What about security?
We’re all concerned about security in automation and data exchange. And we should be.
4 ways groov helps you keep systems secure:
Ultimately, it’s your responsibility to make sure that only the people and software who should have access
can get into your network and your control system.
groov helps you do that. Scroll down to see Best Practices.
Best practices for security with groov
1. Make sure your company computer network is properly protected.
You and your IT department have to take care of this one. There’s lots of information available online about network security and the Internet; make sure it comes from a reliable source. You may also want to contact a reliable security firm to take a close look at your situation. Pay special attention to wireless network security.
Require passwords (or API keys, for software users) for access to data and equipment, and set up company standards so everyone is clear on how, when, and why this data should be used.
2. Minimize incoming communications with MQTT.
Ignition Edge in the groov Box simplifies security for IoT applications with the MQTT transport protocol and Sparkplug messaging (groov Enterprise license required).
With MQTT, all data resides in a single source—an MQTT broker—which can be located on premises or in the cloud. Devices can publish data to the broker and subscribe to data the broker holds. In both cases, communication is outgoing only, not incoming. Typically firewalls allow outgoing communication without special configuration, since it carries far less of a security threat than incoming communication. More secure and easier to set up.
3. For remote access, use a VPN.
A virtual private network (VPN) gives you the best security when you’re monitoring or controlling remotely.
We recommend using a VPN with your groov operator interface any time you access your systems or equipment over the Internet. For more details, see the Guide to Networking groov (PDF).
4. Separate your control network from your computer network.
The groov Box has two independent wired Ethernet interfaces. Use them.
Plug your control network in one and your computer network in the other. Because these two interfaces are independent, someone who views your groov interface can see and do only what’s in the interface. They cannot gain access to the controller or device itself. (For more on how this works, see Guide to Networking groov.)
If you have groov Server for Windows, use separate network interface cards (NICs) in the PC running groov Server to accomplish the same thing.
5. Build a simple interface.
One of groov’s advantages is that it doesn’t dump your full HMI onto a mobile screen. Instead, you build your own interface, including only the data and controls required for a large screen or a small screen.
groov Build gives you two tabs to work in: one for PCs and tablets, and one for phones. Start in the one that most of your users will have. The other one is built automatically, but you’ll want to move things around, change labels or sizes, or remove elements you don’t want to have shown. For example, you can make a detailed trend visible on a PC or large-screen HDTV in the factory, but not on a smartphone’s small screen.
Keep it simple and start small. You can always add more information and controls if they’re really needed.
6. Assign groov user rights wisely.
You can set four levels of access for your users: Admin, Editor, Operator, and Kiosk user. For software APIs, choose Editor. For human users, most will likely be Operators. If you’re an OEM or machine builder, Kiosk plus iOS options let you lock down a tablet so it can be used only as your HMI.
You can also assign Operators and Kiosk users to groups to limit the pages they see. For example, an operator may need to control equipment in a process, but a manager may only need to see production data. Create separate pages for control and monitoring; restrict user access by group.
Let people see and control only what they need to.
7. Be grateful for HTTPS.
All browser interaction with groov is protected by Transport Layer Security (TLS), the current standard for encrypting data that’s passed over the Internet. The combination of HTTP and the security layer is HTTPS, which you’ll see when you type the address for your groov. That’s what your bank uses, too.
Note that communication between the groov Box or groov Server and system controllers does not use this layer; HTTPS protects browser interaction with groov. That’s why we recommend you separate your control network from the network that has Internet access.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) We take security seriously. For example, see our response to the Heartbleed bug.