Introduction
NubisNet EDGE Gateway has been designed with cybersecurity in mind. As such, the product offers a number of features for addressing cybersecurity risks. The Cybersecurity Recommendations below have been devised to help users deploy and maintain the product in a manner that minimizes cybersecurity risks. These recommendations are not intended to provide a comprehensive guide to cybersecurity, but rather to complement customers’ existing cybersecurity programs.
Eaton is committed to minimizing any cybersecurity risk in its products and to making them more secure, reliable and competitive by deploying cybersecurity best practices.
The following whitepapers are available for more information on general cybersecurity best practices and guidelines:
Security Instructions
Intended Use & Deployment Context
NubisNet IoT-Gateway is an interface module between local fieldbuses such as Modbus-TCP and the public internet.
NubisNet IoT-Gateway communicates with the MQTT protocol over the internet to a Brightlayer Industrial Machinery dashboard tenant.
Asset Management
Keeping track of your software and hardware assets is a pre-requisite for effectively managing cybersecurity. Eaton therefore recommends the creation of an asset inventory that uniquely identifies each important component. To facilitate this, NubisNet IoT-Gateway supports the following identifying information:
- Manufacturer
- Product line
- Product name
- Serial number
- MAC address
- Firmware version
- OS version
- Bootloader version
Identifying information for the device can be read on physical labels on the device. Software version information (FW, OS, bootloader) can be retrieved from the “Home” webpage on the WEB-GUI. To discover the device in a LAN and change its IP settings, use the NubisNet Assist tool.
Risk Assessment
Eaton recommends conducting a risk assessment to identify and assess any foreseeable internal and external risks to the confidentiality, availability and integrity of the system/device and its environment. Any such assessment should be conducted in accordance with the applicable technical and regulatory frameworks, such as IEC 62443 and NERC-CIP. The risk assessment should be repeated periodically.
Physical Security
An attacker with unauthorized physical access can cause serious disruption to system/device functionality. Additionally, Industrial Control Protocols don’t offer cryptographic protections, making ICS and SCADA communications especially vulnerable to confidentiality breaches. Physical security thus provides an important layer of defense in such cases. The NubisNet IoT-Gateway is designed to be deployed and operated in a physically secure location. Eaton recommends the following best practices to physically secure your system/device:
- Securing the facility and equipment rooms or closets by means of access control mechanisms such as locks, entry card readers, guards, mantraps, CCTV, etc., as appropriate.
- Restricting physical access to any cabinets and/or enclosures containing a NubisNet IoT-Gateway and the associated system. Any such access should be monitored and logged at all times.
- Restricting physical access to the telecommunication lines and network cabling to protect against any attempts to intercept or sabotage communications. To this end, we recommend using metal conduits for the network cabling between equipment cabinets.
- The NubisNet IoT-Gateway provides the following physical access ports:
  - RJ-45 Ethernet port
  - micro-USB port
  - SD card slot
  Access to these ports should therefore be restricted.
- Access to the physical interfaces of the NubisNet IoT-Gateway allows a user to perform a factory reset as well as to change settings through an update from the SD card.
- Physical access to the device MUST be restricted. Internal debug interfaces (not reachable from outside the device) can also allow an attacker to read credentials stored in the device.
- Access to the SD card can allow a user to view data logged via the local data logging functionality of the device.
- A physical port lock is recommended.
- Do not connect removable media (e.g., USB devices, SD cards) for any operation (e.g., firmware upgrade, configuration change, or boot application change) unless the origin of the media is known and trusted.
- Before connecting any portable device through the USB port or SD card slot, scan the device for malware and viruses.
Do not remove power during firmware update and factory reset operations. Doing so might render the device inoperable.
Account Management
Logical access to the system/device should be restricted to legitimate users, who should be assigned only those privileges necessary to complete their roles/functions. Additionally, customers should also consider implementing the following best practices:
- Ensuring that default credentials are changed upon first login. NubisNet IoT-Gateway should not be deployed in production environments with default credentials, as the latter are publicly known.
- No account sharing – Each user should be provided with a unique account, and accounts and passwords should not be shared. The product’s security monitoring/logging features are designed based on single-user accounts. Allowing users to share credentials therefore weakens security.
- Restricting administrative privileges – Attackers often seek to gain control of legitimate credentials, especially those used to access highly privileged accounts. Administrative privileges should thus only be assigned to accounts that are specifically designated for administrative duties and not intended for regular use.
- Leveraging the roles / access privileges to grant users tiered access in line with business/operational needs, following the principle of least privilege (by allocating users only that level of authority and access to system resources that is required to perform their role).
- Performing periodic account maintenance (removing unused accounts).
- Ensuring that password length, complexity and expiration requirements are appropriately set, particularly for all administrative accounts (e.g., a minimum of 10 characters, a mix of upper- and lower-case and special characters or as otherwise stipulated by the customer’s policies).
- Enforcing session time-outs after a period of inactivity.
For the first login (also after a factory reset) the NubisNet IoT-Gateway admin account can be accessed using default credentials. The user is forced to change those credentials when logging in. To avoid man-in-the-middle attacks, make sure that you are connected via a direct Ethernet connection to the device when first logging in.
The NubisNet IoT-Gateway supports setting up user accounts via the “UserManagment” setting page.
- The privilege management of users is access-based. The granularity is a single page/module/functionality. Users can have the right to view and/or modify the settings and data that belong to a certain page.
- By default, an admin user is set up with default login credentials. When first logging in, the user is prompted to change the default credentials.
- An admin is a user with the right to create/delete/modify other users.
- An admin account must always exist, i.e., the last admin account cannot be deleted.
- The admin accounts can set up other user accounts and set up their access rights. They can add new admins by creating a user with admin rights.
Up to 8 admins/users can be set up.
Network Security
The NubisNet IoT-Gateway supports network communication with other devices in its environment. This capability may present certain risks if not configured securely. Eaton recommends the following best practices to help secure the network. Additional information about various network protection strategies is available in the Eaton white paper Cybersecurity Considerations for Electrical Distribution Systems (WP152002EN).
Eaton recommends segmenting networks into logical enclaves, denying any traffic between segments except that which is specifically allowed, and restricting any communication to host-to-host paths, e.g. by using router ACLs and firewall rules, see general guidelines in Guidelines on Firewalls and Firewall Policy (NIST SP 800-41 Rev. 1). This helps to protect sensitive information and critical services and creates additional barriers in the event of a network perimeter breach. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (as recommended by Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82 Rev. 2)) for better security control.
Communication Protection
The NubisNet IoT-Gateway provides the option to encrypt its network communications. Please ensure that the encryption options are enabled. You can secure the product’s communication capabilities by taking the following steps:
- In order to disallow HTTP connections (which will implicitly only allow HTTPS connections) block port 80 in the Firewall settings.
- Use OpenVPN to connect to a VPN network.
Eaton recommends opening only those ports that are required for operation, and protecting network communication by means of network protection systems such as firewalls and intrusion detection / intrusion prevention systems. Use the information below to configure your firewall rules to allow the access needed for NubisNet IoT-Gateway to operate smoothly.
- The HTTP server runs on port 80 (HTTP) and port 443 (HTTPS).
- The Configuration server runs on port 8001.
- I/O driver servers such as CODESYS NetVars, and services such as the DHCP server. Whether these servers and services exist depends on the installed hardware and licences and can differ from device to device. All installed services are listed in the “Service” drop-down list when adding a new rule.
- A centralized list of enabled ports is not available.
Best Practice
Eaton recommends to
- turn on the firewall on the NubisNet IoT-Gateway and
- restrict access to necessary ports only.
Note: When the firewall is activated, the default rule is that all incoming requests are blocked unless a Static Rule is added to allow that request.
When no I/O communications are configured, the only port that needs to be opened in the firewall is port 443, and access to that port should be restricted to the local network, as shown in the following image.
Note: Activating the firewall without allowing access to port 443 will lock every user out of the WEB-GUI.
When I/O communications are used, those ports must be opened by adding another Static Rule to the firewall configuration of the NubisNet IoT-Gateway. It is recommended to add one rule for each I/O communication and to be as restrictive as possible in the rule’s definition.
Modbus TCP Slave/Server
The Modbus TCP Slave/Server service is always active on the NubisNet IoT-Gateway, regardless of whether input and/or output variables are defined, hence the NubisNet IoT-Gateway is always listening on TCP port 502. Following the best practice advice in the previous section, TCP port 502 should only be opened in the firewall to allow connections from Modbus TCP Masters/Clients when such an I/O communication is required for the system’s use cases.
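The following script, added here as an illustration and not part of Eaton’s product or documentation, encodes the firewall guidance of the two preceding sections as an audit over a static rule set: default deny, port 443 reachable from the local network only, port 80 blocked, and port 502 opened only when Modbus I/O communication is required and only for a restricted source. The rule representation (dicts with `port`, `proto`, `source` CIDR and `action`) is an assumption made for this example; the device’s own Static Rule format is not documented on this page.

```python
"""Audit a NubisNet IoT-Gateway static firewall rule set against the
recommendations above (added example, not Eaton's code). The rule format
used here is an assumption: {"port": int, "proto": str, "source": CIDR,
"action": "allow"|"deny"}; the device's real Static Rule format is not
documented on this page."""
import ipaddress

HTTPS, HTTP, MODBUS = 443, 80, 502


def _allowed(rules, port):
    """All 'allow' rules that open the given port."""
    return [r for r in rules if r["port"] == port and r["action"] == "allow"]


def _is_local(source, local_net):
    """True if every address the rule admits lies inside the local subnet."""
    return ipaddress.ip_network(source).subnet_of(ipaddress.ip_network(local_net))


def audit_firewall(rules, local_net, modbus_required, firewall_enabled=True):
    """Return a list of findings; an empty list means the rules match the guidance."""
    if not firewall_enabled:
        return ["firewall disabled: every listening service is reachable"]
    findings = []
    # HTTPS must stay reachable (otherwise administrators are locked out of
    # the WEB-GUI), but only from the local network.
    https = _allowed(rules, HTTPS)
    if not https:
        findings.append("port 443 not allowed: WEB-GUI lock-out")
    for r in https:
        if not _is_local(r["source"], local_net):
            findings.append(f"port 443 allowed from {r['source']}: restrict to {local_net}")
    # Plain HTTP should be blocked so that only HTTPS connections are possible.
    if _allowed(rules, HTTP):
        findings.append("port 80 allowed: block HTTP so only HTTPS is used")
    # Modbus TCP is always listening; expose it only when I/O communication needs it.
    modbus = _allowed(rules, MODBUS)
    if modbus and not modbus_required:
        findings.append("port 502 allowed but no Modbus I/O communication configured")
    for r in modbus:
        if r["source"] in ("0.0.0.0/0", "::/0"):
            findings.append("port 502 allowed from any source: restrict to the Modbus master")
    # Every other open port needs a justification (one rule per I/O communication).
    for r in rules:
        if r["action"] == "allow" and r["port"] not in (HTTPS, HTTP, MODBUS):
            findings.append(f"port {r['port']}/{r['proto']} allowed: verify it is required")
    return findings


if __name__ == "__main__":
    # Constructed sample rule set for demonstration only.
    sample = [{"port": 443, "proto": "tcp", "source": "0.0.0.0/0", "action": "allow"},
              {"port": 502, "proto": "tcp", "source": "0.0.0.0/0", "action": "allow"}]
    for finding in audit_firewall(sample, "192.168.1.0/24", modbus_required=False):
        print(finding)
```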
Logging and Event Management
- Eaton recommends logging all relevant system and application events, including all administrative and maintenance activities.
- The logs should be protected from tampering and other risks to their integrity (for example, by restricting the permissions to access and modify them, by transmitting them to a security-information and event-management system, etc.).
- The logs should always be retained for a reasonable and appropriate length of time.
- The logs should be regularly reviewed. A reasonable review frequency should be selected, taking into account the sensitivity and criticality of the system/device and any data it processes.
Logging is performed in the Event Log. The Event Log records events that occurred during the runtime of the system for all its components (system, drivers, services, editor, hardware, etc.).
Events are categorized into five levels: debug, info, warning, error and fatal error. Events are timestamped.
The Event Log is not persistent over reboots, and persistently logging the Event Log locally is not possible. The Event Log can be exported via the “Download” button on the Event Log GUI.
Vulnerability Scanning
It is possible to install and use third-party software with the NubisNet IoT-Gateway NN-GW-100-…. Any known critical or high severity vulnerabilities on third party component / libraries used to run software/applications should be remediated before putting the device/system into production.
- Eaton recommends running a vulnerability scan to identify known vulnerabilities for software used with the product. For COTS components (e.g., applications running on Windows), vulnerabilities can be tracked on the National Vulnerability Database (NVD), available at https://nvd.nist.gov.
- Keep software updated by monitoring security patches made available by COTS vendors and installing them as soon as possible.
Note: Many compliance frameworks and security best practices require a monthly vulnerability review. For many non-COTS products vulnerabilities will be communicated directly through the vendor site.
Malware Defenses
Eaton recommends deploying adequate malware defenses to protect the product as well as the platforms used to run it.
Secure Maintenance
The device includes the Diagnostics page that contains diagnostic services such as interface info, a ping utility, a DNS lookup utility, the ability to sniff network traffic, viewing all running system tasks on the OS and a debugging tool for the local data logging functionality.
Note: These diagnostic services are provided for diagnostic purposes only and shall not be left enabled.
Best Practice
Update device firmware prior to putting the device into production. Thereafter, apply firmware updates and software patches regularly.
Eaton publishes patches and updates for its products to protect them against vulnerabilities that are discovered. Eaton encourages customers to maintain a consistent process to promptly monitor for and install new firmware updates.
Firmware updates can be deployed via two methods:
- GUI: the user can select a .cup file via the Update GUI
- SD card: the user can copy a file named update.cup to the folder “NubisNet” on the SD card, insert it into the device and press the reset button while the device is operating (NOT while the device is booting).
Please check Eaton’s cybersecurity website for information bulletins about available firmware and software updates. Eaton Download Center
Business Continuity / Cybersecurity Disaster Recovery
Eaton recommends that customers incorporate NubisNet IoT-Gateway into their business continuity and disaster recovery plans. Customers should establish a business continuity plan and a disaster recovery plan and should periodically review and, where possible, test it. As part of the plan, all important system/device data should be backed up and securely stored, including:
- Updated firmware for NubisNet IoT-Gateway. The standard operating procedure should be to update the back-up copy as soon as the latest firmware is updated.
- The current configuration.
- Documentation of the current permissions / access controls, if not backed up as part of the configuration. The following section describes the failure states and back-up functions in detail:
Failure states
- System failing to boot (no Ethernet link and no GUI), possible reason: failed update process, hardware failure. Cannot be recovered.
- Reboot loop (Ethernet interface loses and gains link repeatedly), possible reason: failed update process. May be recovered via factory reset.
- GUI failing to load (404 or 500 error), possible reason: failed update process, system bug. May be recovered via factory reset.
- Fatal error, reason: see Event Log message.
The user should back up any crucial configurations and apply them after a factory reset to restore the state of the device after a failure.
Sensitive Information Disclosure
Eaton recommends that any sensitive information (i.e., information about connectivity, log data or personal information) that may be stored by NubisNet IoT-Gateway be adequately protected through the deployment of organizational security practices.
Decommissioning or Zeroisation
It is a best practice to purge data before disposing of any device containing data. Guidelines for decommissioning are provided in Guidelines for Media Sanitization (NIST SP 800-88 Rev. 1). Eaton recommends that products containing embedded flash memory be securely destroyed to ensure that the data are unrecoverable.
Embedded Flash Memory on Boards and Devices
Eaton recommends the following methods for disposing of motherboards, peripheral cards such as network adapters, or any other adapter containing non-volatile flash memory.
- Clear: Where possible, the device should be reset to the original factory settings. To reset the NubisNet IoT-Gateway, see the Factory reset section.
- Purge: If the flash memory can be easily identified and removed from the board, it may be destroyed independently of the board that contained it. Otherwise, the whole board should be destroyed.
- Destroy: The device should be shredded, disintegrated, pulverized or incinerated by burning it in a licensed incinerator.