Security Considerations

This section provides detailed security recommendations to help you configure your Welotec IIoT Edge Gateway for optimal security in your IIoT deployment.

Exposed Interfaces and Services

In factory default the following interfaces and services are exposed and accessible:

| Interface | Services Listening | Factory Default Setting | Comment |
|---|---|---|---|
| LAN1 | SSH-Server | Static IP address: 192.168.2.1/24 | This is the only interface with a preconfigured static IP address. |
| LAN2 … n | SSH-Server, DHCP-client | DHCP client ready to obtain IP configuration | This is the only interface that uses DHCP out-of-the-box. |
| Local Console | CLI | CLI | With attached keyboard and display |
| COM1 | CLI | CLI redirected to COM port | / |

Each LAN interface can be configured individually, either with a static IP configuration or to obtain its IP configuration from a DHCP server. Access to the Local Console as well as the Console Redirect to COM ports can be deactivated in the configuration.

Device Security Features

Secure Boot and Encrypted Storage

Edge Gateways provide Secure Boot, and the system and user data storage is fully encrypted with the help of the device's TPM. The boot partition is plain text, and all boot data is secured against tampering with strong cryptographic signatures. Check the release notes for the models and versions supporting this feature.

Firewall

The firewall of the device allows you to limit the device's communication to the minimum necessary for your use case. Please refer to the Firewall section for further details.

Security updates and patch management

Welotec provides updates for the egOS regularly. Please refer to the OS Updates section for further details.

Security Recommendations

Passwords

Strong passwords are the first line of defense against unauthorized access. You can disable password-based access to the device and use SSH key-based authentication only. If you want to use password-based access, it is recommended to:

  • Change the factory default password on first login

  • Use passwords with a minimum length of 12 characters

  • Use a combination of uppercase and lowercase letters, numbers, and special characters (e.g., !@#$%^&*)

  • Do not use easily guessable patterns, such as sequences (e.g., “123456”, “abcdef”), repeated characters (e.g., “aaaaaa”), or dictionary words

Network Segmentation

Network segmentation is a critical security practice that involves dividing a network into smaller, isolated subnets or zones. This approach limits the impact of a security breach by preventing an attacker from moving laterally through the network and accessing critical systems. In an IIoT environment, this is crucial for protecting sensitive industrial control systems (ICS) and other operational technology (OT) assets. Use the Welotec IIoT Edge Gateway’s networking capabilities to create separate network segments. Methods for implementing segmentation:

  • VLANs (Virtual LANs): Create VLANs to segment network traffic at Layer 2. This allows you to isolate devices on the same physical network.

  • Subnets: Use IP subnets to divide the network at Layer 3. This provides logical separation and allows for different routing and firewall policies.

  • Firewall Rules: Configure the gateway’s firewall to control traffic flow between different segments. Implement strict rules to allow only necessary communication and block all other traffic.

  • Routing: Use static routes or dynamic routing protocols to control how traffic is routed between segments. Ensure that routing is configured to enforce security policies.

Secure remote access

Welotec provides a software solution for secure remote access, the VPN Security Suite. Please visit our homepage for further information.

Physical security of the device

  • Place the device in a locked cabinet or implement other physical security measures to avoid manipulation of the device

  • Limit access to the device by disabling local login using the device's ‘set_local_console’ command

Vulnerability Handling

Welotec has implemented a Coordinated Vulnerability Disclosure Policy - please visit the following site for further details: https://welotec.com/pages/coordinated-vulnerability-disclosure-policy

Secure Disposal

To securely dispose of the device, reset it to factory defaults using the options described under Factory reset. This will delete all configuration, containers and user data on the device.