User Guide
Category Description
Network Security
Eaton Green Motion Building supports network communication with other devices in the environment. This capability can present risks if it is not configured securely. The following are Eaton's recommended best practices to help secure the network. Additional information about various network protection strategies is available in Eaton Cybersecurity Considerations for Electrical Distribution Systems [R1].

Eaton recommends segmenting networks into logical enclaves, denying traffic between segments except that which is specifically allowed, and restricting communication to host-to-host paths (for example, using router ACLs and firewall rules). This helps to protect sensitive information and critical services and creates additional barriers in the event of a network perimeter breach. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (as recommended by NIST SP 800-82 [R3]) for better security control.
Communication Protection: Eaton Green Motion Building provides encryption of its network communications. This encryption is always activated and there is no need to configure it.
• Secure protocol usage: HTTPS
• TLS/SSL configuration by default
• Secure cipher suites: TLS 1.2 by default
Eaton recommends opening only those ports that are required for operations and protecting the network communication using network protection systems such as firewalls and intrusion detection systems / intrusion prevention systems. Use the information below to configure your firewall rules to allow the access needed for Eaton Green Motion Building to operate smoothly.
• TCP port 53 shall be open to allow DNS
• TCP port 80 shall be open for HTTP (Nginx, webpage)
• TCP port 8082 shall be open to allow TCP/UDP
• TCP port 5355 shall be open to allow LLMNR (TCP/UDP)
• TCP port 67 shall be open to allow DHCP server
• TCP port 443 shall be open to allow OCPP connection with CPO backend
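As an added illustration (not part of the Eaton guide), the following Python script audits a Linux host's listening sockets against the port list above and flags anything outside it for review; the `ss -tulnp`-style input is constructed sample data and the process names in it are assumed.

```python
import re

# Port allowlist exactly as this guide lists it: port -> protocols permitted.
# Ports the guide marks "TCP/UDP" get both; the rest are TCP only, as written.
ALLOWED = {
    53: {"tcp"},           # DNS
    80: {"tcp"},           # HTTP (Nginx, web page)
    8082: {"tcp", "udp"},
    5355: {"tcp", "udp"},  # LLMNR
    67: {"tcp"},           # DHCP server
    443: {"tcp"},          # OCPP connection to the CPO backend
}

# Constructed sample in the shape of `ss -tulnp` output; not captured from a device.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5355      0.0.0.0:*   users:(("systemd-resolve",pid=401,fd=12))
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8082      0.0.0.0:*   users:(("ocpp-agent",pid=900,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=300,fd=3))
tcp   LISTEN 0      128    [::]:443          [::]:*      users:(("nginx",pid=812,fd=7))
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*   users:(("dnsmasq",pid=500,fd=5))
"""

# Netid, State, Recv-Q, Send-Q, then Local Address:Port.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(ss_output):
    """Return (proto, port, process) for every listening-socket line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proc = re.search(r'\("([^"]+)"', line)
        found.append((m.group(1), int(m.group(3)), proc.group(1) if proc else "?"))
    return found

def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Listeners outside the allowlist; each one should be justified or closed.
    The guide lists port 53 as TCP only, while DNS normally also uses UDP/53,
    so treat a UDP/53 finding as something to confirm rather than block outright."""
    return [(proto, port, proc) for proto, port, proc in parse_listeners(ss_output)
            if proto not in allowed.get(port, set())]

if __name__ == "__main__":
    for proto, port, proc in unexpected_listeners(SAMPLE_SS):
        print(f"REVIEW: {proto}/{port} ({proc}) is not in the guide's port list")
```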
The 4G modem is connected to the CPU through serial USB and uses the Point-to-Point Protocol (PPP). Eaton recommends using 4G IoT SIM cards that support the security features below to provide internet connectivity between the charging station and the server.
Recommended security features
• Use a private Access Point Name (APN) while installing Green Motion Building and commissioning the Charging network manager.
• Use 4G SIM service providers that offer an option to encrypt data communications using either a Virtual Private Network (VPN) or IPsec protections, and enable the Universal Integrated Circuit Card (UICC) PIN to prevent unauthorized access to the network.
Logging and Event Management
• Eaton recommends logging all relevant system and application events, including all administrative and maintenance activities.
• Logs should be protected from tampering and other risks to their integrity (for example, by restricting permissions to access and modify logs, transmitting logs to a security information and event management system, etc.).
• Ensure that logs are retained for a reasonable and appropriate length of time.
• Review the logs regularly. The frequency of review should be reasonable, taking into account the sensitivity and criticality of the system/device and any data it processes.
• Logs are available from the Eaton Charging network manager; for further details, please see the technical documentation or contact your local support team.
Malware Defenses
Eaton recommends deploying adequate malware defenses to protect the product or the platforms used to run the Eaton product.
EATON Cybersecurity recommendations - Green Motion AC EV chargers