Keep your data secure

 

groov RIO helps you build a secure system for data communications

Traditional control and SCADA systems seldom manage security. Their proprietary networks and protocols may keep out those who don’t know the system. But their data stays locked inside, unable to be used to improve processes, demonstrate compliance, or inform business decisions—unless it goes through an expensive maze of PCs, PLCs, and middleware. 

New edge I/O products like groov RIO unlock that data and make it readily available by incorporating open standards from both automation and information technology fields. Open standards and connection to the internet, however, magnify the need for system security and data integrity.

How does groov RIO help you keep devices and data secure? By:

  • Giving you control over user accounts for authentication and permissions, including LDAP support
  • Encrypting data
  • Incorporating a configurable device firewall and security certificates
  • Offering VPN access
  • Including MQTT for more efficient and secure data communications

User accounts and authentication

Security starts when you first connect to groov RIO through your web browser. groov RIO has no default login, so you must create your own Admin account in order to access RIO. The username and password for this account are secure, and there is no way to retrieve them. 

If other authorized people need access to your groov RIO, you can create additional user accounts for them, assigning or denying access to individual features (for example, the Node-RED editor) for each account. groov RIO requires user authentication whenever someone tries to log in. You can also set global and individual user session timeouts.

In addition, with firmware 3.0 or higher, groov RIO supports centralized user management through LDAP (Lightweight Directory Access Protocol). When you configure your groov RIOs to connect to your LDAP-compatible directory service, your IT staff can strengthen security by managing users and groups from one spot, together with other devices on the network. Using the LDAP option can help satisfy data integrity requirements in regulated industries and make it much easier to set up and manage edge I/O at scale.

Data encryption

Out of the box, groov RIO uses HTTPS to encrypt all communications. Your connections to groov RIO from your computer or mobile device are encrypted, as is the data RIO communicates to on-premises or cloud-based software, systems, and services.

When you use Node-RED to create data flows or enable MQTT to upload data to an MQTT broker, you can choose either an unencrypted or an SSL/TLS-encrypted connection. For security, choose SSL/TLS encryption.

Configurable device firewall 

Networks typically have firewalls. While they protect the network, they also inhibit the flow of data between networks (for example, between your company network and an internet service).

Individual devices with their own device firewalls provide more flexibility. Used with a network firewall, they can reduce the need for protections at the network level (keeping the network more open) or provide another security layer. Used without a network firewall—for example, on a factory floor—they help secure the device and its data.

groov RIO’s device firewall gives you control over which ports are open for incoming connections to the services listening on each port number. For example, you should disable the ports of unused protocols.

Security certificates

Out of the box, groov RIO uses a self-signed security certificate to verify the groov RIO’s identity to other devices. You can also choose to upload security certificates from your IT department or a certificate authority. 

VPN access

groov RIO offers support for virtual private network (VPN) access to the unit. As an OpenVPN client, groov RIO can offer authenticated remote access to its data over a more secure, virtual point-to-point connection.

MQTT 

Using MQTT’s publish/subscribe data communication method reduces security concerns by using outbound, device-originated connections only. That means groov RIO always originates the connection to the broker, eliminating open inbound ports in firewalls. Once the connection is established, data can travel in both directions.


Part Number    Description
GRV-R7-MM1001-10  -  groov RIO MM1 universal edge I/O, 8 multifunction signals, 2 Form C relays, no Ignition
GRV-R7-MM2001-10  -  groov RIO MM2 universal edge I/O, 8 multifunction signals, 2 Form C relays, expanded memory, Ignition Edge 8 pre-installed
GRV-R7-I1VAPM-3  -  groov RIO EMU, energy monitoring edge I/O module, 64 channels of power and energy data