Cybersecurity Reference

This section contains reference information related to cybersecurity.

Data encryption

At Rest

PME encrypts the passwords of its user accounts, as well as the Windows and SQL Server accounts using SHA-512 and AES-256 cryptography. PME uses a unique encryption key for each installation. The key is generated during the installation of PME. The PME installer offers functionality for exporting/importing encryption keys for the installation of PME clients or system upgrades.

The power monitoring data that is collected by PME, and system configuration data are not encrypted.

In Transit

PME uses Transport Layer Security (TLS) 1.2 for an encrypted, authenticated connection using HTTPS between the server and the web clients. Both self-signed and authority issued certificates are supported. PME is installed with a self-signed certificate and a self-signed certificate is configured automatically. We recommend that you replace this with a security certificates from a Certificate Authority (CA).

The communication between PME and connected monitoring devices is not encrypted.

PME accounts

The following types of accounts are required for a PME system:

PME Users

A user account in PME provides access to the system. There are 3 different types of users - standard users, Windows users, and Windows groups. Each user has an access level, which determines the actions the user is allowed to perform in PME. There are no pre-configured user accounts or user groups in the system. One supervisor account is created with a user defined password during the installation of the software. Additional user accounts and groups must be created manually after installation. Users are created and managed through User Manager. PME supports Windows Active Directory integration for Windows users and groups.

TIP: Use Windows users and groups to take advantage of Windows account security features such as maximum login attempts or minimum password requirements.

Windows accounts used by PME

PME uses Windows accounts for report subscriptions and database maintenance. The accounts are created automatically during the installation of the software. The accounts share the same password, which is set at install time and can be changed at any time through the installer.

If PME is configured to use Windows Integrated Authentication, then an additional Windows account is required for database access. This Windows account is also used to run the PME services and the IIS Application Pools. This account must be created manually and account details must be provided during the installation of the software.

See Windows accounts for more information.

SQL Database server accounts

If PME is configured to use SQL Server Authentication, then SQL server accounts are required for database access. The accounts are created automatically during the installation of the software. The accounts share the same password, which is set at install time and can be changed at any time through the installer.

If SQL Server Express is installed with SQL Server Authentication, through the PME installer, a sa account with a unique, default password is created automatically during install. The password can be changed at any time through SQL Server Management Studio.

See SQL Server accounts for more information.

EcoStruxure Web Services account

If EcoStruxure™ Web Services (EWS) are used, data exchange credentials must be defined. The credentials consist of a single username and password. The EWS credentials are set manually in the Web Applications > SETTINGS > Security > Integrations > EWS Server area of the software.

PME Services

PME uses a number of services to perform the background server tasks. The services use the Local Service and NT AUTHORITY\System accounts, or the Windows account used for Windows Integrated Authentication, if that is configured.

See PME Windows services for more information.

Network shares

PME Engineering Clients and Secondary servers require that the Power Monitoring Expert folder on the PME server is shared with change and read permissions. This file share must be manually set up before installing Engineering clients or Secondary servers. See Create a file share for Engineering clients and Secondary servers for more information.

Session timeout

PME automatically times out inactive client sessions. Web Applications clients are logged out and Windows application clients (Vista, Designer, Management Console) are locked after a period of inactivity. The timeout period is configurable, it is set to 20 minutes by default. See Web Applications settings for details on how to set the timeout.

To restart or unlock the session you must enter the login credentials. A session is considered inactive, if none of the following actions are detected:

• Mouse movement
• Mouse click
• Keyboard activity
• Touch screen activity

NOTE: If custom content links are added to the Web Applications framework, then the custom content must either implement the idle detection, or activity on that content is not registered and the web client session can time out unexpectedly. See Adding idle detection to custom Web Application links for details.

System integration security

Specify which third-party web resources are allowed to either embed (frame) the PME web applications, or to which the PME web applications can redirect requests. This is configurable in the PME Web Applications settings. See Web Applications settings for details on how to set authorized hosts.

Specify which web applications of PME needed to integrate with third-party systems based on the generated links. The generated links are authenticated. This is configurable in the PME Web Applications settings. See Web Applications settings for details on how to generate links.