Data logger security

Data logger security concerns include:

Collection of sensitive data
Operation of critical systems
Networks that are accessible to many individuals

Some options to secure your data logger from mistakes or tampering include:

Sending the latest operating system to the data logger. See Updating the operating system for more information.
Disabling unused services and securing those that are used. This includes disabling HTTP Hypertext Transfer Protocol. A TCP/IP application protocol., HTTPS Hypertext Transfer Protocol Secure. A secure version of HTTP., FTP File Transfer Protocol. A TCP/IP application protocol., Telnet A software utility that attempts to contact and interrogate another specific device in a network. Telnet is resident in Windows OS., and Ping A software utility that attempts to contact another device in a network. network services (Device Configuration Utility > Deployment > Network Services tab). These services can be used to discover your data logger on an IP network.

NOTE:

FTP, Telnet, and Ping services are disabled by default.

Setting security codes (see following information under "Security Codes").
Setting a PakBus/TCP password. The PakBus ® A proprietary communications protocol developed by Campbell Scientific to facilitate communications between Campbell Scientific devices. Similar in concept to IP (Internet Protocol), PakBus is a packet-switched network protocol with routing capabilities. A registered trademark of Campbell Scientific, Inc. TCP password controls access to PakBus communications over a TCP/IP link. PakBusTCP passwords can be set in Device Configuration Utility Software tool used to set up data loggers and peripherals, and to configure PakBus settings before those devices are deployed in the field and/or added to networks. Also called DevConfig..
Disabling FTP or setting an FTP username and password in Device Configuration Utility.
Setting a PakBus encryption (AES-128) key in Device Configuration Utility. This forces PakBus data to be encrypted during transmission.
Disabling HTTP/HTTPS or use the data logger Accounts Editor in Device Configuration Utility Network Services, under the Deployment tab to secure HTTP/HTTP.
Enabling HTTPS and disabling HTTP. To prevent data collection via the web interface, both HTTP and HTTPS must be disabled.
Using a public/private key pair for SFTP authentication. Load a .PEM format file through the Device Configuration Utility Settings Editor > Advanced tab.

Maximum key file size: 4 KB public, 4 KB private
Key exchange methods: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256
Host key types: ssh-rsa, ssh-dss
Supported ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, arcfour128, none

Tracking Operating System, Run, and Program signatures.
Encrypting program files if they contain sensitive information. See CRBasic help FileEncrypt() or use CRBasic Editor > File > Save and Encrypt.
Hiding program files for extra protection. See CRBasic help FileManage() instruction.
Monitoring your data logger for changes by tracking program and operating system signatures, as well as CPU, USR, and CRD file contents.
Securing the physical data logger and power supply under lock and key.

WARNING:

All security features can be subverted through physical access to the data logger. If absolute security is a requirement, the physical data logger must be kept in a secure location.

TLS

Transport Layer Security (TLS) is an internet communications security protocol. TLS settings are necessary for server applications, not for client applications.

Example server application instructions include:

HTTPS server
DNP3()

Example client application instructions include:

HTTPGet(), HTTPPut() and HTTPPost()
EmailRelay()
EmailSend() and EmailRecv()
FTPClient()

Use the Device Configuration Utility to enable and set up TLS. See Deployment > Datalogger > TLS tab.

Security codes

The data logger employs a security scheme that includes three levels of security. Security codes can effectively lock out innocent tinkering and discourage wannabe hackers on all communications links. However, any serious hacker with physical access to the data logger or to the communications hardware can, with only minimal trouble, overcome the five-digit security codes. Security codes are held in the data logger Settings Editor An editor for observing and adjusting settings. Settings Editor is a feature of LoggerNet>Connect, PakBus Graph, and Device Configuration Utility..

The preferred methods of enabling security include the following:

Device Configuration Utility Software tool used to set up data loggers and peripherals, and to configure PakBus settings before those devices are deployed in the field and/or added to networks. Also called DevConfig.: Security codes are set on the Deployment> Datalogger tab.
Network Planner Campbell Scientific software designed to help set up datal oggers in PakBus networks so that they can communicate with each other and the LoggerNet server. For more information, see https://www.campbellsci.com/loggernet.: Security codes can be set as data loggers are added to the network.

Alternatively, in CRBasic the SetSecurity() instruction can be used. It is only executed at program compile time. This is not recommended because deleting SetSecurity() from a CRBasic program is not equivalent to SetSecurity(0,0,0). Settings persist when a new program is downloaded that has no SetSecurity() instruction.

Up to three levels of security can be set. Valid security codes are 1 through 65535 ( 0 confers no security). Security 1 must be set before Security 2. Security 2 must be set before Security 3. If any one of the codes is set to 0, any security code level greater than it will be set to 0. For example, if Security 2 is 0 then Security 3 is automatically set to 0. Security codes are unlocked in reverse order: Security 3 before Security 2, Security 2 before Security 1.

Functions affected by security codes
Function	Security code 1 set	Security code 2 set	Security code 3 set
data logger program	Cannot change or retrieve		All communications prohibited
Settings editor and Status table	Writable variables cannot be changed
Setting clock	unrestricted	Cannot change or set
Public table	unrestricted	Writable variables cannot be changed
Collecting data	unrestricted	unrestricted

See Security(1), Security(2), Security(3) for the related fields in the Settings Editor.

For additional information on data logger security, see: