Introduction

Our platform caters to mission-critical systems in sectors like Energy, Oil & Gas, and Pharma. Whether meeting NERC or FDA standards, it provides a stable, secure infrastructure from HMI to IoT. This section delves into key features.

On this page:



Security Highlights

Security and Reliability

We prioritize stability and security throughout our platform's design, from technology selection to module architecture.


Easy Configuration and Maintenance

Our platform offers secure, straightforward configuration and maintenance for various scenarios, ensuring scalability and consistency.


Operational Stability

Operational stability is guaranteed with our platform's 100% managed code implementation, featuring robust exception handling and seamless failure recovery.


Redundancy and Availability

For high availability, our platform offers redundancy with a proven hot-standby system for real-time databases, alarms, and historians, catering to diverse network setups.



FDA 21 CFR Part 11 and NERC

The software platform has a range of security and compliance features that can be used to help organizations meet the requirements of FDA 21 CFR Part 11. It is important to note that compliance is an ongoing process, and therefore, organizations should regularly monitor and update their systems and policies to ensure adherence to the standards established by the FDA.

The platform was also designed following the applicable recommendations from NERC CIP, such as the CIP-007-1 - Cyber Security-System Management.

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Listed below and described are some security-related features available in the product:

  • Access Control: Security technique that regulates who or what can view or use resources in a computing environment.

  • Password Encryption: System administrator does not possess access to the user password. They are encrypted before being stored.

  • Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing its change, and a maximum age before expiring.

  • Required Password changing: Forces the user to alter his password after the first login has been made.

  • User Name and Password Minimum Length: Establishes minimum requirements for passwords.

  • Block on Invalid Login Attempt: Blocks User after reaching maximum number of invalid logins attempted.

  • Store Password History: A range of the last 0-5 passwords can be stored to make sure User does not repeat an already used one.

  • Auto Log Off: User is logged off the system for inactivity or expiration date.

  • Audit Trail Data: Security-relevant chronological record, set of records, that provide documentary evidence of the sequence of activities that have affected at any time a specific operation.


For detailed Explanation on how to add security management in project consist with these rules, go to the page FDA 21 CRT Compliance page.

For addition information on NERC CIP-007-1 - Cyber Security-System Management, go to the page NERC CIP Overview.



Built-in .NET Security

FrameworX development is built on the .NET framework, following strict security protocols. Each module adheres to specific guidelines aligned with its function, such as FDA compliance for the Alarms module and adherence to standards like IEC61850 for modules handling electrical device communications.

Below are the main security topics along with essential details about each.

Security at the Core Level

Security implementation is ingrained at the core level rather than being applied externally. The platform's modules incorporate built-in security components designed from their very core.

For more detailed insights into security in .NET, refer to Microsoft's documentation available at: Microsoft .NET Security Information



Web Client Communication Security

HTML5 provides flexibility in choosing between "http" or "https/ssl" protocols.

The production servers will use HTTPS, but the allowing http connection on development, simplifies the early state of the projects.

The HTTPS uses TLS security. 

The TSecureGateway is a crucial part of our platform, enabling smooth data transfer across different security network zones. It serves as a bridge, moving data from lower levels, like the factory floor (Level 2), to higher levels such as the enterprise (Level 4).

Acting as a protective barrier, the TSecureGateway shields internal networks from insecure traffic. Enterprises rely on it to guard employees and users against potential threats from malicious web traffic, websites, viruses, and malware.



Files and Execution Protection

License/Softkey

The "License/Softkey" feature employs the .NET class System.Security.Cryptography.Rijndael, utilizing symmetric encryption with a key size of 256 bits.

Digital signature

All assemblies created by Tatsoft are signed digitally.

Project format (Configuration protection) 

All project settings, including security measures like cryptography, power recovery, and user/password protections, are stored in a relational database (.dbsln file). The source code and compiled binaries for Scripts and Displays are also stored in this file. This centralized storage method streamlines project management and deployment, making access and maintenance easier.



User Authentication and Permissions

User Authentication

Our platform offers integration with various systems for user authentication:

  • Microsoft Active Directory and Windows Authentication
  • LDAP server connection
  • Built-in Users Database
  • External databases or user authentication servers

Active-Directory / Windows Authentication

Enabling Windows Authentication bypasses the project's configured user list, relying on Windows policies instead. Windows manages user authentication directly, utilizing the currently logged-in Windows user for system access.

LDAP

When LDAP is used, the project ignores its configured user list and relies on policies managed by Windows and the LDAP Server. Authentication is handled by both Windows and the LDAP Server, with the external user logged into the LDAP Server being utilized within the system.

Runtime Users

The system dynamically generates users and stores their credentials in SQL databases. It seamlessly integrates with Active Directory or third-party systems to retrieve users, enabling integrated security and unified login capabilities.


Roles, Permission and Policies

Group and User Permissions

Our users have complete flexibility to define privileges based on groups or specific individuals. Permissions can be set globally or linked to particular displays, objects, or input actions, offering granular control over access levels.


User Policies

Our platform offers a comprehensive array of user management features, including identification policies, session duration control, automated logoff mechanisms, electronic signature capabilities, and robust audit-trail functionality.




Database Injection Protection

In database operations involving stored procedures, there is a significant concern about SQL injection. SQL injection can occur if parameters are passed as plain text within SQL statements, which could allow malicious code to be executed. To prevent this, we use the .NET API, where parameters are added to a command object’s parameter list. This approach makes SQL injection impossible by safely handling user input.




Security External Validation

Regularly the platform is accessed by Veracode, or third-party companies, on penetration testing report, gap analysis, and various other topics.

Any issues that would prevent a 100% approval are corrected.




In this section...

  • No labels