A Public Key Infrastructure (PKI) supports the distribution and identification of the public keys used to protect data
exchanged over networks such as the Internet. With PKI, each party can verify the identity of the other, and the actual
data transmission is encrypted. Identity verification assures the client that it is connected to the genuine server;
encryption provides confidentiality during network transmission. Requiring signed code modules ensures that only expected
code runs in the system.
To provide secure network communication using PKI, Niagara supports TLS (Transport Layer Security) versions 1.2 and 1.3.
NOTE: TLS versions 1.0 and 1.1 are still supported for backwards compatibility but are disabled by default. They are no longer
recommended because they are no longer considered secure; enable them only for a legacy peer that cannot negotiate TLS 1.2 or
later, and only for as long as that peer remains in use.
Each Niagara installation automatically creates a default certificate, which allows the connection to be encrypted immediately.
However, no browser or Workbench client trusts the issuer of this default certificate, so it generates warnings in the browser
and in Workbench and is generally not suitable for end users. Creating custom digital certificates and having them signed by a
Certificate Authority (CA) that your browsers and Workbench clients trust allows seamless use of TLS in the browser and provides
both encryption and server authentication.
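The behaviour described above (a TLS 1.0 client refused, a self-signed default certificate producing a trust warning, a CA-signed custom certificate accepted) can be reproduced offline with Go's standard library. The following is an added example written for this page; it is not Niagara code and does not use any Niagara API. The CA name "Building Ops Root CA", the host name station.example and the contents of the client trust store are made up for the demonstration, and an in-memory pipe stands in for the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn: self-signed when parent is nil (the shape of an
// automatically generated default certificate), otherwise signed by the CA parent.
func newCert(cn string, parent *keyPair, isCA bool) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// 128-bit random serial; rand.Int only fails if the OS CSPRNG is unavailable.
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // matched against the client's ServerName
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// handshake runs one TLS handshake over an in-memory pipe: the server presents srv and refuses
// anything below TLS 1.2; the client trusts only roots and offers versions clientMin..clientMax.
func handshake(srv *keyPair, roots *x509.CertPool, clientMin, clientMax uint16) (uint16, error) {
	serverCfg := &tls.Config{
		MinVersion:             tls.VersionTLS12,
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srv.cert.Raw}, PrivateKey: srv.key}},
		SessionTicketsDisabled: true, // avoids post-handshake writes a synchronous net.Pipe cannot absorb
	}
	clientCfg := &tls.Config{
		MinVersion: clientMin,
		MaxVersion: clientMax,
		RootCAs:    roots, // an empty pool trusts nothing; nil would mean the system roots
		ServerName: srv.cert.Subject.CommonName,
	}
	cConn, sConn := net.Pipe()
	defer cConn.Close() // closing one end also unblocks the server side on failure paths
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, serverCfg).Handshake() }()
	client := tls.Client(cConn, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	ca, _ := newCert("Building Ops Root CA", nil, true)
	selfSigned, _ := newCert("station.example", nil, false) // default-style certificate
	signed, _ := newCert("station.example", ca, false)      // custom certificate signed by the CA
	trust := x509.NewCertPool()
	trust.AddCert(ca.cert) // the client's trust store holds only the site CA
	_, err := handshake(selfSigned, trust, tls.VersionTLS12, tls.VersionTLS13)
	fmt.Println("self-signed default certificate:", err) // unknown authority: the browser warning
	v, err := handshake(signed, trust, tls.VersionTLS12, tls.VersionTLS13)
	fmt.Printf("CA-signed certificate: TLS 0x%04x, err=%v\n", v, err)
	_, err = handshake(signed, trust, tls.VersionTLS10, tls.VersionTLS10)
	fmt.Println("client offering only TLS 1.0:", err) // refused by the server's MinVersion
}
```

Run it with `go run`. The first handshake fails with an unknown-authority error even though the certificate's name matches, which is exactly the situation behind the browser and Workbench warnings; the second negotiates TLS 1.3 once the leaf chains to a trusted CA; the third is refused by version policy before any certificate is examined. The same three checks against a live station can be made from a client that pins its trust store to your site CA.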
Beyond communication security, each module of program code that runs in the system is protected with a digital signature.
Added program objects require this signature; without it they do not run.
NOTE: Verifying the server, encrypting the transmission and ensuring that only signed code runs do not secure data stored on a storage
device. You still need to restrict physical access to the computers and controllers that manage your building model, set up
user authentication with strong passwords, and secure components by controlling permissions.
Niagara supports and uses secure communication and signed code by default. You do not need to purchase an additional license.
Security is an ongoing concern. While you will find much valuable information in the secure communication topics, expect future
updates and changes.