Security best practices - octoplant server
The following documentation includes security best practices for your octoplant server. We recommend that these be implemented by your IT department or octoplant administrator.
Do not expose the octoplant server to the internet
The octoplant server does not need to accept client connections from outside of the internal firewall network. Therefore, we recommend that you:
- Restrict inbound communication to your internal customer network.
- Leverage your VPN connection to allow client applications to access the octoplant server when your computer is outside of the internal network.
- Restrict inbound connections to the octoplant server. While the octoplant server does need to send information to the octoplant pro hub (outbound connection), inbound connections should be restricted.
Use antivirus software
- Always follow your IT department's guidance on running antivirus / malware detection software.
Privileges
- Review the user privileges necessary to install and run the octoplant server.
Observe the least privilege principle:
- Restrict users and applications to only the permissions and access they need to perform octoplant tasks.
- Implement strong access controls to ensure that only authorized personnel can access the octoplant server.
- Use strong, unique passwords or, preferably, implement multi-factor authentication (MFA) for octoplant server access wherever possible.
Leverage your already existing LDAP server
- We recommend that you use your centralized LDAP server, if available, to manage accounts and passwords.
If you have a centralized LDAP server, leverage the features of your identity management system to help manage accounts within. Security risks are reduced by:
- all of your user accounts being handled in one place (password change frequency, complexity)
- passwords not being stored in octoplant
Only communicate with automation devices using properly configured octoplant agents
- Isolate automation devices in the OT network and ensure all processing required by octoplant is addressed using communications from the octoplant server to its agents running in the OT network. The octoplant server can be in the business network while the agents are in the OT network.
Remove client applications from the server
- Remove client applications from the server to reduce the risk of hackers using them to alter data in the server archive.
Review the roles assigned within octoplant
- Ensure that users only have access to what they need.
- Review who has been assigned an admin role inside octoplant and ensure that only appropriate persons have been given this role.
Use a dedicated Windows user to execute our services
- Ensure that only your dedicated Windows user (and some accounts for installing updates) has full access to the server archive.
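
One way to check this on the server, as an added example that is not part of the octoplant documentation: the PowerShell below reports every account outside an allow list that holds FullControl on the archive folder or its first-level subfolders. The archive path and the account names are placeholders (assumptions) to replace with your own.

```powershell
# Added example: report accounts with FullControl on the server archive that are
# not on the allow list. Path and account names are placeholders (assumptions).
$ArchivePath = 'D:\PLACEHOLDER\octoplant-archive'   # placeholder path
$Allowed = @(
    'EXAMPLE\svc-octoplant',       # placeholder: dedicated Windows service user
    'EXAMPLE\octoplant-updates'    # placeholder: account used to install updates
)

function Get-UnexpectedFullControl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL, which can appear on inherit-only entries

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # ignore Deny entries
        $rights = [int]$ace.FileSystemRights
        $isFull = (($rights -band $full) -eq $full) -or (($rights -band $genericAll) -ne 0)
        if (-not $isFull) { continue }
        $id = $ace.IdentityReference.Value
        if ($AllowedIdentity -contains $id) { continue }       # -contains ignores case
        [pscustomobject]@{
            Path      = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the archive root and its first-level folders, where inheritance may be disabled
$targets = @($ArchivePath) + @(Get-ChildItem -LiteralPath $ArchivePath -Directory |
    ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) {
    Get-UnexpectedFullControl -Path $t -AllowedIdentity $Allowed
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only allow-listed accounts hold FullControl on $ArchivePath"
}
```

Built-in principals such as SYSTEM or the local Administrators group will appear in the report unless you add them to the allow list deliberately.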
Network segmentation
- Isolate the octoplant server in a dedicated network segment, DMZ or VLAN to prevent unauthorized access and external attacks.
- Implement firewall rules to restrict communication to necessary octoplant systems only.
Monitor network traffic in and out of your octoplant server. octoplant applications communicate using various open ports. If you see other traffic, review:
- client to server
- server to agent
- any other ports
Ensure physical security of the octoplant server
- Ensure the physical security of the octoplant server by restricting access to server rooms or data centers and using locks and access controls.
Access revocation
- Implement a process for revoking access promptly when employees leave the organization or no longer require access to the octoplant server. For example: enable octoplant's LDAP features with your existing Active Directory.
Regular auditing and compliance
- Conduct regular security audits and compliance assessments to ensure that the octoplant server meets industry-specific regulations and security standards.
Logging and monitoring
- Enable comprehensive logging for the octoplant server and regularly review logs for signs of unauthorized access or unusual activities.
- Implement security information and event management (SIEM) systems to centralize log data for analysis.
Standardized documentation
- Maintain detailed documentation of the octoplant server's configuration, security settings, and access controls.
Intrusion detection and prevention
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for suspicious activities and block them when necessary.
SMB/UNC connections when using Image Service
- Consider using SFTP instead of SMB because it is more secure and does not occupy certain Windows resources (scalability).