Recommended actions

PME is designed for a defense in depth security strategy, in compliance with IEC 62443, the global standard for industrial automation control system security. A defense in depth strategy is a multi-layered approach to cybersecurity with intentional redundancies to increase the security of a system as a whole.

The different defense in depth layers can be described as:

• Data Layer (includes access control and encryption of data)
• Application Layer (includes antivirus software and application hardening)
• Host Layer (includes patch implementation, user authentication)
• Network Layer (includes IPsec, intrusion detection system)
• Perimeter Layer (includes firewalls, VPN)
• Physical Layer (includes guards, switches, locks, ports, physical access)
• Policies

To help secure your system, you must take specific actions for the different layers and at every stage of the project life-cycle. The following shows the actions we recommend to help secure your system, organized by life-cycle stage:

NOTE: The list of recommended actions below is not a complete list of possible cybersecurity measures. It is meant to be a starting point to improve the security of your system. Consult with cybersecurity experts to plan, install, configure, administer, and decommission your system based on your needs.

Life-cycle Stage	Layer	Recommended Action
Planning	Data Layer	Obtain security certificates.
	Application Layer	Obtain antivirus and application allowlisting software.
	Host Layer	Plan user access.
	Network Layer	Plan your network security.
	Perimeter Layer	Plan to install PME in an intranet environment. Plan IP port use.
	Physical Layer	Plan your site security.
	Policies	Plan for the implementation of cybersecurity standards.
Installing, Upgrading	Application Layer	Install antivirus and application allowlisting software. Verify install file integrity and authenticity. Protect the System Key. Apply PME updates.
	Host Layer	Install latest updates for OS and SQL Server. Check computer for cybersecurity issues.
	Network Layer	Install your network security measures.
Configuring	Data Layer	Install security certificate. Set up encrypted database communication for Distributed Database architectures
	Application Layer	Configure application allowlisting software. Configure antivirus software on your SQL Server.
	Host Layer	Configure PME users and user groups. Customize user account privileges. Restrict Windows login permissions for the PME server. Change the SQL Server Express sa account password. Configure session timeout settings. Do not install or use a web browser on the server computer.
	Network Layer	Set up your network security.
	Perimeter Layer	Disable unused IP ports.
	Physical Layer	Disable unused hardware ports.
Administering	Data Layer	Renew security certificate. Securely store the system key.
	Application Layer	Apply PME updates. Verify update file integrity and authenticity.
	Host Layer	Apply OS and SQL Server updates. Review user accounts on a regular basis.
	Network Layer	Keep network security up-to-date.
	Physical Layer	Keep computer hardware secure.
	Policies	Perform security audits
Decommissioning	Host Layer	Decommission your system at the end of its life.