Best Practices for Security on RIO Systems: Part 1 Recommended

Overview

This article introduces the 'recommended' set of best practices for securing RIO systems. These are practices that most users should follow. The 'recommended' practices don't require an extensive investment in time or cost, and they provide a lot of basic protection to RIO systems. Each best practice is organized into a separate section of this document. Links relevant to each of the recommended best practices, such as reference designs and knowledgebase articles, are presented within the section for that best practice. Each best practice is also labelled with one of the following four tags to identify which layer, as defined in the overview documentation, is affected: [Network], [Physical], [OS], [Application]. This article is part of the Best Practices for Security on RIO Systems documentation. You can return to the overview for this documentation set at: Overview of Best Practices for Security on RIO Systems.

Network Firewall [Network]

The first recommended best practice is to use a software or hardware firewall to protect the host pc in the RIO system. For maximum security, it's best to use both a hardware and a software firewall. To learn more about firewalls, refer to the following documentation:

Microsoft Knowledgebase: How to choose a firewall

Operating System Updates and Accounts [OS]

In addition to setting up a network firewall, it's important to keep the operating system on the host pc updated with the latest security patches. For Windows systems, the Windows Update feature can be enabled to keep the operating system up to date. Refer to the following documentation:

Microsoft Knowledgebase: Windows Update

It's also important to setup and use a Standard User Account on Windows systems. If using the default Administrative account, intruders able to gain access to the operating system have the potential to do much more to the host pc. By setting up and using a Standard account, users are limited to the functionality they require. A Standard account would make it more difficult for an intruder to compromise the system. Refer to the following documentation:

Microsoft FAQ: User accounts: frequently asked questions

Malware Protection [OS]

In addition to using a standard account and updating the operating system, it's useful to setup and run Anti-Virus software on the host pc. Anti-Virus software can detect and clean infections on the host pc. Refer to the following documentation: 

Microsoft Knowledgebase: What is antivirus software?

NI Linux Real-Time-based devices such as the CompactRIO system also include Security-Enhanced Linux (SELinux), which makes it possible to add mandatory access control directly in the OS. SELinux defines the access and transition rights of users, applications, processes, and files on the system through security policies. To learn more about SELinux, read the white paper Addressing Access Control Security in LabVIEW RIO Devices.

Figure 1: Mandatory Access Control Using Security Enhanced Linux (SELinux)

VI Passwords [Application]

Passwords can be set on VIs which contain sensitive data or important algorithms. Setting strong passwords on VIs makes it more difficult for attackers to infiltrate and compromise your application. VIs without passwords can be copied by attackers and analyzed to glean implementation algorithms or data, and can aid attackers in disrupting an application.

To set a password on a VI, open the VI and navigate through File » VI Properties. In the dialog box that opens, select Protection from the drop-down Category list. On this page, you can select Password-protected to set a password for the VI.

Figure 2: Dialog for password-protecting a VI

Build EXEs [Application]

In addition to setting passwords, it's a recommended best practice to build both the host pc code and Real-Time code into EXEs. On the host pc, it's useful to remove the source code and rely solely on the EXE. This way, if an attacker gains access to the host pc, it will take far more work to steal or disrupt the host pc application. If the source code is present on the host pc, an attacker can potentially copy the exposed VIs and use the information to reverse-engineer the host side application or disrupt the host pc application. 

On the Real-Time controller, running the code as an RTEXE offers many security and performance benefits over running the real-time application in interactive mode. When the code is run in interactive mode, the host pc has development access to the RIO device. If an attacker is able to compromise the host pc, running a Real-Time application in interactive mode allows the attacker to very easily modify or disrupt the real-time application. Interactive mode also uses considerably more network bandwidth, because there is significant overhead in executing a real-time application in interactive mode. The increased network traffic of interactive mode provides a larger attack surface for attackers as well.

To build the host pc code into an EXE, refer to the following LabVIEW help documentation:
Building a Stand-Alone Application

To build the real-time code into an RTEXE, refer to the following LabVIEW help documentation:
Building a Stand-Alone Real-Time Application (RT Module).

VI Server Access [Network]

If VI Server is enabled, it's important to ensure that the permissions and settings are carefully managed to prevent unauthorized users from accessing and executing potentially malicious LabVIEW code on the host pc or real-time target. To access VI Server settings for the host pc, in the LabVIEW development environment, navigate through Tools » Options and select the VI Server category in the dialog that appears.

For the real-time controller, use the project explorer to access the VI Server settings. First, add the RIO target to the project, then right-click on the real-time controller and select Properties as shown in Figure 3. You can then select the VI Server category and begin managing the VI Server settings with the dialog shown in Figure 4.

Figure 3: Accessing VI Server properties for a CompactRIO

Figure 4: VI Server configuration page

For more information on configuring the VI Server and using VI Server in applications, please refer to the following help documentation: 

Configuring the VI Server

Creating a VI Server Application

NI Auth [Network]

In addition to VI Server, it's also important to manage the NI Auth settings on the host pc and on the RIO device. NI Auth helps secure access to a device via MAX and the Web-based Configuration and Monitoring tool. If left unsecured, the Web-based Configuration and Monitoring tool allows anyone to access and edit files on a RIO device, in addition to providing the ability to reboot the RIO device. Similarly, anyone can also use MAX to install or uninstall drivers on the RIO device and reboot the RIO device. For protection from unauthorized use of MAX and the NI Web-based Configuration and Monitoring tool, it's critical that you properly set up the NI Auth settings.

Note: To enable NI Web-based Configuration and Monitoring on a RIO device, you must have NI Web-based Configuration and Monitoring and NI System Configuration network support installed on the device.

The easiest way to access and set an NI Auth password is to rely on the Web-based Configuration and Monitoring interface. To reach the interface on the RIO device, open a web browser and navigate to http://<RIO_ip.addr>:3580 or http://<RIO_ip.addr>, where <RIO_ip.addr> is the IPv4 address of the RIO device. The second URL will work only if using LabVIEW Real-Time 2010 or later. To reach the interface on the host pc, open a web browser and navigate to http://<host_ip.addr>:3580 or http://localhost:3580, where <host_ip.addr> is the IPv4 address of the host pc. 

Figure 5: The NI Web-based Configuration and Monitoring interface to a RIO device

Once you have accessed the Web-based Configuration and Monitoring interface, select Login from the blue banner at the top. You will then be presented with a prompt to enter the user name and password. The default user name is "admin" and the default password is simply blank. 

Figure 6: The default login to NI Auth

After logging in using the default credentials, select the lock and key icon from the banner on the left edge of the Web-based Configuration and Monitoring interface to access the security configuration page. Refer to Figure 7 for the icon. You can use the security configuration page to configure NI Auth settings on the host pc and RIO device. The first step is to change the default password for the admin account to something other than a blank password, to prevent attackers from gaining easy access. You can then create other user accounts and organize user accounts into groups. You have the ability to set permissions on a user and/or group basis. Ultimately, you want to use NI Auth to limit each user's ability to use the Web-based Configuration and Monitoring Tool to the specific activities that each user/group is responsible for.

Figure 7: Accessing the security configuration page

After configuring the NI Auth account, when the cRIO is accessed via MAX, you will be prompted for valid credentials to view the installed software on the target. Additionally, the options to Set Permissions and Log In, as illustrated in Figure 8, direct users to the login prompt of the Web-based Configuration and Monitoring Tool. Users will have to enter valid credentials and can then set permissions using the security configuration page as discussed above.

Figure 8: Accessing NI Auth via MAX

Enabling SSL [Network]

It's important to manage the transfer of data between the host pc and the RIO device. By default, data is passed between the host pc and the RIO device without encryption. If an attacker gains access to the network between the host pc and the RIO device, the attacker could rely on a network packet sniffer to easily read the data being passed between the host pc and RIO device. Furthermore, the attacker could modify the data or, worse, insert erroneous data. The recommended method to secure data between the host pc and the RIO device is to rely on an SSL-enabled Web Service.

Note: To rely on SSL-enabled Web Services to securely transfer data between the host pc and the RIO device, you must have NI Application Web Server, Run-Time Engine for Web Services, and SSL Support for LabVIEW RT installed on the RIO device. If you are using the RIO device to connect to an SSL-enabled web service, you must also have HTTP Client and HTTP Client with SSL Support installed.

To enable SSL, navigate to the Web-based Configuration and Monitoring Tool as described in the NI Auth section. Select the icon with the globe and the computer to access the Web Server Configuration page. You can enable SSL encryption for both the System and the Application Web Servers as shown in Figure 9. The System Web Server hosts the Web-based Configuration and Monitoring Tool. Securing the System Web Server secures all the communication to the Web-based Configuration and Monitoring Tool, such as filenames and locations when uploading or downloading files to/from the RIO device. The Application Web Server hosts any Web Services you build, and can be used to secure application data that you are passing between the host pc and the RIO device.

This article will not discuss how to build Web Services; please refer to Overview: Web-based Communication with a LabVIEW Application (Real-Time, Windows) and Tutorial: Creating and Accessing a LabVIEW Web Service (Real-Time, Windows) for more information about LabVIEW Web Services. 

Note: The SSL-enabled System Web Server resides on port 3581. The URL to access the SSL-enabled System Web Server is https://<IP_Address>:3581, where <IP_Address> is the IPv4 address of the RIO device or host pc with an SSL-enabled System Web Server. Currently, accessing the SSL-enabled web service is only supported via Internet Explorer. Other web browsers will return an error. The SSL-enabled Application Web Server resides on port 8081, and can be accessed by navigating to https://<IP_Address>:8081, where <IP_Address> is the IPv4 address of the host pc or RIO device which is hosting the web service.

Figure 9: Enabling SSL on the System and Application Web Servers

Refer to Securing the Web Server with SSL for more information on setting up an SSL enabled web service to securely transfer data between the host pc and RIO device. 

Disable the open FTP Server [Network]

By default, there is an unsecured and open FTP server on RIO devices. Securing the FTP server prevents attackers from otherwise accessing, uploading to, downloading from, or modifying the file system on the RIO device. For details on securing the FTP server, refer to Best Practices for Security on RIO Systems: Disable Real-Time FTP Server.

Internal Network [Network]

If you are running a critical process with a RIO device, host the RIO device on an internal, protected network. This denies attackers easy network access to the RIO device. Exposing the RIO device to the Internet opens the door for many more attackers to assault the RIO system. 

FPGA Bounds Checking [Application]

Since the FPGA serves as a gate between all the real-world I/O and the Real-Time controller, it is worthwhile to implement bounds checking on the FPGA. This way, if attackers are able to compromise the host pc or real-time applications and begin to send erroneous commands to the FPGA, you can still protect hardware and sensors downstream of the RIO device. By saturating outputs on the FPGA, you can ensure that the outputs fall within safe bounds so that hardware is not damaged. How saturation and bounds checking are implemented will vary based on the hardware and sensors downstream of the FPGA.

FPGA Safe States [Application]

In addition to implementing bounds checking on the FPGA, it is also useful to implement an FPGA watchdog over the Real-Time application. If there is an error in the Real-Time application, you can have the FPGA default to a "safe state". 

Please refer to Fail-Safe Control Reference Design for CompactRIO for an implementation of the FPGA watchdog functionality. 
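The two FPGA protections above, output saturation and a watchdog that falls back to a safe state, modelled together in C as an added example (this is not code from the article or from the NI reference design; LabVIEW FPGA code is graphical, so the C only shows the logic). The 12-bit output range, the safe-state value of 0 and the 100-tick watchdog timeout are assumed values chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed parameters for this constructed example: a 12-bit DAC output,
 * a safe state of 0 counts, and a watchdog timeout of 100 FPGA ticks. */
#define OUT_MIN        0
#define OUT_MAX        4095
#define SAFE_STATE_OUT 0
#define WDT_TIMEOUT    100u  /* ticks the RT loop has to kick the watchdog */

typedef struct {
    uint32_t last_kick; /* tick count of the last watchdog kick from RT */
    bool     tripped;   /* latched once the watchdog expires */
} output_stage_t;

/* Saturate a requested command into the hardware-safe range. */
static inline int32_t saturate(int32_t req) {
    if (req < OUT_MIN) return OUT_MIN;
    if (req > OUT_MAX) return OUT_MAX;
    return req;
}

/* Called by the Real-Time application each loop iteration to prove it is alive. */
void watchdog_kick(output_stage_t *s, uint32_t now) {
    s->last_kick = now;
}

/* Clear the latched fault, e.g. after operator acknowledgement. A kick alone
 * does not recover: a compromised or restarted RT app must not silently resume. */
void watchdog_reset(output_stage_t *s, uint32_t now) {
    s->last_kick = now;
    s->tripped = false;
}

/* Value actually driven to the hardware this tick. Saturation bounds the
 * command from the RT side; the watchdog forces the safe state if the RT
 * application has stopped kicking. Unsigned subtraction handles tick wrap. */
int32_t output_stage_update(output_stage_t *s, int32_t requested, uint32_t now) {
    if (!s->tripped && (uint32_t)(now - s->last_kick) > WDT_TIMEOUT) {
        s->tripped = true;
    }
    if (s->tripped) return SAFE_STATE_OUT;
    return saturate(requested);
}
```

An out-of-range command is clamped rather than rejected, and once the watchdog trips the stage stays in the safe state until an explicit reset, which is the behaviour a downstream actuator needs when the host or RT side is misbehaving.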

Summary

The best practices presented here are meant to be employed by most users when developing a RIO system consisting of a host pc and a RIO device that has a real-time controller. The measures outlined here provide basic security on a number of layers in the RIO system. For additional security needs, please refer to the optional best practices: Best Practices for Security on RIO Systems: Part 2 Optional. You can return to the central site for best practices for security on RIO systems at: Overview of Best Practices for Security on RIO Systems.