I/A Series Niagara G3 Hardening Guide - Tips to Secure an I/A Series Niagara G3 System
TAC I/A Series
I/A Series Niagara G3 Systems
This Lessons Learned describes how to implement security best practices in a Niagara G3 system. While it is impossible to make any system completely impenetrable, there are many ways to build up a system that is more resistant to attacks. In particular, this document describes how you can help make a Niagara G3 system more secure by carefully configuring and using:
- Accounts and Permissions
- TLS/SSL and Certificate Management
- Other Settings and External Factors
Please note that while all of these steps should be taken to protect your Niagara G3 system, they do not constitute a magic formula. Many factors affect security – and vulnerabilities in one area can affect security in another; it doesn’t mean much to configure a system expertly if your ENC/JACE is left physically unsecured where anyone can access it.
Upgrade to one of the maintenance builds that include enhancements to increase the security of I/A Series Niagara G3 systems. Before updating any system, make sure to review the documentation included with the build to understand the behavioral impacts of the security enhancements.
- 3.5.406 (also referred to as AX-3.5u4) or higher
- 3.6.406 (also referred to as AX-3.6u4) or higher
- 3.7.106 (also referred to as AX-3.7u1) or higher
The Niagara G3 system uses passwords to authenticate "users" to a station or platform. It is particularly important to handle passwords correctly. If an attacker acquires a user’s password, they can gain access to the Niagara G3 system and will have the same permissions as that user. In the worst case, an attacker might gain access to a Super User account or platform account and the entire system could be compromised.
Here are some of the steps that can be taken to help secure the passwords in a Niagara G3 system:
- Change the Default Platform Credentials
- Use Strong Passwords
- Enable the Account Lockout Feature
- Expire Passwords
- Use the Password History
- Use the Password Reset Feature
- Leave the "Remember These Credentials" Box Unchecked
Account Management and Permissions
A Niagara G3 station has accounts, represented by users in the UserService. It is important that these accounts are properly managed. Failure to do so can make it easier for an attacker to penetrate the system, or make it more difficult to detect that an attack has occurred.
Some steps to help correctly manage user accounts are listed below.
- Use a Different Account for Each User
- Use Unique Service Type Accounts for Each Project
- Disable Known Accounts When Possible
- Change System Type Account Credentials
- Assign the Minimum Required Permissions
- Use Minimum Possible Number of Super Users
- Require Super User Permissions for Program Objects
- Use the Minimum Required Permissions for External Accounts
Niagara G3 stations offer several authentication policy options. These options determine how a client talks to the station and how the user’s password is transmitted to the station for proof of identity. Be sure to use the strongest authentication policies to increase protection for user passwords, keeping those accounts safer from attacks.
The following steps ensure the strongest authentication is used.
- Use "Digest" Authentication in the FoxService
- Set the FoxService Legacy Authentication to "Strict"
- Use "cookie-digest" Authentication in the WebService
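To make concrete what the "Basic" versus "Digest" choice changes on the wire, here is an added shell example. It is not part of this guide and does not reproduce Niagara's own fox or web implementation; it models the generic RFC 2617 style MD5 digest exchange beside Basic, which has the same property the guide relies on. The user name, password, realm, nonces and the ORD used as a URI are constructed values. What it shows: with Basic, anyone capturing an unencrypted fox or http session reads the password directly; with digest, only a one-time hash crosses the network, and a replayed response fails once the station issues a new nonce.

```shell
#!/bin/sh
# Added example: Basic versus RFC 2617-style MD5 digest on an unencrypted connection.
# This is a generic model, not Niagara's fox or web wire protocol. All values are made up.

md5hex() { printf '%s' "$1" | md5sum | cut -d ' ' -f 1; }

# Basic: the header is just base64(user:password). Base64 is an encoding, not encryption,
# so an eavesdropper recovers the password with one command.
basic_header() { printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"; }
basic_decode() { printf '%s' "${1#Basic }" | base64 -d; }

# Digest: the client proves it knows the password without sending it.
#   HA1 = MD5(user:realm:password)   HA2 = MD5(method:uri)   response = MD5(HA1:nonce:HA2)
digest_response() { # user password realm nonce method uri
  _ha1=$(md5hex "$1:$3:$2")
  _ha2=$(md5hex "$5:$6")
  md5hex "$_ha1:$4:$_ha2"
}

# Server side: only HA1 needs to be stored; the password itself never appears on the wire.
# A captured response is useless once the server issues a fresh nonce.
digest_verify() { # stored_ha1 nonce method uri presented_response
  _ha2=$(md5hex "$3:$4")
  [ "$(md5hex "$1:$2:$_ha2")" = "$5" ]
}

# Stand-alone demonstration with constructed values.
USER_NAME=operator
PASSWORD='Tr0ub4dor&3'
REALM=station
URI='/ord/station:|slot:/'
NONCE_1=5f2e1a0c9b7d4e61          # nonce the station issues for the first login
NONCE_2=a93c0f11e4b2d7c8          # nonce issued for a later login attempt
STORED_HA1=$(md5hex "$USER_NAME:$REALM:$PASSWORD")

echo "On the wire with Basic:  $(basic_header "$USER_NAME" "$PASSWORD")"
echo "Eavesdropper decodes:    $(basic_decode "$(basic_header "$USER_NAME" "$PASSWORD")")"
RESPONSE=$(digest_response "$USER_NAME" "$PASSWORD" "$REALM" "$NONCE_1" GET "$URI")
echo "On the wire with Digest: response=$RESPONSE nonce=$NONCE_1"
digest_verify "$STORED_HA1" "$NONCE_1" GET "$URI" "$RESPONSE" && echo "Station accepts the fresh response"
digest_verify "$STORED_HA1" "$NONCE_2" GET "$URI" "$RESPONSE" || echo "Replayed response rejected under a new nonce"
```

Two caveats follow from the model. A captured digest challenge and response can still be attacked offline by guessing passwords and recomputing the hash, so a weak password is exposed under either policy (hence Use Strong Passwords). And the station must hold HA1 or an equivalent secret for every user, so the files that store credentials remain sensitive, and digest does nothing for the rest of the session; both are reasons the guide still asks for SSL and for blacklisting sensitive files.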
TLS/SSL & Certificate Management
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) provide communication security over a network by encrypting the connection at a lower layer than the data being communicated. This allows data that is itself unencrypted (for example, the username and password in fox Basic authentication) to be transmitted securely over an encrypted connection.
Using SSL protects data from anyone who might be eavesdropping on network traffic. It also provides proof of the server's identity, so that an attacker cannot impersonate the server to acquire sensitive data; this proof only holds when clients verify the server's certificate against an issuer they trust rather than accepting whatever certificate is presented, which is why Set Up Certificates below matters. When possible, always use SSL.
Niagara G3 provides several opportunities for using SSL. Starting in NiagaraG3-3.7, a number of additional options are available. You should use these options whenever they are feasible. The Niagara G3 SSL options are listed below:
- Enable Platform SSL Only (3.7 only)
- Enable Fox SSL Only (3.7 only)
- Enable Web SSL Only
- Enable SSL on Other Services
- Set Up Certificates
NOTE: In NiagaraG3-3.6, SSL for the Web is a licensed feature and requires the crypto module to be installed and the CryptoService added to the station. In NiagaraG3-3.7, SSL is built in for non-JACE2/4/5 (ENC-410/520) hosts and does not require a license. For NiagaraG3-3.7 on non-JACE2/4/5 (ENC-410/520) hosts, remove the crypto module and replace it with the cryptoCore, daemonCrypto and platCrypto modules.
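The following is an added example, not from the guide and not a substitute for the Workbench certificate steps the guide refers to under Set Up Certificates. It uses the openssl command line to show what a client's "proof of identity" check depends on: a site CA that clients are told to trust, a certificate issued to the controller's real host name, and a client that checks both. The host names, file names and lifetimes are constructed. The last three checks are the failure cases an integrator meets in practice: a CA-signed certificate from a CA the client was never told to trust, a valid certificate presented under a different host name, and the default self-signed certificate.

```shell
#!/bin/sh
# Added example: what a client's "proof of identity" check actually depends on.
# Throwaway site CA plus one controller certificate, exercised with openssl verify.
# Host names, file names and lifetimes are made up; this is not the Workbench procedure.

CONTROLLER_HOST='jace-01.bas.example'     # assumed DNS name clients use to reach the controller

demo_pki() {
  work=$(mktemp -d) || return 1
  rc=0
  (
    cd "$work" || exit 1
    # 1. Site CA. Every client (Workbench, browser, supervisor) receives ca.crt as a trust anchor.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Site BAS CA' \
      -keyout ca.key -out ca.csr >/dev/null 2>&1 || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext \
      -out ca.crt >/dev/null 2>&1 || exit 1
    # 2. Controller key and CSR, signed by the site CA with the host name in a SAN.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CONTROLLER_HOST" \
      -keyout jace.key -out jace.csr >/dev/null 2>&1 || exit 1
    printf 'subjectAltName=DNS:%s\n' "$CONTROLLER_HOST" > san.ext
    openssl x509 -req -in jace.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 \
      -extfile san.ext -out jace.crt >/dev/null 2>&1 || exit 1
    # 3. The kind of self-signed certificate a host presents before any certificate work is done.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CONTROLLER_HOST" \
      -keyout self.key -out self.crt >/dev/null 2>&1 || exit 1

    # Client trusts the site CA and connects to the name on the certificate: identity proven.
    openssl verify -CAfile ca.crt -verify_hostname "$CONTROLLER_HOST" jace.crt >/dev/null 2>&1 || exit 1
    # Same certificate, but the client was never given ca.crt: encrypted, yet unauthenticated.
    openssl verify -verify_hostname "$CONTROLLER_HOST" jace.crt >/dev/null 2>&1 && exit 1
    # Good chain, wrong name: how a spoofed station or a mistyped host looks to the client.
    openssl verify -CAfile ca.crt -verify_hostname 'jace-02.bas.example' jace.crt >/dev/null 2>&1 && exit 1
    # Self-signed: fails unless each client is explicitly told to trust exactly this certificate.
    openssl verify -verify_hostname "$CONTROLLER_HOST" self.crt >/dev/null 2>&1 && exit 1
    exit 0
  ) || rc=$?
  rm -rf "$work"
  return "$rc"
}

if demo_pki; then
  echo 'PASS: only the CA-signed certificate, checked against the right name, verifies'
else
  echo 'FAIL: unexpected verification result (is openssl installed?)'
fi
```

The practical consequence: generating a certificate on the controller is the easy half. Identity is only proven once the issuing CA (or the specific certificate) is installed in every client's trust store and the host name clients connect with matches the name on the certificate; a client that is trained to click through certificate warnings gets encryption but no protection against an impersonated station.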
Other Settings and External Factors
In addition to the settings discussed in previous sections, there are a few general settings to configure in order to secure a Niagara G3 system. These don’t fall under a specific category like SSL or passwords, but are nonetheless important to security.
- Disable FTP and Telnet
- Disable Unnecessary Services
- Blacklist Sensitive Files and Folders
- Update Niagara G3 to the Latest Release
In addition to station and platform settings, there are some external factors to consider when securing a Niagara G3 system.
- Install ENC/JACEs in a Secure Location
- Make Sure that Stations Are Behind a VPN
Refer to the NiagaraAX Hardening Guide for more details.