Obtain security certificates

PME uses Transport Layer Security (TLS) 1.2 for an encrypted, authenticated connection using HTTPS between the server and its web clients. Both self-signed and authority issued certificates are supported. PME is installed with a self-signed certificate and a self-signed certificate is configured automatically. We recommend that you replace this with a security certificates from a Certificate Authority (CA).

You also need a certificate for the database server computer to use an encrypted connection between PME and the SQL database server in a Distributed Database architecture installation. See Set up encrypted database communication for Distributed Database architectures for more information on this topic and for links to Microsoft articles with certificate requirements for SQL server computers.

See Data encryption for information on data encryption, at rest and in transit, in PME.

Obtain antivirus and application allowlisting software

PME can be used with antivirus (AV) software.

PME can be used with application allowlisting software products such as McAfee Application Control software. See Configure application allowlisting software for more information.

NOTE: AV software can have a significant impact on system performance if not set up correctly. In particular, SQL Server performance can be affected if data and log files are not excluded from on-access scans. See Configure antivirus software on your SQL Server for more information.

Plan user access

Define a list of user accounts, access levels, and access permissions for your PME system. See PME accounts, Network shares, and Session timeout for more information.

Plan your network security

Determine the network security measures for your IT and device networks to provide your desired level of security.

This can include:

  • use of industrial firewalls
  • use of intrusion detection and prevention systems (IDS, IPS)
  • application of ISO27001 (Information Security Management System Standard [=policies and procedures])
  • managing wireless access and remote access
  • device security
  • deep packet inspection firewalls
  • physically securing device access

Determine what level of expertise will be required to deploy and maintain the network architectures and security measures. Plan to have this expertise available for the system deployment and maintenance.

Plan to install PME in an intranet environment

PME is designed for an intranet environment within a secured network infrastructure. PME is NOT designed for direct Internet connection.

Plan IP port use

Determine which IP ports are required and which ones can be disabled. See IP Ports for details on PME port requirements.

Plan your site security

Determine the hardware locking measures required to provide your desired level of security.

This can include:

  • personnel access restrictions to server locations
  • physical locking of the computer, for example with a cable
  • cementing the USB drive
  • removing the CD-ROM drive
  • tools such as McAfee® Enterprise Policy Orchestrator (ePO) suite of products
  • industrial, security hardened PCs such as the Magelis Box

Define workarounds and alternatives for cybersecurity-imposed restrictions, for example, for USB and CD-ROM drive access.

Plan for the implementation of cybersecurity standards

Consider implementing cybersecurity standards such as:

  • IEC62443, the global standard for industrial automation control system security.
  • ISO27001, a specification for an information security management system.