User Manual
Connect Device - On-Premise Gateway Security
A6V11852371_en_h
● To verify the authenticity of the gateway, each Connect Device is required to
register and authenticate with Building Operator using a 32-digit unique
Activation key before it can be used for normal operation.
● Software applications that are hosted on the Connect Device are stored in
registered private containers. Access to containers is granted only via
authenticated tokens to authorized users.
● As a part of the initial setup, a login to the Connect web application is required,
where:
– The user is forced to change the default admin (administrator) password when
logging in for the first time.
– A strong password is required, with at least 8 characters including upper-case and
lower-case letters, numbers and special characters.
● As a part of the initial setup, a login to the Building Operator Discovery web
application is required, where:
– The user is forced to change the default admin (administrator) password when
logging in for the first time.
– A strong password is required, with at least 9 characters including upper-case and
lower-case letters, numbers and special characters.
– In addition to the admin user, Building Operator Discovery employs a gw user.
– Deactivating the gw user account or changing its password will lead to
misconfiguration of the Connect Device, resulting in loss of connectivity to the
Building Operator.
– The admin user can back up and/or restore any Building Operator Discovery
project.
– To set up remote access endpoints, the user is required to log in to the Connect
web application.
Network Security
Initial setup of the Connect Device at the first login will prompt the user to choose
between single or separate network mode. Understanding the two modes and
choosing the correct option for your building is an important step in mitigating cyber
risk and ensuring a secure network.
Separate network mode (Recommended) is for installations where IT and OT are
separate, independent networks. This means that the Building Automation has a
LAN network independent of the IT network. In separate network mode, the Connect
Device utilizes the built-in firewall feature, separating the IT network traffic (WAN)
from the OT network traffic (LAN) of the building automation. See figure 3. The customer
must use this option when the OT network is not protected by a customer-provided
corporate firewall, and the customer is responsible for properly configuring the firewall
to secure their network.
Fig. 3: Separate Network Mode
Single network mode is for installations with a converged IT/OT corporate
network. A converged IT/OT network means that the Building Automation network
shares the same WAN as the IT network. In this mode, the system relies on a
customer-provided corporate firewall to protect the IT/OT network. See figure 4.
Choosing this mode requires the customer to secure their network, as Single
Network mode does not utilize the Connect Device’s built-in firewall but instead
connects to the IT/OT network as a normal IT device.