Subscribing is a smart move!
You can subscribe to this board after you log in or create your free account.
Invite a Co-worker
Send a co-worker an invite to the portal.Just enter their email address and we'll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
Contact Support
Submit a support request for additional assistance with EcoStruxure IT software.
Select your language from the translate dropdown in the upper right.
The intent of this document is to provide a security handbook covering relevant best practices and information for EcoStruxure IT Gateway.
Note: This page is targeted at the latest Gateway release, however is applicable to older versions.
Table of Contents
- Overview
- Security considerations
- EcoStruxure IT Gateway in a secure network environment
- Application security
- Application vulnerabilities
- Physical security
- EcoStruxure IT data center and network security
Overview
The EcoStruxure IT platform is security hardened with a mandatory two-factor authentication and high encryption standards. Your data is securely transported to the EcoStruxure IT platform using the EcoStruxure IT Gateway, which uses an outbound connection to ensure no one can compromise your environment.
EcoStruxure IT Gateway is a software application that runs on a standard Windows or Linux operating system.
It is best practice to keep operating systems up to date and patched regularly in accordance to vendor recommendations.
System requirements for EcoStruxure IT Gateway
Security considerations
Security hardening
The EcoStruxure IT Gateway is intended to be accessed from within a secure network, and not over the internet. Therefore, do not make the web UI accessible via the internet.
Regularly apply available operating system patches and security updates to the Gateway server.
Follow the recommended hardening guidelines for the operating system.
Refer to Gateway default ports when configuring the firewall.
Do not allow local operating system login access to the Gateway server, except for IT administrators.
Use SNMPv3 instead of SNMPv1 and enable encryption and authentication whenever possible. Use HTTPS instead of HTTP for NetBotz devices. Use SCP instead of FTP for firmware updates and device configuration. Even when these devices are on a private network, using a secure protocol as part of a defense-in-depth strategy is recommended.
By default, none of the protocols for communicating with the end devices are active. They are enabled by adding new device credentials. The only external ports enabled are:
-
443 for the web application, both inbound for the Gateway web UI, and outbound to communicate with the EcoStruxure IT web application. This can be changed at install to use another port if desired.
- 162 and 1062 for SNMP traps.
Outbound Connection
Schneider Electric is committed to keeping your data secure and private, even before it leaves your site. All connections from the EcoStruxure IT Gateway to our cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption.
To avoid compromising the security of your site, the EcoStruxure IT Gateway uses an outbound connection through Port 443, and only communicates to EcoStruxure IT cloud using 40.84.62.190, 23.99.90.28, 52.230.227.202, 52.177.161.233, and 52.154.163.222.
The communication from this outbound connection is always initiated by the Gateway. The Gateway connects to our cloud at regular intervals to check for messages, and then performs actions based on those messages.
Infographic: Learn more about how EcoStruxure IT applies updates to your infrastructure
Authentication
All requests coming from the Gateway are signed using a unique private key created on installation and stored in the gateway, making it impossible to impersonate it.
Auto Updates
The EcoStruxure IT Gateway features an auto-update functionality ensuring that the software security patching happens automatically and that the Gateway is always up-to-date.
During the update, the Gateway continues to communicate sensor data and alarms to the cloud, minimizing downtime.
Password policy
There is no default password for the EcoStruxure IT Gateway. Upon first launching system, the user is required to set the admin password.
In Gateway version 1.9 and newer, strict password enforcement is in place. It is recommended to update your password after upgrading and to update your password periodically since passwords do not automatically expire.
Strong passwords are enforced when you first create your password and when you change your password. You are not required to change your existing password after updating your Gateway.
The EcoStruxure IT Gateway password policy requires:
- At least 10 characters in length
- At least 3 of the following 4 types of characters:
- Lower case letters (a-z)
- Upper case letters (A-Z)
- Numbers (0-9)
- Special characters (Example: !@#$%^&*)
- No more than 2 identical characters in a row (Example: aaa is not allowed)
Permissions
Application
There is only one permission level on the Gateway. The Gateway UI is intended for application administrators only. This user has the ability to:
- Create, delete, and change passwords for users, but cannot change usernames
- Configure device discoveries
- View sensor and alarm information from discovered devices
- Configure Gateway communication
IT administration
A local administrator account on the operating system of the Gateway server is required in order to install the software, perform the other security hardening activities, and to retrieve log files if necessary.
The Linux installer creates a non-login gateway account under which the applications runs. This service also performs database backups.
On Windows, the service runs as the gateway account, and the network services account performs database backups.
Windows
- Local administrator permissions for clean install or manual update
- The gateway account and the network services account need permissions for running the Gateway software and performing an auto-update or an update initiated from ITE.
Linux
- root or sudo capable user required for clean install or manual update
- The root user and the non-login gateway user need permissions for running the Gateway software and performing an auto-update or an update initiated from ITE.
Software updates can be done three ways:
-
Auto update - When this option is selected in the EcoStruxure IT web application, software updates are automatically pushed to the Gateway. No additional user accounts or interaction is required.
-
Cloud initiated - Software updates are initiated by a user logged into the EcoStruxure IT application. No additional user accounts or interaction is required.
-
Local, manual - A local operating system administrator may also download the software update to the Gateway server and manually run the installer.
Decommissioning
To decommission a Gateway server, it is recommended that you re-image the machine. This will erase all data and set all operating system settings back to their defaults.
If re-imaging is not possible, first run the uninstaller, then make sure the data is removed from the install location using a secure erase utility. This will remove the application, data, and certificate.
Log in to the organization's EcoStruxure IT account and remove the association with the Gateway from the account.
EcoStruxure IT Gateway in a secure network environment
Multiple Networks
EcoStruxure IT Gateway is designed to be part of a secure network architecture. It is recommended to have critical IT power and cooling devices on a private network segregated from the corporate network.
In this scenario, the server the Gateway is installed on should have two network adapters, one connected to the private network, and the other connected to the corporate network. This allows the Gateway to access both the devices on the private network and EcoStruxure IT Expert or Asset Advisor in the cloud. It also allows a client computer on the corporate network to access the IT Gateway's user interface do tasks like device discoveries.
See how to configure multiple network adapters
Private Network
It is important to have critical equipment on a private network as an additional layer of security. Some devices on the private network might use insecure protocols like Modbus TCP that do not support encryption or authentication.
Proxy Service
The Gateway acts as a proxy between the two networks, which allows a client connected to the corporate network to securely open the user interface of a device on the private network.
To connect to a device from the Gateway user interface, go to Devices, and click a specific device; click Details, and then the IP address of the device.
Application security
Schneider Electric is committed to securely develop and test against security threats to ensure cstomer data safety. Furthermore, Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.
Security training
All new EcoStruxure IT software developers attend a mandatory security training which is given upon hire and every year after that. Additionally, they can choose to enroll in a White Hat Hacker training to receive the Ethical Hacker certification.
Peer review
Any change to the EcoStruxure IT platform is subjected to a mandatory peer review where code and infrastructure changes are reviewed by at least one other engineer in order to validate code quality, security and performance.
All changes are tracked using a version control system (GIT) to ensure history, traceability and audit tracking.
Separate Environment
EcoStruxure IT testing environments are physically isolated from the Production environment.
Application vulnerabilities
Dynamic Vulnerability Scanning
Schneider Electric uses several third-party security tools to continuously dynamically scan the EcoStruxure IT platform for vulnerabilities. Schneider Electric maintains a committed security team to handle results and work with engineering teams to remediate issues.
Static Code Analysis
All changes to source code are continuously scanned for bugs, security and license issues via static analysis tooling. Any source code change which doesn’t meet the EcoStruxure IT standards will be returned to the development team for improvement.
Third Party Security Penetration Testing
Schneider Electric continuously employs a rotating number of third party certified hackers to perform detailed penetration tests on all components of EcoStruxure IT (gateway, mobile and web app).
When new features are released, mission statements are handed to security experts to verify feature security.
Learn more about our security test report sharing policy
Incident Response
The Schneider Electric Corporate Product Cyber Emergency Response Team (CPCERT) has defined vulnerability management processes to ensure efficient incident response.
To report an incident, please contact your local Customer Care Center and include:
- Product line
- Vulnerable version
- Vulnerability type [CWE ID, if available]
- Organization name
- Email adress
- Phone number
- Country
If you’re a researcher, please report a cybersecurity vulnerability here.
All vulnerability disclosures are reported on the Schneider Electric Cybersecurity Support Portal.
XSS Protection (Incident Validation)
In accordance with industry best practices, we use strict procedures for output sanitization of all user input. This is enforced in part by static code analysis and also by using well known, tried and tested third party frameworks.
Physical security
To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations.
Note: Different deployments may require different security considerations.
This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.
Deploy equipment in a secure location
Custodians should secure equipment from unauthorized physical access.
- Access should be restricted to those who require access to maintain the equipment.
- Restricted areas should be clearly marked for authorized personnel only.
- Restricted areas should be secured by locked doors.
- Access to the restricted areas should produce a physical or electronic audit trail.
Secure access to equipment
Deploy equipment in a rack or cage that can be locked with a suitable key, or other physical methods. This will prevent access to the physical device.
Description of Risk
Attackers with physical access to covered equipment can access the device(s) without authorization.
Recommendations
Physical security must be in place to control physical access to restricted areas and facilities containing devices. Devices should be locked behind cabinets or protected by physical restraints that prevent unauthorized access or removal from restricted areas. Access to areas containing covered equipment should only be granted to personnel who require access based on their job function.
Restricted areas should display signs that clearly indicate access is for authorized personnel only. Facilities containing covered devices should give minimum indication of their purpose, with no obvious signs identifying the presence of related functions.
Physical access control devices, such as key card readers, doors and cabinet locks, should be tested prior to use and on a periodic basis (e.g. annually). Resource custodians should produce physical or electronic audit trails to record all personnel's physical access to restricted areas for security incident investigation. Inventory of who has physical access to control devices should be regularly reviewed, and any inappropriate access identified during the review should be promptly removed.
EcoStruxure IT data center and network security
Physical security
Facilities
The EcoStruxure IT servers are hosted in the United States on the Microsoft Azure Cloud, which is ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2 certified.
Learn more about Microsoft Azure facilities, premises and physical security
Network security
Logical Access
Access to the EcoStruxure IT Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is monitored, and is controlled by our Operations Team. Employees accessing the EcoStruxure IT Production Network are required to use multiple factors of authentication.
DDoS
As EcoStruxure IT is running on Microsoft Azure, Schneider Electric leverages their always-on traffic monitoring, and real-time mitigation of common network-level attacks, providing the same defenses utilized by Microsoft’s online services.
Third Party Security Penetration Testing
Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.
Learn more about our security test report sharing policy
Monitoring
EcoStruxure IT is maintained and operated by a core DevOps team with extremely high standards for cyber security and data privacy. All parts of the EcoStruxure IT system are continuously monitored and scanned for potential security vulnerabilities or privacy issues.
The DevOps team is on-call 24/7 and able to react promptly to newly discovered threats or issues.
Encryption
Encryption in Transit
All connections to the EcoStruxure IT cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption.
For Android versions prior to 7.0, Schneider Electric can only guarantee 128 bit AES encryption due to limitations in the Android platform.
Encryption at Rest
EcoStruxure IT data is encrypted using 256 bit AES encryption.
Availability and Continuity
Uptime
EcoStruxure IT maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Redundancy
All components of the EcoStruxure IT platform are deployed in high availability configuration to eliminate single point of failure. All data is backed up to separate storage to prevent data loss.
Didn't find what you are looking for? Ask our Experts
Create your free account or log in to subscribe to the board - and gain access to more than 10,000+ support articles along with insights from experts and peers.