Security issues of Domat products with Ethernet interface

Apart from the TCP and UDP port numbers listed below, some of the products may support non-IP protocols for device detection in a local network and setting of the IP address and other IP parameters. It is supposed that the products are separated from the Internet (or any other non-secure network) by an IP router which is routing TCP and UDP protocols only.

IPCB.1, IPCT.1

Industrial computer with OS Windows XP Embedded or Windows 7 Embedded. Part of the system is the Windows Firewall. By default, the following ports are used:

TCP
12345    SoftPLC Runtime – access to the process data using SoftPLC Link
80           Web panel

Usually, a program for remote control is installed, such as UltraVNC or remote Windows desktop. It is recommended to operate the process station in a separated, secure network, and protect the remote access (if used) by a VPN. Mapping of TCP ports to a public IP address for the web access is not recommended.

IPLC201, IPLC301, MXPLC

Process stations based on Beck IPC@CHIP. The PLCs do not have a firewall. By default, the following ports are used:

TCP
12345    SoftPLC Runtime – access to the process data using SoftPLC Link
80           Web server
20, 21    FTP server (for configuration and program upload)

UDP
8001      detection of MiniPLC in Platform Config

For service purposes, the PLC listens on

TCP
23           Telnet

It is recommended to operate the process station in a separated, secure network, and protect the remote access (if used) by a VPN. Mapping of TCP port 80 to a public IP address for the web access is not recommended, the web server may be attacked by bots and it was experienced that frequent connection attempts had blocked the Etherent interface. Even if the port number for web access (80) can be changed in the CHIP.INI file, it is not a protection against this type of attacks.

IPLC500, IPLC510, MXPLC with MXL board

Process stations with OS Linux. It has a firewall which is configured automatically (by a script), so if e.g. the SoftPLC Link port number (12345 by default) is changed, the firewall is reconfigured so that the new port number is available. By default, the following ports are enabled in the firewall configuration:

TCP
12345    SoftPLC Runtime – access to the process data using SoftPLC Link
22           SCP server (for program upload and file transfer)

UDP
8002      system services

Mapping of TCP port 12345 to a public IP address is a common practice, however, a more secure solution is an external router supporting VPN.

Runtime SoftPLC

Program or service running on Windows XP, 7, 8, 10. By default, the following ports are used:

TCP
12345    SoftPLC Runtime – access to the process data using SoftPLC Link

Web panel

Program or service running on Windows XP, 7, 8, 10. By default, the following ports are used:

TCP
8080      Web server – port number can be changed in the web server configuration

A HTTPS protocol can be used rather than the HTTP protocol.

UCWEB

Web interface for integrated room controllers. By default, the following ports are used:

TCP
80           Web server – port number can be changed in the web server configuration
20, 21    FTP server (for configuration and HTML files upload)
771         RealPort – only if enabled in the web interface. Direct access to the controller serial bus for service purposes.

Although the web access is protected by a password, it is recommended to protect the access from the Internet using a VPN. Changing of the web server port number is not a security measure.

UC150, UC250, UI5…, UI6…

Room units and controllers with Ethernet interface and Modbus TCP communication.

TCP
80           Web server for setup and diagnostics
502         Modbus TCP server

The web access is not protected by a password, however, it can be disabled by a DIP switch. Modbus TCP is a protocol which is unsecured by its nature. The room units and controllers are suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!

RcWare Vision

Process visualisation software (SCADA).

TCP
8990      Data access for other RcWare Vision stations or for a web server.
80           Web server for RcWare Vision (only if web access using Internet Information Server (IIS) is configured)

The web access is protected by user name an password, however, it is necessary to focus on the security setting of the IIS server. The port number (80 by default) can be changed in the IIS settings. See IIS help for details. It is advised to run the IIS on a separate server in a DMZ rather than on the SCADA computer where RcWare Vision is installed.

Merbon DB (formerly RcWare DB FB)

Database for large trend data storage for monitoring systems, e.g. RcWare Vision. The port numbers listed below may be changed in the configuration file, see Merbon DB installation manual.

TCP
9876      Port for data access (API)
11112    Web inferface for administration

The TCP 9876 port for client PLC and SCADA access is usually mapped on a public IP address at distributed systems.  To increase security, it is recommended to use e.g. a stateful firewall, and set up access limitation from whitelisted IP addresses only. The web interface for database management is protected by username and password, it is advised to allow access from the internal network only.

ECIO2

I/O module with Modbus TCP communication and Modbus TCP/RTU router functionality.

TCP
80           Web server for setup and diagnostics
502         Modbus TCP server

The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!

M020, M025, M031, M035

Ethernet to serial converters, terminal servers; interfaces M0…5 also have Modbus TCP/RTU router functionality. The devices are powered by Ethernet controller, Digi ME. All ports listed below except for TCP 443 may be enabled or disabled in the web setup, and are enabled by default!

TCP
23           Telnet server for configuration
80           Web server for configuration (protected by username and password)
443         Secured web server (https:) for configuration (can not be disabled)
502         Modbus TCP (only if the Industrial Automation profile is set)
513         rlogin (Remote Login)
514         rsh (Remote Shell)
515         LPD (Line Printer Daemon)
771         RealPort – virtual COM port for serial data tunelling over the network
1027      encrypted RealPort

UDP
161         SNMP
2362      Device detection for IP address and other parameters setting (ADDP)

These devices are suitable for demanding industrial applications. However, when configuring NAT or routing, it is advised only to map the ports which are necessary for the system functionality.

M036

A simple Modbus TCP/RTU router.

TCP
80           Web server for configuration
502         Modbus TCP
20, 21    FTP server (for configuration and upload of html files, fixed username and password)

The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!

M090

Modbus TCP/DALI converter

TCP
80           Web server for configuration
502         Modbus TCP
20, 21    FTP server (for configuration and upload of html files, fixed username and password)

The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!

HT100, HT101, HT110

User interface – HMI panels (terminals) for SoftPLC Link (HT100, HT101), and Modbus TCP (HT110). Web and FTP access may be disabled by a DIP switch for increased security.

TCP
80           Web server for configuration (IP address etc., menu, firmware)
20, 21    FTP server (for configuration and upload of html files)

In normal operation, the panels initiate outgoing connection to the SoftPLC runtimes (HT100, HT101) or to Modbus servers (HT110). Incoming connections from the Internet to the panel should not be necessary then.

mark100, mark120, mark125, mark150, IMIO…, ICIO…

Process stations (PLC) based on ARM Cortex with OS FreeRTOS. The mark… range limits the number of used services to decrease security risks.

TCP
80           Web server, if enabled. Predefined usernames and passwords for different access levels.
12346    SSCP protocol for data access, program upload, and PLC configuration, protected by configurable username and password

Port number for SSCP (default 12346) can be changed in the PLC configuration. The protocol is suitable for data transfer over the Internet. To increase security it is advised to use a router with access limitation e.g. according to client IP addresses, or to use a VPN.

mark220, mark320, markMX

Process stations (PLC) based on MPC5200 with OS Linux. The mark… range limits the number of used services to decrease security risks.

TCP
22           SSH to access Linux
80           Web server, if enabled. Predefined usernames and passwords for different access levels.
12346    SSCP protocol for data access, program upload, and PLC configuration, protected by configurable username and password

Port number for SSCP (default 12346) can be changed in the PLC configuration. The protocol is suitable for data transfer over the Internet. To increase security it is advised to use a router with access limitation e.g. according to client IP addresses, or to use a VPN.

Other links of interest:

Network security at building control systems