Index | Prev | Next

Security precautions

Whether you are protecting assets in a single building or in a large, multi-site application, station security is critical. The practical implementation of a secure device network relies on basic common sense.
Image Do not connect any station directly to the Internet. If you need remote access, use a VPN (Virtual Private Network) solution where your devices are protected behind a fire wall, but remotely accessible. Your VPN solution should incorporate RSA (Rivest-Shamir-Adleman) two-factor authentication.
Image Do not share accounts. Always log in as yourself.
Image Do not create a certificate (and key pair) on a local computer and download the certificate into the User Key Store of each remote controller. Each host requires its own unique certificate, public and private keys, which should be generated by the controller and should reside only in the controller or on a backup medium that is physically protected. Transmitting a certificate with its private key exposes the key to the risk of capture during transmission.
Image Do not commission a remote controller over the Internet. If it becomes necessary to replace a controller, physically travel to the location, take the controller off the network, connect a cross-over cable, and import the backed-up stores. While the Key and Trust Stores are backed up with the station, they are not part of a station copy.
Image Do not mix secure platforms with platforms that are not secure on the same network. All controllers and Supervisor stations must be secure.
Image Do not use self-signed certificates. In a CA-signed certificate, the Issued By property is not the same as the Subject.
Image Do not use default passwords or passwords that can be easily guessed by attackers, such as birth dates, short words, and real words. Use different passwords for each entity. For example, use different usernames and passwords for your system password, platform credentials and station credentials. Implement strong passwords and change them frequently. Store and use passwords securely, strictly controlling access to file systems.
Image Do not rely on an NTP (Network Time Protocol) server that you do not directly control. If your Niagara network depends on an external NTP server for the time of day, and that server is compromised or spoofed, your Niagara system may be harmed. For example, locks may be turned off, the alarm system disabled, etc. If you use an NTP server, it must be an internal server that is physically controlled by your trusted organization.
Image
 Be warned. If your Niagara system is dependent on an external weather service, and if that weather service is compromised or spoofed, any logic in your system that uses the temperature for heating or cooling, or any other purpose may be harmed.
   
 CAUTION: Protect against unauthorized access by restricting physical access to the computers and devices that manage your building model. Set up user authentication with strong passwords, and secure components by controlling permissions. Failure to observe these recommended precautions could expose your network systems to unauthorized access and tampering. 

Related Links

  • About station security (Parent Topic)

    • Index | Prev | Next