Security Hardening

Although Stratus ztC Edge systems provide a secure out-of-box experience, you can implement additional configuration settings as described below to provide the highest level of security.

Security is often a balance between protection and ease of use. ztC Edge systems are shipped with a set of default settings that balance these factors. For a more secure posture, follow the guidelines below, and continue to evaluate the security of the system throughout its life cycle, from the planning and configuration to operation and decommissioning.

The information below provides security hardening guidance based on Version 7.1 of the CIS Controls, hardening recommendations developed by the Center for Internet Security (CIS), a community-driven nonprofit recognized for its best practices for securing IT systems and data. CIS Benchmarks are also used to validate and create a baseline for a secure product. A list of the CIS Controls is included below in Best Practices and Standards of Standards Organizations.

The information below also provides hardening guidance based on the industrial control systems cyber security standard ISA/IEC 62443, which was originally created by the International Society of Automation (ISA) and continues to be developed by the International Electrotechnical Commission (IEC). ISA/IEC 62443-4-2 defines differing security levels based on the sensitivity of the data or the intended threat actor; implementing the recommendations and applying mitigating controls assists in achieving compliance for the required security level. A summary of the ISA/IEC 62443-4-2 requirements is included below in Best Practices and Standards of Standards Organizations.

This help topic contains the following sections:

Security Guidelines

The following sections describe security guidelines for ztC Edge systems.

Note: Stratus has tested and supports the following guidelines. Any other update or modification not explicitly approved by Stratus could affect the normal operation of the system.
If you have any questions about these guidelines, and the system is covered by a service agreement, contact your authorized Stratus service representative for assistance. For information, see the ztC Edge Support page at https://www.stratus.com/services-support/customer-support/?tab=ztcedge

While implementing the security hardening guidelines, consider the following:

Ports and Protocols

Any administrator making networking or communication changes to the system should be knowledgeable about the ports or protocols used by Stratus Redundant Linux. For details, see KB-9357.

Network Segmentation

Connect the ztC Edge system only to networks with trusted devices, or to networks where devices require explicit permissions to communicate with each other. For more information on network segmentation, see the NIST special publications 800-125B and 800-39. For information about which Ethernet networks are available on ztC Edge systems, see Network Architecture.

IP Tables/Firewall

Enable IP tables packet filtering for the system, and block all ports that are not used in normal operation. Malicious actors can leverage a potential security vulnerability on an unused interface as a backdoor. Limit the exposure by enabling IP tables for unused ports.

For details on how to implement IP tables, see Managing IPtables.

Notes:  

User Account Creation

Create individual user accounts for each user authorized to access the system, and consider each user's role in the usage of the device. Maintaining individual user accounts also provides auditability and nonrepudiation: by reviewing the logs, you can determine which user accessed the device or made configuration changes.

For details on how to configure user settings, see Configuring Users and Groups.

Notes:  

Password Creation

You must change the default passwords for the system.

The ztC Console prompts you for a new admin password upon deployment. The password policy of the ztC Console requires that your password meets the following conditions:

The host operating system prompts you for a new root password upon the first login. When changing the root password for the host operating system, you must manually change it on both nodes. For details, see Accessing the Host Operating System.

Note: When you change the root password for the host operating system, ensure that you remember the password, because the only way to recover a lost root password is to replace or reinstall the nodes.

For more information about controlling the quality of passwords in the host operating system, see Advanced Security Guidelines.

Least Privilege

Limit each user's access to features applicable to their position or role.

Implementing least privilege prevents a non-privileged user from accessing services above their role.

For details on how to configure roles that define the privileges for each user, see Configuring Users and Groups.

Active Directory

Active Directory integration presents a single point for centralized authentication and authorization. With Active Directory, you can create group policies for password complexity that are enforced based on your local security policy.

For details on how to add a ztC Edge system to an Active Directory domain, see Configuring Active Directory.

Time Synchronization

Synchronization of time is important, as it provides a centralized reference point to ensure that operation and security processes work within the same time frame. A trusted time reference gives confidence in time-of-check and time-of-use decisions, such as when updating applications or verifying that keys and certificates are still valid for the current time and date.

When you log on to a ztC Edge system for the first time, enable the Network Time Protocol (NTP) service to automatically set the system clock. Configure NTP to reference a known and trusted NTP server. For details, see Configuring Date and Time.

Note: Use only the ztC Console to properly configure the NTP settings; do not manually configure them in the host operating system.

Secure Connections

By default, the ztC Console is configured to support only secure connections with the HTTPS protocol.

Enabling HTTPS on the ztC Edge system mitigates common web security attacks and provides confidentiality for each web session. HTTPS encrypts web session traffic, provides data integrity, and increases the overall security of the web traffic.

When HTTPS is enabled, it supports only TLSv1.2, which is currently the strongest protocol version recommended. The supported ciphers are:

TLSv1.2:
ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 4096) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

Also enable secure, encrypted connections when using a mail server or other types of server software. For information about configuring and enabling an encrypted connection for the mail server on a ztC Edge system, see Configuring the Mail Server.

Updating SSL certificate

The ztC Edge system comes with a self-signed SSL certificate, but this may be updated to any purchased or supplied certificate. Changing the SSL certificate allows the root of trust to be updated to the customer specification. For details, see KB-9792.

SNMP configurations

Simple Network Management Protocol (SNMP) is a standard protocol for receiving alarms, sending traps, and monitoring system status. SNMP draws upon system-defining information that is stored in hierarchically configured management information bases (MIBs).

For security reasons, a customer may wish to disable SNMP at the host level in ztC Edge systems. If needed, you can disable all SNMP connections by adding rules to IPtables (see Managing IPtables) to block UDP ports 162, 161 and 199 and TCP ports 162 and 199.

Alternatively, you can use the SNMP Restricted configuration, which disables SNMP v1 and v2 in the SNMP configuration files, and configures only SNMPv3. For details, see Configuring SNMP Settings.

Note: By default, ztC Edge systems come with SNMP v1 and v2 enabled. For security purposes these versions should be disabled, and only version 3 should be enabled.

Backups

Backups are important in case a security event occurs: with a backup, a unit can be returned to a known good state for continuous operation. Store any backups you take in a secure location.

To back up a VM and its guest operating system, see Exporting a Virtual Machine. To restore the identical VM with the same SMBIOS UUID, system serial number, and MAC addresses as the original VM, see Replacing/Restoring a Virtual Machine from an OVF File.

To back up the ztC Edge system preferences that you configured on the Preferences page, you can save the settings to a local storage device or to the cloud. For details, see Saving and Restoring System Preferences.

On redundant, dual-node ztC Edge systems, each node also serves as a backup for the other node. If a node fails, you can replace a node in a system that is currently licensed, and the system automatically restores the node with an exact copy of the Stratus Redundant Linux software and the virtual machines from the running node.

Automated Local Site Recovery

An automated local site recovery (ALSR) configuration connects two physical machines at two separate sites. It is a disaster-tolerant deployment that maintains hardware redundancy as well as redundancy of physical computer rooms and the buildings containing them. Because of the geographic separation, an ALSR configuration requires careful planning of component placement and more complex networking topologies. For ALSR configurations, Stratus strongly recommends that you use the quorum service because an ALSR configuration exposes the A-Link networks to other potential failure scenarios. (ALSR configurations are not available to systems licensed for one node.)

For details, see Creating an ALSR Configuration.

Auditing

Implement auditing according to a local policy so that logs of the events needed to detect, understand, and recover from a cyber attack are collected and managed regularly.

The Audit Logs page displays a log of user activity in the ztC Console. To open this page, click Audit Logs in the left-hand navigation panel. (To display information about events on the ztC Edge system, see The Alerts History Page.)

Log information contains:

You can also display information about audit logs by using snmptable (for details, see Obtaining System Information with snmptable).

Use logs for continuous monitoring of the ztC Edge system. To ensure prompt service in the event of a service call, also enable support notifications and periodic reporting for your system to keep Stratus informed about your system's health. For details, see Configuring Remote Support Settings.

Login Banner Notice

Configure the Login Banner Notice to include important notifications to ztC Console users. For details, see Configuring the Login Banner.

Upgrades

Upgrade Stratus Redundant Linux on a regular basis to prevent security vulnerabilities from being exploited due to out-of-date components. Refer to your local security policies for information about frequency and methods.

Caution: Do not update the CentOS host operating system of the ztC Edge system from any source other than Stratus. Use only the CentOS release that is installed with the Stratus Redundant Linux software.

The Upgrade Kits page in the ztC Console allows you to upload and manage upgrade kits that you use to upgrade the system to newer versions of the Stratus Redundant Linux software. You can also copy an upgrade kit to a USB medium in order to use the medium when reinstalling the system software.

To open the Upgrade Kits page, click Upgrade Kits in the left-hand navigation panel in the ztC Console.

For information about upgrading the Stratus Redundant Linux software, see Upgrading Stratus Redundant Linux Software Using an Upgrade Kit. For information about creating a USB medium, see Creating a USB Medium with System Software.

Physical Security

Install each ztC Edge system in a secure location to prevent malicious users from accessing the nodes.

Secure each location with an auditable access system that records which personnel entered the area, so that malicious users can be identified.

Physical security is an important addition to tamper detection and alerting for any device, including ztC Edge nodes.

Advanced Security Guidelines

The following sections describe advanced security guidelines for ztC Edge systems.

Password Quality Recommendations

When setting passwords, recommendations include:

To manually update password quality settings in the host operating system

Note: Apply the password quality settings on both nodes in the system.
  1. Log on to the host operating system, as described in Accessing the Host Operating System.
  2. Open the /etc/pam.d/system-auth file with a text editor.
  3. Modify the pam_pwquality.so module with the appropriate settings. For example, use settings similar to the following:

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

    The previous example sets the following values:

    minlen=8 sets the minimum password length to 8 characters.
    lcredit=-1 sets the minimum number of lower-case letters in a password to one.
    ucredit=-1 sets the minimum number of upper-case letters in a password to one.
    dcredit=-1 sets the minimum number of digits in a password to one.
    ocredit=-1 sets the minimum number of other symbols, such as @, #, !, $, and %, in a password to one.
    enforce_for_root ensures that the complexity policies are enforced even when the root user is setting the password.
  4. To restrict the password history, add or modify the pam_pwhistory.so module with the appropriate settings. For example, use settings similar to the following:

    password requisite pam_pwhistory.so debug use_authtok remember=10 retry=3
  5. Save the /etc/pam.d/system-auth file.
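The following Python checker is an added example (not part of the Stratus documentation) that mirrors the pam_pwquality and pam_pwhistory settings from the procedure above, so you can see what the minlen, credit, and remember values accept or reject before applying them on the nodes. It copies the two module lines from the procedure as constructed strings and uses SHA-256 digests as a stand-in for the crypt(3) hashes pam_pwhistory keeps in /etc/security/opasswd.

```python
"""Mirror of the pam_pwquality / pam_pwhistory policy from the procedure above.
Added example, not Stratus code.  Module lines are constructed copies of the
page's examples; sample passwords are made up."""
import hashlib

# Constructed copies of the two module lines from the procedure.
PWQUALITY_LINE = ("password requisite pam_pwquality.so try_first_pass "
                  "local_users_only retry=3 authtok_type= minlen=8 "
                  "lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root")
PWHISTORY_LINE = "password requisite pam_pwhistory.so debug use_authtok remember=10 retry=3"

# Character classes that the four credit options refer to.
CLASSES = {
    "lcredit": str.islower,
    "ucredit": str.isupper,
    "dcredit": str.isdigit,
    "ocredit": lambda c: not c.isalnum(),
}


def parse_module_args(line):
    """Return the arguments of a PAM module line as a dict.
    Tokens without '=' (e.g. enforce_for_root) become flags set to True."""
    args = {}
    for token in line.split()[3:]:          # skip type, control flag, module
        key, sep, value = token.partition("=")
        args[key] = value if sep else True
    return args


def check_quality(password, args):
    """Apply the pwquality minlen/credit semantics: a negative credit is a
    required minimum count of that class; a positive credit lets up to that
    many characters of the class count extra toward minlen."""
    problems = []
    effective_len = len(password)
    for key, pred in CLASSES.items():
        credit = int(args.get(key, 1))      # pwquality default credit is 1
        n = sum(1 for c in password if pred(c))
        if credit < 0 and n < -credit:
            problems.append(f"{key}: needs at least {-credit} of that class")
        elif credit > 0:
            effective_len += min(n, credit)
    minlen = int(args.get("minlen", 8))
    if effective_len < minlen:
        problems.append(f"shorter than minlen={minlen}")
    return problems


def reused(password, history, args):
    """pam_pwhistory rejects any of the last remember=N passwords; history is
    a list of SHA-256 digests (stand-in for the crypt hashes in opasswd)."""
    remember = int(args.get("remember", 10))
    digest = hashlib.sha256(password.encode()).hexdigest()
    return digest in history[-remember:]


def evaluate(password, history):
    """Run both modules the way the PAM stack would; [] means accepted."""
    quality = parse_module_args(PWQUALITY_LINE)
    hist = parse_module_args(PWHISTORY_LINE)
    problems = check_quality(password, quality)
    if reused(password, history, hist):
        problems.append(f"reuses one of the last {hist['remember']} passwords")
    return problems


if __name__ == "__main__":
    old = [hashlib.sha256(b"Tr0ub4dor!x").hexdigest()]
    for pw in ("Tr0ub4dor!x", "password", "Ab1!"):
        print(pw, "->", evaluate(pw, old) or "accepted")
```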

For more information about password policies in the host operating system, see the CentOS documentation:

https://wiki.centos.org/HowTos/OS_Protection#Password_Policies

Concurrent User Management

Continually monitor the audit logs to view which users have logged on to the machine and if they are still active.

Identify the users that are currently operating the system to legitimize and audit their usage.

Antivirus

Continually perform a network-based analysis for antivirus or malware detection.

Your network-based intrusion detection system supplements the ztC Edge capability to support verification of the intended operation of security functions. The detection system should flag anomalous network traffic for investigation to confirm or rule out malicious intent.

SSH Access Restrictions

Several /etc/ssh/sshd_config parameters limit which users and groups can access the system by SSH. If none of the following parameters are present in the file, edit the file to set one or more of them to limit access:

AllowUsers

The AllowUsers parameter gives the system administrator the option of allowing specific users to use SSH to access the system. The list consists of space-separated usernames. This parameter does not recognize numeric user IDs. To restrict user access further by permitting an allowed user to log in only from a particular host, specify the entry in the form user@host.

AllowGroups

The AllowGroups parameter gives the system administrator the option of allowing specific groups of users to use SSH to access the system. The list consists of space-separated group names. This parameter does not recognize numeric group IDs.

DenyUsers

The DenyUsers parameter gives the system administrator the option of denying specific users from using SSH to access the system. The list consists of space-separated usernames. This parameter does not recognize numeric user IDs. To restrict user access further by denying a user's access from a particular host, specify the entry in the form user@host.

DenyGroups

The DenyGroups parameter gives the system administrator the option of denying specific groups of users from using SSH to access the system. The list consists of space-separated group names. This parameter does not recognize numeric group IDs.

Restricting which users can remotely access the system using SSH will help ensure that only authorized users access the system.

MaxAuthTries

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

Setting the MaxAuthTries parameter to a low number minimizes the risk of successful brute-force attacks against the SSH server. The recommended setting is 4, but set the number according to site policy. For example:

MaxAuthTries 4

IgnoreRhosts

The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

Setting this parameter forces users to enter a password when authenticating with SSH. For example:

IgnoreRhosts yes

HostbasedAuthentication

The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts by using .rhosts or /etc/hosts.equiv with successful public key client host authentication. This option applies only to SSH Protocol Version 2.

Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection. For example:

HostbasedAuthentication no

For more information about sshd_config parameters, see the sshd_config(5) manual page.
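The following Python audit script is an added example, not Stratus code, that checks an sshd_config against the parameters discussed above: whether any of AllowUsers, AllowGroups, DenyUsers or DenyGroups is set, whether Allow/Deny entries contain numeric IDs that sshd does not recognize, and whether MaxAuthTries, IgnoreRhosts and HostbasedAuthentication match the recommended values. The weak and hardened configurations it runs against are constructed samples, not files from a real node.

```python
"""Audit an sshd_config for the access-restriction parameters described above.
Added example, not Stratus code; both sample configurations are constructed."""
import re

WEAK_SSHD_CONFIG = """\
# constructed sample of a permissive configuration
Port 22
MaxAuthTries 6
IgnoreRhosts no
HostbasedAuthentication yes
MaxAuthTries 2      # duplicate: sshd keeps the first value, so this is ignored
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample applying the recommendations
AllowUsers opsadmin backup@10.0.0.5
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
"""

ACCESS_KEYS = ("allowusers", "allowgroups", "denyusers", "denygroups")


def parse_sshd_config(text):
    """Return {lower-cased keyword: value string}.  sshd accepts 'Key value'
    or 'Key=value', ignores '#' comments, and uses the first occurrence of a
    keyword, which setdefault() reproduces."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if match:
            conf.setdefault(match.group(1).lower(), match.group(2).strip())
    return conf


def audit(conf):
    """Return a list of findings; an empty list means the config follows
    the recommendations above.  Defaults are sshd's own defaults."""
    findings = []
    if not any(k in conf for k in ACCESS_KEYS):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups set")
    for key in ACCESS_KEYS:
        for entry in conf.get(key, "").split():
            if entry.split("@", 1)[0].isdigit():
                findings.append(f"{key} entry {entry!r} is numeric; sshd does not recognize IDs")
    tries = int(conf.get("maxauthtries", 6))
    if tries > 4:
        findings.append(f"MaxAuthTries {tries} exceeds the recommended 4")
    if conf.get("ignorerhosts", "yes").lower() != "yes":
        findings.append("IgnoreRhosts is not 'yes'")
    if conf.get("hostbasedauthentication", "no").lower() != "no":
        findings.append("HostbasedAuthentication is not 'no'")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit(parse_sshd_config(text)) or "no findings")
```

On a node, the same check can be run over the effective configuration by feeding the output of `sshd -T` (which prints the merged settings) to parse_sshd_config.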

Best Practices and Standards of Standards Organizations

The information in this topic is based on the following best practices and standards.

CIS Controls version 7.1

The CIS Controls are a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. They were developed by leading security experts from around the world and are refined and validated every year. Further details may be found on the CIS website: https://www.cisecurity.org.

The CIS controls are:

Basic

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

ISA/IEC 62443-4-2

ISA/IEC 62443-4-2 details technical component requirements (CRs) associated with seven foundational requirements (FRs) for meeting control system capability security levels. Further details may be found on the IEC website: https://www.iec.ch/

The foundational requirements are:

  1. Identification and authentication control (IAC)
  2. Use control (UC)
  3. System integrity (SI)
  4. Data confidentiality (DC)
  5. Restricted data flow (RDF)
  6. Timely response to events (TRE)
  7. Resource availability (RA)

1. Identification and authentication control (IAC)

Identification of users is used in conjunction with authorization mechanisms to implement access control for a component. Verifying the identity of users requesting access is necessary to prevent unauthorized users from gaining access to the component. Authorization is based on access control lists for the users that log in to the ztC Edge system and authenticate with passwords.

2. Use control (UC)

Once the user is identified and authenticated, the component must restrict the allowed actions to authorized use of the component. The ztC Edge system has defined roles that implement the concept of least privilege. Creating multiple users with varying levels of access control also defines the authorized use of the component.

3. System integrity (SI)

The integrity of the device, both its software and its physical components, should not be compromised in operational or non-operational states. The ztC Edge system implements secure boot, which verifies that the unit is booted or started from a trusted state, and validates the digital signatures of software components prior to an upgrade. Ensuring system integrity is important to protect against the unauthorized manipulation or modification of data or of the system.

4. Data confidentiality (DC)

The purpose is to ensure the confidentiality of information on communication channels and in data stored in repositories to protect against unauthorized disclosure. The ztC Edge system has HTTPS with TLS v1.2 for web communication, as well as SSH and SMTP with encryption, ensuring that information is protected from malicious persons.

5. Restricted data flow (RDF)

Restricted data flow is the segmentation of the control system through zones and conduits to limit the unnecessary flow of data. The ztC Edge network architecture supports routing and switching of information flow as determined by the networking configuration chosen by the installing system engineer. Leveraging the networking capabilities of the ztC Edge system allows for network segmentation to limit data flow.

6. Timely response to events (TRE)

Although a system may begin operation in a secure state, vulnerabilities and security events can occur. Stratus has a Product Security Incident Response (PSIR) team for the ztC Edge system that reacts to security incidents and reports findings while solving issues in a timely manner. The ztC Edge system has alert logs that can be used to notify the appropriate channels of configuration changes that may indicate a security incident. The logs contain enough information for forensics, and the corresponding e-alert notifications are sent by email.

7. Resource availability (RA)

The aim of this control is to ensure that the component is resilient against various types of denial of service events. The high availability of the ztC Edge system is the foundation of an “always on” state. It is imperative that industrial control systems maintain a high availability state as there potentially are life safety impacts to systems. With a built-in virtualization and availability layer, automated data protection, and application recovery, Stratus Redundant Linux significantly reduces the dependence on IT for virtualized computing at the edge. Its self-protecting and self-monitoring features help reduce unplanned downtime and ensure the continuous availability of business-critical industrial applications.