Web security
The Fidelix substation uses the same communication protocols that internet devices commonly use. This enables flexible communication in both local and internet environments.
Using common protocols brings many benefits, but it also creates a risk of unauthorized access to the system, and installers must be aware of this.
As a factory setting, the users SYSTEM and FX2020 and the SSH server have default passwords. They should be changed to unique passwords.
Password length is essential to security, so passwords of AT LEAST six characters should be used, especially in devices that are connected to the internet.
Additional security can be achieved by defining a webVision authentication key. It affects communication between substations and webVision, and also communication between substations.
The settings also include a firewall page where you can hide unnecessary services or limit their visibility to certain addresses.
The firewall settings allow you to define settings for the following functions:
- Web server, TCP port 80
Browser-based user interface. The local display works even when this port is disabled. Note! Limiting internet access to specified addresses only is recommended.
- webVision, TCP port 1235
Users: webVision, OPC server, global points and synchronization of substations. Note! An authentication key should always be used when communicating over the internet. Note! Limiting internet access to specified addresses only is recommended.
- SMTP server, TCP port 25
User: Alarm forwarding between substations. Note! This service has no user checking, so unlimited internet access is forbidden.
- Time server, UDP port 123
User: Time synchronization between substations. Note! This service has no user checking, so unlimited internet access is forbidden.
- BACnet IP, UDP port 47808
User: BACnet communication. Note! This service has no user checking, so unlimited internet access is forbidden.
- Ping
Used for testing the network.
- Maintenance (SFTP TCP port 22 and SSH TCP port 22)
Used for file transfer. Note! Limiting internet access to specified addresses only is recommended. Note! Public addresses are disabled if the default password is used.
- OpenPCS, TCP port 23042
Used for sending IEC programs to the substation. Note! This service has no user checking, so unlimited internet access is forbidden.
When the internet is used, the best security level is achieved by using a VPN connection, either with a TosiBox router or with the built-in VPN server of an internet modem.
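The notes in the firewall list above can be checked mechanically once the firewall page has been transcribed by hand. The following is an added example, not Fidelix code: the dict layout, the service keys and the choice to treat only RFC 1918 ranges as local are assumptions, and the sample values are constructed.

```python
import ipaddress

# Ports and notes transcribed from the firewall list above.
PORTS = {"web": ("tcp", 80), "webvision": ("tcp", 1235), "smtp": ("tcp", 25),
         "time": ("udp", 123), "bacnet": ("udp", 47808),
         "maintenance": ("tcp", 22), "openpcs": ("tcp", 23042)}
FORBID_UNLIMITED = {"smtp", "time", "bacnet", "openpcs"}  # "no user checking"
RECOMMEND_LIMIT = {"web", "webvision", "maintenance"}     # limiting is recommended
# Assumption: only RFC 1918 ranges count as local, the rest as internet. IPv4 only.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_unlimited(nets):
    return any(n.prefixlen == 0 for n in nets)

def is_public(nets):
    return any(not any(n.subnet_of(loc) for loc in LOCAL_NETS) for n in nets)

def audit(cfg):
    """Return (severity, service, message) tuples for a transcribed firewall page."""
    findings = []
    for name, sources in cfg["services"].items():
        nets = [ipaddress.ip_network(s) for s in sources]
        if not nets:
            continue  # empty list = service hidden by the firewall
        port = "%s/%d" % PORTS[name]
        if name in FORBID_UNLIMITED and is_unlimited(nets):
            findings.append(("FAIL", name, port + ": no user checking, unlimited access is forbidden"))
        if name in RECOMMEND_LIMIT and is_unlimited(nets):
            findings.append(("WARN", name, port + ": limit access to specified addresses"))
        if name == "webvision" and is_public(nets) and not cfg["auth_key_set"]:
            findings.append(("FAIL", name, port + ": used over internet without authentication key"))
        if name == "maintenance" and is_public(nets) and cfg["default_passwords"]:
            findings.append(("FAIL", name, port + ": public addresses listed with default password"))
    return findings

# Constructed sample, not a real Fidelix export; the layout is hypothetical.
SAMPLE = {
    "auth_key_set": False,
    "default_passwords": True,
    "services": {
        "web": ["0.0.0.0/0"],
        "webvision": ["192.168.10.0/24", "203.0.113.7/32"],
        "smtp": ["192.168.10.0/24"],
        "time": ["0.0.0.0/0"],
        "bacnet": [],
        "maintenance": ["203.0.113.7/32"],
        "openpcs": ["10.0.0.0/8"],
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```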