2.8.3. Networks and security for data at rest and data in transit
All enCore device data is written and stored on the SD card in the device. This data is also called data
at rest. To prevent unauthorized access, the configuration data is encrypted starting with basic
system version 03-39-A. Write access is only possible after authentication with user name and
password. The security switch (SSW) also prevents manipulation of the device.
Data in transit is the data that is transferred between an enCore device and, e.g., a control station
in a public or trusted network, or between an enCore device and enSuite, e.g. when transferring data
during parameterization of the device. The communication between the enCore device and enSuite
is carried out via MMS (Manufacturing Messaging Specification), which has been encrypted since basic
system version 03-39-A to prevent data from being read by other network users.
The encryption is carried out using the TLS (Transport Layer Security) transmission protocol. The
enCore device uses a self-signed certificate to authenticate itself to enSuite each time an MMS
connection is established. The devices are always delivered without a certificate, which is
automatically created when the enCore device is put into operation and announced to enSuite
during the first MMS connection. This certificate is retained until it is changed or deleted manually.
To increase security, we recommend changing this certificate on the enCore device or on the remote 
operation panel before regular operation and having the device create an up-to-date certificate with 
administrator and user passwords set up. The certificate information can also be viewed on the 
enCore device or the remote operation panel. Details on the use of certificates will follow later in 
this document. 
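The following Python sketch is an added example, not code from enSuite or the device vendor. It shows how a client can handle a self-signed device certificate that is announced on the first connection: pin its fingerprint, optionally compare it with the value read from the device display, and flag any later change. The SHA-256 fingerprint format, the device names and the sample certificate bytes are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_CERT_A = b"constructed-der-certificate-A"
SAMPLE_CERT_B = b"constructed-der-certificate-B"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex as copied from a display."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate without chain validation (it is self-signed).
    Trust is established only by the fingerprint comparison in check_pin()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(pins: dict, device: str, der_cert: bytes, expected: str = "") -> str:
    """Trust on first use with an optional out-of-band check.

    Returns 'pinned' (first contact, fingerprint stored), 'mismatch' (first
    contact, but the fingerprint differs from the one read on the device),
    'match' (same certificate as pinned) or 'changed' (certificate differs
    from the pin; the pin is left untouched until an operator confirms).
    """
    seen = fingerprint(der_cert)
    if device not in pins:
        if expected and not hmac.compare_digest(normalize(expected), seen):
            return "mismatch"
        pins[device] = seen
        return "pinned"
    return "match" if hmac.compare_digest(pins[device], seen) else "changed"
```

A 'changed' result is expected once after the certificate has been deliberately regenerated on the device; in that case the old pin should be removed only after the new fingerprint has been compared with the certificate information shown on the device.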
Other protocols that are also used in the enCore devices - e.g. Modbus - transmit data partly in plain 
text. If possible, use the secure variant of a protocol. To increase security, also use a firewall as 
described in the next section. Supported data protocols are shown in the following table. Not all 
options are included in every enCore device. 
 
We recommend using a VPN connection whenever you need a secure data connection but
no secure protocol is supported for data transmission.