Web security
Fidelix substations use the same communication protocols that internet devices commonly use. This enables flexible communication in both local and internet environments.
Using common protocols brings many benefits, but it also creates a risk of unauthorized access to the system, and installers must be aware of this.
As a factory setting, the users SYSTEM and FX2020 and the SSH servers have default passwords. They should be changed to unique passwords.
Password length is essential to security, so passwords of AT LEAST six characters should be used, especially in devices that are connected to the internet.
Additional security may be achieved by defining a webVision authentication key. It affects communication between substations and webVision, and also communication between substations.
Authentication is available since Fx version 11.42 and webVision version 8.75.07.
The settings also include a firewall page where you can hide unnecessary services or limit their visibility to certain addresses.
The firewall settings let you define settings for the following functions:
- Web server, TCP port 80
Browser-based user interface. The local display works even when this port is disabled. Note! Limiting internet access to specified addresses only is recommended.
- webVision, TCP port 1235
Users: webVision, OPC server, global points and synchronization of substations. Note! The authentication key should always be used when communicating over the internet. Note! Limiting internet access to specified addresses only is recommended.
- SMTP server, TCP port 25
User: Alarm forwarding between substations. Note! No user checking. Unlimited internet access is forbidden.
- Time server, UDP port 123
User: Time synchronization between substations. Note! No user checking. Unlimited internet access is forbidden.
- BACnet IP, UDP port 47808
User: BACnet communication. Note! No user checking. Unlimited internet access is forbidden.
- Ping
Used for testing the network.
- Maintenance (FTP TCP port 21 and Telnet TCP port 23)
Used for file transfer. Note! Limiting internet access to specified addresses only is recommended. Note! Public addresses are disabled if the default password is used.
- OpenPCS, TCP port 23042
Used for sending IEC programs to the substation. Note! No user checking. Unlimited internet access is forbidden.
Since version 11.50.20, the firewall has a default limitation that allows connections from private IP addresses only (except for browser connections).
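An added example, not Fidelix code: a Python check of a planned firewall configuration against the notes in the list above. The settings dictionary format, the short service names and the reading of "private" as the RFC 1918 ranges are assumptions made for this illustration.

```python
import ipaddress

# Assumption: "private" means the RFC 1918 ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services and notes from the firewall list on this page.
# "forbidden": no user checking, unlimited internet access is forbidden.
# "limit": limiting internet access to specified addresses is recommended.
SERVICES = {
    "web": ("TCP 80", "limit"),
    "webvision": ("TCP 1235", "limit"),
    "smtp": ("TCP 25", "forbidden"),
    "time": ("UDP 123", "forbidden"),
    "bacnet": ("UDP 47808", "forbidden"),
    "maintenance": ("TCP 21/23", "limit"),
    "openpcs": ("TCP 23042", "forbidden"),
}

def is_private_only(cidr):
    """True if every address in the CIDR lies inside a private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE)

def audit(allowed, auth_key_set, default_passwords):
    """allowed: service name -> list of source CIDRs ([] = service hidden)."""
    findings = []
    if default_passwords:
        findings.append(("passwords", "FAIL", "change factory default passwords"))
    for name, (port, note) in SERVICES.items():
        public = [c for c in allowed.get(name, []) if not is_private_only(c)]
        if not public:
            continue  # hidden, or reachable from private addresses only
        unlimited = any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                        for c in public)
        if unlimited and note == "forbidden":
            findings.append((name, "FAIL", port + " open to any address"))
        elif unlimited:
            findings.append((name, "WARN", port + " should be limited to specified addresses"))
        if name == "webvision" and not auth_key_set:
            findings.append((name, "FAIL", "internet use without authentication key"))
    return findings

# Constructed sample settings, not exported from a real device.
SAMPLE = {"web": ["0.0.0.0/0"], "smtp": ["10.0.0.0/8"], "bacnet": ["0.0.0.0/0"],
          "webvision": ["192.168.1.0/24", "203.0.113.10/32"], "maintenance": []}

if __name__ == "__main__":
    for finding in audit(SAMPLE, auth_key_set=False, default_passwords=False):
        print(*finding, sep=" | ")
```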
Access with CE browser is now disabled by default in Fx3000. It may be enabled on the Settings - System setup page.
Manual commands from webVision 7 are now disabled by default. They may be enabled on the Settings - System setup page.
When the internet is used, the best security level is achieved by using a VPN connection, either with a TosiBox router or with the built-in VPN server of an internet modem.