Vpecr 05en022 v04r001 Ref Icsdefendersetup

VPE
Controls and Robotics

Specification 05EN022
ICS Defender Configuration Guide
WPE PPE GAPE
Released Date: 3/21/2022

Copyright © 2022 All Rights Reserved. Stellantis North America - VPE Controls & Robotics
Proprietary Notice
This document comprises legally protected subject matter proprietary to Stellantis North America, and is
loaned on the basis of confidential relationship. All use and disclosure are strictly controlled. Reproduction
is prohibited without the permission of Stellantis North America.
Disclaimer of Liability
Stellantis North America has developed specifications and standards that are governed by applicable
national, regional and local codes. In the event of a conflict between the specification document and the
code document, the code document will prevail.
Supplier agrees to engineer, build integrate and deliver its functioning assembly system using the pre-
determined Stellantis North America specifications whenever possible. Supplier further agrees that in the
absence of a Stellantis North America specification, supplier will submit a formal outlined request stating
reason & reference for use of an alternative specification to Stellantis North America specifying group.
The Specifying Group reserves the right to amend or terminate any portion of program defined
specifications or arrangements at Stellantis North America sole discretion.
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However,
the information in this publication is reviewed regularly and any necessary corrections are included in
subsequent edition revisions.
Copyright © 2022 All Rights Reserved, Stellantis North America – Vehicle Process Engineering Controls
& Robotics
2 of 37
VPECR_05EN022_v04r001_REF__ICSDefenderSetup.docx Released Date: 3/21/2022
Table of Contents - Summary
To access a specific section referenced, hold the “CTRL” key and select the page
number when prompted via the fly-over text box.
1. Document Purpose .............................................................................................................................................5

2. Additional Support ..............................................................................................................................................5
3. Document Conventions ......................................................................................................................................5
4. Accessing the Web GUI ......................................................................................................................................7
5. Logging into the ICS Defender ......................................................................................................................... 11
6. Common WebGUI Interactions ......................................................................................................................... 13
7. Configuring the ICS-Defender NAT .................................................................................................................. 14
8. Changing the Default Interface Assignments ................................................................................................. 16
9. VLANS ................................................................................................................................................................ 17
10. Adding 1:1 NAT Rules ....................................................................................................................................... 23
11. Add Firewall Rules ............................................................................................................................................ 23
12. Adding Aliases .................................................................................................................................................. 29
13. Additional Configuration .................................................................................................................................. 30
14. References ......................................................................................................................................................... 31
15. Archiving ............................................................................................................................................................ 32
16. Revision Index ................................................................................................................................................... 33
3 of 37
Table of Contents - Detail
To access a specific section referenced, hold the “CTRL” key and select the page
number when prompted via the fly-over text box.
1. Document Purpose .............................................................................................................................................5

2. Additional Support ..............................................................................................................................................5
3. Document Conventions ......................................................................................................................................5
3.1. Abbreviations ................................................................................................................................................................... 5
3.2. Configuration Settings ...................................................................................................................................................... 5
3.3. Throughout the document there are tables which contain settings found on each configuration page. The numbers in the
list correspond to the number (location) on the graphic. If there are items on the graphic that are not included in the table, they
are t be left at the default setting. .................................................................................................................................................. 5
3.4. Subnet MASK to CIDR Quick Reference .......................................................................................................................... 6
4. Accessing the Web GUI ......................................................................................................................................7
5. Logging into the ICS Defender ......................................................................................................................... 11
6. Common WebGUI Interactions ......................................................................................................................... 13
6.1. Applying Changes .......................................................................................................................................................... 13
6.2. Context Help / Additional Information ............................................................................................................................. 13
7. Configuring the ICS-Defender NAT .................................................................................................................. 14
7.1. Setup Wizard ................................................................................................................................................................. 14
7.2. Configuring Basic ICS-Defender Settings for NAT .......................................................................................................... 15
8. Changing the Default Interface Assignments ................................................................................................. 16
9. VLANS ................................................................................................................................................................ 17
9.1. Adding a VLAN .............................................................................................................................................................. 17
9.2. Assign VLANS to an Interface ........................................................................................................................................ 18
9.3. Change VLAN Names .................................................................................................................................................... 19
9.4. Adding a Bridge Interface ............................................................................................................................................... 20
9.5. Enable the DHCP Server on the Combined .................................................................................................................... 22
10. Adding 1:1 NAT Rules ....................................................................................................................................... 23
11. Add Firewall Rules ............................................................................................................................................ 23
11.1. HTTPS (443) .................................................................................................................................................................. 25
11.2. HTTP (80) ...................................................................................................................................................................... 26
11.3. ICMP (Ping) ................................................................................................................................................................... 27
11.4. DHCP (67) ..................................................................................................................................................................... 28
12. Adding Aliases .................................................................................................................................................. 29
13. Additional Configuration .................................................................................................................................. 30
13.1. Allowing VLAN to VLAN Communication ........................................................................................................................ 30
14. References ......................................................................................................................................................... 31
14.1. Program Specifications & Deliverables ........................................................................................................................... 31
14.2. Program Templates........................................................................................................................................................ 31
14.3. ME Specifications........................................................................................................................................................... 31
14.4. BOIG Specifications ....................................................................................................................................................... 31
14.5. Miscellaneous documentation ........................................................................................................................................ 31
15. Archiving ............................................................................................................................................................ 32
15.1. Native Format ................................................................................................................................................................ 32
15.2. Microsoft SharePoint (PDF)............................................................................................................................................ 32
15.3. Program Jump Drive (PDF) ............................................................................................................................................ 32
16. Revision Index ................................................................................................................................................... 33
16.1. Revision v00r000 ........................................................................................................................................................... 33
4 of 37
1. Document Purpose
This document is designed to provide instruction for configuration of the Stellantis (Formerly FCA) NAT
with the ICS-Defender.
2. Additional Support
ICS-Defender support is available at ICS-Defender Support
3. Document Conventions
3.1. Abbreviations
Abbreviation Full Description

ICS Industrial Control System
NIC Network Interface Card
RA Remote Access
NAT Network Address Translation
1:1 One to One (a type of NAT)
LAN Local Area Network
WAN Wide Area Network
NTP Network Time Protocol
DHCP Dynamic Host Configuration Protocol
CIDR Classless Inter Domain Routing
CA Certificate Authority
VLAN Virtual Local Area Network
VPN Virtual Private Network
SSL Secure Socket Layer
TLS Transport Layer Security
VoIP Voice over Internet Protocol
CIP Common Industrial Protocol (EtherNet/IP)
3.2. Configuration Settings
3.3. Throughout the document there are tables which contain settings found on
each configuration page. The numbers in the list correspond to the number
(location) on the graphic. If there are items on the graphic that are not included
in the table, they are to be left at the default setting.
Example Table
# Setting Value
1 Enable Checked
2 Description Example: VLAN101
3 IPv4 Configuration Type Static IPv4
5 of 37
4 IPv6 Configuration Type None
3.4. Subnet MASK to CIDR Quick Reference
Subnet Mask CIDR Notes

255.255.255.255 /32 Single IP Address
255.255.255.254 /31 Unusable
255.255.255.252 /30 2 Useable IP Addresses
6 of 37
4. Accessing the Web GUI
IMPORTANT: It is very important to change the default password when creating a configuration
for ICS-Defender.
Secure configurations should include multiple user levels and multiple passwords for those levels.
To perform an initial setup of the ICS-Defender, it’s necessary to change the IP address of the PC being
used during the configuration process. Details for setting the IP address for various Microsoft Windows
operating systems can be found at this link. Follow the instructions which reference how to setup the IP
address, the following link explains the process for multiple operating systems in detail.
https://support.microsoft.com/en-us/windows/change-tcp-ip-settings-bd0a07af-15f5-cd6a-363f-
ca2b6f391ace
1. Select Start , then select Settings > Network & Internet

2. Select Ethernet
7 of 37
3. Click the Ethernet network to configure (typically will be the laptop Ethernet port)
Note: the name of the Ethernet adapter will likely have a different name
4. Under IP assignment, select Edit
8 of 37
5. Under Edit IP settings, select Manual
6. Make sure IPv4 is enabled (if it is already enabled, skip to step 7)

7. Set the following values, no other settings are needed beyond what’s shown. Then Click Save to
continue.
9 of 37
8. After connecting an Ethernet RJ45 cable from the PC/Laptop (being used to configure the ICS-
Defender), to the LAN port (IGB0), launch a web-browser and enter the ICS-Defender factory
default IP address of https://192.168.200.1
Note: it’s important to use the https:// before the IP address as some web browsers will not
automatically try a secure connection.
When connecting to an un-configured ICS-Defender, web browsers may indicate an unsecure

connection. This notice is normal as the current configuration of the security appliance doesn’t
contain the necessary settings to prevent the warning. If this screen does not appear, continue
to the next section.
The way this web page is displayed will vary depending upon the web browser being used. In
the following example, the web browser is Chrome or a Chromium based browser. Other
browsers may vary slightly when prompting the user to continue.
Click “ADVANCED” and select “Proceed to 192.168.200.1 (unsafe)”.
10 of 37
5. Logging into the ICS Defender
Initial screen on a factory default ICS-Defender. If the ICS-Defender to be configured is not factory default
(meaning it’s been logged into at least once previously), proceed to the next page. Otherwise, read the
terms of use and click “Get Started” to accept and transition to the login page.
11 of 37
When browsing to the WebGUI, the initial screen is a login screen.
For the username enter “admin” and for the password, enter “icsdefender”. Since this is the first time
visiting the WebGUI, the Setup Wizard will begin automatically and resembles the picture below.
12 of 37
6. Common WebGUI Interactions
6.1. Applying Changes
When making adding or making changes in the configuration via the ICS-Defender WebGUI, in
many cases, after the change is saved, the WebGUI will require that the changes be “applied”. The
change is saved, but has not “gone live” in ICS-Defender yet.
Once the changes are applied, they become active. ICS-Defender will display a confirmation that
the changes have been applied successfully. Click the X on the right side of the confirmation to
close it.
6.2. Context Help / Additional Information

The information icon will appear in various locations through the WebGUI. When
clicked, additional information about a given topic will be displayed.
13 of 37
7. Configuring the ICS-Defender NAT
7.1. Setup Wizard
Use the SIMPLE NAT WIZARD button to begin configuration of the ICS-Defender NAT
14 of 37
7.2. Configuring Basic ICS-Defender Settings for NAT
Once connected to the ICS-Defender and at the simple NAT wizard, several items must be
configured. A hostname is required, and changing the admin password to something other than
the default is highly recommended.
The LAN address should be left at the default. The WAN address should be changed to static and
set to the IP address provided by ICT.
# Settings Value
Host Name Device Name from WD package.
Admin Password Recommended: Enter a new password if using the default
Confirm Admin Password Recommended: Confirm the new password
WAN→Interface Mode Static
WAN→IP Address IP Address of the ICS-Defender on the WAN (ICT) Network
WAN→Subnet Mask 24
WAN→Upstream Gateway Gateway IP Address of the Upstream ICT Router
LAN→IP Address 192.168.200.1
LAN→Subnet Mask 24
15 of 37
8. Changing the Default Interface Assignments
To use more than just WAN and LAN interfaces, or to change which physical NIC each interface is on,
navigate to Interfaces→Assign. Select the Network port to use from the dropdown on the right, and click
OPT1 is a local management port, and should be connected to igb1, not a VLAN
16 of 37
9. VLANS
9.1. Adding a VLAN
Navigate to Interfaces→(assign)→VLANs and click to add a VLAN
Under Parent Interface, select the LAN interface, enter a numeric VLAN ID and enter the
description in the description field. In this example, the “parent interface” is IGB0.
Click
Do this for each VLAN that needs to be created.
# Settings Value
Parent Interface Igb0 (xx:xx:xx:xx:xx:xx) - lan
VLAN Tag (ID) Example: 400
VLAN Priority 0
Description A description of the VLAN
17 of 37
9.2. Assign VLANS to an Interface
After all of the VLANS have been added, navigate to Interfaces→(assign)→Interface
Assignments. The newly created VLAN(s) should show up under Available network ports.
Click the button on the right to assign them.
Note: OPT1 is a local management port, and should be connected to igb1, not a VLAN
The ICS-Defender will confirm the addition of the new Interface using the selected VLAN
18 of 37
9.3. Change VLAN Names
Once all of the VLAN(s) have been added, view the Interfaces dropdown from the main menu.
Each of the VLAN(s) created will be assigned a default name of “OPTx” where x is the numeric
order they were created.
While adding the VLAN(s) under Interfaces→<assign>→Interface Assignments during the step
Assign VLANs to an Interface the names can be changed by clicking the name of the Interface as
shown below with the OPT3 interface. The interface names can also be changed after they are
created by returning to the Interfaces→<assign>→Interface Assignments as shown below.
Return to Interfaces→<assign>→Interface Assignments and continue to rename all of the VLAN

interfaces with a name that more accurately reflects its use. Example: If the VLAN ID is 112,
change the description of the interface to VLAN112.
# Settings Value
Enable Checked
Description Example: VLAN112
IPv4 Configuration Type Static IPv4
IPv6 Configuration Type None
IPv4 Address Example: 10.138.12.1
CIDR / Subnet Mask 24
IPv4 Upstream Gateway None
19 of 37
Click to complete the changes.
Note: *** This process needs to be repeated for every VLAN connected to the ICS-Defender.
Note: *** No IP address assigned to VLAN 101 . The interface should be enabled ONLY.
Enable OPT1 Interface

Navigate to Interfaces>OPT1. Check the box enable the and click
9.4. Adding a Bridge Interface

Navigate the Interfaces>(assign)>Assign>(assign)>Bridges. Click
Select OPT1 and VLAN101 and members of the interface, add description and click
# Settings Value
Member Interfaces OPT1, VLAN101
Description Combined
20 of 37
Navigate to Interfaces>Assign. Add a new virtual interface for the Bridge.
# Settings Value
Enable Checked
COMBINED
Description
IPv4 Configuration Type Static IPv4
IPv6 Configuration Type None
IPv4 Address 10.138.1.1
CIDR / Subnet Mask 24
IPv4 Upstream Gateway None
21 of 37
9.5. Enable the DHCP Server on the Combined
Navigate to Services > DHCP Server. In the Interface selection bar, select the COMBINED
interface. Click ENABLE and enter the Start and End of the DHCP address Range. Leave all other
selections at their default. Click
# Setting Value
Enable Checked
Range 10.138.1.101-10.138.1.254
22 of 37
10. Adding 1:1 NAT Rules
To add NAT rules, navigate back to the simple NAT wizard Firewall→NAT→Simple NAT Wizard. Select
the Simple NAT Wizard tab, and click Add 1:1 NAT.
Select WAN as the Northbound Interface, and pick the VLAN interface created in the previous step as the
southbound interface. Add a northbound (external) and southbound (internal) IP address and a
description. Click Add 1:1 NAT.
# Settings Value
Northbound Interface WAN
Southbound Interface Example: VLAN400
Northbound IP Address Example: 10.105.24.26
Southbound IP Address Example: 10.19.40.10
Description Name of the device on the controls network (Ex: S10_PLC)
Repeat this process for all necessary NAT entries. Once completed, click APPLY.
11. Add Firewall Rules
23 of 37
To allow management of the ICS-Defender to occur from the programming port and the management
VLAN, navigate to Firewall→Rules→Floating, and click
24 of 37
11.1. HTTPS (443)
Select LAN , OPT1 , VLAN 101 and Combined interface from the list by holding CONTROL and
clicking on each one.
# Settings Value
Interface Select LAN, OPT1 , VLAN 101 and COMBINED
Direction Any
Address Family IPv4
Protocol TCP
Source Any
Destination This Firewall (self)
Destination port range from HTTPS (443) to HTTPS (443)
25 of 37
11.2. HTTP (80)
Repeat the process above, selecting a Destination Port Range of HTTP (80)
26 of 37
11.3. ICMP (Ping)
Repeat the process for the ICMP protocol. To multi-select, hold the CTRL key and click each item
to select it.
# Settings Value
Interface Select LAN, OPT1 , VLAN 101 and COMBINED
Direction Any
Address Family IPv4
Protocol ICMP
ICMP subtypes Any
Source Any
Destination This Firewall (self)
27 of 37
11.4. DHCP (67)
Navigate to Firewall>Rules>Floating. Add a firewall rule with the following values. Hold Control
and Click to select multiple interfaces.
# Setting Value
Interface OPT1, VLAN101, COMBINED
Direction any
Address Family IPv4
Protocol UDP
Source Single host or alias 0.0.0.0
Destination Single host or alias 255.255.255.255
Destination Port 67
28 of 37
12. Adding Aliases
To add an alias for all IP address ranges assigned to VLANs on the controls network, navigate to
Firewall→Aliases, and click
Enter a name and a description in the properties section. Change the type to Networks. For Network type
aliases, entries are specified in CIDR format for subnets or fully qualified domain names (FQDN) for
single addresses. Add the IP range of the first VLAN to the Network or FQDN field, then click Add
Network as many times as is necessary to add the IP ranges of the rest of the VLANs. Descriptions can
also be added to each entry if desired.
Note: The address ranges end in zero such as 10.138.1.0 and are followed by the subnet mask in CIDR
notation. Please see the table Subnet Mask to CIDR Quick Reference for the conversion.
29 of 37
13. Additional Configuration
13.1. Allowing VLAN to VLAN Communication
To allow users connected to the programming port and associated VLAN, navigate to
Firewall→Rules→Floating and click Add.
Set the following configuration options to the values specified in the table below.
# Settings Value
Interface Select all VLANs, OPT1 and COMBINED
Direction Any
Address Family IPv4
Protocol Any
Source Any
Destination Single Host or Alias
Alias Controls
30 of 37
14. References
The following documents are referenced:
14.1. Program Specifications & Deliverables

This section identifies the referenced Programs Specific Specifications & Deliverables:
No table of contents entries found.
14.2. Program Templates

This section identifies the referenced Templates:
14.3. ME Specifications
This section identifies the referenced ME Specifications:
14.4. BOIG Specifications

This section identifies the referenced BOIG Specifications:
14.5. Miscellaneous documentation

This section identifies the referenced miscellaneous documentation:
31 of 37
15. Archiving
This document is digitally archived in in the following locations:
15.1. Native Format

Stellantis North America representatives attached to a corporate server can obtain the document in
its native format by clicking the following link:
• Not available at time of publishing
15.2. Microsoft SharePoint (PDF)

From an Internet browser, click the following link:
15.3. Program Jump Drive (PDF)

Representatives with a Program jump drive can obtain the document by clicking the following link:
32 of 37
16. Revision Index
Listed within this section is the revision history of the document:
16.1. Revision v04r000

Author: Mustafa Alfkaiki – VPE Controls and Robotics
Coordinator: shawn.korns@stellantis.com
Date: March 25, 2022
• Initial release.
• Stellantis logo update, typ. All pages.
16.2. Revision v04r001

Author: Mustafa Alfkaiki – VPE Controls and Robotics
Coordinator: shawn.korns@stellantis.com
Date: March 25, 2022
• Updated sections to correctly display in the Table of Contents
• Updated Pictures to accurately represent the written words
33 of 37
Appendix A. APPENDIX A
Using the ICS Defender

Dynics provides a configuration tool to quickly create ICS-Defender configurations based on a MECR
spreadsheet, after the NAT table has been filled by ICT. After launching the application, this screen
should appear. Excel spreadsheet must include ICT IP Request Form sheet!
To convert a spreadsheet either drag and drop the file or click the right side to open a dialog. The optional
template file is not used at this time.
34 of 37
After the desired file has been converted, the tool will display the system configuration.
The configuration can now be saved to a flash drive or to the local computer.
When saving to USB, the configuration will be stored in a config.xml file, which can be loaded on an ICS-
Defender by plugging it into one of the front USB ports and rebooting the unit.
35 of 37
When saved to the local computer, the configuration will be saved to an XML file that can be loaded on an
ICS-Defender by connecting to the web UI and navigating to System > Backup & Restore.
36 of 37
Confidential and Proprietary information

Vpecr 05en022 v04r001 Ref Icsdefendersetup

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vpecr 05en022 v04r001 Ref Icsdefendersetup

Uploaded by

Copyright:

Available Formats

VPE

Controls and Robotics

ICS Defender Configuration Guide

WPE PPE GAPE

Released Date: 3/21/2022

1. Document Purpose .............................................................................................................................................5

1. Document Purpose .............................................................................................................................................5

Abbreviation Full Description

3.2. Configuration Settings

3.4. Subnet MASK to CIDR Quick Reference

Subnet Mask CIDR Notes

1. Select Start , then select Settings > Network & Internet

4. Under IP assignment, select Edit

6. Make sure IPv4 is enabled (if it is already enabled, skip to step 7)

When connecting to an un-configured ICS-Defender, web browsers may indicate an unsecure

Click “ADVANCED” and select “Proceed to 192.168.200.1 (unsafe)”.

6.2. Context Help / Additional Information

Return to Interfaces→<assign>→Interface Assignments and continue to rename all of the VLAN

Enable OPT1 Interface

9.4. Adding a Bridge Interface

11. Add Firewall Rules

14.1. Program Specifications & Deliverables

No table of contents entries found.

14.2. Program Templates

No table of contents entries found.

No table of contents entries found.

14.4. BOIG Specifications

No table of contents entries found.

14.5. Miscellaneous documentation

No table of contents entries found.

15.1. Native Format

15.2. Microsoft SharePoint (PDF)

15.3. Program Jump Drive (PDF)

16.1. Revision v04r000

16.2. Revision v04r001

Using the ICS Defender

You might also like