Security best practices - octoplant server

The following documentation outlines security best practices for your octoplant server. We recommend that these measures be implemented by your IT department or a designated octoplant administrator.

• Do not expose the octoplant server to the internet. The octoplant server does not require client connections from outside the internal firewall.

  We recommend:

  • Restricting inbound communication to your internal customer network.
  • Using a VPN to allow client applications to connect to the octoplant server when outside the internal network.
  • Restricting inbound connections to the octoplant server. While outbound communication with the octoplant pro hub is required, inbound traffic should be minimized.

• Use antivirus software

  • Follow your IT department's guidelines for installing and maintaining antivirus or malware detection tools.

• Privileges

  • Review required user privileges for installing and operating the octoplant server.

  • Apply the principle of least privilege:

    • Grant only the minimum permissions necessary for users and applications.
    • Enforce access controls to ensure only authorized personnel can access the server.
    • Use strong, unique passwords, or preferably, enable multi-factor authentication (MFA) where possible.

• Leverage your existing LDAP server

  • If available, use your centralized LDAP server to manage user accounts and passwords.

  • Centralized identity management enhances security by:

    • Enforcing consistent password policies (e.g., complexity and expiration)
    • Avoiding password storage within octoplant

• Use properly configured octoplant agents to communicate with automation devices

  • Isolate automation devices in the OT network and route communications through octoplant agents. The octoplant server can reside in the business network, while agents operate in the OT network.

• Remove client applications from the server

  • Avoid installing client applications on the server to reduce the risk of unauthorized data manipulation.

• Review roles assigned within octoplant

  • Ensure users only have access to what is necessary for their role.
  • Regularly review admin role assignments and limit them to appropriate personnel.

• Use a dedicated Windows user to run octoplant services

  • Restrict full access to the server archive to a dedicated Windows user and authorized update accounts only.

• Network segmentation

  • Place the octoplant server in a dedicated network segment, DMZ, or VLAN to minimize attack surfaces.
  • Define firewall rules to restrict access to essential octoplant systems.

  • Monitor network traffic in and out of the server. octoplant uses various open ports—investigate any unexpected traffic, such as:

    • Client-to-server
    • Server-to-agent
    • Other unknown ports

• Ensure physical security of the octoplant server

  • Restrict physical access to server rooms or data centers using locks and access control systems.

• Access revocation

  • Establish a process to revoke access when employees leave the organization or no longer need access. For example, enable octoplant's LDAP integration with Active Directory.

• Regular auditing and compliance

  • Perform regular security audits and compliance checks to ensure adherence to industry standards and regulations.

• Logging and monitoring

  • Enable detailed logging on the octoplant server and review logs regularly for suspicious activity.
  • Consider using a Security Information and Event Management (SIEM) system to centralize and analyze log data.

• Standardized documentation

  • Maintain up-to-date documentation covering server configuration, security settings, and access control policies.

• Intrusion detection and prevention

  • Use intrusion detection and prevention systems (IDS/IPS) to monitor for and block unauthorized activities.

• SMB/UNC connections when using Image Service

  • Prefer SFTP over SMB for improved security and better scalability by avoiding limitations in Windows-based resource handling.