Data logger security
Data logger security concerns include:
- Collection of sensitive data
- Operation of critical systems
- Networks that are accessible to many individuals
Some options to secure your data logger from mistakes or tampering include:
Sending the latest operating system to the data logger. See Updating the operating system for more information.
Disabling unused services and securing those that are used. This includes disabling HTTP Hypertext Transfer Protocol. A TCP/IP application protocol.,
HTTPS Hypertext Transfer Protocol Secure. A secure version of HTTP.,FTP File Transfer Protocol. A TCP/IP application protocol., Telnet A software utility that attempts to contact and interrogate another specific device in a network. Telnet is resident in Windows OS., and Ping A software utility that attempts to contact another device in a network. network services (Device Configuration Utility > Deployment > Network Services tab). These services can be used to discover your data logger on an IP network.
FTP, Telnet, and Ping services are disabled by default.
Setting security codes (see following information under "Security Codes").
Setting a PakBus/TCP password. The PakBus ® A proprietary communications protocol developed by Campbell Scientific to facilitate communications between Campbell Scientific devices. Similar in concept to IP (Internet Protocol), PakBus is a packet-switched network protocol with routing capabilities. A registered trademark of Campbell Scientific, Inc. TCP password controls access to PakBus communications over a TCP/IP link. PakBusTCP passwords can be set in Device Configuration Utility Software tool used to set up data loggers and peripherals, and to configure PakBus settings before those devices are deployed in the field and/or added to networks..
Disabling FTP or setting an FTP username and password in Device Configuration Utility.
Setting a PakBus encryption (AES-128) key in Device Configuration Utility. This forces PakBus data to be encrypted during transmission.
/HTTPSor creating a
.csipasswdfile to secure HTTP
/HTTPS(see Creating a .csipasswd file for more information).
Enabling HTTPS and disabling HTTP. To prevent data collection via the web interface, both HTTP and HTTPS must be disabled.
Using a public/private key pair for SFTP authentication. Load a .PEM format file through the Device Configuration Utility Settings Editor > Advanced tab.
Tracking Operating System, Run, and Program signatures.
Encrypting program files if they contain sensitive information (see CRBasic help
FileEncrypt()instruction or use the CRBasic Editor File menu, Save and Encrypt option).
Hiding program files for extra protection (see CRBasic help
Monitoring your data logger for changes by tracking program and operating system signatures, as well as CPU
, USR, and CRDfile contents.
Securing the physical data logger and power supply under lock and key.
All security features can be subverted through physical access to the data logger. If absolute security is a requirement, the physical data logger must be kept in a secure location.
Transport Layer Security (TLS) is an internet communications security protocol. TLS settings are necessary for server applications, not for client applications.
Example server application instructions include:
- HTTPS server
Example client application instructions include:
Use the Device Configuration Utility to enable and set up TLS. See Deployment > Datalogger > TLS tab.
The data logger employs a security scheme that includes three levels of security. Security codes can effectively lock out innocent tinkering and discourage wannabe hackers on all communications links. However, any serious hacker with physical access to the data logger or to the communications hardware can, with only minimal trouble, overcome the five-digit security codes. Security codes are held in the data logger Settings Editor An editor for observing and adjusting settings. Settings Editor is a feature of LoggerNet|Connect, PakBus Graph, and Device Configuration Utility..
The preferred methods of enabling security include the following:
- Device Configuration Utility Software tool used to set up data loggers and peripherals, and to configure PakBus settings before those devices are deployed in the field and/or added to networks.: Security codes are set on the Deployment> Datalogger tab.
- Network Planner Campbell Scientific software designed to help set up datal oggers in PakBus networks so that they can communicate with each other and the LoggerNet server. For more information, see https://www.campbellsci.com/loggernet.: Security codes can be set as data loggers are added to the network.
Alternatively, in CRBasic the
SetSecurity() instruction can be used. It is only executed at program compile time. This is not recommended because deleting
SetSecurity() from a CRBasic program is not equivalent to
(0,0,0). Settings persist when a new program is downloaded that has no
Up to three levels of security can be set. Valid security codes are 1 through 65535 ( 0 confers no security). Security 1 must be set before Security 2. Security 2 must be set before Security 3. If any one of the codes is set to 0, any security code level greater than it will be set to 0. For example, if Security 2 is 0 then Security 3 is automatically set to 0. Security codes are unlocked in reverse order: Security 3 before Security 2, Security 2 before Security 1.
Functions affected by security codes
|Function||Security code 1 set||Security code 2 set||Security code 3 set|
|data logger program||Cannot change or retrieve||All communications prohibited|
|Writable variables cannot be changed|
|Setting clock||unrestricted||Cannot change or set|
|Public table||unrestricted||Writable variables cannot be changed|
See Security(1), Security(2), Security(3) for the related fields in the Settings Editor.
For additional information on data logger security, see: