Security and Compliance

Introduction

FrameworX was designed to enable applications on mission critical systems, in various segments, including Energy, Oil&Gas, Pharma with FDA requirements, and various other segments. Independently of regulations requirements, all applications, small to large, HMI to IoT, benefits from the stable, reliable infra-structure and strong security protections inherent. to the platform. This section will address some of those features.

S Security - Communication between FS modules

The cryptography between external modules — processes out of TServer: ScriptTaskServer, DataAccess, Devices, TRichClient, SmartClient, ModuleInfo, TraceWindow, PropertyWatch, etc — and TServer uses basically two classes:

     a) System.Security.Cryptography.RSACryptoServiceProvider (Asymmetric, KeySize: 1024): Performs asymmetric encryption and decryption using the implementation of the RSA algorithm provided by the cryptographic service provider (CSP). 

     b) System.Security.Cryptography.Rijndael (KeySize: 256). 

• Note 1: No external program gets access to the TServer without validation/authentication. TServer answers to external programs only after validation/authentication via user/password or Windows Authentication.

• Note 2: "RSACryptoServiceProvider" is used to generate "private/public keys";  "Rijndael" is used to encrypt/decrypt the data and it uses "private/public keys" described above. 

• Note 3: The data are only compressed if block size is over 16000 bytes. The compression is GZIP". "ModuleInformation" displays estimated values of each connection. WCF adds some bytes while sending data, so the values in "ModuleInformation" are estimated.

• Note 4: ".NET Framework applications should use the TLS version the operating system (OS) supports." FS does not manually set the TLS version using the configuration of the operating system (OS).

• Note 5: Remote access by WebAccess services (third-party program or modules) will use http or https consuming the web services available. 

FS Security - iOS - SCADA HMI Client

"SCADA HMI Client" (iOS) can use “http” or “"https/ssl". The compression is configured on "IIS". While configuring "iDataPanel Service" and "iDataPanelImages Virtual Directory", there is an input called "Compression" to enable. The compression is GZIP". 

FS Security - HTML5

HTML5 can use "http" or "https/ssl". The compression will be configured on "IIS" and it will be GZIP". 

FS Security - License/Softkey

"License/Softkey" uses the .NET class System.Security.Cryptography.Rijndael (symmetric, KeySize: 256).

FS Security - Digital signature

All assemblies created by Tatsoft are signed digitally.

FS Security - WebGateway

A WebGateway is a type of security solution that prevents unsecured traffic from entering an internal network of an organization. It is used by enterprises to protect their employees/users from accessing and being infected by malicious web traffic, websites and virus/malware. The TWebGatewayService is an executable file that works in association with IIS(Internet Information Services).

FS Security - Users/Groups/Policies (Built in, Active Directory\Windows Authentication, LDAP)

Group and User Permissions

Total flexibility to define privileges based on groups or specific users. Permissions can be global or tied to a specific display, object, or input action.

Runtime Users

Dynamically create users and store credentials in SQL databases. Get users from Active-Directory or third-party system for integrated security or unified login.

User Policies

Identification policies, session duration, control, automated logoff, e-sign, audit-trail, and a complete set of user management features are available.

FDA and NERC Regulated Applications

FactoryStudio allows delivering applications in conformance with Title 21 CFR Part 11, and it was designed following the applicable recommendations from NERC, such as the CIP- 007-1-Cyber Security-System Management.

Security at the Core Level

Security must be implemented at the core, not applied externally. FactoryStudio modules have built-in security related components designed from the core.

Active-Directory / Windows Authentication

When using Windows Authentication, the project will not use the User list configured in the project, only the policies, and this management is controlled by Windows. The Windows User that is logged into the computer will be the one used in the system.

LDAP

When using LDAP, the project will not use the User list configured in the project, just the policies and this management is controlled by Windows and the LDAP Server. The External User that is logged in the LDAP Server will be the one used in the system.

FS Security - Project format (Configuration protected) 

All project configuration is stored in a relational database (.tproj file) with all security and protections like cryptography, power recovery and Users/passwords. The Scripts and Displays have the source and the compiled binaries stored in the same .tproj file. It makes the project easy to manage and deploy. 

FS Security - Food and Drug Administration (FDA)

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Listed below and described are some security-related features available in the product:

• Access Control: Security technique that regulates who or what can view or use resources in a computing environment.

• Password Encryption: System administrator does not possess access to the user password. They are encrypted before being stored.

• Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing its change, and a maximum age before expiring.

• Required Password changing: Forces the user to alter his password after the first login has been made.

• User Name and Password Minimum Length: <<<<add info>>>>

• Block on Invalid Login Attempt: Blocks User after reaching maximum number of invalid logins attempted.

• Store Password History: A range of the last 0-5 passwords can be stored to make sure User does not repeat an already used one.

• Auto Log Off: User is logged off the system for inactivity or expiration date.

• Audit Trail Data: Security-relevant chronological record, set of records, that provide documentary evidence of the sequence of activities that have affected at any time a specific operation.

FS Security - Database security, Authentication and SQL Injections

In the database, calling Stored Procedure, there is a great concern about this part of "injection", because if parameters are passed as plain text in SQL Statement, the "injection" could be possible. Against this we use the .NET API where parameters are added to a list, making it impossible to code injection.

FS Security - Assess

Veracode validation. Last validation on May 2019, passed 100%.

FS Security - Communication between Client and Server 

Link to explanation of our cryptography methods:

       https://partners.tatsoft.com/dl/AYQP5LsLw3/FPD-CommunicationbetweenClientsandServer.pdf_

Microsoft - .NET Security

Link to Microsoft information about Security in .Net:

https://docs.microsoft.com/en-us/dotnet/standard/security/

• How did you assess FactoryStudio security (threat modeling, penetration testing, etc.)? Was Factory Studio security assessed by a third-party company?

Vera code assessment for Shell Oil first time 2016 and last time in May 2019. FactoryStudio passed 100%.

• Do you have any certifications and/or reports that would demonstrate the validation of Factory Studio security level (penetration testing report, gap analysis, etc.)?

Vera code assessment for Shell first time 2016 and last time in, May 2019. FactoryStudio passed 100%.

• When was the last security assessment done and who made it ?

Vera code assessment to Shell first time 2016 and last time in , May 2019. FactoryStudio passed 100%.

On this page: