Cybersecurity
Cybersecurity Guideline
Use this product inside a secure industrial automation and control system. Total protection of components (equipment/devices), systems, organizations, and networks from cyber attack threats requires multi-layered cyber risk mitigation measures, early detection of incidents, and appropriate response and recovery plans when incidents occur. For more information about cybersecurity, refer to the Pro-face HMI/IPC Cybersecurity Guide.
https://www.proface.com/en/download/manual/cybersecurity_guide
WARNING
POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY
- Change default passwords at first use to help prevent unauthorized access to device settings, controls and information.
- Disable unused ports/services and default accounts, where possible, to minimize pathways for malicious attacks.
- Place networked devices behind multiple layers of cyber defenses (such as firewalls, network segmentation, and network intrusion detection and protection).
- Apply the latest updates and hotfixes to your Operating System and software.
- Use cybersecurity best practices (for example: least privilege, separation of duties) to help prevent unauthorized exposure, loss, modification of data and logs, interruption of services, or unintended operation.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Security Features Provided
The following cybersecurity features are provided by this product. These features provide security capabilities which contribute towards protecting the product from potential security threats:
- Security (User Management)
The Security feature secures objects and screens from unauthorized users. Log in with a valid user name and password to access secured objects and screens. You can access a secured object or screen only if your security level is equal to or greater than the security level set for that object or screen.
Overview
- Password Management (Complex Password Policy, Password Expiration)
You can select a complex password policy for users and set password expiration.
- Target Settings
Specify the security level required to transfer the project file and display the Hardware Configuration screen.
Target Settings
- Operation Log
Maintaining a log of operations performed on your project is useful in analyzing the cause of problems, such as confirming the operation performed before the error is detected.
Overview
- Project File Password (Open & Transfer)
To add security to projects, add a project password, which is then required to open or transfer a project.
Preventing Unauthorized Changes to a Project
- Database Encryption (Alarm, Logging, Recipe, Operation Log)
You can encrypt the saved alarm history, logging data, recipe data, and operation log in the database.
Properties (All Alarms)
Properties (Operation Log)
Properties (All Loggings)
Properties (Recipe Control)
- Export File Modification Detection by Hash Code
You can use the Export File Validation tool to check the hash code that is used to detect modification of an exported file.
Exporting and Importing Alarms
Exporting and Importing Logging Settings and Logging Data
Exporting Operation Logs
- IPsec Transferring
You can use IPsec encrypted transfer via Ethernet to prevent unauthorized access. The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process the communication packets in an IPsec session.
Transferring a Project over Ethernet with IPsec
The IPC Series and PC/AT use TLS communication instead of IPsec.
Transferring a Project over Ethernet
- Prevention of Unintended Operations
To help prevent performance issues or unintended operations caused by large files, warnings are displayed in the following situations:
- When opening a project file larger than 500 MB
- When browsing or importing a file or object larger than 100 MB (for example, an image file, symbol file or compound object)
- Tampering Detection for Project and Compound Object Files
To protect against unauthorized modifications, the following integrity checks are performed automatically when a file is opened:
Project files
- Digital signature verification
- Hash verification
Compound Object files
- Digital signature verification
- Hash verification
- Checksum verification
For Secure Applications
This section explains some points for configuring applications securely.
Security related messages appear in the Feedback Zone's [Security Warnings] tab. Review messages and take required corrective action to reduce your cybersecurity risk.
To build a secure network for unauthorized access prevention
- Build a communication environment using encrypted communications (for example, a VPN). You can use Pro-face Connect to build an encrypted communication environment.
Configuring Pro-face Connect
- Check that the network is secured before communication is established and data is transferred through the Ethernet.
- Select a transfer option that is not based on Ethernet communication (for example, USB Cable or FileSystem).
Transferring a Project over an USB Cable
Transferring a Project with the File System
If you need a transfer option based on Ethernet communication, we recommend using IPsec.
Transferring a Project over Ethernet with IPsec
- Open the port for data communication only when you use the communication service.
- Protect your PC with a firewall and make sure it is used on a trusted secure network.
- Install the display unit on a trusted secure network and protect the display unit with a firewall.
- We recommend using a more secure security policy based on AES when connecting to the OPC UA Server.
Connecting to OPC UA Server
- If you are connecting to an FTP server, we recommend that you use FTPS (FTP over SSL/TLS).
- Use a trusted FTP server or IP address.
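The OPC UA recommendation above, as an added example (not Pro-face code): a Python check that picks an endpoint from the security policies a server advertises and fails closed when only None or deprecated policies are offered. The policy names are those defined in the OPC UA specification; the endpoint list, the host name and the ranking (including accepting Basic256Sha256 as a fallback) are assumptions of this example.

```python
from collections import namedtuple

BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Acceptable policies, strongest first. Ranking is an assumption of this
# example; the page itself only recommends a policy based on AES.
PREFERRED = ["Aes256_Sha256_RsaPss", "Aes128_Sha256_RsaOaep", "Basic256Sha256"]
# SHA-1 based policies, deprecated since OPC UA 1.04.
DEPRECATED = {"Basic128Rsa15", "Basic256"}

# mode is the message security mode: "None", "Sign" or "SignAndEncrypt".
Endpoint = namedtuple("Endpoint", "url policy_uri mode")

def assess(ep):
    """Return (ok, detail): detail is the policy name if ok, else the reason."""
    if not ep.policy_uri.startswith(BASE):
        return False, "unknown security policy URI"
    name = ep.policy_uri[len(BASE):]
    if name == "None":
        return False, "no signing or encryption"
    if name in DEPRECATED:
        return False, "deprecated policy (SHA-1 based)"
    if name not in PREFERRED:
        return False, "unrecognised policy"
    if ep.mode != "SignAndEncrypt":
        return False, "messages not encrypted (mode %s)" % ep.mode
    return True, name

def choose(endpoints):
    """Pick the strongest acceptable endpoint; fail closed if none qualifies."""
    ok = [ep for ep in endpoints if assess(ep)[0]]
    if not ok:
        raise ValueError("no endpoint meets the security policy requirement")
    return min(ok, key=lambda ep: PREFERRED.index(assess(ep)[1]))

# Constructed sample of what a server might advertise (hypothetical host).
URL = "opc.tcp://plc.example:4840"
SAMPLE = [
    Endpoint(URL, BASE + "None", "None"),
    Endpoint(URL, BASE + "Basic256", "SignAndEncrypt"),
    Endpoint(URL, BASE + "Basic256Sha256", "SignAndEncrypt"),
    Endpoint(URL, BASE + "Aes128_Sha256_RsaOaep", "Sign"),
    Endpoint(URL, BASE + "Aes256_Sha256_RsaPss", "SignAndEncrypt"),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.policy_uri.split("#")[1], ep.mode, assess(ep))
    print("selected:", choose(SAMPLE).policy_uri)
```

An endpoint that names an AES policy but uses the Sign mode is rejected as well, because its messages are authenticated but not encrypted.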
To prevent impersonation in Display Unit
Set the security level for the Switches which are used for the above operations.
When Using SP5000 Series Open Box (Windows 10 IoT Enterprise Model), IPC Series, or PC/AT
- Use runtime only on a trusted PC.
- Do not log in to Windows with an account that has administrator rights, except when transferring project files or performing other operations that specifically require administrator rights.
- Use the security features in Windows (set a password, use the auto-logout feature, etc.).
- Set secure passwords and security for the administrator account for your project.
To protect information from alteration