Intended Use and IT Security Instructions

This section provides crucial security information and recommendations to help you configure your Welotec Substation Computer for optimal security in your deployment.

Intended Use

This section specifies the intended use and essential operating conditions for your Welotec Substation Computer (hereinafter referred to as “Computer”).

The Computer is designed to be used as a platform for deploying industry-specific applications, including but not limited to HMI, Engineering Workstations, Substation Gateways and SCADA systems. Its primary function is to act as a bare-metal server or virtualization host that provides the infrastructure for application deployment.

The intended use of the Computer is strictly defined by the following conditions and requirements:

Physical Security and Installation Environment

  • Enclosure: The Computer must be permanently installed within a secure and controlled enclosure such as a 19” rack which protects against external damage and unauthorized access.

  • Controlled Access: Access to the installation location must be restricted to authorized personnel only. Physical security measures (e.g., key locks, access control systems) are mandatory.

  • Environmental Conditions:

    • Temperature: The Computer must operate within the specified ambient temperature and humidity range as outlined in the technical specifications. Adequate ventilation or active cooling within the enclosure must ensure these limits are not exceeded.

    • Vibration and Shock: The Computer must be mounted securely within the enclosure to minimize exposure to excessive vibrations and mechanical shock, adhering to the manufacturer’s specifications.

    • Cleanliness: The inside of the enclosure must be kept free of dust, debris, and contaminants that could impair cooling or lead to electrical shorts.

EMC-Compliant Electrical Installation and Power Supply

This product is designed to meet relevant EMC standards when installed according to the following instructions. Failure to adhere to these instructions may result in the equipment failing to meet compliance standards and can cause interference with other devices. The installer is responsible for ensuring the EMC conformity of the final system.

  • Power Supply: The Computer must be connected to a dedicated stable and filtered power supply within the specified voltage range. To ensure operational reliability and meet relevant EMC requirements, the power source must provide adequate filtering against surges, transients, electrical fast transients (EFTs), and conducted RF noise common in rolling stock environments. An Uninterruptible Power Supply (UPS) is highly recommended to protect further against power fluctuations and outages.

  • Wiring: All wiring connecting to the Computer must comply with applicable wiring standards, be properly insulated, strain-relieved, and protected against mechanical damage.

  • Grounding: The unit must be properly grounded according to the installation manual, typically via a low-impedance connection to the control cabinet’s central grounding point.

Functional Safety

This unit is not certified as a standalone component for functional safety applications (e.g., SIL, PL).

Intended Use: The unit is intended for standard control and monitoring. It must not be used as the sole or primary controller for safety-critical functions.

System Integration: Safety-related control logic must be executed by dedicated, certified safety controllers (e.g., Safety PLC, safety relays). This unit may be used to supervise or monitor a safety system (e.g., for HMI visualization or data logging) via a non-safety-rated communication channel, but it must not be part of the safety-critical control loop. The failure of this unit must not lead to a loss of the primary safety function.

Qualified and Trained Personnel

  • Installation, Configuration, and Maintenance: All installation, configuration, maintenance, troubleshooting, and repair activities on the Computer and its connections within the control cabinet must be performed exclusively by qualified, trained, and authorized technical personnel. These personnel must possess proven expertise in electrical systems, IT hardware, and cybersecurity best practices.

  • Security Awareness: All personnel interacting with the Computer or the network it is connected to must receive regular training on IT security awareness including password policies and reporting suspicious activities.

Software and Configuration

  • Operating System: Only the pre-installed or manufacturer-approved operating system (OS) version may be used. The OS must be regularly updated with security patches provided by the manufacturer or OS vendor, after thorough testing in a non-production environment.

  • Secure Configuration: The Computer’s operating system, firmware, and installed applications must be configured according to secure hardening guidelines, including disabling unused services, ports, and protocols, and enforcing strong password policies.

  • Secure Boot: Where supported, Secure Boot must be enabled to prevent the loading of unsigned or malicious bootloaders.

Network Segmentation and “Defense in Depth” IT Security Principles

  • Network Isolation: The Computer and the OT network must be logically and, where feasible, physically separated from the IT network and the internet. This typically involves dedicated industrial network switches, firewalls, and separate cabling.

  • Defense in Depth: A multi-layered security approach (“Defense in Depth”) must be implemented for the entire system. This includes:

    • Network Security: Industrial Firewalls (e.g., Next-Generation Firewalls) at network boundaries, strict firewall rules (whitelist approach – only allow explicitly required traffic), VLANs for segmentation.

    • System Security: Operating system hardening (minimum services, disabled unnecessary ports), regular security updates, robust antivirus/anti-malware solutions specifically designed for industrial environments, and strong password policies.

    • Application Security: Secure configuration of all applications, disabling default credentials, and ensuring application-level security features are enabled.

    • Data Integrity: Measures to ensure data integrity and availability (e.g., backups, redundant systems where appropriate).

    • Physical Security: see “Physical Security and Installation Environment” above.

  • Access Control: Remote access to the Computer (if required) must be strictly controlled, using secure connections, multi-factor authentication, and granular user permissions. Unnecessary remote access functionalities must be disabled.

  • Logging and Monitoring: The Computer and connected network devices should implement logging of security-relevant events. Centralized monitoring and alerting systems are recommended for timely detection of anomalies.
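The "minimum services, disabled unnecessary ports" and "whitelist approach" points above are easiest to enforce when they can be audited mechanically. The following script is an added example, not part of the Welotec manual: it compares the TCP listeners reported by `ss` against an explicit list of allowed ports and reports everything else that is reachable from the network. The sample `ss` output, the allowed ports (22 for SSH, 2404 for IEC 60870-5-104) and the process names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Welotec manual): audit listening TCP sockets against
# an explicit allow list, the "whitelist approach" the hardening guidance asks for.
# Feed it real output of `ss -Htlnp` (no header) or the constructed sample below.

# Constructed sample of `ss -Htlnp` output: sshd and the IEC 104 gateway on 2404
# are expected, cupsd is loopback-only, nginx and telnet are not on the allow list.
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=990,fd=7))
LISTEN 0 511  *:80          *:*       users:(("nginx",pid=1201,fd=6))
LISTEN 0 128  [::]:22       [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 128  0.0.0.0:23    0.0.0.0:* users:(("in.telnetd",pid=1303,fd=4))
LISTEN 0 4096 0.0.0.0:2404  0.0.0.0:* users:(("iec104gw",pid=1440,fd=5))'

# unexpected_listeners "<space-separated allowed ports>" < ss-output
# Prints "port process address" for every non-loopback listener whose port is
# not on the allow list. Returns 1 if any were found, 0 otherwise.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }                      # skips a header line if present
    {
      addr = $4; port = addr
      sub(/.*:/, "", port)                       # text after the last colon
      sub(/:[^:]*$/, "", addr)                   # text before the last colon
      if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback-only is fine
      if (port in ok) next
      proc = "?"
      if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
      print port, proc, addr
      found = 1
    }
    END { exit found ? 1 : 0 }'
}

# Live usage on the Computer (root is needed for ss to show process names):
#   ss -Htlnp | unexpected_listeners "22 2404"
```

Run it after hardening and again after every update; a non-empty report means a service was enabled that the allow list does not know about, and either the service or the allow list needs to change. The same allow list is the natural source for the firewall rules at the network boundary.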

Non-Intended Use

Any use of the Computer that deviates from the conditions described, including but not limited to:

  • Operation outside the specified environmental limits.

  • Operation outside of a secure enclosure and controlled environment.

  • Installation or maintenance by unqualified personnel.

  • Direct connection to unsecured corporate networks or the internet without adequate protective measures.

  • Installation of unauthorized software or operating systems.

  • Bypassing or disabling of security features (e.g., firewall, antivirus, Secure Boot).

is considered non-intended use and may result in:

  • Damage to the Computer or the system.

  • Compromised data security and integrity.

  • Serious personal injury or death.

  • Failure to comply with regulatory requirements.

Exposed Interfaces and Services

The following interfaces are exposed:

  Interface     Comment
  LAN1 … n      Depending on configuration and SFP-type
  LOM           Lights-Out-Management
  USB1 … 5
  Console       Console Redirect
  VGA

Available services highly depend on Operating System type and version.

Security Recommendations

Use Secure Boot

Secure Boot is a crucial security feature that helps protect your system from malware and unauthorized operating systems during the boot process. It’s a component of the Unified Extensible Firmware Interface (UEFI) that ensures only trustworthy software, signed with a digital certificate, loads when your system starts. Without Secure Boot, malicious programs or unsigned operating systems could load unnoticed before the actual operating system, compromising your system’s integrity and security.

We highly recommend enabling Secure Boot. Please refer to the “BIOS” section of the manual for further details.
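Enabling Secure Boot in the BIOS is only half of the job; the setting should also be verified from the running system, because a firmware reset or an operator leaving the platform in setup mode silently switches enforcement off. The following script is an added example, not part of the Welotec manual: on a Linux OS it reads the `SecureBoot` and `SetupMode` variables from efivarfs (the EFI global variable GUID is the standard one). The directory override is an assumption made so the function can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the Welotec manual): confirm from a running Linux OS that
# the UEFI firmware is actually enforcing Secure Boot, by reading the EFI variables
# SecureBoot and SetupMode from efivarfs. Each efivar file holds 4 bytes of
# attributes followed by the value; for these two variables the value is one byte.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c      # EFI_GLOBAL_VARIABLE
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}     # overridable for testing

# efivar_byte NAME: print the first data byte of EFI global variable NAME as a
# decimal number (skipping the 4 attribute bytes); returns 1 if it does not exist.
efivar_byte() {
  f="$EFIVARS_DIR/$1-$EFI_GLOBAL_GUID"
  [ -r "$f" ] || return 1
  od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# secure_boot_status: prints enforced / disabled / setup-mode / no-uefi and
# returns 0 only when Secure Boot is enforced (SecureBoot=1 and SetupMode=0).
secure_boot_status() {
  sb=$(efivar_byte SecureBoot) || { echo no-uefi; return 1; }
  sm=$(efivar_byte SetupMode) || sm=0
  if [ "$sb" = 1 ] && [ "$sm" = 0 ]; then
    echo enforced
    return 0
  fi
  if [ "$sm" = 1 ]; then echo setup-mode; else echo disabled; fi
  return 1
}

# Usage on the Computer:  secure_boot_status || echo "Secure Boot is NOT enforced"
```

A result of `setup-mode` means the firmware accepts new platform keys without authentication and will not enforce signatures even if the SecureBoot variable reads 1, so it should be treated as disabled.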

Enable Storage Encryption

Storage encryption is a critical security measure that protects your sensitive data by rendering it unreadable to unauthorized parties, even if they gain physical access to your storage device. In today’s interconnected world, where devices can be lost, stolen, or compromised, ensuring the confidentiality of your information is paramount.

Windows (using BitLocker with TPM)

Windows’ built-in BitLocker encryption leverages the TPM to securely store the encryption key, making the process largely automatic and secure.

  • Check TPM Status: Ensure that the TPM chip is enabled in the UEFI/BIOS settings

  • Open BitLocker Drive Encryption: Search for “BitLocker” in the Windows search bar and select “Manage BitLocker.”

  • Turn on BitLocker: Select the drive you wish to encrypt (typically your C: drive) and click “Turn on BitLocker.”

  • Follow the Wizard: Windows will guide you through the process. Since a TPM is present, it will typically automatically use the TPM to store the encryption key. You will be prompted to save a recovery key (e.g., to a Microsoft account, a USB drive, or print it) – this is crucial in case you ever need to access your data if the TPM is reset or unavailable.

  • Start Encryption: The encryption process will begin in the background. You can continue using your computer during this time.

Standard Linux OS (using LUKS with TPM consideration)

Linux uses LUKS (Linux Unified Key Setup) for full disk encryption. Integrating it with a TPM for automatic unlocking at boot can be more involved than BitLocker but offers similar benefits. This typically involves tools like clevis or systemd-cryptenroll.

  • Install Necessary Tools: You’ll need cryptsetup for LUKS and potentially tpm2-tools and clevis (or similar TPM integration tools) if you want to bind your LUKS key to the TPM for automatic decryption.

  • Encrypt the Drive (during OS Installation or manually):

    • During Installation: Most Linux distributions (e.g., Ubuntu, Fedora) offer an option to “Encrypt the disk” during the installation process. This is the simplest way to set up LUKS.

    • Manually (Post-Installation): If encrypting an existing drive or a secondary drive, you would use cryptsetup luksFormat /dev/sdXy to format the partition for LUKS, followed by cryptsetup luksOpen /dev/sdXy my_encrypted_drive and then creating a filesystem on the opened device.

  • Bind LUKS Key to TPM (Optional, for automatic unlock):

    • This is the step that utilizes the TPM. Tools like clevis can be used to “bind” a LUKS passphrase (or a key slot) to the TPM. This allows the system to automatically unlock the encrypted volume at boot if the TPM verifies the system’s integrity.

    • The exact commands vary, but it generally involves generating a new LUKS key slot and then using a TPM-binding tool to store the key in the TPM and configure the system to use it for unlocking.

  • Update Boot Configuration: Ensure your bootloader (e.g., GRUB) is configured correctly to handle the encrypted root partition and, if used, to leverage the TPM for unlocking.
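The steps above say that the exact TPM-binding commands vary. The following script is an added example, not part of the Welotec manual, that carries the procedure through with `systemd-cryptenroll`: it enrols a TPM2-sealed key slot bound to PCR 7 (the Secure Boot policy state), adds the `tpm2-device=auto` option to the volume's `/etc/crypttab` entry, and rebuilds the initramfs. It assumes systemd 248 or newer with a systemd-based initramfs, a LUKS2 volume and root privileges; `/dev/sdXy`, the mapping name `cryptroot` and the `DRY_RUN`/`CRYPTTAB` variables are placeholders and conventions of this example only.

```shell
#!/bin/sh
# Added example (not from the Welotec manual): bind an existing LUKS2 volume to the
# TPM2 with systemd-cryptenroll and have it unlocked automatically at boot.
# Assumptions: systemd 248 or newer with a systemd-based initramfs, a LUKS2 volume,
# root privileges. /dev/sdXy and the mapping name are placeholders.
# Set DRY_RUN=1 to only print the privileged commands instead of running them.

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# enroll_tpm2 DEVICE [PCRS]
# Adds a TPM2-sealed key slot bound to the listed PCRs (default 7, the Secure Boot
# policy state). The existing passphrase slot is kept as the recovery path; the
# tool prompts for it once.
enroll_tpm2() {
  run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="${2:-7}" "$1"
}

# add_crypttab_option FILE NAME OPTION
# Appends OPTION to the options column of the crypttab entry for mapping NAME,
# creating the column if the entry has fewer than four. Idempotent; comments and
# other entries are passed through unchanged.
add_crypttab_option() {
  file=$1
  awk -v name="$2" -v opt="$3" '
    /^[[:space:]]*#/ || NF == 0 || $1 != name { print; next }
    {
      if (NF < 3) $3 = "none"
      if (NF < 4) $4 = opt
      else if (index("," $4 ",", "," opt ",") == 0) $4 = $4 "," opt
      print $1, $2, $3, $4
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# bind_luks_to_tpm DEVICE MAPPING_NAME
# Full procedure: enrol the TPM2 key slot, tell crypttab to try the TPM first,
# rebuild the initramfs so the early-boot unlock picks the change up.
bind_luks_to_tpm() {
  enroll_tpm2 "$1" 7
  add_crypttab_option "$CRYPTTAB" "$2" tpm2-device=auto
  run update-initramfs -u        # Debian/Ubuntu; use "dracut -f" on Fedora/RHEL
}

# Usage on the Computer (as root), e.g.:
#   bind_luks_to_tpm /dev/sdXy cryptroot
```

Binding to PCR 7 means the volume unlocks automatically only while the Secure Boot policy is unchanged; after a firmware update or a change to the enrolled keys the TPM refuses to unseal and the passphrase slot (or the recovery key) is needed, which is why that slot must never be removed. Systems that use clevis instead achieve the same binding with `clevis luks bind -d /dev/sdXy tpm2 '{"pcr_ids":"7"}'`.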

For both operating systems, it’s essential to:

  • Backup your recovery keys/passphrases: Without them, your data can be permanently lost if there’s a hardware failure or you forget your primary password.

  • Understand the implications: While encryption provides strong security, proper handling of keys and adherence to security best practices are still crucial.

Other Operating Systems

Please refer to the documentation of the OS for further details.

Use Strong Passwords

Strong passwords are the first line of defense against unauthorized access. If you want to use password-based access, it is recommended to:

  • Change factory default passwords on first login

  • Use passwords with a minimum length of 12 characters

  • Use a combination of uppercase and lowercase letters, numbers, and special characters (e.g., !@#$%^&*)

  • Do not use easily guessable patterns, such as sequences (e.g., “123456”, “abcdef”), repeated characters (e.g., “aaaaaa”), or dictionary words
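The rules above can be enforced at the point where a local account or service password is set. The following script is an added example, not part of the Welotec manual: it checks a candidate password against the policy (length, character classes, sequences, repeated characters, dictionary words) and names each violated rule. The built-in word list is a constructed stand-in for a real dictionary, and the choice of a 4-character window for sequences and a 3-character run for repeats are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Welotec manual): check a candidate password against
# the policy above (12+ characters, mixed character classes, no sequences, no
# repeated runs, no dictionary words). The word list below is a constructed stand-in
# for a real dictionary; it and the 4-character sequence window are assumptions.

DENY_WORDS="password welcome admin letmein substation"

# check_password PASSWORD
# Prints one line per violated rule; returns 0 when the password passes, 1 otherwise.
check_password() {
  printf '%s' "$1" | awk -v deny="$DENY_WORDS" '
    { pw = $0 }
    END {
      fail = 0
      if (length(pw) < 12)      { print "too short (minimum 12 characters)"; fail = 1 }
      if (pw !~ /[A-Z]/)        { print "no uppercase letter"; fail = 1 }
      if (pw !~ /[a-z]/)        { print "no lowercase letter"; fail = 1 }
      if (pw !~ /[0-9]/)        { print "no digit"; fail = 1 }
      if (pw !~ /[^A-Za-z0-9]/) { print "no special character"; fail = 1 }

      # ascending or descending runs of 4 letters or 4 digits, e.g. abcd, 6543
      low = tolower(pw)
      alpha = "abcdefghijklmnopqrstuvwxyz"; digit = "0123456789"
      ralpha = ""; for (i = length(alpha); i >= 1; i--) ralpha = ralpha substr(alpha, i, 1)
      rdigit = ""; for (i = length(digit); i >= 1; i--) rdigit = rdigit substr(digit, i, 1)
      for (i = 1; i + 3 <= length(low); i++) {
        w = substr(low, i, 4)
        if (index(alpha, w) || index(digit, w) || index(ralpha, w) || index(rdigit, w)) {
          print "contains sequence \"" w "\""; fail = 1; break
        }
      }
      # the same character three or more times in a row, e.g. aaa
      for (i = 1; i + 2 <= length(pw); i++) {
        c = substr(pw, i, 1)
        if (c == substr(pw, i + 1, 1) && c == substr(pw, i + 2, 1)) {
          print "repeated character \"" c "\""; fail = 1; break
        }
      }
      # dictionary words anywhere in the password, case-insensitive
      n = split(deny, words, " ")
      for (i = 1; i <= n; i++)
        if (index(low, words[i])) { print "contains dictionary word \"" words[i] "\""; fail = 1 }
      exit fail
    }'
}

# Usage:  check_password 'candidate' && echo "policy satisfied"
```

The password is passed on standard input to awk rather than as a command-line value so that backslashes and other special characters are not reinterpreted; in production the candidate should be read with `stty -echo` or a PAM module rather than typed as a shell argument, where it would land in the shell history.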

Vulnerability Handling

Welotec has implemented a Coordinated Vulnerability Disclosure Policy - please visit the following site for further details: https://welotec.com/pages/coordinated-vulnerability-disclosure-policy