Security and networking
IoT Hub
The IoT Hub is an Azure PaaS solution for managing sensor data information streams. As such, it requires a feed from factories and connectivity to LogiX. As the corporate and Azure networks are separate, connectivity needs to be established between them.
User Authentication and Session Management
The LogiX Application suite is implemented as a set of Single Page Applications with stateless server-side APIs. Sessions are managed in the frontend layer and are implemented according to OpenID Connect Session Management specifications. The implementation uses JWT tokens that are:
● Self-contained, with an expiration date.
● Configured to be signed with the RS256 algorithm.
● Generated when the user is authenticated.
● Populated with user info obtained during authentication.
User authentication is delegated to Azure AD.
Access Control Architecture within the LogiX Application
● LogiX defines permissions per function or function group in the application.
● Permissions can be restricted for specific resources (e.g.: Plant/Line/Machine).
● Permissions are organized in hierarchical form – parent permission inherits all child permissions.
● RBAC model is implemented - permissions are assigned to groups of users.
● Access control is enforced at API level
● Users are provisioned by integration with Azure AD
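The access control rules listed above, sketched as an added example (not LogiX code): the permission names, group names and resource paths are constructed for illustration, and group membership is assumed to be supplied by the caller after authentication.

```python
from dataclasses import dataclass

# Constructed permission tree: a parent permission inherits all child permissions.
PERMISSION_CHILDREN = {
    "orders.manage": ["orders.view", "orders.edit"],
    "orders.edit": ["orders.import"],
}

@dataclass(frozen=True)
class Grant:
    permission: str
    scope: tuple = ()  # resource path prefix (Plant, Line, Machine); () = unrestricted

# RBAC: permissions are assigned to groups, never to individual users (constructed data).
GROUP_GRANTS = {
    "plant-a-planners": [Grant("orders.manage", ("PlantA",))],
    "line1-operators": [Grant("orders.view", ("PlantA", "Line1"))],
}

def implied(permission):
    """Return the permission plus every descendant it inherits."""
    seen, stack = set(), [permission]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(PERMISSION_CHILDREN.get(current, []))
    return seen

def is_allowed(groups, required, resource):
    """Deny by default; allow only if one grant covers both permission and resource."""
    resource = tuple(resource)
    for group in groups:
        for grant in GROUP_GRANTS.get(group, []):
            # A grant scoped to a Line must not match a request for the whole Plant.
            in_scope = resource[:len(grant.scope)] == grant.scope
            if in_scope and required in implied(grant.permission):
                return True
    return False

def require(groups, required, resource):
    """API-level enforcement point: call before a handler touches any data."""
    if not is_allowed(groups, required, resource):
        raise PermissionError(f"{required} denied on {'/'.join(resource)}")
```

Inheritance runs downward only: a group holding a child permission never gains its parent, and a grant scoped to a line never matches a request for the whole plant.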
Types of data available in the PackOS application are as follows:
Data from Factory
Set of raw machine counters and signals needed for KPI calculation (performance-related signals).
No user data other than login information is transferred from the factory (login information is managed by the Domain Controller and is part of the signed JWT token).
No commercially sensitive data other than the signals and counters mentioned above is transferred from the factory level.
Master Data
Imported into the PackOS application through files (Orders, Materials, and Work Calendar information).
Files are not persisted in PackOS; data from the files is encrypted in the SQL Server Database and available only to authorized users.
Metadata and Configuration Data
Simplified factory structure needed to add semantics to raw signals (assignment of signals to machines and machines to the line).
Business rules to transform data from raw signals into information about production state and metrics.
Necessary information about users of the PackOS system, needed for authorizing users, auditing user activity, and supporting notifications.
Data at rest
Data in the database is encrypted at rest by Azure SQL Server Transparent Data Encryption
User credentials are not stored within the application – authorisation is delegated to Azure AD.
Data in transit
Communication between components uses TLS v1.2 (as specified in the networking architecture).
Audit information gathered in PackOS application
Changes to the infrastructure are audited by Azure standard monitoring.
Audit trail information of user activities is persisted within the LogiX database.
Audit trail information contains data of all events concerning:
User authentication
User-made changes in:
Permissions granted or revoked to other users
Master data (e.g. changes in factory structure, machine states, order details, etc.)
Database Security
Application components connect to the databases using dedicated accounts.
Data files are encrypted at rest by SQL Server Transparent Data Encryption.