The following test cases were validated on XMPro v4.1.13 on Windows Server 2019.
Save the File Key, as it will be needed later.
Place it in the C: drive for optimal results.
Helpful Tips: After navigating to App Designer, the web page should be unlicensed. Test 5: Activate Licenses shows how to obtain a license.
Creating a Company and Company Admin allows you to use the XMPro Products in a segmented operation. Having separate users allows for each user to be accountable for the changes they make.
Ensure that the Create new company check box is selected.
Helpful Tips: If you do not receive an email, check your SMTP server configuration.
In order to start using XMPro Products (for the first time or to renew a license), you need to activate their licenses. Perform the following steps to activate the license:
Helpful Tips: If your SMTP server can reach out to XMPro, it may send the request directly to XMPro.
Helpful Tips: If you are deploying your Stream Host on a different server than your DSD, ensure that you have the .NET Core 5.0+ installed.
Encrypting data in transit between XMPro and the database ensures that XMPro logs and configuration changes are visible only to those authorized to see them.
Helpful Tips: It is also helpful to encrypt data at rest in the database.
Encrypting data at rest makes database contents unreadable unless you have the authorization and keys to decrypt.
Authentication proves an individual’s, service’s, process’s, or device’s identity with some type of credentials. XMPro uses emails to create subscription-based accounts for their platform. XMPro has included SSO integration with Microsoft ADFS and Azure for their next version update and you can find the configuration steps in their documentation.
Creating multiple users to add to your company can help segment the roles within the company. Ensure that each user is unique: users can have the same name, but their XMPro company usernames should be unique. Users can also have more than one account tied to their work email, but each account needs a separate XMPro login.
Helpful Tips: Check your SMTP server logs to diagnose transmission failures, and adjust your XMPro SMTP Server settings if the issue is on the XMPro end. You can set up the company admin to auto-approve user requests.
XMPro lets you customize the password policy. It comes with five requirements: at least “One lowercase character”, “One uppercase character”, “One numeric character”, “One special character”, and “eight characters minimum”. Defining stronger password settings helps reduce the risk of compromised accounts. XMPro provides minimal authenticator feedback, which avoids giving attackers too much information.
Helpful Tips: For this test, temporarily take note of passwords so you remember and do not misspell them.
Authorization grants permission and access to resources based on their proven (authenticated) identity. XMPro uses a form of Role-Based Access Control (RBAC), but each individual Data Stream Designer and App Designer can choose who has access to their Use Cases and Apps.
Deleting users controls who has access to XMPro’s Web Application, in addition to the User roles. Delete user accounts once the user no longer requires access to XMPro.
Confirm that the + button for collection takes you to the categories page, so you cannot create a collection.
Helpful Tips: Note that for App Designer, the User privilege cannot delete an App, but the Design User can; therefore, when configuring the Custom User, it is useful to copy the privileges of the User, not the Design User. This is why the Custom User cannot delete an App.
Accounting methods track user activity and record the activity in logs such as in audit trails.
When patching XMPro and updating licenses, ensure that you are updating to the correct version, and verify using the following steps.
Audit trails allow professionals to re-create the events leading up to a security incident.
Locate the following line near the top of the page:

<section name="xmpro" type="XMPro.Configuration.Configuration, XMPro.Configuration" />

Locate the <xmpro configProtectionProvider...> section near the bottom and notice that it is encrypted. Change the line above to:

<!--<section name="xmpro" type="XMPro.Configuration.Configuration, XMPro.Configuration" />-->

Return to the <xmpro configProtectionProvider...> section. Notice that the information has been decrypted. In the <server...> block, add enableLogging="true" before the > next to serverUUID if not there already. Run:

.\aspnet_regiis.exe -pe "xmpro" -app /xmprosubscriptionmanager -prov RsaProtectedConfigurationProvider

Change

<!--<section name="xmpro" type="XMPro.Configuration.Configuration, XMPro.Configuration" />-->

to

<section name="xmpro" type="XMPro.Configuration.Configuration, XMPro.Configuration" />

and Save.

Helpful Tips: This file gets large, so log rotation is recommended. Log rotation can be added to avoid missing log data or filling up storage on the host. It is also useful to export logs to a more persistent store for future analysis.
SELECT ADAudit.[Changes], ADAudit.UserId FROM AD.dbo.AuditTrail ADAudit

Helpful Tips: You can use a similar method for Data Stream Designer, but Data Stream Designer already has audit logs and timelines displayed in the application.
Helpful Tips: It is possible to export the logs.
Time stamps are essential to accountability: they identify when changes occurred or events happened. Insight into the timeline of your assets not only boosts security but, when analyzed and optimized, can also boost productivity. In the case of XMPro, the time does not appear to be synced with the product server but with the desktop on which you are running the service. The test below shows how to verify and configure this attribute with Data Stream Designer.
Helpful Tips: If deploying XMPro products on different servers, ensure that their clocks are synced so there is no confusion when analyzing logs.
Create a username and password.
Hostname and IP are for the Splunk Server.
Helpful Tips: If deploying Splunk on containers such as Docker, ensure that you expose the receiver and forwarder ports in addition to HTTPS during deployment (for example, receiver 9997 and forwarder 8089: “-p 8089:8089 -p 9997:9997”). If the error message in Forwarder Management is a licensing issue, update the Splunk licenses. When adding a file path, include the log file and not just the directory.
Confidentiality prevents the unauthorized disclosure of data. XMPro’s data streaming pipeline is as follows: Asset > Stream Host > Data Stream Designer (XMPro). In the default configuration, the second leg of the pipeline, Stream Host > Data Stream Designer, is encrypted using HTTPS. However, the communication from Asset > Stream Host may not be encrypted. Although unencrypted communication has been the norm in the OT environment, as part of defense-in-depth it is important to consider encrypting the traffic of OT asset protocols. The following tests explore suggestions on how this can be implemented with XMPro.
Helpful Tips: Ensure that your server certificate subject and/or SAN (Subject Alternative Name) matches the hostname/FQDN or IP address in your Server Endpoint URL.
Ensure that if you input an FQDN into Host, it is recognized by the Stream Host Server in its Hosts file.
See Use Mosquitto as an MQTT Broker to deploy your own Secure Mosquitto broker.
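One way to automate the certificate tip above, as an added example that is not part of the guide or of XMPro's own code: it takes the Server Endpoint URL and a certificate in the dict form returned by `ssl.SSLSocket.getpeercert()`, and reports whether the host is covered by the SAN (or, when the certificate carries no DNS SAN at all, by the CN). It also covers the FQDN-versus-IP case: an IP address in the URL is only satisfied by an IP Address SAN. The `endpoint_matches_cert` helper and `SAMPLE_CERT` are constructed for illustration.

```python
# Added example (not from the guide): check that the host in a Stream Host
# Server Endpoint URL is covered by the server certificate's SAN (or, absent
# any DNS SAN, its CN). The cert is in the dict shape returned by
# ssl.SSLSocket.getpeercert(); SAMPLE_CERT below is constructed, not real.
import ipaddress
from urllib.parse import urlsplit

def _dns_match(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.example.local)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def endpoint_matches_cert(endpoint_url, cert):
    """Return (ok, reason) for the endpoint URL's host against the cert."""
    host = urlsplit(endpoint_url).hostname
    if not host:
        return False, "endpoint URL has no host"
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is only matched by an IP Address SAN, never by CN/DNS.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san):
            return True, "IP Address SAN match"
        return False, f"no IP Address SAN for {host}; use the FQDN or reissue the cert"
    dns_names = [v for k, v in san if k == "DNS"]
    if any(_dns_match(p, host) for p in dns_names):
        return True, "DNS SAN match"
    if not dns_names:
        # Legacy fallback: CN counts only when the cert has no DNS SAN at all.
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        if any(_dns_match(p, host) for p in cns):
            return True, "CN match (no SAN; modern clients reject such certs)"
    return False, f"{host} not covered by SAN {dns_names or 'none'}"

# Constructed sample in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "xmpro.example.local"),),),
    "subjectAltName": (("DNS", "xmpro.example.local"), ("DNS", "*.edge.example.local")),
}
```

A failing result with the "no IP Address SAN" reason is the mismatch the tip describes; the fix is to put the FQDN in the endpoint URL (and in the Stream Host server's hosts file) or to reissue the certificate with the IP in its SAN.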
As part of defense-in-depth, OS hardening is a way to make the operating system that the applications sit on more secure than its default installation. This helps eliminate vulnerabilities from default and weak configurations. This section makes a few recommendations to harden the system running XMPro.
Some OS hardening tips include:
The Industrial Demilitarized Zone (IDMZ) is a boundary that creates a buffer between the production environment or facility (OT, including ICS, industrial control systems) and the IT or business/enterprise systems. These layers have different security requirements and do not trust each other, so the IDMZ is a boundary that uses network and application security controls to manage the flow of data between these untrusted zones. It is important to consider rules that pertain to the IDMZ because the vulnerabilities and threats that affect OT and IT are not the same; it would be disastrous if an incident spread into the other network, where neither side is adequately prepared to handle it.
This test shows the firewall rules for a deployment of XMPro implemented in an IDMZ architecture. XMPro in the IT network can be separated by product; the products do not have to be on the same host. For this test, the OPC UA and MQTT protocols were used, and both secure and insecure configurations of the protocols were tested.
Description | Source network | Source device | Destination network | Destination device | Port | Application |
Allow Stream Host to access OT protocols (OPC UA and MQTT) | IDMZ | Stream Host | OT | OPC UA Server | TCP 4840 | opc-base, opc-ua-acknowledge |
Allow Stream Host to access OT protocols (OPC UA and MQTT) | IDMZ | Stream Host | OT | MQTT Server | TCP 1883 | mqtt |
Allow Stream Host to access OT protocols (OPC UA and MQTT) | IDMZ | Stream Host | OT | MQTT Server Secure | TCP 8883 | ssl |
Allow Stream Host to access XMPro using HTTPS | IDMZ | Stream Host | IT | XMPro | TCP 443/8443 | ssl |
Helpful Tips: The Application attributes correspond to Palo Alto firewalls and may differ for your network firewall. The MQTT and OPC UA ports listed are the default ports for the servers and brokers that we use. Most protocol analyzers recognize 4840 as the OPC UA discovery port. Part of defense-in-depth is to avoid using the default ports; however, internal employees should be aware of the ports in use.
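The allow-list from the table above encoded as data, with a default-deny matcher and a lint pass, as an added example that is not part of the guide (the `Rule`, `is_allowed` and `lint_rules` names are mine). The lint flags any rule on TCP 1883 (MQTT without TLS, where the table also offers 8883) and any rule that would connect OT and IT directly instead of through the IDMZ.

```python
# Added example (not part of the Dell/XMPro guide): the IDMZ allow-list above
# as data, with a default-deny matcher and a lint pass for weak rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    description: str
    src_zone: str
    src_device: str
    dst_zone: str
    dst_device: str
    port: int  # TCP destination port

# Transcribed from the table; the Palo Alto "Application" column is omitted
# and the combined "TCP 443/8443" entry is split into two rules.
IDMZ_RULES = [
    Rule("Stream Host to OPC UA", "IDMZ", "Stream Host", "OT", "OPC UA Server", 4840),
    Rule("Stream Host to MQTT", "IDMZ", "Stream Host", "OT", "MQTT Server", 1883),
    Rule("Stream Host to MQTT Secure", "IDMZ", "Stream Host", "OT", "MQTT Server Secure", 8883),
    Rule("Stream Host to XMPro HTTPS", "IDMZ", "Stream Host", "IT", "XMPro", 443),
    Rule("Stream Host to XMPro HTTPS", "IDMZ", "Stream Host", "IT", "XMPro", 8443),
]

def is_allowed(src_zone, src_device, dst_zone, dst_device, port, rules=IDMZ_RULES):
    """Default deny: a flow is permitted only if some rule matches every field."""
    return any(
        (r.src_zone, r.src_device, r.dst_zone, r.dst_device, r.port)
        == (src_zone, src_device, dst_zone, dst_device, port)
        for r in rules
    )

def lint_rules(rules=IDMZ_RULES):
    """Flag rules that carry MQTT without TLS (1883) or that connect OT and IT
    directly, bypassing the IDMZ. Returns a list of finding strings."""
    findings = []
    for r in rules:
        if r.port == 1883:
            findings.append(f"{r.description}: TCP 1883 is MQTT without TLS; prefer 8883")
        if {r.src_zone, r.dst_zone} == {"OT", "IT"}:
            findings.append(f"{r.description}: direct OT<->IT flow bypasses the IDMZ")
    return findings

if __name__ == "__main__":
    print(is_allowed("IDMZ", "Stream Host", "OT", "OPC UA Server", 4840))  # True
    print(is_allowed("IT", "XMPro", "OT", "OPC UA Server", 4840))          # False
    for finding in lint_rules():
        print("finding:", finding)
```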
This is a theoretical use case to duplicate data from the OT Network into a mirror database hosted in IDMZ so that Stream Host is not reaching directly into the OT network from the IDMZ. Stream Host has database agents that allow you to pull data from different types of databases.
OT Protocols -> 1) Convergence platform -> 2) Historian -> 3) Mirror DB -> 4) SH (Stream Host) -> 5) XMPro