Secure way to download PAC Project


#1

We have EPIC connected to our company network.
It is obvious that anyone from our company who knows the IP address of the EPIC and who has the PAC Control software can modify/download a strategy. I see this as a security issue.

And another one: if anyone has KepserverEx and decides to get data from the EPIC, as long as they know the IP address and the standard PAC port, they will be able to stream data.

Is there a way to password-protect this somehow?


#2

Regarding the first part, don’t save an archive to the controller. Without an archive, no one can really change the program unless they already have the program. Unless they just want to completely wipe out whatever is on the controller; I suppose they can load up whatever they want.

On some network switches there is a way to block access to certain ports/IPs except from assigned IPs. Perhaps that would work?

Just tossing ideas out there.


#3

Sounds like you are looking for network isolation - basically put your control network on a separate network and use a router/firewall to control access. There are a few ways to do this, you may want to talk to your IT people for assistance if you can.

VLAN may be a good option as you may already have all the hardware you need for that. Or you can physically separate using a different network switch, add a router with a firewall between this switch and your company LAN, and set up firewall rules to only allow the trusted machines access. If you have shell access and the skills, you could even adjust the firewall in the EPIC itself to only allow trusted machines. I don’t think that option is available from the web interface, maybe a feature request…


#4

Do “unauthorized” people on your office network need to have access to the controller(s) at all?


#5

The dual Ethernet ports feature of groov EPIC is one of the strongest security aspects of the system.
It would pay to look closely at your network and how the two ports are currently connected (if at all).

You should set up your groov EPIC to only have ETH port 0 connected to your trusted network and ETH port 1 connected to your untrusted network.

A trusted network is any network where you know exactly who has access to it, for example, an IT-managed corporate network.

An untrusted network is any network where you don’t know who has access to it, like the internet.

It is important to note that groov EPIC does not route traffic between network interfaces. It does not have router functionality. This adds to security as each port is isolated from the other. Access is controlled via the firewall.
Speaking of the firewall, you can adjust the open ports and the network they use, so be sure to check the settings and make any adjustments you feel fit.

Here are some notes for best practices for groov EPIC network security.

Networks

• Configure your groov EPIC to use the ETH0 Ethernet network interface for your trusted network.

• Use ETH1 for any untrusted network. Configure exceptions in the system’s firewall only if required for your application.

• Configure the system’s firewall in groov Manage to close all unneeded network ports on all network interfaces.

Users

• Don’t simply make every user an Admin. Use the different level settings to set each user to the right privileges.

• Have all your users create long and difficult passwords, or better still use a passphrase, and don’t write them down anywhere.

• Use a VPN if you require remote network connections over untrusted networks.

• To prevent unauthorized access to the groov EPIC processor, always log out of any ID that has administrator privileges.

• If you are running your groov View HMI on an external monitor, always put it in Kiosk mode so that only groov View is accessible.

Other Best Practices

• If you need a completely closed system (for example, if you are an OEM using groov EPIC in your machine), after you have finished development, disable all ports in the firewall and unplug any Ethernet cables.

If someone attempts to connect an Ethernet cable to the EPIC to try to access the system from their computer, the ports will be closed and all network access will be denied. Only an authorized user with administrator privileges can access groov Manage through the built-in display to reopen needed ports and gain network access.

• Whenever possible, use authenticated and encrypted outbound data communication methods. For example, use MQTT to publish data to an MQTT broker. Outbound data communication methods help you:

– Reduce open inbound network ports

– Eliminate man-in-the-middle exploits

– Prevent exposing sensitive credentials over the network

We will be putting together these notes and more in a security learning lesson on https://training.opto22.com/ as soon as we can.


#6

Well, we have a lot of facilities worldwide, and we share the same VPN. And I make my groov View dashboard public; once they have my IP address, they can use it to download the PAC Control strategy.


#7

Hi Ben,

Thank you for listing all that.

Both networks on the groov EPIC are on a secured, IT-managed network. The 1st port is connected to the machine VLAN and the 2nd port is connected to the company network, which all employees have access to.

Noted that groov EPIC does not have routing capability. I always got that question from IT.

There is one solution I am thinking of. I should open port 22001 only when I do a download to the PAC. But the problem is, I communicate with other PACs through Scratchpad. I should decide to use a workaround: use Node-RED PAC Read/Write to communicate with other EPICs. (Or is it practical to use MQTT?)


#8

This is one good trick; I need to start practicing this.
I always set “Save to Flash after Download” in Strategy Options, thinking that I may need it in case I lose the original strategy.


#9

If you are saying:
company-managed switch -> self-managed switch -> EPIC Ethernet port.

Managed network switches are cheap now.
Will this work? I have not managed a switch before.
Will our company DHCP still work on my groov EPIC?
Logically, will the company switch see it as if there is no other switch in between?


#11

Hi Eugene. You stated:

> Well, we have a lot of facilities worldwide, and we share the same VPN. And I make my groov View dashboard public; once they have my IP address, they can use it to download the PAC Control strategy.

Actually, this is not true. Just because someone has the IP address of EPIC does not mean they can download a strategy. To do that, port 22001 must be open to inbound traffic.

If following Ben’s instructions, you wouldn’t open port 22001 on the Untrusted Network interface on ETH1 which is connected to your corporate LAN. Only leave the default port 443 open, which ports all traffic to the authentication service on EPIC. Then, only authorized users can connect to groov Manage or groov View (set up user accounts appropriately) over a TLS encrypted connection.

We are more than happy to help you create as secure a system as possible for your application, so keep the questions coming.

-Benson


#12

Hi Benson,

True, I can close port 22001. But I manage multiple EPICs in different centers; each center has a shop floor, one port of the EPIC connects to the shop floor and the other to the company IT/employee network, so I leave port 22001 open so I can work on individual strategies and download them. But any of my colleagues who also know Opto 22 can alter the strategy without me knowing it.


#13

Eugene- My advice would be to open port 22001 on either Ethernet interface when you need to work with your strategy over the network. Then close it when you’re done. This will prevent anyone from attempting to download a new strategy or otherwise connecting to the control engine within EPIC.

To do so, log into groov Manage on your EPIC with your Admin credentials (which will be an authenticated, encrypted connection). Navigate to the Firewall, change your setting based on the task you’re performing (open the port for PAC Control development; close the port when done). Save your settings, and you’re done.

If you’re worried about accidentally leaving port 22001 open after development, configure a Node-RED flow on EPIC to port-scan itself. If 22001 is open, send an email, text, Tweet, or whatever you like at whatever interval you can endure.

Granted, while the port is open during your development, your control engine on EPIC is vulnerable. If this is unacceptable, consider setting up a 3rd network interface: a WPA2-secured WiFi network through the EPIC’s USB port that’s completely separate, with only WiFi credentials you know. Open port 22001 on this interface only. Then, a rogue player would have to first hack the secured WiFi network before having the opportunity to connect with PAC Control.

Relative to communicating to the Scratchpad on other PACs in your system, those comms occur over port 2001, not 22001. Furthermore, if the request for Scratchpad registers originates from the EPIC, no open inbound ports on EPIC are required. All requests from EPIC to PACs are outbound, and responses come back over the established connection.

I hope this helps. -Benson
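
Ben’s best-practice list in #5 (open 22001 only where it is needed, close everything unneeded on every interface) and Benson’s suggestion in #13 to have the EPIC port-scan itself and alert when 22001 is open can be combined into one check. The script below is an added example, not Opto 22 code and not a Node-RED flow from the thread: it probes each interface address for the ports named in this discussion (22001 for the PAC Control engine, 2001 for OptoMMP/Scratchpad, 443 for groov Manage/groov View), compares what answers against a per-interface allow policy, and produces an alert text for any port that is reachable where the policy says it should be closed. The interface addresses, the policy contents and the local listener in `demo_local()` are constructed assumptions; substitute your own ETH0/ETH1 addresses before running it on a real controller.

```python
"""Port-exposure audit for a dual-interface groov EPIC (added example, not Opto 22 code)."""
import socket

# Ports discussed in the thread. Which ones may answer on which interface is policy,
# not fact: the PROD_POLICY dict below is an assumption you must adapt.
PAC_CONTROL_PORT = 22001   # PAC Control engine: strategy download/debug
OPTOMMP_PORT = 2001        # OptoMMP / Scratchpad on classic PACs
HTTPS_PORT = 443           # groov Manage / groov View behind the auth service

# Assumed production layout: ETH0 on the trusted machine VLAN, ETH1 on the corporate LAN.
PROD_INTERFACES = {"ETH0 (trusted)": "10.0.1.10", "ETH1 (corporate)": "192.168.50.10"}
# port -> interfaces on which an inbound listener is acceptable.
# 2001 is listed with no interfaces because Scratchpad reads from the EPIC are outbound.
PROD_POLICY = {
    PAC_CONTROL_PORT: {"ETH0 (trusted)"},
    OPTOMMP_PORT: set(),
    HTTPS_PORT: {"ETH0 (trusted)", "ETH1 (corporate)"},
}


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connect() to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_exposure(interfaces, policy, timeout=1.0):
    """Probe every (interface, port) pair; return (interface, port) pairs that are
    reachable but not permitted by `policy`. A port that is closed is never a finding,
    so a port allowed on ETH0 but not actually open there is simply reported as fine."""
    violations = []
    for name, addr in interfaces.items():
        for port, allowed_on in policy.items():
            if name not in allowed_on and tcp_port_open(addr, port, timeout):
                violations.append((name, port))
    return violations


def format_alert(violations):
    """Body for the email/SMS Benson suggests; empty string means nothing to send."""
    if not violations:
        return ""
    lines = ["groov EPIC exposure check: unexpected open ports"]
    lines += [f"  {name}: TCP {port} is reachable but not permitted" for name, port in violations]
    return "\n".join(lines)


def _free_port():
    """Bind to an ephemeral port and release it, so nothing is listening there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_local():
    """Constructed offline scenario: a listener on 127.0.0.1 plays the role of port 22001
    left open on ETH1, and a released ephemeral port plays a correctly closed port.
    Returns (open_port, closed_port, violations)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)   # connect() completes via the backlog; no accept() needed
    open_port = listener.getsockname()[1]
    closed_port = _free_port()
    interfaces = {"ETH1 (corporate)": "127.0.0.1"}
    policy = {open_port: {"ETH0 (trusted)"}, closed_port: {"ETH0 (trusted)"}}
    try:
        violations = audit_exposure(interfaces, policy, timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, violations


if __name__ == "__main__":
    op, cp, v = demo_local()
    print(f"simulated open port {op}, closed port {cp}")
    print(format_alert(v) or "no violations")
    # Against a real controller: print(format_alert(audit_exposure(PROD_INTERFACES, PROD_POLICY)))
```

Run it from a scheduled job on a host that can see both interface addresses, or from the EPIC itself if you have shell access; a non-empty `format_alert()` result is the signal to send. A connect() probe only proves a listener answers, so a port the firewall drops silently shows as closed after the timeout, which is the outcome you want, but it also means a slow network can mask a real listener if the timeout is too short.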


#14

If you have shell access on your EPIC, you should have the ability to set up an SSH tunnel. It will be TCP in TCP, which sucks, but it should work. Then you can lock down 22001 and open SSH.

Search for “SSH tunnel local port forward putty”. That should get you on your way.