PLC interface. Ethernet-based control options allow for communication to the drive’s IP address.

In-built Ethernet: Ethernet option module must be positioned in a trusted network.

All services are enabled by default. It is recommended to disable services that are not used after commissioning:

• PC tool communication
• Ping response
• iC7 system products do not support wireless connections at the moment. Remote access is possible only via other devices. It is not
  recommended to provide remote access through any devices other than PLC.

8.2.3 Unused Ports

If there are unused ports, integrators must do protection measures to protect the integrity of the drive.

Ethernet ports can also be configured by parameters to be enabled/disabled.

8.2.4 Secure Password Recommendations

Access protection can be compromised easily by using passwords that are not secure enough. Attackers can use compromised access data to log into systems and manipulate the behavior of the drive. This can result in the wrong operation of the drives and damage the installed equipment.

It is important to:

• Develop guidelines for password renewal. Do not keep the same password for a longer period. This excludes persons earlier having or not supposed to be having access anymore.
• Develop guidelines on handling access data. Make sure that the guidelines are implemented consistently in the deployed engineering tools.
• Always keep the access data secret. It is the installation owner’s responsibility to ensure that only an authorized group of people is given access to the equipment to be able to change critical data.

When updating passwords, consider the following guidelines:

• Do not assign passwords that can be easily guessed, for example, simple number combinations like 1111 or 1234
• Assign, if possible, passwords with the required maximum length. This makes it more complicated to gain access unintentionally.

8.2.5 Service

The service is done using PC software tools which are operated on the service PC. iC7 system products have an Ethernet port interface to provide a connection for service PC. During the service, a trusted person, for example, a trained service technician is allowed to attach only trusted devices to the drive.

Recommendations for PC service:

• Do not have internet or other wireless connections active during the service.
• PC is hardened and enforces device security.

9 Software and Firmware Updates

• MyDrive® Insight
• Software for iC7 Marine (www.danfoss.com)
• Software for iC7 Hybrid (www.danfoss.com)

There is malicious firmware prevention, meaning that firmware is only executed if it is authenticated as genuine firmware.

10 Supplier Documentation

Various resources are available to give a better understanding of installation and make use of advanced drive operation and directives compliance. The following list of documents are available for the product:

Optional equipment is available that may change some of the information described in these publications. Be sure to follow the instructions supplied with the options for specific requirements.

Contact a Danfoss supplier or visit www.danfoss.com for more information.

Danfoss A/S
Ulsnaes 1
DK-6300 Graasten
drives.danfoss.com

Any information, including, but not limited to information on selection of product, its application or use, product design, weight, dimensions, capacity or any other technical data in product manuals, catalog descriptions, advertisements, etc. and whether made available in writing, orally, electronically, online or via download, shall be considered informative, and is only binding if and to the extent, explicit reference is made in a quotation or order confirmation. Danfoss cannot accept any responsibility for possible errors in catalogs, brochures, videos and other material. Danfoss reserves the right to alter its products without notice. This also applies to products ordered but not delivered provided that such alterations can be made without changes to form, fit or function of the product. All trademarks in this material are property of Danfoss A/S or Danfoss group companies. Danfoss and the Danfoss logo are trademarks of Danfoss A/S. All rights reserved.

Danfoss A/S © 2024.11    BC503123337224en-000101 / 172K7064A

Documents / Resources

Danfoss iC7 System Products [pdf] User Guide iC7 Marine, iC7 Hybrid, iC7 System Products, iC7, System Products, Products

References

• User Manual