Danfoss keeps the focus on IT Security

CVE:
Short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws.  

DDOS:
Distributed Denial of Service: this term is used when 100 000s of remote devices attack a single device on the net web. This is a highly effective attack on a system. Not even large corporations and security organizations can maintain operations during such attacks. These attacks have been measured to include 400+ Terabits/second attack rates, which simply floods out the connection to the device. This cannot be mitigated at any level at other than the internet backbone.   

There is no cheap defence against these kinds of attacks and the only effective way of mitigating these attacks is to avoid them, by hiding.   

Remote Exploit:
One can assume that all software that faces the internet will contain exploits. Therefore, researchers are continually searching for these, and when found, the software providers create patches that mitigate the exploit. It is therefore extremely important to update software and keep it updated with the latest versions to prevent vulnerabilities in the system.  

For example older Systems Managers used the 1.12.1 version of Nginx, where several vulnerabilities were discovered, and patched, thus the newest System Manager version 3.1.9 now uses the 1.21.0 version of Nginx, which currently has no known vulnerabilities. Therefore, it is important to upgrade to the latest Danfoss release – the release numbers may have increased after the writing of this document because new exploits are continually discovered.

1. Devices should always be fully updated to the latest available software versions, issued by Danfoss. In every newer version, there might be some security updates, which are explained in the appendix.
2. Ensure that the device is always protected from direct internet exposure.  (Install network devices behind a firewall)

This course is meant to offer a basic understanding about few upcoming European Cybersecurity Regulations, and their relation to the added Product security of the System Manager AK-SM 800A.

https://event.on24.com/wcc/r/4542217/9DD4DD6F9BA5CA9B3DABDA48E088158A

After this training, you will understand why cybersecurity is important, and you will be aware about related upcoming regulations.
Furthermore, you will know about some product security requirements, and how to use the added product security in the AK-SM 800A with the latest Software release of 4.0.

Start to split your network into zones/segments. To have Danfoss devices placed on a separate network will reduce the attack surface.

This is in general a practice to consider in your network, independently of which devices you use.

The segmentation could even be extended to micro segmentation, so in case, one device is compromised, it will not spread to the rest of the network.

See below typical Segmented Network example:

Always place Danfoss systems and devices behind firewalls and other security protection appliances that limit access to only authorized remote connections. Building a highly protected network that helps prevent outside access is the most critical line of defence against cyberattacks.

We recommend that you follow these guidelines:

• Limit access to the networks on which Danfoss devices are placed.
• Ensure that Danfoss systems and devices are not accessible from the internet, unless placed behind firewalls and other security protection appliances.
• Restrict external network connectivity to your systems and devices.
• Continually monitor for events that might indicate attempted unauthorized access.
• Limit access to internal networks where devices reside.
• Isolate control and safety system networks and remote devices from the business network.

For a secure connection/access you can also use a VPN connection.

Implement secure methods for remote users to access your network. Require all remote users to connect and authenticate through a single, managed interface before conducting software upgrades, maintenance, and other system support activities.

When there is a need for accessing devices from remote locations it is important that the exposure of the device is limited as much as possible. The following solutions present ways of protecting the device and network while providing the flexibility to access the device, remotely.

Fixed IP on the mobile devices: 

Using fixed IP addresses on remote mobile devices is the simplest solution to maintaining remote access to the system while maintaining full security of the device against hostile attacks - it also protects the device against DDOS attacks. 

Proxy solutions are more complex to set up; however, they offer greater security as well as the ability to provide a proper valid SSL (Secure Sockets Layer) certificate for access to the system. The proxy system exposes an authenticated system access to the internet, and this authenticated access will take the worst part of any system attacks, protecting the System Manager from being compromised.  

The proxy can use methods such as authenticators, 2-factor authentication, and other security mechanisms to make sure that only authorized access is allowed.

The proxy is IP locked to the firewall that is protecting the System manager, and all mobile clients, use random IP addresses, and authenticate to the proxy (usually using certificates, 2-factor authentication, or the like), creating a strong validation of the client.

All hostile clients are denied direct access by the firewall and the proxy as it cannot supply the required credentials to talk to the proxy.  

This means that the proxy will endure most of all security attacks, and in the worst case the proxy will be DDOS and local access to the system manager is still possible.

Alsense can provide this solution via a VPN (Virtual Private Network) based connection, or via an IP-bound proxy solution, where the connection can be limited to the Alsense cloud system - again minimizing the exposure of the system to the internet, allowing Alsense to provide the system protection.

Alsense is a Danfoss cloud solution for accessing System Managers, and much more. This solution provides the same as the proxy solution, however, it is managed by Danfoss, and as such does not need the client to implement, nor maintain and operate the proxy.

Access to industrial networks, should be performed via authentication/audit logs, e.g., VPN or firewalls, so that access can be audited, and thus security events can be investigated if one occurs. Minimize the chances of data breaches by monitoring and auditing system events 24/7. Use intrusion detection systems, intrusion prevention systems, antivirus software, and usage logs to detect data breaches or incidents in their earliest stages.

As a good practice we suggest the use of networking monitoring software for any unusual traffic alerts, unsuccessful access attempts etc. Guidelines are vast right from general IT requirements covered in ISO 27001 to specifics in IEC 62443 and can be found in these international Standards.

A plant or machinery is usually operated by more than one person, so central user administration is therefore recommended.

Change default passwords at commissioning and use the product to create user access levels.

This is particularly important for administrator accounts and control system devices. Use role-based access with multifactor authentication to help prevent security breaches and provide a log of access activity.

Users should avoid sharing passwords, as this can help with auditing of access, and prevents passwords from being leaked out to the population in general. A shared password usually ends up being known by everyone and prevents auditing of security issues.

Consider adding password security features, such as an account lockout that activates when too many incorrect passwords are entered.

Basics:

• Whitelisting mechanisms provide additional protection against undesired applications or malware, as well as unauthorized changes to installed applications.

• Whitelisting software creates or contains a list of programs and applications that are allowed to run on the PC.

Use whitelisting to define what Apps, IPs etc. are allowed, as whitelisting is the strongest form of security control as it blocks attempts to by-pass it. However, if for any reason whitelisting is not a viable option, then if possible, implement a blacklist to block known security issues, but knowing that blacklists can be circumvented easily.

Blacklisting is a basic access control mechanism that allows blocking unwanted elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned. Those items on the list are denied access.

Blacklisting can help prevent known viruses, spyware, Trojans, worms, and other kinds of malware from accessing your system.

Often, using blacklisting and whitelisting together is the ideal option. You can use different approaches at different levels of your infrastructure and even use both within the same level.

Many organizations use both blacklisting and whitelisting for different parts of their security strategies. For example, controlling access to a computer or an account using a password is whitelisting. Only those with the password are allowed access, and all others cannot get in. Many of those same organizations also run anti-malware programs that use a blacklist of known malware to block harmful programs.

Provide cybersecurity training to your employees to help keep your organization secure. Explain phishing emails, infected attachments, malicious websites, and other methods that attack them directly.

While this is not just a cybersecurity issue, it is important to put physical controls in place so that no unauthorized person can access your equipment. Keep all controllers in locked cabinets and limit access to any connected devices.