Beijer ELECTRONICS SER0072 iX Cyber Security Extension User Guide

Quick start guide
iX CyberSecurity Extension V1.1.8
SER0072 – iX CyberSecurity Extension

Function and area of use

This document provides guidelines when working with the iX CyberSecurity Extension.
The document explains the new extensions like password complexity check, password expiration, lock/unlock users, enable/disable USB port, enable/disable VNC server as well as the AuditTrail Database surveillance.

About this document

This quick start document should not be considered as a complete manual. It is an aid to be able to startup a normal application quickly and easily.
Copyright © Beijer Electronics, 2023
This documentation (below referred to as ‘the material’) is the property of Beijer Electronics. The holder or user has a non-exclusive right to use the material. The holder is not allowed to distribute the material to anyone outside his/her organization except in cases where the material is part of a system that is supplied by the holder to his/her customer. The material may only be used with products or software supplied by Beijer Electronics. Beijer Electronics assumes no responsibility for any defects in the material, or for any consequences that might arise from the use of the material. It is the responsibility of the holder to ensure that any systems, for whatever applications, which is based on or includes the material (whether in its entirety or in parts), meets the expected properties or functional requirements. Beijer Electronics has no obligation to supply the holder with updated versions.
Use the following hardware, software, drivers and utilities in order to obtain a stable application:
In this document we have used following software and hardware

• iX Developer 2.40 SP7, 2.50 ,iX Developer 2.20 SP2
• X2 series, C2 series and iX PC RT (iX Runtime)

For further information refer to

• iX Developer Reference Manual (Maxx831)
• iX Developer User´s Guide (Maxx832)
• Beijer Electronics knowledge database, HelpOnline

This document and other quick start documents can be obtained from our homepage.
Please use the address [email protected] for feedback.

The iX CyberSecurity Extension

The following chapter describes what new functionalities are implemented in this example project and how to utilize and configure it.
4.1 Password Complexity Check
Each time a user logs in, his password is checked for complexity.
The password has to contain a lower case character, an upper case character as well as a special character and a number. Additionally the minimum password length is checked.
The minimum password length is pre-configured to 8 characters but can be adjusted via the non- volatile TAG “iMinimumPasswordLength”.
4.2 Default Users and Passwords
There are two default users “Administrator” and “Super”. As both of them are belonging to at least one group that is configured hidden, these default users are hidden and not removeable.
The login of a hidden users is described later in this document – in the section “Login PopUp”
The default password for the users Administrator and Super is “123qwe.,”
New users are created with the default password, the same applies for a password reset.
Thus after reset of a password or after adding a user these users are forced to modify their password according to the password complexity rules at next login.
The default password for new (added) users can be changed inside the script of the “UsersDialog”.

4.3 Password History
The password history is preset to “6” – meaning a user isn´t allowed to use any of his previous 6 passwords when changing his password. The password depth of the implemented password history can be configured in line 75 of the scriptmodule.

4.4 Login Popup
The custom Login PopUp offers the possibility to login both normal and hidden users.
Normal users can be selected in the ComboBox whilst hidden users are not shown.
To login a hidden user one has to click on the text “Login” → the Combobox will be hidden and a normal AnalogNumeric will offer the possibility to type in the name of the hidden user.
To switch back to normal mode simply click on “Login” again.

At first time login and after a password reset users will be forced to change the password.

After a wrong login attempt the user will be hinted how much tries are left and how long a user will be will be locked out. The TAG “iLimitOfWrongInputs“ is preset to 3 and the TAG “iLockoutMinutes” is preset to 10, both TAGs are non-volatile and can be adjusted in the “Settings” screen.

By selecting “Extend Session” each user can decide to extend his “Session time” resulting in a later timeout after xxx minutes inactivity.

The button “Edit users” is only operable for Administrators or members of the Super group.
It will lead to the “UsersDialog” described later in this document.
4.5 ChangePassword
The change password dialog is shown after the first login of a user or after a password reset.
It can also be opened on the “HomeScreen”.

4.6 UsersDialog – add/modify Users
Via the “UsersDialog” new users can be added and existing users can be modified. High level users like Administrators or Super user can modify the groups a user is belonging to as well as decide whether the users password should expire or not. Selecting “Unlimited Login Attempts” disables that a user is locked when the “iLimitOfWrongInputs“ count is exceeded.
The non-volatile TAG “PwdExpireDays” is preset to 30 days but can be adjusted in the “Settings” screen

A new user is always added with the default password. When the password of an existing user is reset the default password is assign too.

4.7 Settings screen
This screen should only be accessible for Administrators/Super users.
On that screen one can lock/unlock users, enable/disable the USB port, enable/disable the VNC server as well as backup/restore the actual user/security settings from/to USB.
Furthermore a couple of default settings can be adjusted.
All parameters are non-volatile thus saved in an own SQLite database.

“Backup Users to USB” saves the internal User Setting File to USB – provided that USB is enabled and a USB stick plugged/replugged after enabling. The User Setting File contains all the user specific settings including UserGroups and encrypted Password. “Restore Users from USB” restores the User Setting File from USB – provided that USB is enabled and a USB stick plugged/replugged after enabling. The existing User Setting File is overwritten and both Passwords and UserGroup assignments are restored from that file.
The settings on “Settings Screen”:

Users
Lockout Minutes| 5-240| See chapter 4.3 Login Popup
Limit Of Wrong Inputs| 3-10| See chapter 4.3 Login Popup
Maximum Password Length| 8-12| See chapter 4.1 Password Complexity Check
AuditTrailStorage Days| 90-180| See chapter 4.10 AuditTrail Surveillance
User Login Session| 5-2880| Logout users after XXXX minutes of inactivity.

4.8 HomeScreen
Via the “HomeScreen” users can be logged in and out, the user password can be changed and DateTime can be adjusted. The “AuditLog” and the “Settings” Screen can be called and (for test-purposes only) a test user “ksr” can be logged in and the current user can be removed. Button “Remove Current User”: Pre- configured users can never be removed at Runtime!

4.9 Enable/Disable USB port
The USB port can be enabled or disabled via the “Settings” Screen.
The actual state is shown on top of each screen – a green LED indicates the USB being enabled.

The functionality to enable/disable the USB port is implemented via a DLL “iX_MassStorage.dll” that is added in the Referenced Assemblies of the project. (see section Referenced Assemblies of that document).

As the DLL accesses the registry each change of the USB port state needs the USB stick to be unplugged (if plugged when disabling) or unplug/plug (if plugged when enabling).

4.10 Enable/Disable VNC Server
The VNC server can be enabled or disabled via the “Settings” Screen.
The actual state is shown on top of each screen – a green LED indicates the VNC server being enabled. If a VNC client is connected the small PopUp on the top left is shown.

4.11 AuditTrail Surveillance
In the AuditTrail settings as well as in the TAGs editor one can adjust what user actions should be logged to the AuditTrail Database. The preset AuditTrail settings are Logging strategy “FDA” and Database size of 5MB. This creates a buffer of ~80.000 entries (depending on what is logged). Inside the script module “SCM_CyberSecurity” an Audit Buffer Timer is implemented checking the AuditTrail Database every 10 minutes. The cyclic check deletes entries older than the value of the nonvolatile TAG “iAuditTrailStorageDays”. The TAG “iAudit Trail Storage Days” is preset to 90 days but can be adjusted in the “Settings” screen.  The “AuditTrail” screen can be reached via the “HomeScreen”.

Built-In Auditlog texts:

loged out automatically – this entry logs the new min setting
Edit Users| XXX1) removed| User XXX1) was removed from the system
Security User Action| XXX1) locked by YYY2)| User XXX1) was locked by the current user
Security User Action| XXX1) failed login attempt| Wrong password for user XXX1) entered
Security User Action| XXX1) locked – too much failed attempts| When a user has tried to login too many times with wrong password he is locked out for an adjustable time
Message| Description| Additional Information
---|---|---
Security USB Stick| USB Stick Enabled| USB stick was enabled by the current user
SecurityUSBStick| USB Stick Disabled| USB stick was disabled by the current user
Security USB Stick| USB Stick Disabled due to logout| USB stick was disabled automatically on user logout
VNC Service| XXX1) activated VNC| The current user activated the VNC Server
VNC Service| XXX1) terminated VNC| The current user terminated the VNC Server
VNC Service| VNC terminated due to logout| The VNC Server was terminated automatically on user logout

1. XXX = The selected user from list
2. YYY = The current user

4.12 Scriptmodule SCM_CyberSecurity
This script module contains most of the CyberSecurity functionalities.
The most important methods are:
public bool Check Password Complexity(string sPWD, bool bShowMessage)
public bool Check User Name(string s User name, bool bShow Message)
public int Get Expiration Enabled(string sUser)
private void Set Expiration Enabled(string user, int iVal)
private void CheckPasswordExpiration()
public bool AddNewUser(string sUser, string sPWD, List lGrps, int Enable Expiration)
public bool EditUserGroups(string sUser, List lGrps, int Enable Expiration)
public bool Remove_User(string sUser, bool bLogout)
public bool ChangeUserPWD(string oldPWD, string newPWD, string confirmPWD)
private void ReadiXUserData()
private void ReadiXUserDataFromXML(){
public string GetUserGroups(string userName)
public List ReadLockedUnlockedUsers()
public bool Login User(string sUser, string sPwd)
private bool WriteUserData(string sUser, bool bIncrementWrongInputs)
private bool GetUserData(string sUser, out DateTime LastWrongTry, out int NoOfWrongInputs)
private bool TryChangeUserPWD(string sUser, string oldPWD)
private bool TryChangeUserPWD(string sUser, string oldPWD)
public void BackupSecuritySettings()
public void RestoreSecuritySettings()
private void DeleteOldAuditEntries()
public void enableUSBStick(bool enable, bool logoutSilent)
private void ReadSystemSettings()
public void VncServer_Start ()
public void VncServer_Stop (bool bLogout)
4.13 Referenced Assemblies
There are two DLLs added to the example project:
– “iX_MassStorage.dll”: needed for enabling/disabling the USB port
– “OpenNETCF.Net.dll”: needed to check whether a VNC client is active.

Adding CyberSecurity Functionality

The following chapter describes how to import and integrate the different parts of the
CyberSecurity extension into an existing project.
The implementation of the various additional CyberSecurity features consist of different parts:
– Microsoft TextBox control
– Additional TAGs
– Script module “SCM_CyberSecurity”
– Screens
– Referenced Assemblies/DLLs
If you intend to have the Audit Trail logging running you have to insert this module via “Insert” menu → “Audit Trail”

5.1 Add the TextBox Control in iX Developer
The TextBox control (of Microsoft .NET Framework – Namespace System.Windows.Forms)
needs to be added to the iX ToolBox of iX Developer. Follow these steps:

1. Open the unpacked project.
2. Open the “Objects” menu and select “Add Control”.
3. Browse the TextBox control and tick the checkbox, OK.

The TextBox control is utilized in the “Login” and “Change Passwords” PopUps to display *** instead of readable characters.
5.2 Import CyberSecurity TAGs**
Follow the steps to add the TAGs used in the CyberSecurity extension to your project:

1. Unpack the enclosed example ZIP-file to a temporary folder.
2. Start iX Developer and open your project.
3. Navigate to the “Tags” editor → Tab “Tags” and select “Import” →”Import complete taglist”
4. Choose “Excel file” as Import module, navigate to the temporary folder, where you unpacked the ZIP-file and select “CyberSecurity_Tags.xls” → “Import”
5. Select “All Items” → “OK”

5.3 Import SystemTags
Follow the steps to add the SystemTags used in the CyberSecurity extension to your project:

1. Start iX Developer and open your project.
2. Navigate to the “Tags” editor → Tab “Tags” and select “Add” → “Add System Tag”
3. Add the SystemTags “Minute” and “Current User” to your project.

5.4 Import the project parts
Follow the steps to add the enclosed screens and the script module to your iX project:

1. Unpack the enclosed example ZIP-file to a temporary folder.
2. Start iX Developer and open your project.
3. In the Project Explorer, right-click in the lower left corner (1. in the picture)
4. In the list, select Import… (2. in the picture)
5. Navigate to the temporary folder, where you unpacked the ZIP-file and select SCM_CyberSecurity.neo, click [Open].
6. Settings.neoxaml, click [Open].
7. UsersDialog.neoxaml, click [Open].
8. PopUp_ChangePassword.neoxaml, click [Open].
9. Login_Popup.neoxaml, click [Open].
10. HomeScreen.neoxaml, click [Open].
11. Extend_Session_PopUp.neoxaml, click [Open].
12. backgroundScreen.neoxaml, click [Open].
13. AuditLog.neoxaml, click [Open].
14. Answer Yes to the following questions.

Tip:
The Import supports multi-selection utilizing the “CTRL” button when selecting files – thus you can import all project parts in one step.
If you have imported the “Background Screen” it has to be re-assigned to the screens where you want to use it. (“HomeScreen”, “Settings”, “AuditLog”)
When importing project parts to iX 2.20 SP2 you have to confirm all version hints with “Yes”.

5.5 Add the Referenced Assemblies to the project
Follow the steps to add the Referenced Assemblies to your iX project:

1. Unpack the enclosed example ZIP-file to a temporary folder.
2. Start iX Developer and open your project.
3. Navigate to the “Project” menu → “Referenced Assemblies” Navigate to the temporary folder, where you unpacked the ZIP-file and select “Add” “iX_MassStorage.dll”, click [Open].
4. “Add” “OpenNETCF.Net.dll”, click [Open].
5. → “OK”

5.6 Compatibility to iX 2.20 SP2
To cover the changes that have taken place from iX 2.2.0 SP2 until iX 2.40 SP7 and reach code compatibility, preprocessor commands are used in different project parts.
When you imported the project parts to iX 2.20.SP2 you typically get errors like that:

This is because some Namespaces have been changed and/or enhanced with additional methods, properties or methods/overloads.
The definition of the preprocessor commands is always located before the namespace.

You will find these preprocessor commands in line 28 of the following project parts
– Scriptmodule SCM_CyberSecurity
– Script of Screen “UsersDialog”
– Script of Screen “PopUp_ChangePassword”
– Script of Screen “Extend_Session_PopUp”
To switch to the iX 2.20 SP2 code one simply has to remove the comment // in front of the line “#define …” in line 28 of the above project parts.

5.7 Activating CATSecurity
To cover the special network security implemented via the so called CATControls another preprocessor command is inserted in two scripts. This is a special setting for one customer and it obviously makes no sense to activate it without having the CATControls installed.
The definition of the preprocessor commands is always located before the namespace.

You will find these preprocessor commands in line 29 of the following project parts
– Scriptmodule SCM_CyberSecurity
– Script of Screen “PopUp_ChangePassword”
To activate CATSecurity code one simply has to remove the comment // in front of the line “#define …” in line 29 of the above project parts.

Security Configuration

This chapter explains where and how to define normal and special user groups both in the Security Editor and inside script parts.
6.1 Security Groups
In the Security Editor → Tab “Groups” you define your Security Groups and whether users of a groups should be invisible at Runtime.
Invisible users password never expires (but for sure can be changed).

6.1.1 Important Information when using other group names
If you use other user group names than the group names used in the imported screens you need to uncheck the old ones from the buttons that comes with the imported screens. See example below.
Otherwise those security groups (that are configured in any button) will be added automatically after rebuild (even if they first were deleted or renamed from the Security menu).

6.1.2 Disable lock/unlock for specific security groups
Inside the scriptmodule “SCM_CyberSecurity” you can define 3 security groups whose members should not be lockable/unlockable in the “Settings” screen.
Set the groupname to something unusual for groups that are not used – e.g.: string sGroup3 = “XXXXXXXXXX”;
A groupname must not be “” or string.Empty !!

6.2 Security Users
In the Security Editor → Tab “Users” you define your Security User and to what groups they should belong to. To build up a hierarchy, include the highest user in all groups, the next level user in all groups but the highest and so on.

The default password for the users in this example project is “123qwe.,”
But you can choose any passwords you want – we suggest to use a password that doesn´t fullfil the password complexity rules in order to force a user to change his password at first login.
The default password for new (added) users can be changed inside the script of the “UsersDialog” PopUp. (see chapter 4.2)

About Beijer Electronics

Beijer Electronics is a multinational, cross-industry innovator that connects people and technologies to optimize processes for business-critical applications. Our offer includes operator communication, automation solutions, igitalization and support. As experts in user-friendly software, hardware and services for the Industrial Internet of Things, we empower you to meet your challenges through leading-edge solutions.
Beijer Electronics is an Ependion company. Ependion (formerly Beijer Group) is listed on the NASDAQ OMX Nordic Stockholm Mid Cap list under the ticker EPEN. www.ependion.com
7.1 Contact us
Global offices and distributors

References

• Contact us - Beijer Electronics
• Help online - tree view - Beijer Electronics

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>