Overview – Security
Security is included for free with all of the product features of Open Automation Software. However, there are several security considerations you need to review to ensure your data is not improperly accessed or modified.
At its most basic, hardware security means ensuring that your server infrastructure cannot be physically accessed by unauthorized users and that it has redundant power supplies for uninterrupted operation. This can be accomplished either on site or by using third-party hosting facilities.
File System and OS Security
At the next level above hardware security are the servers’ file system and operating system.
- Whether you are using Windows or Linux, be sure to only allow access to log in and configure the operating system with a valid account.
- Never distribute the system administrator or root user account credentials to anyone who is not managing server installations or performing maintenance on the server.
- Disable remote logins to the operating system by unauthorized administrators.
OAS stores server configuration files in directories of your choosing. Be sure only OAS server administrators have access to these directories and files. You can locate where these files are stored in the OAS Configuration Application under Configure > Options and selecting Default Files.
At the most basic transport level, allow access to the OAS server ports only from authorized systems and users. This can be done using built-in operating system firewalls or external firewalls on your company network. The following are the default ports used by OAS; they can be changed in the OAS Configuration Application under Configure > Options, then Networking:
- 58724 : Legacy server administration and server-to-server WCF communications
- 58725 : Web product and REST API communications
- 58727 : Server administration and server-to-server TCP communications
- 58728 : OAS OPC UA Server Port
For secure one-way communications between OAS servers, see our documentation on setting up a Unidirectional Network Gateway.
For secure Web and REST API communications, enable SSL within OAS and apply a certificate to the HTTP listener.
Communications drivers are secured through the specific settings of each driver, using secure credentials, certificates issued by a third party, or both.
Open Automation Software incorporates several protection safeguards within the software routines and verification with Security Code Scan to analyze vulnerability patterns.
Secure Data Transport
- All service-to-service and client-to-service communications from .NET assemblies use a custom packet encryption scheme that is not publicly documented, intended to protect against threats that target open encryption libraries.
- Packets are additionally compressed to a binary stream.
SAST – Static Application Security Testing
OAS utilizes Security Code Scan on all code used to create the OAS Engine and applications before deployment. Security Code Scan detects vulnerability patterns and has a comprehensive list of rules to follow when coding. This helps enforce good coding practice to protect against security risks.
When logging OAS Tag data to an external database, use a unique credential for each database and do not use the database administrator credential (e.g. ‘sa’ on MS SQL Server). In this way each OAS Data Logging Group is restricted to reading and writing only the databases and tables required for its function.
See documentation on Data Logging Groups for more information.
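As an added example (not OAS documentation or OAS-provided code), the following T-SQL creates a dedicated SQL Server login for one Data Logging Group and grants it only SELECT and INSERT on its logging table, then verifies the result by impersonating the new user. The database name OasHistory, the table dbo.TagLog, the login oas_logger and the role oas_tag_logger are assumptions.

```sql
-- Added example: least-privilege SQL Server credential for one OAS Data Logging Group.
-- Assumed names: database OasHistory, logging table dbo.TagLog, login oas_logger.
USE [master];
GO
-- Dedicated login for this logging group; replace the placeholder password before use.
CREATE LOGIN [oas_logger]
    WITH PASSWORD = N'<STRONG_PASSWORD_PLACEHOLDER>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [OasHistory];
GO

USE [OasHistory];
GO
-- Map the login to a database user; it starts with no object privileges.
CREATE USER [oas_logger] FOR LOGIN [oas_logger];
GO
-- Collect the privileges in a role so other logging groups can reuse it.
CREATE ROLE [oas_tag_logger];
GRANT SELECT, INSERT ON OBJECT::[dbo].[TagLog] TO [oas_tag_logger];
-- Only if the logging group is configured to create its own table (assumption);
-- otherwise leave these two grants out.
-- GRANT CREATE TABLE TO [oas_tag_logger];
-- GRANT ALTER ON SCHEMA::[dbo] TO [oas_tag_logger];
ALTER ROLE [oas_tag_logger] ADD MEMBER [oas_logger];
GO

-- Verification: impersonate the new user and list its effective permissions
-- on the logging table. Only SELECT and INSERT should appear.
EXECUTE AS USER = 'oas_logger';
SELECT permission_name
FROM fn_my_permissions(N'dbo.TagLog', N'OBJECT');
REVERT;
GO
```

Repeat the script with a different login and database for each Data Logging Group so that a compromised logging credential cannot reach the other databases.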
Feature Security and Authorization
Every feature within OAS can be secured, even down to the individual Tags and Tag Groups. This is accomplished using the OAS Security Groups and Users features. In a production system, always create the groups, users, and access rules you require, then disable all features on the Default Security Group.
Other resources for Security: Programmatic Access Security Groups