WEBs CIPer Model 50 – USER GUIDE
21 31-00198—01
Secure Boot – Increased Cyber Security
The CIPer Model 50 is an IIoT (Industrial Internet of Things) device.
Its benefits and typical deployments include network access as well as browser access via Intranet and Internet.
Beginning with the firmware of this release, the CIPer Model 50 will only boot and run authenticated WEBs N4
firmware. This is achieved by a firmware signature.
To achieve the best possible cyber security, please note the following:
1) Read and apply the Honeywell General Best Practices (31-00129), which you will find
on the WEBs Building Forum.
2) For cyber security reasons, it is not possible to downgrade the released WEBs N4 firmware
to an older firmware version.
3) Operate controllers either in internal networks, or use an encrypted VPN connection for
Internet access, to limit attacks from external Internet users.
4) Recommend that your customers (network domain owners) use HTTPS for
secure web-browser access to the controller.
5) Recommend that your customers (network domain owners) obtain a certificate from a
Certification Authority and download this certificate into the controller.
6) If web access outside a VPN is required, it should be handled through a firewall
with appropriate “Whitelisting”. A VPN is nevertheless strongly recommended, because it is the
best way to provide secure and encrypted communications to the controller.
7) Close all ports on the Internet router/gateway, and only open those ports that are
mandatory for operation or maintenance, to minimize the attack surface.
8) BACnet (e.g. port 47808) should never be exposed to the Internet, not even through a
firewall, but should only be exposed on internal networks or via a VPN, because the BACnet
protocol does not have security built-in.
9) Never use the default passwords, because they are widely available and are therefore
easily guessed.
10) Use “strong” passwords, because modern password “crackers” can break simple
passwords in a matter of minutes.
11) Never operate CIPer controllers unprotected on the open Internet.
NOTE: “Whitelisting” stands for allowing explicit IP-Addresses or MAC addresses of dedicated and trusted PCs
to access the controller behind the firewall and router.
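
Items 4, 6, 7 and 8 and the whitelisting NOTE can be checked mechanically against a router's port-forward list. The following is an added example, not part of the Honeywell guide: the rule format, rule names, the required-port set and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

BACNET_PORT = 47808  # BACnet port named in item 8 of the list

def audit_forwards(rules, required):
    """Check WAN-facing port forwards against items 4, 6, 7 and 8.

    rules: dicts with name/proto/port/source (hypothetical export format).
    required: set of (proto, port) pairs mandatory for operation or maintenance.
    Returns a list of (rule name, violated item number).
    """
    findings = []
    for r in rules:
        key = (r["proto"].lower(), int(r["port"]))
        source = ipaddress.ip_network(r["source"], strict=False)
        if key[1] == BACNET_PORT:
            # Item 8: never exposed, even when the firewall restricts the source.
            findings.append((r["name"], 8))
        elif key == ("tcp", 80):
            # Item 4: browser access should use HTTPS, not plain HTTP.
            findings.append((r["name"], 4))
        elif key not in required:
            # Item 7: only ports mandatory for operation may be open.
            findings.append((r["name"], 7))
        elif source.prefixlen == 0:
            # Item 6 and NOTE: an open port needs an explicit source allowlist.
            findings.append((r["name"], 6))
    return findings

# Constructed sample rules; addresses are from documentation ranges.
REQUIRED = {("tcp", 443)}
SAMPLE_RULES = [
    {"name": "web-https-allowlisted", "proto": "tcp", "port": 443, "source": "198.51.100.7/32"},
    {"name": "web-https-open", "proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    {"name": "web-http", "proto": "tcp", "port": 80, "source": "198.51.100.7/32"},
    {"name": "bacnet", "proto": "udp", "port": 47808, "source": "198.51.100.7/32"},
    {"name": "legacy-forward", "proto": "tcp", "port": 8080, "source": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for name, item in audit_forwards(SAMPLE_RULES, REQUIRED):
        print(f"{name}: violates item {item}")
```

The BACnet rule is flagged even though its source is restricted, matching the "not even through a firewall" wording of item 8.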