DOCA0157EN-08

Security Capabilities

Security Features

Security features have been built into the PowerTag Link gateway to make sure that it operates properly and behaves according to its intended purpose.

The key features are:

  • User account management

  • Authentication and authorization controls for user access to the product resources from EcoStruxure Power Commission (EPC) software or from the webpages

  • Secure communications between the PowerTag Link gateway and its associated wireless sensors and devices (supporting confidentiality and integrity)

  • Configurable security services and settings

  • Firmware update mechanism

These features provide security capabilities that protect the product from potential security threats that could disrupt the product operation (availability), modify information (integrity), or disclose confidential information (confidentiality).

The security capabilities are intended to mitigate the inherent threats linked with the use of the PowerTag Link gateway in an Operational Technology environment.

However, the effectiveness of these capabilities will depend on the adoption and application of the:

Supported Protocols

The PowerTag Link gateway supports the following protocols:

  • HTTPS for configuration through configuration tools and embedded webpages

  • Modbus TCP for communications with other OT devices

  • DHCP for network IP addressing

  • DNS for network name resolution

  • SNTP for time synchronization

  • DPWS for network discovery

  • SMTPS for email sending

  • Wireless communications using radio frequency communication ISM band 2.4 GHz

Potential Risks and Compensation Controls

| Area | Issue | Risk | Compensating controls |
|---|---|---|---|
| User accounts | Default account settings are often the source of unauthorized access by malicious users. | If you do not change the default password, unauthorized access can occur. | Change the default password to help reduce unauthorized access. |
| User accounts | User credentials are stored as unencrypted text in the device. | If a malicious user gained access to your device, they could extract user credentials from storage media. | Store devices that are not in service in an access-controlled or monitored location. |
| Secure protocols | Modbus and some IT protocols (SNTP, DHCP, DNS, and DPWS) are unsecure. The device does not have the capability to transmit data encrypted using these protocols. | If a malicious user gained access to your network, they could intercept communications. | For transmitting data over an internal network, physically or logically segment the network. For transmitting data over an external network, encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper or a similar solution. |
| Secure protocols | HTTP is unsecure. | If a malicious user gained access to your network, they could compromise the security of your local network. | Configure meter to use these web protocol settings: HTTPS; HTTPS with HTTP Redirect. |
| Wireless radio communication | During the pairing window, unauthorized radio devices may try to join the network. | If a rogue device gained access to your network, it could eavesdrop on the communication of your wireless network or create a Denial of Service. | Reduce the commissioning window to limit the exposure. Once the pairing is performed, consult the list of paired devices in the PowerTag Link gateway configuration and make sure that the list contains no unexpected or rogue devices. |
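
An added example, not part of the original document or of any Schneider Electric tooling: one way to check the segmentation and HTTPS compensating controls above is to audit exported flow records for the unencrypted protocols. The port numbers are the protocols' well-known defaults; the subnet, the flow tuple format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions, not from the page: well-known default ports for the
# unencrypted protocols the page lists, and a constructed OT subnet.
CLEARTEXT = {("tcp", 502): "Modbus TCP", ("tcp", 80): "HTTP",
             ("udp", 53): "DNS", ("udp", 67): "DHCP", ("udp", 68): "DHCP",
             ("udp", 123): "SNTP", ("udp", 3702): "DPWS"}
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")

def is_local(addr, segment):
    """True for segment hosts and for broadcast, multicast and unspecified
    addresses, which DHCP and DPWS discovery use on the local link."""
    ip = ipaddress.ip_address(addr)
    return ip in segment or ip.is_multicast or ip.is_unspecified or ip == BROADCAST

def audit_flows(flows, segment=OT_SEGMENT):
    """Return (src, dst, protocol, reason) for each flow that needs review."""
    findings = []
    for src, dst, proto, dport in flows:
        name = CLEARTEXT.get((proto, dport))
        if name is None:
            continue  # HTTPS, SMTPS and unlisted ports are out of scope here
        if not (is_local(src, segment) and is_local(dst, segment)):
            # Cleartext protocol with a peer outside the segment: needs a
            # tunnel or TLS wrapper, or the path should be blocked.
            findings.append((src, dst, name, "leaves segment unencrypted"))
        elif name == "HTTP":
            # Plain HTTP inside the segment: check the web protocol setting.
            findings.append((src, dst, name, "use HTTPS or HTTPS with HTTP Redirect"))
    return findings

# Constructed sample flow records: (source, destination, transport, dest port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.40", "tcp", 502),        # Modbus inside segment
    ("192.168.5.9", "10.20.0.40", "tcp", 502),       # Modbus from another network
    ("10.20.0.40", "10.20.0.1", "udp", 123),         # SNTP inside segment
    ("10.20.0.40", "203.0.113.7", "udp", 53),        # DNS to an external resolver
    ("10.20.0.15", "10.20.0.40", "tcp", 443),        # HTTPS configuration session
    ("10.20.0.15", "10.20.0.40", "tcp", 80),         # plain HTTP to the webpages
    ("0.0.0.0", "255.255.255.255", "udp", 67),       # DHCP discover broadcast
    ("10.20.0.40", "239.255.255.250", "udp", 3702),  # DPWS discovery multicast
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
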
