Is it safe to put a CBAS system on my LAN?
Controller Access and Management
Unlike typical operating systems, the operating system on Computrols controllers does not allow files to be uploaded or executed. There are basically only three “interfaces” that can be used for automation or control via Ethernet:
Web Access
Protected by username/password combo. This does not run on a publicly available web server, which means that there are no known exploits. It does not allow upload or modification of files, which means that the worst-case scenario for an attack would involve a temporary denial of service attack (any device connected to a network are susceptible to this attack).
CBAS
Optionally protected by 128-bit authentication (AES). The controller key resides on a secure dongle which cannot be read from by any other program, nor can a device be placed between the dongle and the PC to snoop communications or provide any useful information about the 128 bit key. A dongle must be attached to the computer running CBAS. Each distributor receives a different dongle, making it impossible to control the controllers of other distributors.
DDCC
Used in the factory to load the firmware and web pages. It requires the use of a 128-bit authentication (AES) dongle – keyed to the specific controller. This software is not released to the public, but rather used in the original manufacture of the controllers.
Since the controllers do not make use of a normal operating system, and do not allow upload (except through authenticated software in the factory), it is highly improbable that a virus or worm could be spread – the source code of the controller would have to be recompiled by the programmers and burned onto the controller, requiring authentication.
With all of these security features Computrols Ethernet controllers are significantly safer than standard PC’s. For further security, each of the services mentioned is on a fixed port that can be completely blocked by the subnet router.
CBAS Access and Management
The CBAS software uses a username/password system, making it simple to control access to every point, resource type, and feature in the system.
Data is stored locally on a hard drive in a password protected database, as well as in specific binary files. One-click database backups are possible, however the backed up database is still password protected. Attempts to change the binary files would very likely necessitate reversion to an earlier backup since the probable outcome would be total corruption of the database.
History, if configured, can be stored on every point, log in, and activity performed. The history can be erased (if the user is given sufficient privileges), but cannot be changed except by editing binary files using proprietary compression and integrity protection techniques.
There are no standard hardware protections on the CBAS DPU. It is assumed that the computer will be running in a secured location – the possibility of a “sledgehammer” hack cannot be counteracted through software means.
Similarly, there is no protection against administrators logging in to the system, since they must have the power to upgrade or uninstall the software. However, this does require the user to have administrative rights.
- Was this article helpful?
- Yes 1 people found this article helpful.
- No 0 people did not find this article helpful.
- Give us feedback
