cybersecurity software 2006 (jun 2020) software change notice · 1 day ago · about this software...

`

HONEYWELL FORGE CYBERSECURITY SUITE

2006 (JUN 2020), R201

Cybersecurity Software 2006 (Jun 2020)

Software Change Notice

CS-HFCSE100en-2006A

June 2020

DocID (CS-HFCSE100en-2006A) 2

DISCLAIMER

This document contains Honeywell proprietary information. Information contained

herein is to be used solely for the purpose submitted, and no part of this document

or its contents shall be reproduced, published, or disclosed to a third party without

the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate,

Honeywell disclaims the implied warranties of merchantability and fitness for a

purpose and makes no express warranties except as may be stated in its written

agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential

damages. The information and specifications in this document are subject to change

without notice.

Copyright 2020- Honeywell International Sàrl


Table of contents

ABOUT THIS SOFTWARE CHANGE NOTICE ...................................................................................... 5

Revision history ....................................................................................................................................................................... 6

Intended audience .................................................................................................................................................................. 6

Technical assistance .............................................................................................................................................................. 6

1. SECURITY CONSIDERATIONS ..................................................................................................... 7

2. PRODUCT AND RELEASE OVERVIEW ....................................................................................... 8

2.1 New and Enhanced features in Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) 10

3. RELEASE MEDIA CONTENTS ....................................................................................................... 12

3.1 User documentation book set .......................................................................................................................... 15

3.2 Forward and backwards compatibility....................................................................................................... 17

3.3 New installations and upgrades ..................................................................................................................... 22

4. SPECIAL CONSIDERATIONS......................................................................................................... 23

4.1 Known to exist in this version ......................................................................................................................... 23

4.2 Fixed from previous versions .......................................................................................................................... 23

5. SOFTWARE AND HARDWARE SPECIFICATIONS ................................................................... 24

5.1 Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) guest minimal and recommended

sizing.............................................................................................................................................................................. 24

5.2 VSE Sizing Guidelines ........................................................................................................................................... 33

5.3 Virtualization host recommended sizing ................................................................................................... 34


List of Figures

FIGURE 1 HONEYWELL FORGE CYBERSECURITY SUITE BASIC ARCHITECTURE ................................................................... 9 TABLE 1 DOCUMENTATION SET .................................................................................................................................... 15 TABLE 2 INSTALLATION, UPGRADE, AND UPDATE MATRIX ............................................................................................... 18 TABLE 3 SUPPORTED PRODUCT LINES LIST ................................................................................................................... 21 TABLE 4 MINIMAL AND RECOMMENDED HARDWARE ...................................................................................................... 24 TABLE 5 MINIMAL AND RECOMMENDED HARDWARE FOR VIRTUALIZATION ...................................................................... 34


About this Software Change Notice

Welcome to the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) release.

This Software Change Notice (SCN) continues the software consolidation to a single family of

products under the Honeywell Forge family name.

A summary description of supported features, functionality and infrastructure are discussed

later in this document and are described in more details in the user documentation, in

addition to detailed requirements and constraints that affect successful deployment and

operation of the Honeywell Forge Cybersecurity Suite.

NOTE

Before installing and deploying the Honeywell Forge Cybersecurity Suite, check the

Honeywell support website for the latest updates to this SCN. If you are a new user, you

will need to register at the following link: http://www.honeywellprocess.com

While the most up-to-date information is provided at release-time, before installing, you are

strongly advised to check Honeywell’s support website for updates to this Software Change

Notice. Other related information and updates are also available at this site, such as: software

update patches, current user documentation, and compatibility updates.

Follow the following steps to access the latest information about the Honeywell Forge

Cybersecurity Suite 2006 (Jun 2020) and other Honeywell Cybersecurity Products:

• Go to https://www.honeywellprocess.com.

• Log in with username and password or register for a new account.

• Click Support.

• Follow on-screen instructions to access appropriate support information.

• If you are unable to access the online support system, contact the Honeywell Technical

Assistance Center to obtain SCN and user guide updates.

NOTE

• Read this entire SCN before installing and deploying the Honeywell

Forge Cybersecurity Suite.

• While this document contains information for all users of the

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020), it is highly

recommended that each operator and engineer using this release, as

well as Honeywell field engineers, be provided with a copy of this SCN

and become familiar with its content.

https://www.honeywellprocess.com/


Revision history

Revision Supported Release Date Description

A 2006 (Jun 2020) June 2020 Adding: Hardening Report, Active Discovery

Service, Remote Access Gateway secure

communication to database, Performance

Analyzer defect fixes and improvements,

Intended audience

This guide is primarily intended for Honeywell and customer personnel who install,

configure, and use the product.

Technical assistance

For support, contact your local Honeywell Global Technical Assistance Center (GTAC). To find

your relevant GTAC visit the website, https://www.honeywellprocess.com/en-US/contact-

us/customer-support-contacts/Pages/default.aspx.

https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx

https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx

SECURITY CONSIDERATIONS


1. Security Considerations

Security recommendations and best practices are outlined at the beginning of every

Honeywell Forge Cybersecurity Suite user guide. Be sure to familiarize yourself with them

and act to protect your plant.

CAUTION

Some Honeywell Forge Cybersecurity Suite components are mission critical.

Take all necessary physical measures to prevent attacks or disasters.

Carefully review recommended security practices for each component and each

aspect of physical and software security and take necessary actions to protect

your assets.

PRODUCT AND RELEASE OVERVIEW

CS-HFCSE100en-2006A 8

2. Product and Release Overview

Honeywell Forge Cybersecurity Suite is an Operational Technology (OT) security

management platform for securing Industrial Control Systems (ICS)/SCADA environments.

The Honeywell Forge Cybersecurity Suite enables organizations to integrate OT and IT

infrastructures and operations while minimizing security vulnerabilities. This is done by

monitoring remote field assets from a single security and operations center. This technology

automates the monitoring and verification of plant-wide security essential deployment and

enforcement activities.

The Honeywell Forge Cybersecurity Suite identifies precisely what is in the OT environment

to achieve an accurate inventory of the organization’s ICS assets that includes hardware ,

software and service configurations.

To maintain high levels of security and uptime, secure remote access to field assets is

required by first and third-party personnel and machines. The Honeywell Forge

Cybersecurity Suite provides extremely granular and robust AAA (Authentication,

Authorization and Accounting) remote access by:

• ensuring secure remote access and monitoring

• protected file distribution to machines

• safe data transfer from plants to corporate data center for analysis and risk management.

The Honeywell Forge Cybersecurity Suite unifies and automates the policy management

process via the creation, deployment, and enforcement of plant-wide and granular security

policies. Using the Honeywell Forge Cybersecurity Suite’s security policy management,

operations and control teams can significantly improve OT security and compliance.

The Honeywell Forge Cybersecurity Suite infrastructure is designed for multisite,

multivendor deployment, with all sites connected to the security and operations center via a

secure tunnel. This distributed architecture guarantees data security and integrity.

Key features include:

• Secure remote access

• Secure file transfer

• Automated patch and anti-virus updates

• Asset discovery

• Performance/health monitoring

• Hardening reporting



• Compliance reporting

The Honeywell Forge Cybersecurity Suite architecture comprises three main software

components, as shown in Figure 1:

Security Center (SC)

The security and operations center installed at the organizational data center.

Virtual Security Engines (VSEs)

Virtual Security Engines are components installed at remote sites for monitoring assets and

for providing other services essential for security and operations.

Communication Server (CS)

The Communication Server provides secure communication between the SC and VSEs.

Figure 1 Honeywell Forge Cybersecurity Suite basic architecture

In a typical deployment, one or more VSEs are installed at remote sites to monitor assets.

Each VSE collects and analyzes data from assets and sends it to the SC, which further analyzes

and stores the data. In addition, the SC allows its operators to perform monitoring, remote

activity management, software distribution, and troubleshooting functions.

NEW FEATURES AND PURPOSE OF THIS RELEASE

The purpose of this release is to expand on the remote access only capabilities of the 2003

(Mar 2020) release. This 2006 (Jun 2020) release adds monitoring of ICS assets for

cybersecurity risks and discovery capabilities.



2.1 New and Enhanced features in Honeywell Forge Cybersecurity Suite 2006 (Jun 2020)

Remote Access Gateway Secure Database Communication

As part of the ongoing effort to increase security and as an enhancement to the Regional

Remote Access feature, the Remote Access Gateway can now securely connect to the Security

Center database.

Part of Enterprise Core and Enterprise Premium Offerings.

Hardening Compliance

This is a new component that provides a report on Assets with complied and not complied

settings per checked rule. The Center for Internet Security serves as the base for hardening

compliance checks.

Part of Enterprise Premium Offering.

Active Asset Discovery Service

In addition to the already existing Active Asset Discovery Product Line, which the VSE runs on

schedule; the Active Asset Discovery Service is set to actively discover Assets in network

segments that the VSE is not allowed or cannot access. The discover functionality is identical

between the Windows Service and the VSE Product Line. Do note that monitoring assets is

still available only for Assets created by the Active Discovery Product Line.

Part of Site, Enterprise Core, and Enterprise Premium Offerings.

Cisco Network Devices

Now also identifies firewall equipment based on OID and correctly identifies license change

and firewall rules without a timestamp.


VSE Utilities, Enhanced SYSLOG Forwarding

Now allows and manages multiple simultaneously running instances. Added parameters for

modifying file retention duration.

Part of Enterprise Core and Enterprise Premium Offerings.

Windows Supplemental

Group Policy Objects reports now identifies PowerShell3 and above, domain controller

properties and account status, miscellaneous operating system information, and support for

secure (HTTPS) connection.



Removing Extended ASCII characters that the WMI service returns, when occur in large

quantities, can cause storage size inflation and in extreme scenarios, the VSE stops collecting

new information.


Virtualization

Added support for vCenter 6.7, for PowerCLI 11.3.0.13990089, for standalone ESXi servers

(no vCenter required).


RELEASE MEDIA CONTENTS


3. Release Media Contents

The Honeywell Forge Cybersecurity Suite is distributed via Honeywell’s secure Electronic

Software Download, providing an ISO file for each of the following media kits.

1. Cybersecurity Software 2003 Site

(CS-HFCP-SITE-200-51156882)

a. Updated! Please use the package from §3 below – Virtual Security Engine New

Installation ER7.1.23 (Engineering Release)

b. Updated! Please use the package from §3 below – Virtual Security Engine Upgrade

ER7.1.23 (only from VSE ER4.9.32 and ER4.9.52)

c. Virtual Security Proxy New Installation ER1.1.4

d. Hash value (SHA-256):

AADBAA55E3E8E2A1A1819CF64F6932F7A77815FF24D0CCF82C5B72953AB263B6

2. Cybersecurity Software 2003 Center

(CS-HFCP-CNTR-200-51156880)

a. Application Server New Installation ER6.2.8

b. Application Server Upgrade ER7.0.2

c. Application Server Upgrade ER7.0.3

d. Communication Server New Installation ER6.0.13

e. Updated! Please use the package from §3 below – Remote Access Gateway New

Installation ER6.2.5

f. Remote Access Bridge New Installation ER4.9.18

g. Session Recording New Installation ER6.0.4

h. Hash value (SHA-256):

E682AEB05A1D10FAE792289AE78527ACE6FAF0D82F3172C1FDD0E86251EA74D7

3. Cybersecurity Software 2006 RAG and VSE Installation Package Update

Please download the updated software using this link.

a. Virtual Security Engine New Installation ER7.1.23 (Installation execution file change

only)

b. Virtual Security Engine Upgrade ER7.1.23 (only from VSE ER4.9.32 and ER4.9.52)

(Installation/upgrade execution file change only)

c. Remote Access Gateway New Installation ER6.2.8

d. Hash value (SHA-256):

5E9CBFB496D92D00549C42B5F60310115DDA6F6CFE125B75349628F362DD240C

https://honeywellprocess.blob.core.windows.net/public/Support/Customer/HFCS2006-VSE-RAG.zip



4. Cybersecurity Software 2006 Documentation Set

(CS-HFCP-PDFC-200- 51156911)

Please do remember to also check honeywellprocess.com for the most recent document

versions.

a. Start with “DocList.pdf” User guides in searchable indexed set

b. Hash value (SHA-256):

3F03C135DA6A9F1C52E174E6192D3F2E13C6E020B953BD2AE7665D039F74A7F8

5. Cybersecurity Software 2006 Optional Components

(CS-HFCP-OPTS-200- 51156912)

a. Reports New Installation ER7.0.2

b. Active Discovery Product Line ER4.1.14

c. Active Asset Discovery Service ER4.2.0

d. Hardening Compliance ER1.2.1

e. Passive Asset Discovery Service ER4.1.0

f. Performance Analyzer for Enterprise Premium Offering

i. Remote Services Self-Monitoring ER4.6.1

ii. Acronis Backup and Restore ER1.2.0

iii. Availability Only ER1.0

iv. Automated Data Export ER2.0

v. Carbon Black ER1.0.0

vi. Cisco Network Devices ER2.6.1

vii. Control Firewall ER1.1.0

viii. Controllers ER1.14.0

ix. Controllers – TDC ER1.8.0

x. Domain Controller ER1.1.0

xi. Experion – TPS ER1.6.0

xii. File Scout ER1.0.0

xiii. McAfee MOVE ER1.9.0

xiv. PHD ER1.3.0

xv. Safety Manager ER1.0.0

xvi. Server-Station ER2.8.0

xvii. Splunk Reverse Tunnel ER1.1.0

xviii. VSE Automated Data Export ER1.5.0

xix. VSE Supplemental ER1.5.0

xx. VSE Utilities ER3.2.1

xxi. Virtualization ER1.4.1




xxii. Windows Supplemental ER2.18.1

xxiii. Windows Server Update Services ER3.5.10

g. Risk Monitoring for Site Offering

i. Acronis Backup and Restore ER1.2.0

ii. Carbon Black ER1.0.0

iii. Cisco Network Devices ER2.6.1

iv. Controllers ER1.14.0

v. McAfee MOVE AV ER1.9.0

vi. Virtualization ER1.4.1

vii. Windows Supplemental ER2.18.1

h. Hash value (SHA-256):

CB2E6D4489470D5FE170A10A0ED2F161B4A4FB5006266D223153EF7EFE460C43

6. Cybersecurity Software 2003 Installation Prerequisites

(CS-HFCP-PREQ-200-51156881)

Applicable only for a new installations.

a. Active Discovery

i. WinPcap 4.1.3

b. Couchbase

i. Community Server 5.0.1

ii. NPD 4.7.1

iii. ODP.NET for Oracle 12c

iv. URL Rewrite 2

c. Crystal Reports

i. Runtime (32-bit) 13.0.1

d. Oracle

i. Client (32-bit) 12.2

ii. Server (64-bit) 12.2

e. Product Lines Supporting Utilities

i. Experion PKS Server Client-Side Components

ii. NAPICMD

f. Visual C++ Redistributable

g. Hash value (SHA-256):

C60FE071460DE76B1FEC11C01172EEBC5D70ACC740462FC85BBC1096EC94882C



3.1 User documentation book set

The following list identifies publications released with the Honeywell Forge Cybersecurity

Suite 2006 (Jun 2020)

These are provided on the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) Document

Set media and may also be downloaded from https://www.honeywellprocess.com support

website. Additional guides and updates to the guides will be periodically uploaded to the

support website, as they are available.

NOTE

The documentation set of Honeywell Forge Cybersecurity Suite’s Site Offering is

comprised of several functional “pieces” which together cover all functionality.

Some of these pieces are also used in other Honeywell Forge Cybersecurity Suite

offerings, such as the Enterprise Premium Offering. Therefore, it may be

necessary to check more than one document for complete instructions on

installing, configuring, and using the Site Offering. Generally, the Honeywell

Forge Cybersecurity Suite Site Offering documents focus on the Virtual Security

Engine, and the Performance Analyzer documents apply to the data collection

aspects. There are separate documents for Asset Discovery, and Risk Monitoring

Administration.

Installing the Site Offering makes use of the following documents:

Honeywell Forge Cybersecurity Suite 2006 Software Change Notice (this

document)

VSE Installation Guide to install the VSE product

Performance Analyzer Installation and Configuration Guide

Configuring the Site Offering makes use of the following documents:

VSE Administrator Guide

VSE User Guide

Active Asset Discovery Product Line User Guide

Active Asset Discovery Service User Guide, if applicable

Passive Asset Discovery Service User Guide, if applicable

Risk Monitoring Administration Guide

Table 1 Documentation set




Document Name Document Number

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020)– Software

Change Notice (this document) CS-HFCPE100en-2006A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Security

Center Getting Started Guide CS-HFCPE400en-2003A


Center Administrator Guide CS-HFCPE700en-2003A


Center DB-API Reference Guide CS-HFCPE800en-2003A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE User

Guide CS-HFCPE601en-2003A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE

Installation Guide CS-HFCPE501en-2003A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE

Administrator Guide CS-HFCPE609en-2003A

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – VSE

Utilities User Guide (Service) CS-HFCPE607en-2003A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Active

Asset Discovery User Guide (Product Line) CS-HFCPE602en-2003A

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Active

Asset Discovery User Guide (Service) CS-HFCPE611en-2003A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Passive

Asset Discovery User Guide (Service) CS-HFCPE603en-2003A

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) –

Communication Server Installation Guide CS-HFCPE503en-2003A


Performance Analyzers Installation and Configuration Guide CS-HFCPE505en-2006A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Remote

Access Bridge Installation Guide CS-HFCPE502en-2003A

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Remote

Access Gateway Installation Guide CS-HFCPE504en-2006A

Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Risk CS-HFCPE702en-2003A



Document Name Document Number

Monitoring Administration Guide


Hardening Compliance User Guide CS-HFCPE611en-2006A

3.2 Forward and backwards compatibility

This Honeywell Forge Cybersecurity Suite release, and future releases, normally will be

backward compatible with all officially released and supported options. Please see the

separate PA SCN document for specific compatibility clauses.

With Enterprise Core or Premium installed, every end user must install the new Remote

Access utility, Secure Connect, on a desktop or laptop. The Secure Connect utility can be

downloaded directly from the Security Center’s Resources area.

Operating Systems and software versions that are not explicitly listed are not supported.

Please note that in some cases, a Honeywell Forge Cybersecurity Suite component upgrade

also requires an upgrade to the Operating System. For example, upgrade to the database may

need an upgrade to an Oracle-supported Operating System.



Table 2 Installation, upgrade, and update matrix

From product and version To product and version

New installation – SC and DB

Honeywell Forge Cybersecurity Suite

1909/1911 (Nov 2019) – SC and DB

Honeywell Forge Cybersecurity Suite 2003

(Mar 2020) – SC and DB


(Mar 2020)– Prerequisites


(Nov 2019) – SC and DB


(Mar 2020)– SC and DB

New installation – CS Honeywell Forge Cybersecurity Suite 1911

(Nov 2019) – CS

ICS Shield R500.1, R501.1 – CS Honeywell Forge Cybersecurity Suite

1909/1911 (Nov 2019) – CS


(Nov 2019) – CS


(Nov 2019) – CS


(Nov 2019) – CS Not needed

New installation – RAB ICS Shield R501.1

ICS Shield R500.1 – RAB ICS Shield R501.1

ICS Shield R501.1 – RAB Not needed

New installation – RAG Honeywell Forge Cybersecurity Suite 2003

(Mar 2020)

ICS Shield R500.1, R501.1, R510.2 Honeywell Forge Cybersecurity Suite 2003

(Mar 2020)


(Mar 2003) – RAG Not needed

New installation – Session Recording Honeywell Forge Cybersecurity Suite 1911

(Nov 2019) – Session Recording

ICS Shield 500.1, R501.x – Session Recording Honeywell Forge Cybersecurity Suite 1911










(Nov 2019) – Session Recording Not needed

New installation – Hyper Tunnel Honeywell Forge Cybersecurity Suite

1909/1911 (Nov 2019) – Hyper Tunnel

ICS Shield R500.1, R501.x – Hyper Tunnel Honeywell Forge Cybersecurity Suite

1909/1911 (Nov 2019) – Hyper Tunnel

ICS Shield R510.x, Honeywell Forge

Cybersecurity Suite 1909 (Nov 2003) –

Hyper Tunnel

Not needed

Secure Connect Not needed as it is included in and managed

by the SC distribution

VNC Player Not needed as it is included in and managed

by the SC distribution

New installation – VSE


(Mar 2020)– VSE


(Mar 2020)– Prerequisites

ICS Shield R500.1 – VSE Honeywell Forge Cybersecurity Suite 2003

(Mar 2020)– VSE

ICS Shield R501.1 – VSE




(Mar 2020)– VSE

ICS Shield R510.2 – VSE Honeywell Forge Cybersecurity Suite 2003

(Mar 2020)– VSE


(Nov 2019) – VSE Not supported


(Nov 2019) – VSE


(Mar 2020)– VSE




New installation – VSP ICS Shield R510.1

ICS Shield R500.1, R501.1 – VSP ICS Shield R510.1

ICS Shield R510.1 – VSP Not needed

New installation – Passive Discovery SRV Honeywell Forge Cybersecurity Suite 2003

(Mar 2020) – Passive Discovery SRV

New installation – Active Discovery SRV Honeywell Forge Cybersecurity Suite 2006

(Jun 2020) – Active Discovery SRV

New installation – Active Discovery PL Honeywell Forge Cybersecurity Suite 2003

(Mar 2020) – Active Discovery PL

ICS Shield R500.1, R501.1 – Active Discovery

PL



ICS Shield R510.1, R510.2 – Active Discovery

PL



ICS Shield R510.3+ – Active Discovery PL Honeywell Forge Cybersecurity Suite 2003


New installation – Reports Honeywell Forge Cybersecurity Suite 2003

(Mar 2020) – Reports

New installation – Options(*)


(Mar 2020) – Options(*)


(Mar 2020) – Prerequisites

ICS Shield R510.3 Honeywell Forge Cybersecurity Suite 2003



(Nov 2019) – Options(*)



New installation – Hardening Compliance Honeywell Forge Cybersecurity Suite 2006

(Jun 2020) – Hardening Compliance

(*) Options are backward-compatible, except stated otherwise, and their update/upgrade is

performed through the Security Center’s user interface.



Table 3 Supported Product Lines list

Product Line name and version

Remote Services Self-Monitoring 4.6.1

Acronis Backup and Restore 1.2.0

Availability Only 1.0

Automated Data Export 2.0

Carbon Black 1.0.0

Cisco Network Devices 2.6.1

Control Firewall 1.1.0

Controllers 1.14.0

Controllers – TDC 1.8.0

Domain Controller 1.1.0

Experion – TPS 1.6.0

File Scout 1.0.0

McAfee MOVE 1.9.0

PHD 1.3.0

Safety Manager 1.0.0

Server-Station 2.8.0

Splunk Reverse Tunnel 1.1.0

VSE Automated Data Export 1.5.0

VSE Supplemental 1.5.0

VSE Utilities 3.2.1

Virtualization 1.4.1

Windows Supplemental 2.18.1

WSUS 3.5.10



3.3 New installations and upgrades

Installations and upgrades to the Center are performed by trained and experienced

Honeywell personnel.

Installations, upgrades, and updates to the Site can be performed by trained customer

personnel as well as trained Honeywell personnel.

NOTE

Prior upgrading a VSE that is already using Active Asset Discovery – do contact a

Honeywell Representative as there may exist specific upgrade requirements and

processes.

Contact the Honeywell Global Technical Assistance Center or your Honeywell Representative

to prepare for and discuss the installation or upgrade of the Honeywell Forge Cybersecurity

Suite 2006 (Jun 2020) software.

SPECIAL CONSIDERATIONS


4. Special Considerations

4.1 Known to exist in this version

The following system issues are known to exist for this version of the Honeywell Forge Cybersecurity

Suite. If available, a workaround is also provided.

Contact your relevant Honeywell Global Technical Assistance Center for more information.

• We added here only the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020). Please also refer

to Honeywell Forge Cybersecurity Suite2003 (Mar 2020) SCN for more known items.

• Experion security logs events collection does not work for nodes in a workgroup.

• Acronis backup information not collected for offline devices.

• Automatic installation of PowerShell and PowerCLI fails on VSE version BigDipper (ER4.8).

Please upgrade to HFCS 2003 VSE ER7.1.23.

4.2 Fixed from previous versions

• The RAG now successfully securely connects to the SC database.

Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) and ICS Shield R510.4.

• Collected data now show a complete list of compliance properties.

Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020).

• Guest accounts, also with non-default name, now correctly identified on domain controllers.

Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020).

SOFTWARE AND HARDWARE SPECIFICATIONS


5. Software and Hardware Specifications

This chapter provides information about the software and hardware specifications for the

Honeywell Forge Cybersecurity Suite 2006 (Jun 2020).

Governing guidelines for Honeywell for determining software recommendations

Google Chrome Enterprise

Mozilla Firefox

Microsoft Edge Spartan (2014-2019) – not supported

Microsoft Edge Anaheim (2020-later) – not yet supported

Windows 10 Professional and version 1903

Windows Server 2016 Standard and version 1607

Windows Server 2019 Standard and version 1809

Microsoft is moving to a “Modern Lifecycle Policy” that affects deployments in the cloud, and

to some extent, also on-premise deployments.

5.1 Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) guest minimal and recommended sizing

If the Customer plans to only use the Remote Access functionality of the Honeywell Forge

Cybersecurity Suite, such as in the Enterprise Core offering, then the minimal size is enough.

Otherwise, such as for Enterprise Premium and Site offerings, please use the recommended

size.

Table 4 Minimal and recommended hardware

Component Name VM Host Ordinal Number

Guest OS and Requirements

OS Additions

Client machines

(laptops, desktops)

N/A Any officially Microsoft

supported Windows 64-

bit OS

Implementation

dependent and like

Terminal Server

https://support.google.com/chrome/a/answer/7679408

https://wiki.mozilla.org/Release_Management/Calendar

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel

https://docs.microsoft.com/en-us/windows/release-information/

https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%20Server%20Standard%202016

https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%20Server%20Standard%202019

https://support.microsoft.com/en-us/help/30881/modern-lifecycle-policy





OS Additions

Terminal Server VM Host #1 Upgrade:

• Windows Server 2016 Standard

New:



CPUs:

• 8 cores (min1)

• 16 cores (rec2)

Memory:

• 32 GB (min)

• 64 GB (rec)

Storage:

• 100 GB (OS)

• 200 GB (data, different than CS)

Internet Explorer 11

(for PL Distribution

only)

At least one of:

• Firefox 76 and later

• Chrome 83 and later

1 min – minimum 2 rec – recommended





OS Additions

Application Server

Remote Access

Gateway

VM Host #1 Upgrade:


New:



CPUs:

• 8 cores (min)

• 16 cores (rec)

Memory:

• 16 GB (min)

• 32 GB (rec)

Storage:

• 150 GB (OS)

• 1 TB (data, on a different physical disk from CS)

IIS

Crystal Reports

runtime 2011, 32-bit

ActivePerl 5.28, 64-

bit (optional)

Oracle 12.2.0.1

Client, 32-bit





OS Additions

Database Server VM Host #2 Upgrade:


New:



CPUs:

• 8 cores (min)

• 16 cores (rec)

Memory:

• 32 GB (min)

• 64 GB (rec)

Storage:

• 150 GB (OS)

• 50 GB (logging)

• 1 TB (min, data)

• 2 TB (data, on a different physical disk from VSEs)

Oracle 12.2.0.1

Server, 64-bit





OS Additions

Communication

Server

Remote Access

Bridge

VM Host #1 Upgrade:


New:



CPUs:

• 4 cores (min)

• 8 cores (rec)

Memory:

• 8 GB (min)

• 16 GB (rec)

Storage:

• 100 GB (OS)

• 200 GB (min, CS data only)

• 500 GB (CS data only on a different physical disk than TS and SC)

N/A





OS Additions

Support VSE (Virtual

Security Engine, used

by Honeywell GTAC)

VM Host #2 Upgrade:


New:



CPUs:

• 4 cores (min)

• 8 cores (rec)

Memory:

• 8 GB (min)

• 16 GB (rec)

Storage:

• 100 GB (OS)

• 200 GB (data, on a different physical disk than DB)

N/A





OS Additions

Center VSE (Virtual

Security Engine,

located next to the

Security Center)

VM Host #2 Upgrade:


New:



CPUs:

• 4 cores (min)

• 8 cores (rec)

Memory:

• 8 GB (min)

• 16 GB (rec)

Storage:

• 100 GB (OS)

• 500 GB (data, on a different physical disk than DB)

N/A

Reports Center

Hardening

Compliance

VM Host #3 New:



CPUs: • 8 cores (min)

• 16 cores (rec)

Memory: • 8 GB (min)

• 32 GB (rec)

Storage: • 100 GB (OS)

• 1TB (OS)

N/A





OS Additions

Regional Remote

Access – Remote

Access Gateway

VM Host #4 Upgrade:


New:



CPUs:

• 4 cores (min)

• 16 cores (rec)

Memory:

• 8 GB (min)

• 32 GB (rec)

Storage:

• 100 GB (OS)

• 500 GB (data)

N/A





OS Additions

Regional Remote

Access – Remote

Access Bridge

VM Host #4 Upgrade:


New:



CPUs:

• 4 cores (min)

• 16 cores (rec)

Memory:

• 8 GB (min)

• 32 GB (rec)

Storage:

• 100 GB (OS)

• 500 GB (data, optional)

N/A

Site VSE (Virtual

Security Engine that

supports up to 1000

remote access only

assets

OR

300 full monitoring

assets

OR

100 full risk

monitoring assets)

VM Host #5 See §5.2 below N/A





OS Additions

VSP (Virtual Security

Proxy)

VM Host #??? Upgrade:


New:



CPUs:

• 4 cores (min)

• 8 cores (rec)

Memory:

• 8 GB (min)

• 16 GB (rec)

Storage:

• 100 GB (OS)

N/A

5.2 VSE Sizing Guidelines

Deployment Type OS CPUs RAM Storage

Existing Risk

Management

customers upgrading

to Site

• Windows 10 Professional 1903 and later


4 CPUs (min)

8 CPUs (rec)

8 GB (min)

16 GB (rec)

100 GB (OS)

200 GB

(data)

Existing ICS Shield or

Cybersecurity Suite

customers that

upgrade and keep

current deployment



2 CPUs (min)

4 CPUs (rec)

4 GB (min)

8 GB (rec)

100 GB (OS)

200 GB

(data)



Deployment Type OS CPUs RAM Storage

Existing ICS Shield or

Cybersecurity Suite

customers that

upgrade and upgrade

to Enterprise

Premium



4 CPUs (min)

8 CPUs (rec)

8 GB (min)

16 GB (rec)

100 GB (OS)

200 GB

(data)

New customers

installing Site

• Windows Server 2016 Standard and later

4 CPUs (min)

8 CPUs (rec)

8 GB (min)

16 GB (rec)

100 GB (OS)

200 GB

(data)

New customers

installing Enterprise

Core


2 CPUs (min)

4 CPUs (rec)

4 GB (min)

8 GB (rec)

100 GB (OS)

200 GB

(data)

New customers

installing Enterprise

Premium


4 CPUs (min)

8 CPUs (rec)

8 GB (min)

16 GB (rec)

100 GB (OS)

200 GB

(data)

New customers

installing High

Volume Enterprise

Premium


8 CPUs (min)

16 CPUs (rec)

16 GB (min)

32 GB (rec)

100 GB (OS)

200 GB

(data)

5.3 Virtualization host recommended sizing

Table 5 Minimal and recommended hardware for virtualization



Component Name ICS Shield Components Sizing Hardware Models

VM Host #1

(Application

Server)

Base:

• Application Server with Remote Access Gateway

• Communication Server with Remote Access Bridge

• Support VSE

Optional:

• Terminal Server

• Streaming Services

2x10 CPUs

8x16GB RAM

8x600GB RAID10

4 Gbit NICs

MZ-PCVM19

VM Host #2

(Database Server)

Base:

• Database server

Optional:

• Center VSE

2x10 CPUs

8x16GB RAM

8x600GB RAID10

4 Gbit NICs

MZ-PCVM19

VM Host #3

(Reports)

Base

• Reports

• Hardening Compliance

2x10 CPUs

8x16GB RAM

8x600GB RAID10

4 Gbit NICs

MZ-PCVM19

VM Host #4

(Regional Hub)

Base

• Remote Access Gateway

• Remote Access Bridge

2x10 CPUs

8x16GB RAM

8x600GB RAID10

4 Gbit NICs

MZ-PCVM19

VM Host #5..n

(per Remote Site)

Base:

• VSE (up to 1000 remote access only assets OR 300 full monitoring assets OR 100 full risk monitoring assets)

Optional:

• Additional VSEs, to support more assets.

• McAfee ePO Server or Symantec SEPM Server

• Microsoft SUS Server

10 CPUs

4x8GB RAM

2x600GB 15K

2x1.2TB RAID1

1Gbit NIC

MZ-PCVMM4



Component Name ICS Shield Components Sizing Hardware Models

VM Host #5..n

(per Remote Site)

Base:

• VSP

4 CPUs

2x8GB RAM

4x300GB RAID5

2 Gbit NICs

MZ-PCSV67

VM Host #6..n

(per area in a

Remote Site)

Base:

• Passive Asset Discovery Service

And/Or • Active Asset Discovery

Service

4 CPUs

2x8GB RAM

2x1TB RAID1

2 Gbit NICs

MZ-PCSV66

Optional:

NE-NICS04

MZ-PCVC42

CS-HFCSE100en-2006A

© 2020 Honeywell International Sàrl

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX

77042

Honeywell House, Skimped Hill Lane

Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-

Tech Park,

Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com

Honeywell Connected Enterprise

715 Peachtree Street NE Atlanta, GA 30308

www.honeywell.com

http://www.honeywellprocess.com/

http://www.honeywell.com/

cybersecurity software 2006 (jun 2020) software change notice · 1 day ago · about this software...

Documents