Provider capabilities

Provider capabilities: PHOENIX CONTACT

| Name | Description |
| --- | --- |
| Role-based access | Role-based access aligned with security policies and urgent actions, at the hardware and software level |
| Basic user access control | User access control based on basic authentication mechanisms (password) |
| User access control with hidden display | User access control based on mechanisms that visually hide the entry of keys with asterisks or other mechanisms |
| Multi-factor user access control | User access control based on robust PKI authentication mechanisms (access token or biometrics) |
| Network communications control | Control of users' and devices' access to the network, allowing their actions to be monitored and detailed information on their communications to be gathered. Establishment of VPNs or other control mechanisms, such as bandwidth limitation |
| Equipment use control | Control of equipment use (laptops, mobile devices, ...) to restrict access to information through encryption and blocking of malware and malicious traffic |
| Account management | System to create / modify / delete user accounts / groups and establish permissions, as well as identify users / groups. Configuration of login attempts to lock the account for a set time, lock it after a period of inactivity and terminate the session. Ability to limit the use of concurrent sessions and message notification capability in authentication. |
| PKI infrastructure | Public Key Infrastructure (PKI) that will provide digital certificates that allow encryption operations. These will be used for the verification and authentication of the different parties involved in an electronic exchange. |
| Hardware and software inventory | Obtain data from both hardware and software equipment in order to form a dynamic inventory. Manage an inventory of hardware and software, either automated or manual. |
| Access control policy | User and group policy that will define access for each type of information established and assignment of permissions by profiles and groups |
| Reporting of events and communication to responsible parties | The ability to provide continuous notifications and alerts on security events to responsible personnel based on threshold definitions for the different types of alerts established. |
| Physical security in the installation of devices | Provide technical recommendations in the places where the devices are going to be installed in terms of temperature, humidity, electromagnetic interference (EMI), radiation, vibrations, gases and any other agent that may affect their correct concurrent operation and message notification capacity in authentication. |
| Reliable updates | Capability of security updates that do not impact the availability of the protected system through compatibility checks performed prior to database / component and process control system software / configuration updates. |
| Network event correlation analysis | Analysis according to built-in rules for network event correlation |
| Hardware Security Keys | U2F key system or physical security keys that add an additional layer of security for account access, protecting against targeted attacks by using cryptography to verify identity at login. The key also recognizes whether the login is to a legitimate service. These security keys can be connected to the device via USB-A, USB-C, Lightning, NFC, and Bluetooth. |
| Configuration control | Design and maintenance of configuration standards. Configuration change management. Configuration status evaluation |
| Device control | Ability to control devices automatically (CD, DVD, USB, etc.). Allow blocking or adjusting filters and extended permissions, as well as setting the permissions of a local / remote user to access the given device's hardware and software installed on it. |
| Host-based firewall | Host-based firewall and network attack blocker |
| Industrial DPI for anomaly detection | Monitoring of communications to and from the PLC and control of the commands and values of the technological process parameters, alerting the operator (via HMI integration) to malicious or suspicious changes in the technological process parameters. |
| Inspect endpoint logs | Availability of "log" files of accesses and events with the capacity to analyze the records, allowing the creation of rules to inspect them and the configuration of, for example, a heuristic analyzer for the event records. |
| SIEM integration | SIEM integration allows you to configure the settings to export the application logs to third-party event aggregation systems based on protocols such as syslog. |
| White list in discovery mode | White list; detection only mode (not locked but logged) |
| Whitelist in prevention mode | White list; prevention mode (lock) |
| Security log | Log that allows you to view the events that have been recorded by the application components and that indicate that a protected computer may be compromised |
| Separation of environments | Move to production. Security tests in different environments. Segmentation of the environments at the network level. Data disaggregated in the testing environment and in the development environment. |
| Redundancy system | Redundancy capacity of energy, communications, storage and services necessary for the operation |
| Backup system | Backup and restore system to implement backup policy |
| File integrity monitoring | File integrity monitor that allows you to monitor specified file ranges in real time and receive notifications about file operations performed on monitored files. |
| Centralized management of security policies | The ability to set different protection settings for different nodes and groups |
| Detection of use of default passwords | Default password detection when connecting to devices: you can track the use of default passwords to access or connect to certain types of devices |
| Certificate use policy | Policy that identifies Certification Authorities (CA), Registration Authorities (RA), applicants, subscribers and trusted third parties, as well as the characteristics of the certificates, such as their validity, own uses, unauthorized uses, issuance and revocation processes |
| Data Protection | Information encryption capacity at rest and in transit. Destruction of obsolete information. Protection of the backup and data recovery process. Information classification. Prevention of data leaks in an active way and without losing productivity. Inspection of multiple types of files and protocols regardless of whether the information is transmitted encrypted or not. Both visible and invisible mechanisms so that in case of information leakage, the person responsible can be identified. Authorization control for the use of external devices or file transfer repositories in the cloud. |
| Industrial network event log (forensic analysis) | Forensic tools: secure monitoring and logging of industrial network events |
| Verification of integrity of software and hardware code | Verification of the software and hardware of the device to verify that its integrity has not been compromised, comparing the current state with the reference data collected during the compatibility test |
| Verify PLC integrity | PLC integrity check |
| Network communication visualization | Communication monitoring system of network devices, identifying industrial protocols used, bandwidth use and end points on a network map with the ability to categorize by Purdue model levels |