It is estimated that by 2025, more than 75 billion devices will be connected to the internet[1]^. This is not just computers and smartphones, but also fridges, thermostats, cars and almost any other device that can be used for monitoring something in some way. Households are an obvious use, but also in industries transportation, manufacturing, logistics and retail. Undoubtedly having devices connected to the internet is convenient and can provide useful data for analytics, scheduling, security and even shopping. But there is also a dark side of such accessibility – cyber-attacks and hacking.

ComAp’s products can be connected to the internet for remote monitoring and management using services like WebSupervisor and we ensure that our products are nowadays being built to provide our customers with high levels of security including fulfilling the ISA62443, level 2 International Security Compliance Institute Standard when necessary.
 

The remote monitoring of ComAp products allows our customers to save time, save money, and provides reliable data for making crucial business decisions. However, these advantages require our products to be connected to the internet. Security has always been a focus at ComAp, so our customers can rest assured ComAp always has and always will take the security of customers data and equipment seriously.

Some ComAp products still in use are more than 20 years old and these legacy devices were developed in years when there was very different situation regarding cyber security and the requirements for online services were different.

Therefore, when using these devices today, external cybersecurity measures must be applied to adjust these devices to the current environment. The key measure is to not expose the web and/or MODBUS interfaces directly to public networks.

More recently developed products have the latest cybersecurity needs by design and in this way, we ensure that the platform fulfills relevant security standards. Security by design means that when we begin a new product development process, we start with the question “what are the requirements for cybersecurity?” As part of this process, we have developed five essential criteria for security.
 

All new ComAp firmware is secured by encryption. This prevents any firmware from being uploaded into non-genuine or modified ComAp products. It also means that the controller will not accept any non-encrypted firmware when someone tries to upload it.
 

Communication through public networks (Ethernet, Internet, AirGate) is bidirectionally secured by a ComAp-developed ciphering[2] technology CCS[3]. ComAp’s proprietary ciphering technology is based on proven cryptographic algorithms, and it has been audited by an external security audit company, and it passed penetration tests successfully.
 

ComAp’s controllers feature brute force attack detection during the user authentication process. If an attack is detected, the control unit is gradually blocked by prolonging the time between individual attempts to sign in – similar to a mobile phone preventing a user to access the phone if the PIN is entered incorrectly too many times.
 

ComAp controllers, use authentication of unique user accounts similar to the way cyber security systems in the information technology work. All user access is logged, and any activity under a particular login is recorded. This secures tracking of all user activities in the control device but also enables highly flexible access rights management for controller administrators.
 

If an administrator loses access to the controller, a robust mechanism to retrieve the administrator access is used. This mechanism is based on a digital signature unique to the controller and requires double-factor authentication. Access can only be granted by ComAp. This prevents forgery and misuse by a non-authorized person.
 
 

We update firmware for our products for various reasons, including updating to any new security protocols, to add new features or to fix any bugs that may have been identified.
We recommend all our customers to update their controllers’ firmware to the latest version as soon as practical for their application. The software updates are available on the products’ pages on our website. Installing the new firmware is easy, and our technical support department can provide any assistance you might need.
 

All ComAp controllers have a default password. This default password should be changed immediately upon installation of the controller. Do not choose a password that is easily guessed. If you need help changing the default password, consult the product manual or contact ComAp’s technical support department.
 

We recommend to use multiple accounts and give users minimum levels of access needed to perform his/her job functions. Individual login credentials also ensure that any actions or changes made while a user is logged in can be recorded and monitored.
 

Recently there was a security issue found in the web server interfaces with certain older ComAp products. The issue has been fixed with new firmware, but it shows that it is important to ensure that the firmware in any ComAp controller is kept up to date.

The issue concerned older models of InternetBridge-NT, IB-COM, and IB-Lite. The issue was rooted in using an HTTP POST request instead of an HTTP GET request. When accessing a web page in a controller using a POST request without data, (instead of a GET request) the authentication with access code was bypassed, and the requested page was returned without a need to enter the Access Code. However, password protection for writing setpoints was not affected.

We have fixed the issue in InternetBridge-NT and IB-COM firmware. However, IB-Lite is an outdated product and we recommend replacing it with a newer controller solution (e.g. InteliLite 4 and plugin ethernet module). Your local contact representative can recommend which product is most suitable for your application.

Certain ComAp controllers include an integrated IB-COM module. We recommend updating these controllers to the latest firmware. These products include: InteliGen NTC BaseBox, InteliSys NTC BaseBox, InteliSys Gas and InteliSys GSC. The latest firmware for these controllers is available from the individual product pages on our website.

Any affected products shipped after the firmware release will include the latest firmware update automatically.

If you have any concerns or questions about your ComAp products, please contact your local ComAp representative. Their details can be found here: https://www.comap-control.com/contact-us/comap-worldwide
 
Products affected by security issue (described in the paragraph above) found in the web server interfaces, when using old firmware:

 
Links to the firmware update download, solving the security issue mentioned:

 

 

---