What about security?

We’re all concerned about security in automation and data exchange. And we should be.



4 ways groov helps you keep systems secure:


 

Encryption

groov products use the same security protocol layer your bank does. You’ll see the https when you log on.

Authentication

You control access to software in the groov EPIC system and the groov Edge Appliance through user authentication.

Separate systems

Independent network interfaces keep your control network separated from your computer network.

HMI content options

You determine what each user can see and do in groov View. Build separate pages and assign users to user groups.

 

Ultimately, it’s your responsibility to make sure that only the people and software who should have access can get into your network and your control system.

groov helps you do that. Scroll down to see Best Practices.

 

 


1. Make sure your company computer network is properly protected.

You and your IT department have to take care of this one. There’s lots of information available online about network security and the internet; make sure it comes from a reliable source. You may also want to contact a reliable security firm to take a close look at your situation. Pay special attention to wireless network security.

Require passwords (or API keys, for software users) for access to data and equipment, and set up company standards so everyone is clear on how, when, and why this data should be used.


2. Minimize incoming communications with MQTT.

Ignition Edge in the groov EPIC System and the groov Edge Appliance simplifies security for IoT applications with the MQTT transport protocol and Sparkplug payload (groov Enterprise license required).

With MQTT, all data is handled by a single source—an MQTT broker—which can be located on premises or in the cloud. Devices can publish data to the broker and subscribe to data the broker handles. In both cases, communication is outgoing only, not incoming. Typically firewalls allow outgoing communication without special configuration, since it carries far less of a security threat than incoming communication. Data communications are more secure and easier to set up. Read more about MQTT/Sparkplug.


3. For remote access to your groov, use a VPN.

A virtual private network (VPN) gives you the best security when you’re accessing your groov EPIC system or groov Edge Appliance remotely, whether for system configuration, troubleshooting, or using a groov View HMI to monitor and control systems.

We recommend using a VPN with your groov mobile interface any time you access your systems or equipment over the internet. For more details, see the Guide to Networking groov (PDF).
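The traffic pattern that practices 2 and 3 describe (the device only dials out to the MQTT broker, and anything reaching the device comes from the local network or a VPN address) can be checked against connection records. This is an added example, not part of the original page or of any groov software; the record format, all addresses and the trusted range are assumptions, and flagging port 1883 reflects the standard port assignments for MQTT rather than anything stated above.

```python
import ipaddress

# Constructed flow records (not a real capture): "initiator responder responder_port"
SAMPLE_FLOWS = """\
10.20.0.15 203.0.113.40 8883
10.20.0.15 203.0.113.40 1883
198.51.100.7 10.20.0.15 443
10.20.0.22 10.20.0.15 443
10.20.0.15 192.0.2.99 8883
"""

# All addresses below are assumptions for illustration.
DEVICE = ipaddress.ip_address("10.20.0.15")       # edge device
BROKER = ipaddress.ip_address("203.0.113.40")     # MQTT broker
TRUSTED = ipaddress.ip_network("10.20.0.0/24")    # local LAN / VPN address pool
MQTT_TLS_PORT = 8883    # IANA-registered port for MQTT over TLS
MQTT_PLAIN_PORT = 1883  # IANA-registered port for unencrypted MQTT


def audit_flows(text, device=DEVICE, broker=BROKER, trusted=TRUSTED):
    """Return (line_number, reason) for each flow that breaks the expected pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src_s, dst_s, port_s = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            findings.append((n, "unparseable record"))
            continue
        if dst == device:
            # Inbound is acceptable only from the local network or a VPN address.
            if src not in trusted:
                findings.append((n, "inbound connection from outside trusted network"))
        elif src == device:
            if dst != broker:
                findings.append((n, "outbound connection to unexpected destination"))
            elif port == MQTT_PLAIN_PORT:
                findings.append((n, "MQTT without TLS"))
            elif port != MQTT_TLS_PORT:
                findings.append((n, "unexpected port on broker"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_flows(SAMPLE_FLOWS):
        print(f"record {line_no}: {reason}")
```

Feed it flow records exported from your firewall or switch, converted to the three-column form, and adjust the three address constants to your own network.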


4. Separate your control network from your computer network.

The groov EPIC processor and the groov Edge Appliance feature two independent wired Ethernet interfaces. Use them.

Plug your control network in one and your computer network in the other. Because these two interfaces are independent, someone who views your groov interface can see and do only what’s in the interface. They cannot gain access to the controller or device itself. (For more on how this works, see Guide to Networking groov.)

If you have groov Server for Windows, you can use separate network interface cards (NICs) in the PC running groov Server to accomplish the same thing.


5. Build a simple interface.

One of the advantages of a groov View operator interface is that it doesn’t dump your full HMI onto a mobile screen. Instead, you build your own interface to include only the data and controls you really need on a mobile device.

groov View gives you two tabs to work in when building your HMI: one for PCs and tablets, and one for phones. Start in the one that most of your users will have. The other one is built automatically, but you’ll want to move things around, change labels or sizes, or remove elements you don’t want to have shown. For example, you can make a detailed trend visible on a PC or large-screen HDTV in the factory, but not on a smartphone’s small screen.

Keep it simple and start small. You can always add more information and controls if they’re really needed.


6. Assign groov HMI user rights wisely.

You can set four levels of access for your groov View HMI users: Admin, Editor, Operator, and Kiosk. For software APIs, choose Editor. Most of your human users will likely be Operators. If you’re an OEM or machine builder, Kiosk plus iOS options let you lock down a tablet so it can be used only for your HMI.

You can also assign Operators and Kiosk users to groups to limit the pages they see. For example, a factory operator may need to control equipment in a process, but a manager may only need to see production data. Create separate pages for control and monitoring; restrict user access by group. Let people see and control only what they need to.


7. Be grateful for HTTPS.

All browser interaction with groov EPIC and the groov Edge Appliance is protected by Transport Layer Security (TLS), the current standard for encrypting data that’s passed over the Internet. The combination of HTTP and the security layer is HTTPS, which you’ll see when you type the address for your groov. That’s what your bank uses, too.

Note that HTTPS protects browser interaction with groov, but that communication between groov and system controllers does not use this layer (except for the groov EPIC processor, which is in the same unit). That’s why we recommend you separate your control network from the network that has internet access.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).