Cybersecurity

Cybersecurity Guideline

Use this product inside a secure industrial automation and control system. Total protection of components (equipment/devices), systems, organizations, and networks from cyber attack threats requires multi-layered cyber risk mitigation measures, early detection of incidents, and appropriate response and recovery plans when incidents occur. For more information about cybersecurity, refer to the Pro-face HMI/IPC Cybersecurity Guide.

https://www.proface.com/en/download/manual/cybersecurity_guide

WARNING

POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY Change default passwords at first use to help prevent unauthorized access to device settings, controls and information. Disable unused ports/services and default accounts, where possible, to minimize pathways for malicious attacks. Place networked devices behind multiple layers of cyber defenses (such as firewalls, network segmentation, and network intrusion detection and protection). Apply the latest updates and hotfixes to your Operating System and software. Use cybersecurity best practices (for example: least privilege, separation of duties) to help prevent unauthorized exposure, loss, modification of data and logs, interruption of services, or unintended operation. Failure to follow these instructions can result in death, serious injury, or equipment damage.

 

Security Features Provided

The following cybersecurity features are provided by this product. These features provide security capabilities which contribute towards protecting the product from potential security threats:

• Security (User Management)
  The Security feature secures objects and screens from unauthorized users. Log in with a valid user name and password to access secured objects and screens. You can access a secured object or screen, only if you have a security level equal to or greater than the security level set to that object or screen.
  Overview
• Password Management (Complex Password Policy, Password Expiration)
  You can select complex user password policy and set password expiration.
• Target Settings
  Specify the security level required to transfer the project file and display the Hardware Configuration screen.
  Target Settings
• Operation Log
  Maintaining a log of operations performed on your project is useful in analyzing the cause of problems, such as confirming the operation performed before the error is detected.
  Overview
• Project File Password (Open & Transfer)
  To add security to projects, add a project password, required to open or transferring a project.
  Preventing Unauthorized Changes to a Project
• Database Encryption (Alarm, Logging, Recipe, Operation Log)
  You can encrypt the saved alarm history, logging data, recipe data, and operation log in database.
  Properties (All Alarms)
  Properties (Operation Log)
  Properties (All Loggings)
  Properties (Recipe Control)
• Export File Modification Detection by Hash Code
  You can check the code which is used to detect a modification in the exported file by using Export File Validation tool.
  Exporting and Importing Alarms
  Exporting and Importing Logging Settings and Logging Data
  Exporting Operation Logs
• IPsec Transferring
  You can use IPsec encrypted transfer via Ethernet to prevent unauthorized access. The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process the communication packets in an IPsec session.
  Transferring a Project over Ethernet with IPsec

For Secure Applications

This section explains some points to securely configure applications.

To build a secure network for unauthorized access prevention

• Build a communication environment using encrypted communications (ex. VPN). You can use Pro-face Connect to build an encrypted communication environment.
  Configuring Pro-face Connect
• Check that the network is secured before communication is established and data is transferred through the Ethernet.
• Select a transfer option that is not based on Ethernet communication (ex. USB Cable or FileSystem).
  Transferring a Project over an USB Cable
  Transferring a Project with the File System
  If you need transfer option based on Ethernet communication, we recommend to use IPsec.
  Transferring a Project over Ethernet with IPsec
• Open the port for data communication only when you use the communication service.
• Protect your PC with a firewall and make sure it is used on a trusted secure network.
• Install the display unit on a trusted secure network and protect the display unit with a firewall.

• We recommend you use more secure security policy based on AES when connecting to the OPC UA Server.
  Connecting to OPC/UA Server

• If you are connecting to an FTP server, we recommend that you use FTPS (FTP over SSL/TLS).

• Use a trusted FTP server or IP address.

To prevent impersonation in Display Unit

• Use the Security features.
• Use the auto logout feature.
• Give an appropriate security level for unlocking to limited users (allow only users with administrator rights to unlock, and so on).
• Password is not asked for the below operations:
• External Device operation block - Upload (USB Storage/SD Card)
• External Device operation block - Download (USB Storage/SD Card)
• Display the Hardware Configuration

Set the security level for the Switches which are used for above operations.

• When using Web Viewer to connect to the display unit, do not touch the [***] button to display the password. The displayed password will become visible to all connected display units and Web Viewer clients.

When Using SP5000 Series Open Box (Windows 10 IoT Enterprise Model), IPC Series, or PC/AT

• Use runtime only on a trusted PC.
• Do not log in to Windows with an account that has administrator rights, except when transferring project files or performing other operations that specifically require administrator rights.
• Use the security features in Windows (set a password, use the auto-logout feature, etc.).
• Set secure passwords and security for the administrator account for your project.

To protect information from alteration

• Harden your PC following the best cybersecurity practices (antivirus, updated operating systems, strong password policies, Application Allow Listing software, etc.) using the following guideline:
  https://www.pro-face.com/trans/en/manual/1087.html
• Carefully manage your own data.
• Protect your project by adding a project password.
  Preventing Unauthorized Changes to a Project
• When using transfer option based on USB Cable or Ethernet Cable, enable [Security Setting] in [Transfer Method]. For detail procedures, refer the following.
  Transferring a Project over Ethernet with IPsec
  Transferring a Project over an USB Cable
  Transferring a Project over Ethernet
• Do not execute screen editing software with Windows administrator rights.

• Use screen editing software only on a trusted PC.