
Security Notices for the Edge Gateway

Important

For security reasons, it must be noted when operating the CODESYS Edge Gateway that the functionality it provides can expose it to unexpected attacks. As the central link between the CODESYS Automation Server and an existing PLC network, the Edge Gateway is a potential target for such attacks. The operator therefore has to take appropriate measures to protect it against unauthorized access.

For effective protection, it is necessary that the following security measures are taken before the functionality is activated (and therefore before the Edge Gateway is started).

Tip

For more information on security and the CODESYS Automation Server, see: Security for the CODESYS Automation Server

The Edge Gateway gives the CODESYS Automation Server, and all clients that connect through it (CODESYS, web visualization/browser), full access to all services that the runtime system provides via its communication interfaces.

Firewall

  • The Edge Gateway shall be operated in a PLC network only. The Edge Gateway has to be able to access the PLCs in this network. However, effective protection (firewall) is required against remote access (Internet) to the PLCs and to the Edge Gateway.

  • The gateway port of the Edge Gateway (default setting: 1217) must not be accessible remotely (Internet).

Configuration

  • The Edge Gateway shall be configured in a secure environment only. The CODESYS Automation Server Connector used for this has to be located in a trusted network environment.

  • During operation, you have to make sure that unauthorized configuration of the Edge Gateway is not possible.

The following settings make it easier to create a secure environment for the Edge Gateway. Both settings are made in the configuration file Gateway.cfg and can also be combined.

  • Restrict the accessibility of the gateway: Normally, the gateway is accessible on every IP address of the computer. To enable a secure configuration, it may be necessary for the gateway to be accessible only under one specific IP address. This can be done by means of the following setting in Gateway.cfg:

    [CmpGwCommDrvTcp]
    LocalAddress=<IP address>

    Example for IP address: 127.0.0.1

  • Restrict the accessibility of the gateway to specific communication peers: Normally, the gateway accepts all connection requests. To enable a secure configuration, it makes sense that the gateway only allows connections from specific clients, depending on the network configuration. This can be done by means of the following setting:

    [CmpGwCommDrvTcp]
    PeerAddress=<IP address or network base address>

    There are three different configuration options for this:

    • The setting is absent: The gateway allows connections from all clients.

    • The setting is assigned to a specific IP address: The gateway only allows connections from the client that has this IP address.

    • The setting is assigned to a network base address: The gateway allows connections from all clients in this network. The network base address is the smallest possible address in the local network. The address can be calculated as follows:

      <local IP address> AND <subnet mask> = <network base address>
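The following Python script is an added worked example, not code from CODESYS or from this documentation. It reads the two documented keys (LocalAddress and PeerAddress) from a constructed Gateway.cfg text, carries out the network base address calculation above, and evaluates which connecting client addresses would be admitted under each of the three PeerAddress options. The page does not state which subnet mask the gateway uses to recognise a network base address; the example assumes the mask of the gateway's own interface and takes it as an explicit parameter.

```python
"""Check of the Gateway.cfg [CmpGwCommDrvTcp] settings described above.

Added example, not part of the CODESYS product. The section and key names
are the ones documented for the Edge Gateway; the sample config text and
the client addresses below are constructed for illustration.
"""
import configparser
import ipaddress

SECTION = "CmpGwCommDrvTcp"

# Constructed sample Gateway.cfg content combining both documented settings.
SAMPLE_CFG = """
[CmpGwCommDrvTcp]
LocalAddress=192.168.10.5
PeerAddress=192.168.10.0
"""


def load_tcp_settings(cfg_text):
    """Return {'LocalAddress': ..., 'PeerAddress': ...}; a missing key maps to None."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_section(SECTION):
        return {"LocalAddress": None, "PeerAddress": None}
    section = parser[SECTION]  # key lookup is case-insensitive in configparser
    return {
        "LocalAddress": section.get("LocalAddress"),
        "PeerAddress": section.get("PeerAddress"),
    }


def network_base_address(local_ip, subnet_mask):
    """<local IP address> AND <subnet mask> = <network base address>, as on the page."""
    ip = int(ipaddress.IPv4Address(local_ip))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ip & mask))


def peer_allowed(peer_setting, client_ip, subnet_mask):
    """Apply the three documented PeerAddress options to one connecting client.

    subnet_mask is an assumption: the mask used to decide whether a client
    belongs to the configured network base address.
    """
    if peer_setting is None:
        # Option 1: setting absent -> every client is accepted.
        return True
    if ipaddress.IPv4Address(peer_setting) == ipaddress.IPv4Address(client_ip):
        # Option 2: the setting names exactly this client.
        return True
    # Option 3: the setting is a network base address; the client is accepted
    # when its own base address (client AND mask) equals that setting.
    return network_base_address(client_ip, subnet_mask) == str(
        ipaddress.IPv4Address(peer_setting)
    )


def client_admitted(cfg_text, client_ip, subnet_mask):
    """Parse the config and decide whether client_ip may connect to the gateway."""
    settings = load_tcp_settings(cfg_text)
    return peer_allowed(settings["PeerAddress"], client_ip, subnet_mask)


if __name__ == "__main__":
    settings = load_tcp_settings(SAMPLE_CFG)
    print("gateway listens only on", settings["LocalAddress"])
    # Constructed client addresses: one inside the /24, one in a neighbouring
    # network, one from outside the PLC network entirely.
    for client in ("192.168.10.200", "192.168.11.1", "203.0.113.9"):
        verdict = "allowed" if client_admitted(SAMPLE_CFG, client, "255.255.255.0") else "denied"
        print(client, verdict)
```

With the sample configuration only the client inside 192.168.10.0/24 is admitted; removing the PeerAddress line from the text reverts the gateway to option 1 and every address is accepted, which is the default the page warns about.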

Access to the Edge Gateway device

The file system on the device where the Edge Gateway is running has to be protected against unauthorized access. Confidential information (configuration, certificates, access data, etc.), which must not be read or modified by unauthorized persons, is stored there.

Connection to the CODESYS Automation Server

After successful connection to the CODESYS Automation Server, the server gets full access via an encrypted tunnel to all available PLCs in the Edge Gateway network. Should this result in additional security threats to the operation of the facility, then these have to be assessed and addressed specifically.

For more information, see: Connecting an Edge Gateway to the Server and Entering PLCs