Security is of the utmost importance for Optigo Networks, which has adopted several best practices to ensure the security of customer data. These security practices are continuously being reviewed and improved upon.
The following are the major highlights of the security practices for Visual BACnet™:
Visual BACnet™ Cloud Hosting
- Information in this section is for Visual BACnet hosted by Optigo Networks. Privately hosted Visual BACnet solutions may have different characteristics.
- Visual BACnet™ is hosted on Amazon Web Services (AWS) EC2 instance(s) and all data resides in AWS S3 storage. Other than specific regional web proxy servers, all Visual BACnet AWS EC2 instance(s) and S3 data centres are located in the United States of America.
- All network traffic to and from Visual BACnet servers (e.g. app.visualbacnet.com) is encrypted using TLS with a certificate issued by ZeroSSL Certificate Authority (CA).
- All data is encrypted in-flight using secure HTTPS connections.
- Network ports that are open on AWS EC2 instance(s) to the Internet are:
- 80 (HTTP) (redirect to 443) and 443 (HTTPS).
- Security is enforced on AWS using AWS IAM best practices.
- Access to AWS EC2 instance(s) is limited to select Optigo staff, for deployment and provisioning via SSH using AWS IAM roles, which assign a different pre-shared key to each individual staff member.
- Access to AWS S3 storage is managed by secret keys.
Visual BACnet™ Application
- Visual BACnet does not require or process any Personally Identifiable Information (PII), except for information that is part of the login process, such as email address and host IP address.
- User authentication is protected by password. Minimum password strength is enforced. Password must be at least 8 characters, have at least one upper case letter, one lower case letter, and one digit or special character.
- All passwords are stored using hashed and salted techniques.
- Accounts are automatically locked upon 5 sequential unsuccessful login attempts.
- All user credit card information is securely managed and stored on the Stripe online payment service.
- All user activities (e.g. logins, uploads, downloads, views) are logged and reviewed regularly.
- All user (packet capture) files are stored in AWS S3 storage using anonymized filenames to remove any descriptive information (e.g. customer name, location name, date).
- All Optigo Networks' staff receive regular training on privacy and security (e.g. sensitivity of user data, best practices regarding passwords and user accounts).
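The password policy, salted password hashing and five-attempt lockout listed above can be expressed as a small authentication store. The following is an added illustration, not Optigo's code: the page says only that passwords are "hashed and salted", so the choice of PBKDF2-HMAC-SHA256 with a random 16-byte salt, the `AuthStore`/`Account` names and the in-memory storage are all assumptions made here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 8            # policy from the page: at least 8 characters
MAX_FAILED_ATTEMPTS = 5   # policy from the page: lock after 5 sequential failures
PBKDF2_ITERATIONS = 100_000  # assumed; the page does not name a hash or work factor


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty means OK).

    Rules: >= 8 characters, one upper case, one lower case, one digit or
    special character (the Visual BACnet application policy on this page).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("one upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("one lower case letter")
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("one digit or special character")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; the salt is stored beside the hash, never reused."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    failed_attempts: int = 0  # consecutive failures; reset on success
    locked: bool = False


class AuthStore:
    """Hypothetical in-memory user store enforcing the page's rules."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password must have: " + ", ".join(problems))
        salt = os.urandom(16)  # per-account random salt
        self.accounts[username] = Account(hash_password(password, salt), salt)

    def login(self, username: str, password: str) -> str:
        """Return "ok", "invalid" or "locked"; unknown users get "invalid"."""
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"
        if acct.locked:
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.password_hash):
            acct.failed_attempts = 0  # a success breaks the "sequential" chain
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "Passw0rd!")
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(attempt + 1, store.login("alice", "wrong"))  # 5th answer is "locked"
```

Note that a constant-time comparison (`hmac.compare_digest`) and a per-account salt are what make the stored hashes resistant to offline and timing attacks; the lockout counter is reset only by a successful login, matching the page's wording of "sequential" failures.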
Visual BACnet Capture Tools
- Optigo Networks provides several variations of the Optigo Capture Tools:
- Software for Windows
- Software for Linux: Ubuntu, CentOS & RedHat
- Raspberry Pi based device (w/ DIN-rail mount)
- The software application versions (Windows & Linux) are installed and run on a PC or virtual machine.
- The hardware version runs on a Raspberry Pi running Alpine Linux OS.
- None of the versions (hardware or software) calls home or requires Internet access, except for uploading collected PCAP files. Automatic capturing (e.g. recurring scheduled capture) is an optional feature.
- PCAP file upload uses an outbound-only API with TLS 1.2 encrypted transmission.
- Data is stored in pcap/pcapng format. Please click on this IETF link for further information on this format.
- Before automatically uploading to Visual BACnet, capture files are temporarily stored in the following locations:
- Windows: C:\Program Files (x86)\Optigo Capture Tool\data\pcap
- Linux: /opt/OptigoCaptureTool/data/pcap
- The Capture Tool software application runs as a service on port 4000.
- The management and configuration of the Capture Tool is accessed through a web browser using a self-signed SSL version 3 certificate, with authentication requiring a username and password. If the default password has not been changed, the user is prompted to update the password on every login.
- Password must be at least 8 characters, have at least one upper case letter, one lower case letter, and one digit.
- Users/organizations can replace the self-signed certificate.
- The BACnet Capture Tool device (hardware) has only the following ports opened:
- 80 (HTTP)
- 443 (HTTPS)
- The Capture Tools (both variants) only capture packets on standard BACnet ports (UDP 47808 to 47823) and user-defined ports.
- Further information on the Capture Tool software installation can be found here.
- The hardware of both the MS/TP and IP network physical capture tools has been security scanned.
Please direct any additional questions to info@optigo.net