Security recommendations

In order for Nerve to operate in a secure manner, there is a set of measures that needs to be taken by implementers of Nerve. The information below is split into secure installation, operation and disposal, each focusing on the measures that need to be taken. The current state of the Nerve system in regards to the measure is also summarized.

Secure installation

The measures described here need to be taken into consideration in the planning phase of the environment.

Installation

Measure
Provide physical protection against physical access to the device to avoid an unauthorized user accessing sensible data on the disk.

Network connection

On the node the wan interface is used for the connection to the Management System. The communication towards the Management System uses HTTPS to ensure protection and is always initiated from the node, never from the Management System.

Measure
Place the node behind a firewall allowing access to port 443. If workloads provide access to additional ports, the workloads should be hardened to prevent unauthorized access and the firewall configuration should be adapted.

To ensure compatibility with fieldbus (Profinet, Modbus), communication towards the machine network is not encrypted.

Measure
Limit physical access to the network cables in order to protect the network within the machine. Whenever possible, select a secure connection to devices.

By default the networks in Nerve are isolated and no monitoring is implemented. Island mode can be achieved by resetting the network configuration on the node.

Measure
Ensure a process during network design to limit traffic crossing boundaries to the strict minimum.

Secure operation

The measures described here need to be taken into consideration when setting up the Nerve system for operation and during the operation of the system.

User management and permissions

In Nerve authentication is implemented in the Management System and on the node using email and password. The user accounts for the node and the Management System are not synchronized and must be managed separately.

The Management System can use its own user management system or can be connected to an LDAP server providing the necessary information for authentication and allowing the use of an already implemented password policy. In case of delegation, the LDAP groups can be mapped to the roles in the Management System. The nodes cannot be connected to an external user management system.

A minimum set of password requirements is used in the Management System. The lifetime of a password cannot be enforced in the Management System, as password lifetime restrictions are not considered best practice anymore. The Management System enforces the following password policy:

At least one uppercase letter
At least one lowercase letter
At least one number
Minimum length of seven characters

Stronger password requirements or lifetime restrictions can be done by delegating authentication to an LDAP or Active Directory server with the desired configuration. Also, support the use of long passwords by deploying appropriate password stores.

Measures
Select local user management or LDAP server synchronization based on the available infrastructure, security policy and password policy.
Periodically review all user accounts and remove the ones which are not needed anymore.

The Management System does not have a default password. When users are created they receive an email instructing them to create a new password on a dedicated page. Passwords are transmitted only over HTTPS and not stored in clear text.

The Nerve system implements user management, associated with a fine-grained Role Base Access Control system (RBAC). This is meant to prevent unauthorized operations by following the least privileged rule.

Measures
Implement a process to define the roles as needed for operation (e.g. admin, operator, etc.) with the minimum possible number of access rights. The permissions for each role and the assignment of the roles to the different users should be reviewed periodically, at least once a year.
Consider the necessity for user access to audit logs when defining roles and permissions.

Management System operations

The Management System needs certificates to encrypt communication with nodes over HTTPS. The node is based on Debian and only accepts the certificate authority root certificates provided by Debian. The certificates used by the Management System are provided by the user when deployed on premise or by LetsEncrypt when hosted by TTTech Industrial.

Measures
Ensure a periodic (e.g. 90 days) and timely renewal of the certificates of the Management System if the Management System is hosted on premise.
Develop and implement a backup mechanism for the Docker volumes of the Management System when operating the Management System on premise.

Node operations

Measure
Integrate the onboarding of a Nerve node into the machine commissioning procedure. Add a manual verification of the serial number to the procedure.

The node authenticates itself to the Management System using a serial number as the identifier and a secure ID as the password.

The number of remote sessions to the node can be limited. The limit of sessions is configurable per connection.

Measure
Implement a process to define and enforce a limited number of parallel sessions for each connection in the Management System.

The Nerve node can be configured to collect logs from Docker workloads.

Measure
Implement adequate logging when creating control workloads.

Secure disposal

The disk used by the Nerve node stores information in clear text, no encryption is used.

Measure
Remove the disk from the node before disposal and wipe it with adequate tools or ensure physical destruction.

Support contact

In case of a security issue concerning Nerve, write an issue through the TTTech Industrial support portal to contact customer support.

Select New Request.
Select Nerve Edge Computing.
Select Nerve Product Security
Select Nerve Product Security Report
Fill in the fields.
Select Submit.