HONEYWELL FORGE CYBERSECURITY SUITE
2006 (JUN 2020), R201
Cybersecurity Software 2006 (Jun 2020)
Software Change Notice
CS-HFCSE100en-2006A
June 2020
DocID (CS-HFCSE100en-2006A) 2
DISCLAIMER
This document contains Honeywell proprietary information. Information contained
herein is to be used solely for the purpose submitted, and no part of this document
or its contents shall be reproduced, published, or disclosed to a third party without
the express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to change
without notice.
Copyright 2020- Honeywell International Sàrl
Table of contents
ABOUT THIS SOFTWARE CHANGE NOTICE
Revision history
Intended audience
Technical assistance
1. SECURITY CONSIDERATIONS
2. PRODUCT AND RELEASE OVERVIEW
2.1 New and Enhanced features in Honeywell Forge Cybersecurity Suite 2006 (Jun 2020)
3. RELEASE MEDIA CONTENTS
3.1 User documentation book set
3.2 Forward and backwards compatibility
3.3 New installations and upgrades
4. SPECIAL CONSIDERATIONS
4.1 Known to exist in this version
4.2 Fixed from previous versions
5. SOFTWARE AND HARDWARE SPECIFICATIONS
5.1 Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) guest minimal and recommended sizing
5.2 VSE Sizing Guidelines
5.3 Virtualization host recommended sizing
List of Figures
FIGURE 1 HONEYWELL FORGE CYBERSECURITY SUITE BASIC ARCHITECTURE
TABLE 1 DOCUMENTATION SET
TABLE 2 INSTALLATION, UPGRADE, AND UPDATE MATRIX
TABLE 3 SUPPORTED PRODUCT LINES LIST
TABLE 4 MINIMAL AND RECOMMENDED HARDWARE
TABLE 5 MINIMAL AND RECOMMENDED HARDWARE FOR VIRTUALIZATION
About this Software Change Notice
Welcome to the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) release.
This Software Change Notice (SCN) continues the software consolidation to a single family of
products under the Honeywell Forge family name.
A summary of supported features, functionality, and infrastructure is given later in this
document. The user documentation describes them in more detail, along with the detailed
requirements and constraints that affect successful deployment and operation of the
Honeywell Forge Cybersecurity Suite.
NOTE
Before installing and deploying the Honeywell Forge Cybersecurity Suite, check the
Honeywell support website for the latest updates to this SCN. If you are a new user, you
will need to register at the following link: http://www.honeywellprocess.com
While the most up-to-date information is provided at release-time, before installing, you are
strongly advised to check Honeywell’s support website for updates to this Software Change
Notice. Other related information and updates are also available at this site, such as: software
update patches, current user documentation, and compatibility updates.
Use the following steps to access the latest information about the Honeywell Forge
Cybersecurity Suite 2006 (Jun 2020) and other Honeywell Cybersecurity Products:
• Go to https://www.honeywellprocess.com.
• Log in with username and password or register for a new account.
• Click Support.
• Follow on-screen instructions to access appropriate support information.
• If you are unable to access the online support system, contact the Honeywell Technical
Assistance Center to obtain SCN and user guide updates.
NOTE
• Read this entire SCN before installing and deploying the Honeywell
Forge Cybersecurity Suite.
• While this document contains information for all users of the
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020), it is highly
recommended that each operator and engineer using this release, as
well as Honeywell field engineers, be provided with a copy of this SCN
and become familiar with its content.
Revision history
Revision | Supported Release | Date | Description
A | 2006 (Jun 2020) | June 2020 | Adding: Hardening Report, Active Discovery Service, Remote Access Gateway secure communication to database, Performance Analyzer defect fixes and improvements,
Intended audience
This guide is primarily intended for Honeywell and customer personnel who install,
configure, and use the product.
Technical assistance
For support, contact your local Honeywell Global Technical Assistance Center (GTAC). To find
your relevant GTAC, visit the website:
https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx
1. Security Considerations
Security recommendations and best practices are outlined at the beginning of every
Honeywell Forge Cybersecurity Suite user guide. Be sure to familiarize yourself with them
and act to protect your plant.
CAUTION
Some Honeywell Forge Cybersecurity Suite components are mission critical.
Take all necessary physical measures to prevent attacks or disasters.
Carefully review recommended security practices for each component and each
aspect of physical and software security and take necessary actions to protect
your assets.
2. Product and Release Overview
Honeywell Forge Cybersecurity Suite is an Operational Technology (OT) security
management platform for securing Industrial Control Systems (ICS)/SCADA environments.
The Honeywell Forge Cybersecurity Suite enables organizations to integrate OT and IT
infrastructures and operations while minimizing security vulnerabilities. This is done by
monitoring remote field assets from a single security and operations center. This technology
automates the monitoring and verification of plant-wide security essential deployment and
enforcement activities.
The Honeywell Forge Cybersecurity Suite identifies precisely what is in the OT environment
to achieve an accurate inventory of the organization’s ICS assets that includes hardware,
software and service configurations.
To maintain high levels of security and uptime, first- and third-party personnel and machines
require secure remote access to field assets. The Honeywell Forge Cybersecurity Suite
provides extremely granular and robust AAA (Authentication, Authorization and Accounting)
remote access by:
• ensuring secure remote access and monitoring
• protecting file distribution to machines
• safely transferring data from plants to the corporate data center for analysis and risk management.
The Honeywell Forge Cybersecurity Suite unifies and automates the policy management
process via the creation, deployment, and enforcement of plant-wide and granular security
policies. Using the Honeywell Forge Cybersecurity Suite’s security policy management,
operations and control teams can significantly improve OT security and compliance.
The Honeywell Forge Cybersecurity Suite infrastructure is designed for multisite,
multivendor deployment, with all sites connected to the security and operations center via a
secure tunnel. This distributed architecture guarantees data security and integrity.
Key features include:
• Secure remote access
• Secure file transfer
• Automated patch and anti-virus updates
• Asset discovery
• Performance/health monitoring
• Hardening reporting
• Compliance reporting
The Honeywell Forge Cybersecurity Suite architecture comprises three main software
components, as shown in Figure 1:
Security Center (SC)
The security and operations center installed at the organizational data center.
Virtual Security Engines (VSEs)
Virtual Security Engines are components installed at remote sites for monitoring assets and
for providing other services essential for security and operations.
Communication Server (CS)
The Communication Server provides secure communication between the SC and VSEs.
Figure 1 Honeywell Forge Cybersecurity Suite basic architecture
In a typical deployment, one or more VSEs are installed at remote sites to monitor assets.
Each VSE collects and analyzes data from assets and sends it to the SC, which further analyzes
and stores the data. In addition, the SC allows its operators to perform monitoring, remote
activity management, software distribution, and troubleshooting functions.
NEW FEATURES AND PURPOSE OF THIS RELEASE
The purpose of this release is to expand on the remote-access-only capabilities of the 2003
(Mar 2020) release. This 2006 (Jun 2020) release adds monitoring of ICS assets for
cybersecurity risks and discovery capabilities.
2.1 New and Enhanced features in Honeywell Forge Cybersecurity Suite 2006 (Jun 2020)
Remote Access Gateway Secure Database Communication
As part of the ongoing effort to increase security and as an enhancement to the Regional
Remote Access feature, the Remote Access Gateway can now securely connect to the Security
Center database.
Part of Enterprise Core and Enterprise Premium Offerings.
Hardening Compliance
This is a new component that reports, per checked rule, which settings on each Asset are
compliant and which are not. The Center for Internet Security serves as the basis for
hardening compliance checks.
Part of Enterprise Premium Offering.
Active Asset Discovery Service
In addition to the existing Active Asset Discovery Product Line, which the VSE runs on a
schedule, the Active Asset Discovery Service actively discovers Assets in network
segments that the VSE is not allowed to access or cannot access. The discovery functionality
is identical between the Windows Service and the VSE Product Line. Note that monitoring
assets is still available only for Assets created by the Active Discovery Product Line.
Part of Site, Enterprise Core, and Enterprise Premium Offerings.
Cisco Network Devices
Now also identifies firewall equipment based on OID and correctly identifies license change
and firewall rules without a timestamp.
Part of Site, Enterprise Core, and Enterprise Premium Offerings.
VSE Utilities, Enhanced SYSLOG Forwarding
Now allows and manages multiple simultaneously running instances. Added parameters for
modifying file retention duration.
Part of Enterprise Core and Enterprise Premium Offerings.
Windows Supplemental
Group Policy Objects reports now identify PowerShell 3 and above, domain controller
properties and account status, and miscellaneous operating system information. Support for
secure (HTTPS) connection has been added.
Extended ASCII characters that the WMI service returns are now removed. When they occur in
large quantities, these characters can cause storage size inflation and, in extreme scenarios,
cause the VSE to stop collecting new information.
Part of Site, Enterprise Core, and Enterprise Premium Offerings.
Virtualization
Added support for vCenter 6.7, PowerCLI 11.3.0.13990089, and standalone ESXi servers
(no vCenter required).
Part of Site, Enterprise Core, and Enterprise Premium Offerings.
3. Release Media Contents
The Honeywell Forge Cybersecurity Suite is distributed via Honeywell’s secure Electronic
Software Download, providing an ISO file for each of the following media kits.
1. Cybersecurity Software 2003 Site
(CS-HFCP-SITE-200-51156882)
a. Updated! Please use the package from §3 below – Virtual Security Engine New
Installation ER7.1.23 (Engineering Release)
b. Updated! Please use the package from §3 below – Virtual Security Engine Upgrade
ER7.1.23 (only from VSE ER4.9.32 and ER4.9.52)
c. Virtual Security Proxy New Installation ER1.1.4
d. Hash value (SHA-256):
AADBAA55E3E8E2A1A1819CF64F6932F7A77815FF24D0CCF82C5B72953AB263B6
2. Cybersecurity Software 2003 Center
(CS-HFCP-CNTR-200-51156880)
a. Application Server New Installation ER6.2.8
b. Application Server Upgrade ER7.0.2
c. Application Server Upgrade ER7.0.3
d. Communication Server New Installation ER6.0.13
e. Updated! Please use the package from §3 below – Remote Access Gateway New
Installation ER6.2.5
f. Remote Access Bridge New Installation ER4.9.18
g. Session Recording New Installation ER6.0.4
h. Hash value (SHA-256):
E682AEB05A1D10FAE792289AE78527ACE6FAF0D82F3172C1FDD0E86251EA74D7
3. Cybersecurity Software 2006 RAG and VSE Installation Package Update
Please download the updated software using this link.
a. Virtual Security Engine New Installation ER7.1.23 (Installation execution file change
only)
b. Virtual Security Engine Upgrade ER7.1.23 (only from VSE ER4.9.32 and ER4.9.52)
(Installation/upgrade execution file change only)
c. Remote Access Gateway New Installation ER6.2.8
d. Hash value (SHA-256):
5E9CBFB496D92D00549C42B5F60310115DDA6F6CFE125B75349628F362DD240C
4. Cybersecurity Software 2006 Documentation Set
(CS-HFCP-PDFC-200-51156911)
Please do remember to also check honeywellprocess.com for the most recent document
versions.
a. Start with “DocList.pdf” User guides in searchable indexed set
b. Hash value (SHA-256):
3F03C135DA6A9F1C52E174E6192D3F2E13C6E020B953BD2AE7665D039F74A7F8
5. Cybersecurity Software 2006 Optional Components
(CS-HFCP-OPTS-200-51156912)
a. Reports New Installation ER7.0.2
b. Active Discovery Product Line ER4.1.14
c. Active Asset Discovery Service ER4.2.0
d. Hardening Compliance ER1.2.1
e. Passive Asset Discovery Service ER4.1.0
f. Performance Analyzer for Enterprise Premium Offering
i. Remote Services Self-Monitoring ER4.6.1
ii. Acronis Backup and Restore ER1.2.0
iii. Availability Only ER1.0
iv. Automated Data Export ER2.0
v. Carbon Black ER1.0.0
vi. Cisco Network Devices ER2.6.1
vii. Control Firewall ER1.1.0
viii. Controllers ER1.14.0
ix. Controllers – TDC ER1.8.0
x. Domain Controller ER1.1.0
xi. Experion – TPS ER1.6.0
xii. File Scout ER1.0.0
xiii. McAfee MOVE ER1.9.0
xiv. PHD ER1.3.0
xv. Safety Manager ER1.0.0
xvi. Server-Station ER2.8.0
xvii. Splunk Reverse Tunnel ER1.1.0
xviii. VSE Automated Data Export ER1.5.0
xix. VSE Supplemental ER1.5.0
xx. VSE Utilities ER3.2.1
xxi. Virtualization ER1.4.1
xxii. Windows Supplemental ER2.18.1
xxiii. Windows Server Update Services ER3.5.10
g. Risk Monitoring for Site Offering
i. Acronis Backup and Restore ER1.2.0
ii. Carbon Black ER1.0.0
iii. Cisco Network Devices ER2.6.1
iv. Controllers ER1.14.0
v. McAfee MOVE AV ER1.9.0
vi. Virtualization ER1.4.1
vii. Windows Supplemental ER2.18.1
h. Hash value (SHA-256):
CB2E6D4489470D5FE170A10A0ED2F161B4A4FB5006266D223153EF7EFE460C43
6. Cybersecurity Software 2003 Installation Prerequisites
(CS-HFCP-PREQ-200-51156881)
Applicable only for new installations.
a. Active Discovery
i. WinPcap 4.1.3
b. Couchbase
i. Community Server 5.0.1
ii. NPD 4.7.1
iii. ODP.NET for Oracle 12c
iv. URL Rewrite 2
c. Crystal Reports
i. Runtime (32-bit) 13.0.1
d. Oracle
i. Client (32-bit) 12.2
ii. Server (64-bit) 12.2
e. Product Lines Supporting Utilities
i. Experion PKS Server Client-Side Components
ii. NAPICMD
f. Visual C++ Redistributable
g. Hash value (SHA-256):
C60FE071460DE76B1FEC11C01172EEBC5D70ACC740462FC85BBC1096EC94882C
3.1 User documentation book set
The following list identifies publications released with the Honeywell Forge Cybersecurity
Suite 2006 (Jun 2020).
These are provided on the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) Document
Set media and may also be downloaded from the https://www.honeywellprocess.com support
website. Additional guides and updates to the guides will be uploaded to the support website
periodically, as they become available.
NOTE
The documentation set of Honeywell Forge Cybersecurity Suite’s Site Offering is
comprised of several functional “pieces” which together cover all functionality.
Some of these pieces are also used in other Honeywell Forge Cybersecurity Suite
offerings, such as the Enterprise Premium Offering. Therefore, it may be
necessary to check more than one document for complete instructions on
installing, configuring, and using the Site Offering. Generally, the Honeywell
Forge Cybersecurity Suite Site Offering documents focus on the Virtual Security
Engine, and the Performance Analyzer documents apply to the data collection
aspects. There are separate documents for Asset Discovery, and Risk Monitoring
Administration.
Installing the Site Offering makes use of the following documents:
• Honeywell Forge Cybersecurity Suite 2006 Software Change Notice (this document)
• VSE Installation Guide to install the VSE product
• Performance Analyzer Installation and Configuration Guide
Configuring the Site Offering makes use of the following documents:
• VSE Administrator Guide
• VSE User Guide
• Active Asset Discovery Product Line User Guide
• Active Asset Discovery Service User Guide, if applicable
• Passive Asset Discovery Service User Guide, if applicable
• Risk Monitoring Administration Guide
Table 1 Documentation set
Document Name | Document Number
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Software Change Notice (this document) | CS-HFCPE100en-2006A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Security Center Getting Started Guide | CS-HFCPE400en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Security Center Administrator Guide | CS-HFCPE700en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Security Center DB-API Reference Guide | CS-HFCPE800en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE User Guide | CS-HFCPE601en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE Installation Guide | CS-HFCPE501en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – VSE Administrator Guide | CS-HFCPE609en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – VSE Utilities User Guide (Service) | CS-HFCPE607en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Active Asset Discovery User Guide (Product Line) | CS-HFCPE602en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Active Asset Discovery User Guide (Service) | CS-HFCPE611en-2003A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Passive Asset Discovery User Guide (Service) | CS-HFCPE603en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Communication Server Installation Guide | CS-HFCPE503en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Performance Analyzers Installation and Configuration Guide | CS-HFCPE505en-2006A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Remote Access Bridge Installation Guide | CS-HFCPE502en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Remote Access Gateway Installation Guide | CS-HFCPE504en-2006A
Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) – Risk Monitoring Administration Guide | CS-HFCPE702en-2003A
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) – Hardening Compliance User Guide | CS-HFCPE611en-2006A
3.2 Forward and backwards compatibility
This Honeywell Forge Cybersecurity Suite release, and future releases, normally will be
backward compatible with all officially released and supported options. Please see the
separate PA SCN document for specific compatibility clauses.
With Enterprise Core or Premium installed, every end user must install the new Remote
Access utility, Secure Connect, on a desktop or laptop. The Secure Connect utility can be
downloaded directly from the Security Center’s Resources area.
Operating Systems and software versions that are not explicitly listed are not supported.
Please note that in some cases, a Honeywell Forge Cybersecurity Suite component upgrade
also requires an upgrade to the Operating System. For example, upgrade to the database may
need an upgrade to an Oracle-supported Operating System.
Table 2 Installation, upgrade, and update matrix
From product and version To product and version
New installation – SC and DB
Honeywell Forge Cybersecurity Suite
1909/1911 (Nov 2019) – SC and DB
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – SC and DB
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– Prerequisites
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – SC and DB
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– SC and DB
New installation – CS Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – CS
ICS Shield R500.1, R501.1 – CS Honeywell Forge Cybersecurity Suite
1909/1911 (Nov 2019) – CS
Honeywell Forge Cybersecurity Suite 1909
(Nov 2019) – CS
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – CS
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – CS Not needed
New installation – RAB ICS Shield R501.1
ICS Shield R500.1 – RAB ICS Shield R501.1
ICS Shield R501.1 – RAB Not needed
New installation – RAG Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)
ICS Shield R500.1, R501.1, R510.2 Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)
Honeywell Forge Cybersecurity Suite 2003
(Mar 2003) – RAG Not needed
New installation – Session Recording Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – Session Recording
ICS Shield 500.1, R501.x – Session Recording Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – Session Recording
Honeywell Forge Cybersecurity Suite 1909
(Nov 2019) – Session Recording
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – Session Recording
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – Session Recording Not needed
New installation – Hyper Tunnel Honeywell Forge Cybersecurity Suite
1909/1911 (Nov 2019) – Hyper Tunnel
ICS Shield R500.1, R501.x – Hyper Tunnel Honeywell Forge Cybersecurity Suite
1909/1911 (Nov 2019) – Hyper Tunnel
ICS Shield R510.x, Honeywell Forge
Cybersecurity Suite 1909 (Nov 2003) –
Hyper Tunnel
Not needed
Secure Connect Not needed as it is included in and managed
by the SC distribution
VNC Player Not needed as it is included in and managed
by the SC distribution
New installation – VSE
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– VSE
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– Prerequisites
ICS Shield R500.1 – VSE Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– VSE
ICS Shield R501.1 – VSE
ICS Shield R510.1 – VSE
ICS Shield R510.2 – VSE
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– VSE
ICS Shield R510.2 – VSE Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– VSE
Honeywell Forge Cybersecurity Suite 1909
(Nov 2019) – VSE Not supported
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – VSE
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020)– VSE
New installation – VSP ICS Shield R510.1
ICS Shield R500.1, R501.1 – VSP ICS Shield R510.1
ICS Shield R510.1 – VSP Not needed
New installation – Passive Discovery SRV Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Passive Discovery SRV
New installation – Active Discovery SRV Honeywell Forge Cybersecurity Suite 2006
(Jun 2020) – Active Discovery SRV
New installation – Active Discovery PL Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Active Discovery PL
ICS Shield R500.1, R501.1 – Active Discovery
PL
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Active Discovery PL
ICS Shield R510.1, R510.2 – Active Discovery
PL
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Active Discovery PL
ICS Shield R510.3+ – Active Discovery PL Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Active Discovery PL
New installation – Reports Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Reports
New installation – Options(*)
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Options(*)
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Prerequisites
ICS Shield R510.3 Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Options(*)
Honeywell Forge Cybersecurity Suite 1911
(Nov 2019) – Options(*)
Honeywell Forge Cybersecurity Suite 2003
(Mar 2020) – Options(*)
New installation – Hardening Compliance Honeywell Forge Cybersecurity Suite 2006
(Jun 2020) – Hardening Compliance
(*) Options are backward-compatible, unless stated otherwise, and their update/upgrade is
performed through the Security Center’s user interface.
Table 3 Supported Product Lines list
Product Line name and version
Remote Services Self-Monitoring 4.6.1
Acronis Backup and Restore 1.2.0
Availability Only 1.0
Automated Data Export 2.0
Carbon Black 1.0.0
Cisco Network Devices 2.6.1
Control Firewall 1.1.0
Controllers 1.14.0
Controllers – TDC 1.8.0
Domain Controller 1.1.0
Experion – TPS 1.6.0
File Scout 1.0.0
McAfee MOVE 1.9.0
PHD 1.3.0
Safety Manager 1.0.0
Server-Station 2.8.0
Splunk Reverse Tunnel 1.1.0
VSE Automated Data Export 1.5.0
VSE Supplemental 1.5.0
VSE Utilities 3.2.1
Virtualization 1.4.1
Windows Supplemental 2.18.1
WSUS 3.5.10
3.3 New installations and upgrades
Installations and upgrades to the Center are performed by trained and experienced
Honeywell personnel.
Installations, upgrades, and updates to the Site can be performed by trained customer
personnel as well as trained Honeywell personnel.
NOTE
Prior to upgrading a VSE that is already using Active Asset Discovery, contact a
Honeywell Representative, as there may be specific upgrade requirements and
processes.
Contact the Honeywell Global Technical Assistance Center or your Honeywell Representative
to prepare for and discuss the installation or upgrade of the Honeywell Forge Cybersecurity
Suite 2006 (Jun 2020) software.
4. Special Considerations
4.1 Known to exist in this version
The following system issues are known to exist for this version of the Honeywell Forge Cybersecurity
Suite. If available, a workaround is also provided.
Contact your relevant Honeywell Global Technical Assistance Center for more information.
• Only items for the Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) are listed here. Please
also refer to the Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) SCN for more known items.
• Experion security log event collection does not work for nodes in a workgroup.
• Acronis backup information is not collected for offline devices.
• Automatic installation of PowerShell and PowerCLI fails on VSE version BigDipper (ER4.8).
Please upgrade to HFCS 2003 VSE ER7.1.23.
4.2 Fixed from previous versions
• The RAG now connects securely to the SC database.
Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020) and ICS Shield R510.4.
• Collected data now show a complete list of compliance properties.
Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020).
• Guest accounts, including those with a non-default name, are now correctly identified on domain controllers.
Identified in Honeywell Forge Cybersecurity Suite 2003 (Mar 2020).
5. Software and Hardware Specifications
This chapter provides information about the software and hardware specifications for the
Honeywell Forge Cybersecurity Suite 2006 (Jun 2020).
Governing guidelines for Honeywell for determining software recommendations
Google Chrome Enterprise
Mozilla Firefox
Microsoft Edge Spartan (2014-2019) – not supported
Microsoft Edge Anaheim (2020-later) – not yet supported
Windows 10 Professional and version 1903
Windows Server 2016 Standard and version 1607
Windows Server 2019 Standard and version 1809
Microsoft is moving to a “Modern Lifecycle Policy” that affects deployments in the cloud, and
to some extent, also on-premise deployments.
5.1 Honeywell Forge Cybersecurity Suite 2006 (Jun 2020) guest minimal and recommended sizing
If the Customer plans to only use the Remote Access functionality of the Honeywell Forge
Cybersecurity Suite, such as in the Enterprise Core offering, then the minimal size is enough.
Otherwise, such as for Enterprise Premium and Site offerings, please use the recommended
size.
Table 4 Minimal and recommended hardware
Component Name: Client machines (laptops, desktops)
VM Host Ordinal Number: N/A
Guest OS and Requirements: Any officially Microsoft supported Windows 64-bit OS
OS Additions: Implementation dependent and like Terminal Server

Component Name: Terminal Server
VM Host Ordinal Number: VM Host #1
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 8 cores (min)
• 16 cores (rec)
Memory:
• 32 GB (min)
• 64 GB (rec)
Storage:
• 100 GB (OS)
• 200 GB (data, different than CS)
OS Additions:
Internet Explorer 11 (for PL Distribution only)
At least one of:
• Firefox 76 and later
• Chrome 83 and later
min – minimum; rec – recommended

Component Name VM Host Ordinal Number
Guest OS and Requirements
OS Additions
Component Name: Application Server, Remote Access Gateway
VM Host Ordinal Number: VM Host #1
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 8 cores (min)
• 16 cores (rec)
Memory:
• 16 GB (min)
• 32 GB (rec)
Storage:
• 150 GB (OS)
• 1 TB (data, on a different physical disk from CS)
OS Additions:
• IIS
• Crystal Reports runtime 2011, 32-bit
• ActivePerl 5.28, 64-bit (optional)
• Oracle 12.2.0.1 Client, 32-bit
Component Name: Database Server
VM Host Ordinal Number: VM Host #2
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 8 cores (min)
• 16 cores (rec)
Memory:
• 32 GB (min)
• 64 GB (rec)
Storage:
• 150 GB (OS)
• 50 GB (logging)
• 1 TB (min, data)
• 2 TB (data, on a different physical disk from VSEs)
OS Additions: Oracle 12.2.0.1 Server, 64-bit
Component Name: Communication Server, Remote Access Bridge
VM Host Ordinal Number: VM Host #1
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 8 cores (rec)
Memory:
• 8 GB (min)
• 16 GB (rec)
Storage:
• 100 GB (OS)
• 200 GB (min, CS data only)
• 500 GB (CS data only on a different physical disk than TS and SC)
OS Additions: N/A
Component Name: Support VSE (Virtual Security Engine, used by Honeywell GTAC)
VM Host Ordinal Number: VM Host #2
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 8 cores (rec)
Memory:
• 8 GB (min)
• 16 GB (rec)
Storage:
• 100 GB (OS)
• 200 GB (data, on a different physical disk than DB)
OS Additions: N/A
Component Name: Center VSE (Virtual Security Engine, located next to the Security Center)
VM Host Ordinal Number: VM Host #2
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 8 cores (rec)
Memory:
• 8 GB (min)
• 16 GB (rec)
Storage:
• 100 GB (OS)
• 500 GB (data, on a different physical disk than DB)
OS Additions: N/A
Component Name: Reports Center, Hardening Compliance
VM Host Ordinal Number: VM Host #3
Guest OS and Requirements:
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 8 cores (min)
• 16 cores (rec)
Memory:
• 8 GB (min)
• 32 GB (rec)
Storage:
• 100 GB (OS)
• 1TB (OS)
OS Additions: N/A
Component Name: Regional Remote Access – Remote Access Gateway
VM Host Ordinal Number: VM Host #4
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 16 cores (rec)
Memory:
• 8 GB (min)
• 32 GB (rec)
Storage:
• 100 GB (OS)
• 500 GB (data)
OS Additions: N/A
Component Name: Regional Remote Access – Remote Access Bridge
VM Host Ordinal Number: VM Host #4
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 16 cores (rec)
Memory:
• 8 GB (min)
• 32 GB (rec)
Storage:
• 100 GB (OS)
• 500 GB (data, optional)
OS Additions: N/A
Component Name: Site VSE (Virtual Security Engine that supports up to 1000 remote access only assets OR 300 full monitoring assets OR 100 full risk monitoring assets)
VM Host Ordinal Number: VM Host #5
Guest OS and Requirements: See §5.2 below
OS Additions: N/A
Component Name: VSP (Virtual Security Proxy)
VM Host Ordinal Number: VM Host #???
Guest OS and Requirements:
Upgrade:
• Windows Server 2016 Standard
New:
• Windows Server 2016 Standard
• Windows Server 2019 Standard
CPUs:
• 4 cores (min)
• 8 cores (rec)
Memory:
• 8 GB (min)
• 16 GB (rec)
Storage:
• 100 GB (OS)
OS Additions: N/A
5.2 VSE Sizing Guidelines
Columns: Deployment Type | OS | CPUs | RAM | Storage

Deployment Type: Existing Risk Management customers upgrading to Site
OS:
• Windows 10 Professional 1903 and later
• Windows Server 2016 Standard
CPUs: 4 CPUs (min), 8 CPUs (rec)
RAM: 8 GB (min), 16 GB (rec)
Storage: 100 GB (OS), 200 GB (data)

Deployment Type: Existing ICS Shield or Cybersecurity Suite customers that upgrade and keep current deployment
OS:
• Windows 10 Professional 1903 and later
• Windows Server 2016 Standard
CPUs: 2 CPUs (min), 4 CPUs (rec)
RAM: 4 GB (min), 8 GB (rec)
Storage: 100 GB (OS), 200 GB (data)
Deployment Type: Existing ICS Shield or Cybersecurity Suite customers that upgrade and upgrade to Enterprise Premium
OS:
• Windows 10 Professional 1903 and later
• Windows Server 2016 Standard
CPUs: 4 CPUs (min), 8 CPUs (rec)
RAM: 8 GB (min), 16 GB (rec)
Storage: 100 GB (OS), 200 GB (data)

Deployment Type: New customers installing Site
OS:
• Windows Server 2016 Standard and later
CPUs: 4 CPUs (min), 8 CPUs (rec)
RAM: 8 GB (min), 16 GB (rec)
Storage: 100 GB (OS), 200 GB (data)

Deployment Type: New customers installing Enterprise Core
OS:
• Windows Server 2016 Standard and later
CPUs: 2 CPUs (min), 4 CPUs (rec)
RAM: 4 GB (min), 8 GB (rec)
Storage: 100 GB (OS), 200 GB (data)

Deployment Type: New customers installing Enterprise Premium
OS:
• Windows Server 2016 Standard and later
CPUs: 4 CPUs (min), 8 CPUs (rec)
RAM: 8 GB (min), 16 GB (rec)
Storage: 100 GB (OS), 200 GB (data)

Deployment Type: New customers installing High Volume Enterprise Premium
OS:
• Windows Server 2016 Standard and later
CPUs: 8 CPUs (min), 16 CPUs (rec)
RAM: 16 GB (min), 32 GB (rec)
Storage: 100 GB (OS), 200 GB (data)
5.3 Virtualization host recommended sizing
Table 5 Minimal and recommended hardware for virtualization
Columns: Component Name | ICS Shield Components | Sizing | Hardware Models

Component Name: VM Host #1 (Application Server)
ICS Shield Components:
Base:
• Application Server with Remote Access Gateway
• Communication Server with Remote Access Bridge
• Support VSE
Optional:
• Terminal Server
• Streaming Services
Sizing: 2x10 CPUs; 8x16GB RAM; 8x600GB RAID10; 4 Gbit NICs
Hardware Models: MZ-PCVM19

Component Name: VM Host #2 (Database Server)
ICS Shield Components:
Base:
• Database server
Optional:
• Center VSE
Sizing: 2x10 CPUs; 8x16GB RAM; 8x600GB RAID10; 4 Gbit NICs
Hardware Models: MZ-PCVM19

Component Name: VM Host #3 (Reports)
ICS Shield Components:
Base:
• Reports
• Hardening Compliance
Sizing: 2x10 CPUs; 8x16GB RAM; 8x600GB RAID10; 4 Gbit NICs
Hardware Models: MZ-PCVM19

Component Name: VM Host #4 (Regional Hub)
ICS Shield Components:
Base:
• Remote Access Gateway
• Remote Access Bridge
Sizing: 2x10 CPUs; 8x16GB RAM; 8x600GB RAID10; 4 Gbit NICs
Hardware Models: MZ-PCVM19

Component Name: VM Host #5..n (per Remote Site)
ICS Shield Components:
Base:
• VSE (up to 1000 remote access only assets OR 300 full monitoring assets OR 100 full risk monitoring assets)
Optional:
• Additional VSEs, to support more assets.
• McAfee ePO Server or Symantec SEPM Server
• Microsoft SUS Server
Sizing: 10 CPUs; 4x8GB RAM; 2x600GB 15K; 2x1.2TB RAID1; 1Gbit NIC
Hardware Models: MZ-PCVMM4
Component Name: VM Host #5..n (per Remote Site)
ICS Shield Components:
Base:
• VSP
Sizing: 4 CPUs; 2x8GB RAM; 4x300GB RAID5; 2 Gbit NICs
Hardware Models: MZ-PCSV67

Component Name: VM Host #6..n (per area in a Remote Site)
ICS Shield Components:
Base:
• Passive Asset Discovery Service
And/Or
• Active Asset Discovery Service
Sizing: 4 CPUs; 2x8GB RAM; 2x1TB RAID1; 2 Gbit NICs
Hardware Models:
MZ-PCSV66
Optional:
NE-NICS04
MZ-PCVC42
CS-HFCSE100en-2006A
© 2020 Honeywell International Sàrl
Honeywell Process Solutions
1250 W Sam Houston Pkwy S #150, Houston, TX 77042
Honeywell House, Skimped Hill Lane
Bracknell, Berkshire, RG12 1EB
Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park,
Pudong New Area, Shanghai, China 201203
www.honeywellprocess.com
Honeywell Connected Enterprise
715 Peachtree Street NE Atlanta, GA 30308
www.honeywell.com