Follow along with the 4th installment of the groov Manage video and blog series as we focus on the Security button in the groov Manage menu.
This week brings you the fourth installment of walking through the groov Manage menu options found on a groov EPIC. In case you missed it, you might want to catch up on the previous three menu options we've covered so far: Accounts, Network, and System. Now, you'll be ready to dive into the Security features.
Watch groov Manage: Security.
Cybersecurity is at the top of everyone's mind, so why is it the fourth option we are looking at in this series, and not the first? As mentioned in last week's blog, when commissioning a new groov device, the common practice is to set it up in the following order:
- Create an administrator account.
- Set the hostname.
- Set the system time.
- Generate your server certificate.
And so here we are at step four. The Security menu button has four options behind it, so let's take a look at them...
Web Server Certificate - groov devices ship with HTTPS enabled and a self-signed certificate bound to the default hostname of your EPIC. All groov default hostnames follow the convention opto-xx-yy-zz, where xx, yy and zz are the last three octets of your EPIC's ETH0 MAC address.
That will be fine to get you started, but every browser will show a connection warning the first time you connect, because it cannot verify that certificate: it is self-signed at the Opto 22 factory, so no Certificate Authority (CA) that your browser trusts has vouched for it (and the factory could not obtain one for a hostname you are about to change anyway). So, we'll create a new certificate to replace the factory-installed one.
As Step 2 above indicates, and Part 2 of this blog series on Networking covered, you should have already changed your default hostname to something more memorable, like "MyEpic".
Now, you need to create a new server certificate with your new hostname. That's simple; click "Create Certificate" under Certificate Management, complete the form, and you're done! You've now created a new, updated self-signed certificate for your EPIC. Not only that, but because you set your timezone and clock in step 3, the certificate's validity period is calculated from the correct date, so you have also "reset the clock" on its expiration date. (A certificate generated on a device whose clock is wrong can show up in the browser as not yet valid or already expired, which is why the time gets set before the certificate, not after.)
Now's a good time to go ahead and download your certificate and install it into your PC's Trusted Certificate Store so you won't get that scary browser warning screen anymore. We've made a handy certificate video on exactly how to do this. Two things to keep in mind: the browser also checks that the name you typed in the address bar matches the name in the certificate, so browse to the EPIC by the hostname you put in the certificate rather than by IP address; and the trust you installed is for that specific certificate, so repeat the download and install whenever you regenerate it.
If you'd prefer not to use self-signed certificates, but rather an official CA-signed one, we've got you covered here, too. One of the options in this section is to download a Certificate Signing Request or CSR. The CSR carries the EPIC's public key and hostname details; the private key never leaves the device. You can send this file to your IT department, and they'll be able to send you back a valid CA-signed server certificate you can upload back to your EPIC. Before you send it, check that the hostname in the CSR is the one you'll be browsing to.
The big deal with this simple process is that you don't need to deal with long and convoluted command-line parameters or OpenSSL tools to generate, store, and upload your TLS/SSL certificates!
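To make the browser's two checks concrete, here is an added example (my own illustration for this post, not code from groov Manage or Opto 22): it derives the factory hostname from a MAC address the way the post describes, and then reproduces the checks behind the warning screen, namely whether the certificate is valid right now and whether it carries the hostname you browsed to. The certificates are constructed stand-ins in the shape Python's `ssl.SSLSocket.getpeercert()` returns on a verified connection; the MAC address, hostnames and dates are made up for the example. Trust-chain checking is deliberately left out, since a self-signed certificate always fails that check until you install it.

```python
import re
import ssl
from typing import List, Optional


def default_hostname(eth0_mac: str) -> str:
    """Factory hostname opto-xx-yy-zz from the last three octets of the ETH0 MAC."""
    octets = re.split(r"[:-]", eth0_mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {eth0_mac!r}")
    return "opto-" + "-".join(octets[3:])


def cert_problems(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons a browser would reject `cert` for `hostname` (empty list = fine).

    `cert` is a dict shaped like ssl.SSLSocket.getpeercert(): 'subject',
    'subjectAltName', 'notBefore' and 'notAfter' entries.
    """
    import time
    now = time.time() if now is None else now
    problems = []

    # 1. Validity window. Both dates were written from the device clock at
    #    generation time, so a wrong clock shows up here.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid (device clock was probably wrong when it was generated)")
    if now > not_after:
        problems.append("expired")

    # 2. Name match. Browsers compare the typed hostname with the DNS entries
    #    in subjectAltName; the commonName alone is no longer accepted.
    dns_names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        problems.append("no DNS subjectAltName (commonName alone is ignored by modern browsers)")
    elif hostname.lower() not in dns_names:
        problems.append(f"hostname {hostname!r} not in subjectAltName {dns_names}")
    return problems


# Constructed sample data (not real devices or certificates).
EXAMPLE_MAC = "00:A0:3D:12:AB:CD"
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed "now" for reproducibility

# What ships from the factory: bound to the default hostname.
FACTORY_CERT = {
    "subject": ((("commonName", "opto-12-ab-cd"),),),
    "subjectAltName": (("DNS", "opto-12-ab-cd"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Regenerated for the new hostname, but before the clock was set (step 3 skipped).
WRONG_CLOCK_CERT = {
    "subject": ((("commonName", "MyEpic"),),),
    "subjectAltName": (("DNS", "MyEpic"),),
    "notBefore": "Jan  1 00:00:00 2099 GMT",
    "notAfter": "Jan  1 00:00:00 2109 GMT",
}
# Regenerated after hostname and clock were both set.
GOOD_CERT = {
    "subject": ((("commonName", "MyEpic"),),),
    "subjectAltName": (("DNS", "MyEpic"),),
    "notBefore": "May 20 00:00:00 2025 GMT",
    "notAfter": "May 20 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    print("factory hostname:", default_hostname(EXAMPLE_MAC))
    for label, cert in [("factory", FACTORY_CERT), ("wrong clock", WRONG_CLOCK_CERT), ("good", GOOD_CERT)]:
        print(f"{label:>11} cert for MyEpic:", cert_problems(cert, "MyEpic", EXAMPLE_NOW) or "OK")
```

Run it and you see the three states the post walks through: the factory certificate is valid but for the wrong name, the regenerated-before-clock certificate is for the right name but not yet valid, and only the one generated after steps 2 and 3 passes both checks.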
Also tucked away in this menu option is a rather mind-blowing security feature: the firewall. If you want a quick refresher on what a firewall is and how it works from a high level, check out my firewall blog from way back in 2019. (Yes, it all still applies today.)
The firewall is a really big deal. There are very few PLCs or IPCs on the market today that offer a built-in device firewall, and beyond that, one that gives you full control over what ports and protocols are allowed via the different network interfaces. And it's all done smoothly through an interface in the groov Manage menu system.
When you combine the Port Redirects section of our Part 2 blog post on Networking with the firewall, you can extend strong cybersecurity practices to legacy PLCs on your OT network: the port redirect forwards a chosen port on the EPIC to the legacy PLC, and the firewall decides on which interface, for which protocol and from where that port is reachable at all.
Using these two groov Manage menu options, you open only the ports your automation team requires to reach the legacy PLC, and only for as long as they are needed. Combined with our first week's blog on account management, you also control which user accounts are allowed to change those firewall settings.
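Here is an added example that models the redirect-plus-firewall arrangement just described. It is my own illustration, not groov Manage's implementation or an export of its settings: the network layout (ETH0 facing the IT network, ETH1 facing the OT network with a legacy PLC at 192.168.1.50), the listening port 5020, the engineering subnet and the rule that the firewall is consulted before the redirect are all assumptions made for the example; port 502 is Modbus/TCP's conventional port and stands in for whatever protocol the legacy PLC speaks. The policy is default-deny, so anything without an explicit allow entry is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Allow:
    """Firewall entry: accept proto/port arriving on iface from the src CIDR."""
    iface: str
    proto: str
    port: int
    src: str

    def matches(self, iface: str, proto: str, port: int, src_ip: str) -> bool:
        return (self.iface == iface and self.proto == proto and self.port == port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src))


@dataclass(frozen=True)
class Redirect:
    """Port redirect: traffic to listen_port on iface is forwarded to target_ip:target_port."""
    iface: str
    proto: str
    listen_port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class Verdict:
    action: str                      # "DROP", "ACCEPT" (served by the EPIC itself) or "FORWARD"
    destination: Optional[str] = None


def evaluate(allows: List[Allow], redirects: List[Redirect],
             iface: str, proto: str, src_ip: str, dst_port: int) -> Verdict:
    """Decide what happens to one inbound connection attempt (assumed order: firewall, then redirect)."""
    # Default deny: no matching Allow entry means the packet never gets further.
    if not any(a.matches(iface, proto, dst_port, src_ip) for a in allows):
        return Verdict("DROP")
    for r in redirects:
        if (r.iface, r.proto, r.listen_port) == (iface, proto, dst_port):
            return Verdict("FORWARD", f"{r.target_ip}:{r.target_port}")
    return Verdict("ACCEPT")


def exposed_ports(allows: List[Allow], iface: str) -> Set[Tuple[str, int]]:
    """Audit helper: everything the firewall opens on one interface."""
    return {(a.proto, a.port) for a in allows if a.iface == iface}


# Constructed policy for the example (assumed layout, not a groov Manage export).
IT_SUBNET = "10.0.0.0/24"       # plant IT network on ETH0
ENGINEERING = "10.0.0.0/28"     # the automation team's workstations
LEGACY_PLC = "192.168.1.50"     # on the OT network behind ETH1

ALLOWS = [
    Allow("ETH0", "tcp", 443, IT_SUBNET),     # groov Manage over HTTPS
    Allow("ETH0", "tcp", 5020, ENGINEERING),  # the redirected pass-through port only
]
REDIRECTS = [
    Redirect("ETH0", "tcp", 5020, LEGACY_PLC, 502),
]

# Constructed connection attempts: (iface, proto, src_ip, dst_port)
ATTEMPTS = [
    ("ETH0", "tcp", "10.0.0.5", 5020),    # engineer -> legacy PLC via the redirect
    ("ETH0", "tcp", "10.0.0.77", 5020),   # someone else on the IT network, same port
    ("ETH0", "tcp", "10.0.0.77", 443),    # groov Manage login page
    ("ETH0", "tcp", "10.0.0.5", 502),     # PLC's native port was never opened on ETH0
    ("ETH1", "tcp", "10.0.0.5", 5020),    # nothing is opened on the OT side at all
]

if __name__ == "__main__":
    for iface, proto, src, port in ATTEMPTS:
        v = evaluate(ALLOWS, REDIRECTS, iface, proto, src, port)
        print(f"{iface} {proto}/{port:<5} from {src:<10} -> {v.action} {v.destination or ''}")
    print("ETH0 exposes:", sorted(exposed_ports(ALLOWS, "ETH0")))
```

The thing to take from the output is that the legacy PLC is reachable through exactly one path: the redirected port, from the engineering range, on the IT-facing interface. Closing that path when the team no longer needs it is a matter of removing one Allow entry, and `exposed_ports` is the kind of check worth running after every change to confirm nothing else was opened along the way.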
As you can probably tell, these first four groov Manage menu options are the foundation for commissioning and securely setting up your groov device on your factory floor. But I feel just as much at home with control signals and wiring up our modules. So be sure to subscribe to the OptoBlog to hear about the super helpful features that exist behind menu option 5, the I/O status, which I'll cover in next week's blog.
Till then,
Cheers Mate.
-Ben