Versions Compared

Old Version 5

changes.mady.by.user admin

Saved on

compared with

New Version Current

changes.mady.by.user admin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

FrameworX was designed to enable applications on mission Our platform caters to mission-critical systems , in various segments, including Energy, with NERC requirementsin sectors like Energy, Oil & Gas, and Pharma with FDA requirements, and various other segments. Independently of regulations requirements, all applications, small to large, HMI to IoT, benefits from the stable, reliable infra-structure and strong security protections inherent. to the platform. This section will address some of those . Whether meeting NERC or FDA standards, it provides a stable, secure infrastructure from HMI to IoT. This section delves into key features.

On this page:

Table of Contents
3
maxLevel2
stylenone



Security Highlights

Security and Reliability

We prioritize stability and security throughout our platform's design, from technology selection to module architecture.


Easy Configuration and Maintenance

Our platform offers secure, straightforward configuration and maintenance for various scenarios, ensuring scalability and consistency.


Operational Stability

Operational stability is guaranteed with our platform's 100% managed code implementation, featuring robust exception handling and seamless failure recovery.


Redundancy and Availability

For high availability, our platform offers redundancy with a proven hot-standby system for real-time databases, alarms, and historians, catering to diverse network setups.



FDA 21 CFR Part 11 and NERC

The software platform has a range of security and compliance features that can be used to help organizations meet the requirements of FDA 21 CFR Part 11. It is important to note that compliance is an ongoing process, and therefore, organizations should regularly monitor and update their systems and policies to ensure adherence to the standards established by the FDA.

The platform was also designed following the applicable recommendations from NERC CIP, such as the CIP- 007-1-Cyber Security-System Management.

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Listed below and described are some security-related features available in the product:

Panel
bgColor#ffffff

  • Access Control: Security technique that regulates who or what can view or use resources in a computing environment.

  • Password Encryption: System administrator does not possess access to the user password. They are encrypted before being stored.

  • Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing its change, and a maximum age before expiring.

  • Required Password changing: Forces the user to alter his password after the first login has been made.

  • User Name and Password Minimum Length:

<<<<add info>>>>

  • Establishes minimum requirements for passwords.

  • Block on Invalid Login Attempt: Blocks User after reaching maximum number of invalid logins attempted.

  • Store Password History: A range of the last 0-5 passwords can be stored to make sure User does not repeat an already used one.

  • Auto Log Off: User is logged off the system for inactivity or expiration date.

  • Audit Trail Data: Security-relevant chronological record, set of records, that provide documentary evidence of the sequence of activities that have affected at any time a specific operation.


For detailed Explanation on how to add security management in project consist with these rules, go  to the page FDA 21 CRT Compliance page, under the chapter Security, Users and Roles.

For addition information on NERC CIP-007-1 -Cyber Security-System Management, go to the page NERC CIP Overview.



Built-in .NET Security

The FactoryStudio FrameworX development is based built on the .NET , using managed code, following security guidelines, where the development with .NET managed code must follow the .NET rules. There are specific guidelines followed for specific modules. For example, the Alarms adherence to the FDA guidelines are followed, for Electrical device communications with the IEC61850, or the other IEC are followed. Below are the main FS-Security topics and some basic information about them.

Link to Microsoft information about Security in .Net:

https://docs.microsoft.com/en-us/dotnet/standard/security/

framework, following strict security protocols. Each module adheres to specific guidelines aligned with its function, such as FDA compliance for the Alarms module and adherence to standards like IEC61850 for modules handling electrical device communications.

Below are the main security topics along with essential details about each.

Tip
titleSecurity at the Core Level

Security

must be implemented

implementation is ingrained at the core

, not

level rather than being applied externally.

the Platform Moduleshave

The platform's modules incorporate built-in security

related

components designed from

the core.

their very core.

For more detailed insights into security in .NET, refer to Microsoft's documentation available at: Microsoft .NET Security Information




Communication Security

Communication between modules

The cryptography Cryptography plays a crucial role in securing communication between external modules — processes out of TServer: and TServer, encompassing processes such as ScriptTaskServer, DataAccess, Devices, TRichClient, SmartClient, ModuleInfo, TraceWindow, PropertyWatch, etc — and TServer uses basically two classes:and PropertyWatch. Two primary classes are employed for this purpose:

     a) System.Security.Cryptography.RSACryptoServiceProvider RSACryptoServiceProvider (Asymmetric, KeySize: 1024): Performs Facilitates asymmetric encryption and decryption using utilizing the RSA algorithm implementation of the RSA algorithm provided by the cryptographic service provider cryptographic service provider (CSP). 

     bb)  SystemSystem.Security.Cryptography.Rijndael (KeySize: 256)

Note 1: No external program gets access to the TServer without

: Utilized for encryption and decryption, Rijndael operates with a key size of 256 bits.

It's essential to note:

  1. External programs can only access TServer after undergoing validation/authentication. TServer
answers
  1. responds to external
programs only after validation
  1. requests only following validation/authentication
via
  1. , accomplished either through user/password authentication or Windows Authentication.
Note 2: 
  1. "RSACryptoServiceProvider" is
used to generate "
  1. utilized for generating private/public keys, while "
;  "
  1. Rijndael"
is used to encrypt/decrypt the data and it uses "
  1. handles the encryption/decryption process, leveraging the aforementioned private/public keys
" described above
  1. .
 

  • Note 3: The data are only compressed if block size is over 16000 bytes. The compression is GZIP". "ModuleInformation" displays estimated values of each connection. WCF adds some bytes while sending data, so the values in "ModuleInformation" are estimated.

    • Note 4: 
    2. Data compression is employed only if the block size exceeds 16000 bytes, utilizing the GZIP compression method. The ModuleInformation feature offers estimated values for each connection, considering that WCF may introduce additional bytes during data transmission.
    3. ".NET Framework applications should
    use
    1. utilize the TLS version supported by the operating system (OS)
    supports
    1. ."
    FS
    1. FactoryStudio does not manually
    set
    1. configure the TLS
    version using the configuration of the operating system (OS).Note 5: Remote access by
    1. version but rather relies on the OS's configuration.
    2. Remote access via WebAccess services (third-party
    program
    1. programs or modules)
    will use http or https consuming the
    1. utilizes either HTTP or HTTPS to consume available web services
    available
    1. .


    Communication with web clients

    HTML5

    can use

    provides flexibility in choosing between "http" or "https/ssl" protocols.

    The compression will be configured on "IIS" and it will be GZIP". 

    Further, you can setup your application to have mandatory long, as well various forms with custom authorization, like IP filterer, or Location, among other.

    Secure  WebGateway 

    The TWebGateway is a tool included in the platform to allow to route data across different security Network zones, like moving that from the Level 2, the factoryFloor, to Level 4, the enterprise. 

    It also

    You can configure compression settings like GZIP on the IIS server. Moreover, you can implement custom authorization methods such as IP filtering or location-based authentication, along with mandatory session settings. 

    Secure WebGateway 

    The TWebGateway is a crucial part of our platform, enabling smooth data transfer across different security network zones. It serves as a bridge, moving data from lower levels, like the factory floor (Level 2), to higher levels such as the enterprise (Level 4).

    Acting as a protective barrier, the TWebGateway shields internal networks from insecure traffic. Enterprises rely on it to guard employees and users against potential threats from malicious web traffic, websites, viruses, and malware.

    prevents unsecured traffic from entering an internal network of an organization. It is used by enterprises to protect their employees/users from accessing and being infected by malicious web traffic, websites and virus/malware. 



    Files and Execution Protection

    License/Softkey

    The "License/Softkey"

    uses

    feature employs the .NET class System.Security.Cryptography.Rijndael

    (symmetric, KeySize: 256)

    , utilizing symmetric encryption with a key size of 256 bits.

    Digital signature

    All assemblies created by Tatsoft are signed digitally.

    Project format (Configuration protection) 

    All project

    configuration is

    settings, including security measures like cryptography, power recovery, and user/password protections, are stored in a relational database (.tproj file)

    with all security and protections like cryptography, power recovery and Users/passwords

    . The

    Scripts and Displays have the

    source code and

    the

    compiled binaries for Scripts and Displays are also stored in

    the same .tproj

    this file.

    It makes the project easy to manage and deploy. 

    This centralized storage method streamlines project management and deployment, making access and maintenance easier.



    User Authentication and Permissions

    User Authentication

    The Our platform supports Integration offers integration with various systems for user authentication:

    Microsoft ActiveDirection, Widows
    Panel
    bgColor#ffffff
    • Microsoft Active Directory and Windows Authentication
    Connection with
    • LDAP server connection
    Using the built
    • Built-in Users Database
    Connection with external Databases or User Authentication
    • External databases or user authentication servers


    Active-Directory / Windows Authentication

    When using

    Enabling Windows Authentication

    ,

    bypasses the project

    will not use the User list configured in the project, only the policies, and this management is controlled by Windows. The Windows User that is logged into the computer will be the one used in the system. 

    's configured user list, relying on Windows policies instead. Windows manages user authentication directly, utilizing the currently logged-in Windows user for system access.

    LDAP

    When

    using

    LDAP is used, the project

    will not use the User list configured in the project, just the policies and this management is controlled by

    ignores its configured user list and relies on policies managed by Windows and the LDAP Server. Authentication is handled by both Windows and the LDAP Server

    . The External User that is logged in

    , with the external user logged into the LDAP Server

    will be the one used in the

    being utilized within the system.

    Runtime Users

    Dynamically create

    The system dynamically generates users and

    store

    stores their credentials in SQL databases.

    Get users from Active-

    It seamlessly integrates with Active Directory or third-party

    system for

    systems to retrieve users, enabling integrated security

    or

    and unified login capabilities.


    Roles, Permission and Policies

    Group and User Permissions

    Total

    Our users have complete flexibility to define privileges based on groups or specific

    users

    individuals. Permissions can be

    global

    set globally or

    tied to a specific display, object

    linked to particular displays, objects, or input

    action

    actions, offering granular control over access levels.


    User Policies

    Identification

    Our platform offers a comprehensive array of user management features, including identification policies, session duration

    ,

    control, automated logoff

    , e-sign,

    mechanisms, electronic signature capabilities, and robust audit-trail

    , and a complete set of user management features are available. 

    functionality.




    Database Injection Protection

    In the database, calling Stored Procedure, there is a great concern about this part of "injection", because if parameters are passed as plain text in SQL Statement, the "injection" could be possible. Against this we use the .NET API where parameters are added to a list, making it impossible to code injection.




    Security External Validation

    Regularly the platform is accessed by Veracode, or third-party companies, on penetration testing report, gap analysis, and various other topics.

    Any issues that would prevent a 100% approval are corrected.




    In this section...

    Page Tree
    root@parent
    spaces93DRAF