How would I go about ensuring that all the network traffic between the OPTO22 Epic and the other devices (Groov-Epic, Groov-Rio, Allen-Bradley PLCs) is encrypted between devices?
How would I go about ensuring that all the network traffic between the OPTO22 Epic and the other devices (Groov-Epic, Groov-Rio, Allen-Bradley PLCs) is encrypted between devices?
You have to ensure that you are using protocols that support encryption.
Depends on what sort of traffic and how deep you want to dive in.
Wireshark on a hub.
Talk to your IT dept about managed switches and checking via those.
If you are using Node-RED, it forces you to use https:
For Allen-Bradley, you will need to check with them if they support https (back to Wireshark or your IT guys).
Do you have a shell license for each EPIC/RIO?
Last time I checked, EPIC and RIO have the wireguard vpn available in the apt repositories, which offers state of the art cryptography and well-audited source code.
For each EPIC and RIO
$ sudo apt-get update and enter your shell account password.$ sudo apt-get install wireguard and enter your shell account password.When each device is running wireguard, use their VPN addresses for communication, and that traffic is encrypted, regardless of the protocol of encapsulated packets.
There’s a less convenient method of connecting each EPIC/RIO to an OpenVPN VPN. Groov Manage on the EPIC/RIO can set up the OpenVPN client, but the server configuration is out of scope, and the server will provide the client configuration.
Allen-Bradley PLCs may or may not have an option for encrypted communication. Can you provide more details about the Allen-Bradley PLCs? I’d check Allen-Bradley’s website and Ignition’s website, if that’s how you’re interfacing.
As Beno replied, if you wish all network traffic between devices to be encrypted, only use protocols and transport mechanisms that support end-to-end encryption.
For groov EPIC and RIO, see below for a few examples (not exhaustive).
For other devices like Allen-Bradley, that will be wholly dependent on the device and its support for encrypted protocols.
For out-of-the-box encrypted protocols on groov devices, here are examples:
For client/server methods:
For pub/sub methods:
As noted by Indigo, there are other methods that can be installed and configured through the EPIC and RIO optional Shell interface (including Wireguard). These options generally require more setup and are not managed through the built-in groov Manage application.
In the case of devices that do not support encrypted protocols, I suggest taking advantage of the segmented network interfaces on groov EPIC. This allows you to place non-encrypted devices on one network interface (a private, trusted network), and the other network interface on a broader network (shared, untrusted network). This approach isolates the unencrypted traffic to a known, private “zone” yet is still accessible to applications running on the EPIC (PAC Control, CODESYS, Node-RED, Ignition, etc.). Then, traffic that needs to be shared with other applications on the shared, untrusted network occurs over encrypted network protocols like those noted above.
I’d also recommend reviewing this Cybersecurity Design and Best Practices guide, which covers much of what I’m describing here:
https://www.opto22.com/support/resources-tools/documents/2310-groov-epic-cybersecurity-design-and-best-prac
Other cybersecurity resources can be found here:
https://www.opto22.com/products/cybersecurity
I hope this helps. As always, we’re here to answer further questions, and I am happy to discuss and demonstrate these architectures live on a Zoom call.
Cheers, -Benson