Network Security
Introduction
The EcoStruxure Panel Server is not designed to withstand direct exposure to the public Internet. It must be installed at least behind Network Address Translation (NAT) or preferably behind multiple firewalls. For more information, consult the following websites:
Network Segmentation
The EcoStruxure Panel Server is a gateway. It creates a bridge between different networks. Network segmentation helps ensure cyber defense. To enhance network segmentation, Panel Server Universal and Advanced feature two Ethernet ports. They can be leveraged in separate mode to have one port dedicated to Information Technology (IT) and one port dedicated to Operational Technology (OT). Network segmentation allows you to keep OT and IT networks segmented, as network packets are not forwarded from one side to the other.
It is recommended to configure the network in separate mode (for more information about network settings, see DOCA0172•• EcoStruxure Panel Server - User Guide).
This allows you to connect the Panel Server to:
- Downstream OT devices via Modbus TCP on one Ethernet port.
- Upstream IT PC with SCADA and commissioning software applications on the other Ethernet port.
HTTPS and Modbus are available on Panel Server Ethernet interfaces (ETH1, ETH2) and Wi-Fi.
The following table presents the default setting for each interface:
| Interface | Port | Modbus |
|---|---|---|
| Ethernet in switched topology | | Activated |
| Ethernet in separated topology | ETH1 port | Activated |
| | ETH2 port | Deactivated |
| Wi-Fi infrastructure | | Deactivated |
| Wi-Fi access point | | Not available |
It is recommended to disable the Modbus service on networks where it is not used. For more information about service activation, see DOCA0172•• EcoStruxure Panel Server - User Guide.
Product Web Server Certificate
To support secure HTTP communications, the EcoStruxure Panel Server is equipped with an X.509v3 certificate by default. This certificate helps ensure integrity and confidentiality when HTTPS communication is set up.
Web browsers only recognize certificates issued for public websites. Since the Panel Server is installed in a Local Area Network (LAN), web browsers cannot distinguish one Panel Server from another. Therefore, a security warning appears in the web browser when connecting to the Panel Server.
A direct wired connection helps secure the communication path to the Panel Server. For more information about first access to the EcoStruxure Panel Server webpages from a PC, see DOCA0172•• EcoStruxure Panel Server - User Guide.
SFTP Server Key Fingerprint
If you publish your data to an SFTP server, make sure that the key fingerprint displayed when configuring the server address matches the key of your SFTP server.
If you renew the SFTP key on your server, the Panel Server can no longer send the files, as the connection is no longer authenticated. You must reconfigure the publication so that the Panel Server records the new SFTP key fingerprint.
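As an added example (not code from this guide or from the Panel Server), the following Python script derives the fingerprint of an SFTP server's host key from its public key line, in the SHA256 and MD5 formats printed by `ssh-keygen -lf`, and compares it with the value shown when configuring the publication. The key line and server name are constructed placeholders, and it is assumed that the Panel Server displays one of these two formats.

```python
import base64
import hashlib
import struct


def build_constructed_key_line(seed: int = 0) -> str:
    """Build a syntactically valid ssh-ed25519 public key line (constructed
    dummy key bytes derived from `seed`, not a real server key). A different
    seed stands in for a renewed server key."""
    key_type = b"ssh-ed25519"
    key_bytes = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} sftp.example.invalid"


def fingerprints(pubkey_line: str) -> dict:
    """Derive SHA256 and MD5 fingerprints of an OpenSSH public key line
    (ssh_host_*_key.pub or known_hosts), as printed by ssh-keygen -lf [-E md5]."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type label does not match the key blob")
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob).hexdigest()
    return {"type": key_type,
            "SHA256": "SHA256:" + sha256,
            "MD5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))}


def fingerprint_matches(displayed: str, pubkey_line: str) -> bool:
    """Compare the fingerprint shown by the Panel Server (assumed SHA256 or MD5
    format, prefix optional, MD5 hex case-insensitive) with the server's key."""
    expected = fingerprints(pubkey_line)
    shown = displayed.strip()
    if shown.upper().startswith("SHA256:"):
        return shown[7:].rstrip("=") == expected["SHA256"][7:]
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    if len(shown.replace(":", "")) == 32:
        return shown.lower() == expected["MD5"][4:]
    return shown.rstrip("=") == expected["SHA256"][7:]
```

A mismatch after the server key is renewed is exactly the case described above: the publication must be reconfigured so the new fingerprint is recorded.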
Wireless Network
Radio protocols are vulnerable to physical security breaches. For example, a Denial of Service attack can jam the radio signal with a powerful radio emitter located in the vicinity.
It is therefore recommended to adapt your physical security to the criticality of the information that relies on radio protocols. For this purpose, the wireless networks (Wi-Fi and IEEE 802.15.4) can be permanently disabled in the Panel Server. Only if you are confident that you will never need wireless networks (Wi-Fi and IEEE 802.15.4) should you permanently disable them. For more information about permanent and concurrent deactivation of the wireless networks, see DOCA0172•• EcoStruxure Panel Server - User Guide.
It is recommended to:
- Use the install code to discover wireless devices. For more information, see DOCA0172•• EcoStruxure Panel Server - User Guide.
- Perform the commissioning of IEEE 802.15.4 wireless devices in a place secure from rogue radio transmitters, such as an administrator room.
For the Wi-Fi network, it is recommended to use the WPA2 (Wi-Fi Protected Access version 2) protocol.
Remote Access (VPN)
The Panel Server provides a remote access feature that allows the Schneider Electric Customer Care Center (CCC) to connect to the Panel Server webpages.
Access is not enabled by default, and the firewall must be configured to allow the connection. For more information, refer to Expected Endpoints.
The remote access feature relies on a layer 3 VPN that, by design, does not provide access to the network, but only to the Panel Server. In addition, only HTTPS is authorized to be tunneled via this VPN.
Connected Devices
It is recommended to regularly check the list of devices connected to the IEEE 802.15.4 network of the Panel Server. In the case of an unknown connected device, locate it and remove it. You can also rebuild the network and reconnect only identified devices.