Security
Each component of the Lenze solution is designed to offer safe and secure remote access to industrial equipment worldwide for remote troubleshooting, programming and monitoring.
Explore how Lenze ensures a safe, reliable and trustworthy IIoT solution:
- X4 Remote services, servers and security controls
- x500, browser and app security
- How data protection is covered
- Information security management & ISO 27001
Want to know more about the security of our solution? Download our Lenze Security Whitepaper here.
------------------------------------
As a supplier of both hardware, the x500, and a cloud solution, the X4 Remote, it is our responsibility to give our customers the knowledge and tools to help them make the best decisions to keep their installations secure. This article will give insight into the most important security-related aspects of Lenze’s products and can be used to harden your Lenze environment against cybercrime.
X4 Remote
X4 Remote is used to gain access to your machines and their data. You can log in from any device that has access to the Internet, including mobile phones, tablets and laptops. Within X4 Remote, there are several important aspects to consider.
Accounts
Your X4 Remote account is used to authenticate yourself to our systems. First, you use a username (your email address) and a password to log in. It is crucial that you choose a password that is long, unique and hard to guess. Generally speaking, to be safe you need a password that is at least 12-15 characters long. See how to register with a password or how to change the password of an existing account.
Besides a strong password, it is recommended to enable two-factor authentication (2FA). This means that you not only need a username and password to log in, but also a one-time code that is generated on a specific mobile phone. See how to set up 2FA for your account and how to enforce 2FA for all users in your company for additional details.
Every time you log in to X4 Remote, you request a temporary Access Token, which can be used for up to one week, meaning you do not need to enter your credentials every time you access X4 Remote on the same device. It is good policy to regularly review which Access Tokens are active for your account and to remove any you do not recognise. You can do this through the following steps:
- Go to the X4 Remote if you’re not already there.
- Click on your account name, then [My profile].
- Go to [Login and security] and choose which sign-in you would like to remove.
- Click on more options, then [Remove], to remove that access token.
Rights and permissions
Every user within your company has a specific set of permissions governing what they can and cannot do. You should strive to always ensure users only have the permissions they need to do their job (the principle of least privilege). See how to configure roles and permissions for existing users for more information. When inviting new users to your company, take a moment to consider the implications of giving people too many permissions: they might gain access to confidential information, or they might (accidentally) remove users, devices or services. See how to invite users with a specific set of permissions for more information.
The x500
The x500 is the edge hardware most compatible with X4 Remote. It has a built-in firewall separating your machine components from your corporate network. This separation ensures maximum security, as machine components cannot interfere with corporate assets, and vice versa. Even outdated software (e.g. Windows XP) can still be used safely, as long as it is isolated behind the x500’s firewall.
Local firewall
The x500 needs to be allowed access to X4 Remote to set up the connections needed for remote access, Cloud Logging, etc. Because opening incoming ports is inherently dangerous and error-prone, we have designed the x500 to need only outgoing port 443 to function properly. If this port is open, the x500 will attempt to contact the X4 Remote servers for HTTPS, MQTT (over TLS) and VPN traffic. If opening port 443 to any destination is too permissive for your local IT department, it is also possible to whitelist specific Lenze domain names in your local firewall. More information can be found here.
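One way to express this egress policy on the corporate firewall, as an added nftables example that is not part of Lenze's documentation: only outgoing port 443 from the x500 is allowed, nothing inbound is opened, and the stricter domain-based variant is shown as an allowlist set. The x500 address 192.0.2.50, the resolver address 192.0.2.1 and the set contents are placeholders.

```nft
# Added example (not Lenze's own configuration): nftables egress policy on the
# corporate firewall for an x500 router. Placeholders: the x500 is 192.0.2.50,
# the corporate DNS resolver is 192.0.2.1.
table inet x500_egress {
    # Stricter variant from the article: only the X4 Remote server addresses
    # your firewall resolves from the whitelisted Lenze domain names.
    # PLACEHOLDER contents; populate from the addresses in Lenze's documentation.
    set x4remote_servers {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the x500 opened itself.
        ct state established,related accept

        # Assumption: the x500 resolves names via the corporate resolver.
        ip saddr 192.0.2.50 ip daddr 192.0.2.1 udp dport 53 accept

        # Baseline from the article: everything the x500 needs (HTTPS, MQTT over
        # TLS and VPN) rides on outgoing port 443. The article does not state
        # the transport protocol, so both TCP and UDP 443 are permitted here.
        ip saddr 192.0.2.50 meta l4proto { tcp, udp } th dport 443 accept

        # Stricter alternative: comment out the rule above and use this one,
        # so port 443 is only reachable at the allowlisted X4 Remote servers.
        # ip saddr 192.0.2.50 ip daddr @x4remote_servers meta l4proto { tcp, udp } th dport 443 accept

        # No inbound rule toward the x500 exists: remote access is always
        # initiated outbound by the router. Anything else it sends is logged
        # and dropped, which also surfaces misconfiguration during rollout.
        ip saddr 192.0.2.50 log prefix "x500-egress-drop: " drop
    }
}
```

Load it with `nft -f` on the firewall host and watch the kernel log for `x500-egress-drop:` entries to confirm that no flow other than port 443 is needed in your environment.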
x500 firewall
As a router, the x500 has many options relating to network traffic and the firewall, and it is important that you are aware of their security implications. By default, the x500’s firewall is configured to be as strict as possible, but it is possible to allow access to the Internet or to the corporate network. The x500 also contains a web interface, which can be used to locally configure the router’s network settings. Note that it is good policy to change the web interface's default password to a unique, strong password.
Firmware upgrades
The x500 receives multiple new firmware versions every year, and while most of these do not contain security updates, some of them contain security fixes or changes to the encryption used. Keeping your installation on the latest version is essential to maintaining the security of your Lenze environment. During the upgrade, the router may reboot or briefly lose network connectivity, which is why we do not upgrade x500s automatically: the upgrade must be initiated by you at a suitable moment.
Conclusion
Keeping your installations secure is our number one priority, and therefore we think it imperative to share our knowledge on how to harden your Lenze environment. In the end, every case is different, but everyone must be aware of the control they have to minimize their cybersecurity risks.