Connectivity FAQ
Abstract
The questions and answers below reflect some of the most frequently asked questions related to the connectivity of the Hubgrade Wastewater Plant Performance and Hubgrade Sewer Performance modules. The questions are divided into the following 4 categories:
Security - Security related questions and concerns.
Business - Questions related to business continuity, billing and legislation.
Operation - Questions relating to daily operation and implementation.
OPC-Bridge - Questions related to the optional but recommended free implementation bridge.
Security
Q: What encryption and algorithms are used
A: All connections from users to the UI are made via HTTPS (certificate issued by Amazon RSA 2048 M03), encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256 and AES_128_GCM.
For OPC UA, an algorithm suite that uses SHA256 for the signature digest and 256-bit AES (Basic256) as the message encryption algorithm, commonly known as Basic256Sha256, is used (standard OPC UA specification, highest security level).
Q: Has the solution undergone any external third-party security testing i.e. Penetration Testing?
A: The Hubgrade Wastewater Plant Performance module undergoes periodic internal and external security tests, including scans for known vulnerabilities, tests against secure-implementation best practices, and penetration tests.
Q: Is the vendor/supplier/partner organisation certified to security standards such as ISO 27001, Cyber Essentials Plus etc.?
A: The IT infrastructure that Amazon Web Services (AWS) provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies: SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018. Source: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
Q: What measures are in place to ensure only the intended users have access and that actions made by users are logged?
A: The end-user entirely manages who has an account and the access rights of each account. Changes are logged and are visible in each function’s parameter history. Users are authenticated by username/password. OPC UA connections are authenticated by mutually trusted X.509 certificates in addition to username and password.
Q: We don’t want a connection from our PLC network to the internet, can we still use Hubgrade Wastewater Plant Performance module?
A: Yes, absolutely. By placing the OPC-bridge in a DMZ, the connections are terminated in the DMZ, so no connection exists directly between the PLC/OPC network and the Hubgrade Wastewater Plant Performance module.
Q: What is a DMZ?
A: In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls.
Q: What kind /brand of firewall should I use?
A: The function of the firewall is to keep your onsite network secure and separated from other networks, i.e. the Internet, and to allow only specific connections, for example the connection to Hubgrade. Most, if not all, firewalls can do this and will work fine with the Hubgrade Wastewater Plant Performance module.
Q: What are the security measures that are in place? / Do you comply with ZZXXYYYY?
A: We have several policies and procedures to ensure the safety of our customers and the quality of our daily workflow, including the list below:
1. “Veolia cyber security policy”, which includes:
   - Risk assessment
   - Security procedures
   - Vulnerability tracking and ongoing mitigation
   - Security review (corp IT)
2. External security review (last performed Jan 2020):
   - Architecture review
   - Penetration testing (aka black and white hat)
   - Organisational interview
3. Quality assurance ISO 9001 of processes: Development, Test, Release and Operations
4. Amazon (AWS) platform security layers and certifications: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
Q:How is the division of responsibilities between Veolia Water Tech/Hubgrade and AWS?
A: AWS calls this a Shared Responsibility Model: AWS handles the underlying infrastructure, while everything above the software layer is the responsibility of Veolia Water Tech/Hubgrade.
Q:Has Krüger implemented security measures to monitor and protect the infrastructure in AWS?
A: In order to verify the integrity of the environment we use services such as AWS Config (continuous monitoring of configuration changes against internal security policies) and AWS CloudTrail (API-level auditing of calls made by users and AWS services). Furthermore, we continuously scan the images in our repositories for known vulnerabilities. The standard for the entire environment is ‘least-privilege access’.
Q: Do we allow user access with multifactor authentication?
A: Yes, it is possible to use multifactor authentication to access our system, however it does require a separate Single Sign-On (SSO) integration such as Microsoft Azure Entra, Okta or similar.
Q: What protocol is used with SSO?
A: Either SAML or OIDC (OpenID Connect) is used for SSO.
Q: What encryption is used for SSO?
A: It depends on the implementation of the SSO, however in general the encryption is done with a public/private key pair between Hubgrade Wastewater Plant Performance and the SSO provider.
Q: What encryption is used for the database?
A: The database is encrypted at rest with AES-256 and in transit with TLS 1.3.
Q: How are the cryptographic keys managed?
A: The cryptographic keys are managed by AWS Key Management Service (KMS) and are rotated regularly.
Q: Would it be possible to have customers manage the encryption key for data at rest?
A: No, this is not possible.
Business
Q: What business continuity and disaster recovery plans/procedures are in place should there be any issues with the connection or assets hosted at the site?
A: The Hubgrade Wastewater Plant Performance module provides optimised setpoints every 2 minutes for the on-premise SCADA/PLCs to execute. In case of connection issues, the on-premise controls (PLC system) continue the operation (without optimised setpoints from the Hubgrade Wastewater Plant Performance module) until the connection is re-established.
Q: I understand the Cloud service is based on AWS. Will I receive additional costs from Amazon Web Services?
A: The usage and maintenance of the AWS cloud is included in the SaaS-fee, as well as the periodical update of the Hubgrade Wastewater Plant Performance module optimisation features and the user interface.
Q: Is Hubgrade Wastewater Plant Performance module GDPR compliant?
A: Yes, Hubgrade Wastewater Plant Performance module complies with GDPR. This is included in the “Hubgrade Wastewater Plant Performance module General Terms and Conditions of Service” document.
Q: Does Veolia Water Tech or the Hubgrade Wastewater Plant Performance module have any certifications?
A: Hubgrade is certified to ISO 9001:2015, a quality assurance of the following processes (free translation): Development, Test and release to production, Operation, Security procedures and monitoring, Project Management and business governance management.
Operation
Q: With Hubgrade, should I have a new visualisation window/monitor?
A: The user interface of the Hubgrade Wastewater Plant Performance module is accessed from a browser. This means that you don’t have to have a separate monitor, but you could have it, if it is internally required. Please note that access to the internet is required in order to reach the user interface.
Q: What will be the amount of transmitted / received data?
A: In general the data transferred is low, as only integers are transferred in a JSON context, but the exact volume depends on factors such as the number of nodes, frequency of transfers and naming conventions, so the exact bandwidth used can only be estimated roughly. Most plants will be able to run with 512kb (measured on a dedicated line), but in practice any stable internet connection is usable.
Q: What specific domains must be allowed in the firewall, in order for our users to see the Hubgrade Wastewater Plant Performance website?
A: The following domains must be allowed from the network your users will be browsing the HPP website from:
(*).cloud.kruger.dk - The main Hubgrade Wastewater Plant Performance website, along with other HPP-related services.
googletagmanager.com - A tag management system (TMS) that allows you to quickly and easily update measurement codes and related code fragments, collectively known as tags, on your website or mobile app.
gstatic.com - A domain used by Google to host static content such as images, CSS or JavaScript. The activity of the domain is safe and should not be regarded as dangerous; it improves network speed and overall bandwidth usage for users.
maps.googleapis.com - Google technology that lets you put Google Maps directly on your own site, add relevant content that is useful to your visitors, and customise the look and feel of the map to fit the style of your site.
Q: How can you ensure availability? What is the architecture of the solution?
A: Resilience and redundancy are achieved by using a platform design based on containerised services with self-healing actions (for example, a breakdown in a backend component triggers an isolated reload of the specific service, and non-responding services are restarted in a new container). Furthermore, all vital backend services are redundantly located in different availability zones (physically separated data centers), AWS redundancy…
OPC-Bridge
Q: What is an OPC-bridge?
A: The OPC Bridge is a software component that acts as a mediator between the Hubgrade Wastewater Plant Performance module and the plant’s local OPC UA infrastructure. It facilitates the exchange of data - measurements, optimized set points, watchdogs and communication validation - between the plant and Hubgrade. The bridge uses the following ports:
- TCP 52520: used for communication with the Hubgrade OPC server; must be open for outgoing traffic.
- HTTPS (TCP 443): used by the OPC Bridge to update the Hubgrade server in case of tag mapping or data errors.
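As an added example (not part of the OPC-Bridge product or its documentation), the PowerShell pre-check below verifies from the OPC-Bridge host that the two outbound ports named above are reachable, testing DNS resolution separately from the TCP connection. The host names are placeholders to be replaced with the Hubgrade OPC server and HTTPS endpoint names from your project; Resolve-DnsName and Test-NetConnection are standard cmdlets on Windows 8/Server 2012 and later.

```powershell
# Added example, not part of the OPC-Bridge product: verify from the OPC-Bridge host that the
# two outbound ports named in the FAQ are reachable. Host names are PLACEHOLDERS; take the
# Hubgrade OPC server and HTTPS endpoint names from your project documentation.
$OpcServer    = 'OPC_SERVER_HOSTNAME_PLACEHOLDER'      # Hubgrade OPC server (use the DNS name, not an IP)
$UpdateServer = 'HTTPS_ENDPOINT_HOSTNAME_PLACEHOLDER'  # endpoint the bridge updates over HTTPS

function Test-HubgradeEgress {
    param(
        [Parameter(Mandatory)][string]$OpcHostName,
        [Parameter(Mandatory)][string]$HttpsHostName
    )
    $checks = @(
        @{ Name = $OpcHostName;   Port = 52520; Purpose = 'OPC UA to Hubgrade OPC server' },
        @{ Name = $HttpsHostName; Port = 443;   Purpose = 'HTTPS updates (tag mappings, data errors)' }
    )
    foreach ($c in $checks) {
        # Check DNS separately: the service relies on the DNS name for load-balancer failover,
        # and DMZ hosts often have egress allowed but no resolver reachable.
        $ips = @()
        try {
            $ips = @(Resolve-DnsName -Name $c.Name -Type A -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        } catch { }
        $tcp = $false
        if ($ips.Count -gt 0) {
            $tcp = (Test-NetConnection -ComputerName $c.Name -Port $c.Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Target     = '{0}:{1}' -f $c.Name, $c.Port
            Dns        = ($ips.Count -gt 0)
            ResolvedTo = ($ips -join ', ')
            Tcp        = $tcp
            Purpose    = $c.Purpose
        }
    }
}

# A row with Tcp = False points at a missing outbound firewall rule (or a DNS block if Dns = False)
Test-HubgradeEgress -OpcHostName $OpcServer -HttpsHostName $UpdateServer | Format-Table -AutoSize
```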
Q: What are the hardware and software requirements for the OPC-Bridge?
A: The actual hardware requirement depends on the number of data points and their frequency, but for a minimum plant the requirement is that the server has free capacity for the Hubgrade software of at least 2 GB RAM and 10 GB disk.
We recommend that the OPC-Bridge is installed on a Microsoft Windows Server 2016 (or later). The Windows 10 operating system is fully supported as well, but due to its nature as a workstation OS, a server version is recommended.
Q: Can OPC-Bridge run on the “Windows 10 IoT Enterprise LTSC” ?
A: The OPC-Bridge is able to run on a standard Windows 10, but has not been tested on and for Windows 10 IoT. The OPC-Bridge is basically a Java JAR packed inside an .exe installation file.
Q: Can OPC-Bridge be configured to run only with an ip address?
A: In short: yes, but it has some disadvantages that it is important to be aware of. The cloud OPC service is placed behind a set of load balancers that, in case of problems with the cloud OPC service, are able to route traffic to a working instance of the service. This type of redundancy is lost if the IP address is used instead of the DNS name. During service windows and platform updates, customers that use the IP address only will experience significantly longer outages. The following IP addresses are used by our OPC service:
79.125.67.56
79.125.6.6
34.243.105.104
46.137.13.19
Q: Do we have to use the OPC-Bridge?
A: The short answer is: We strongly recommend using the OPC-Bridge.
The more detailed answer is that the customer is completely free to use whatever software fits them, as long as it is able to match the local tags to the tags in the cloud OPC server and connects with the strongest possible security (i.e. maximum encryption, using both username/password and certificates). It must also be able to import the cloud OPC-UA service’s server certificate in order to verify the identity of our server. The above might sound complicated and require a lot of work… and that’s why we made the OPC-Bridge :)
Q: Isn’t it a security risk that the software can be downloaded, tested and exploited publicly?
A: It is on our risk assessment, but it is considered a low risk. This is because we patch it regularly and the software it is based on is made by a company that specialises in OPC communications. The company is also OPC Foundation certified. The OPC Foundation SDK is tested regularly by ‘white hat hacking’.
Q: Will OPC Agents/ OPC-Bridge be able to reconfigure the SCADA system?
A: No. Only the set tag data is allowed to change, and it is a ‘virtual tag’ that is then handled by added WATCHDOG code at the PLC before being used.
Q: Does OPC Bridge store data?
A: No, it does not store any data, only configuration such as credentials, connection settings for OPC servers, tags etc.
Backup of OPC-Bridge
Q: How do I make a backup of the OPC-Bridge?
A: You can zip the whole folder; that way you have what is needed to restore the transfers and your certificates. The folder is by default located in “C:\ProgramData\KrugerOpcBridge\”. During installation it is possible to specify another name.
If you only want the most essential files (configuration and certificates), you only need to back up the file “bridgesetup.json” and the folder “PKI”.
Restore of OPC-Bridge
Q: How do I restore DATA transfers in the OPC-Bridge from the backup?
A: If you only want to restore the DATA transfers, it is enough to replace the file called “Bridgesetup.json” in “C:\ProgramData\KrugerOpcBridge”:
1. Stop the OPC-Bridge service in Windows: click the Start menu and search for “Services”.
2. Open Services and find the OPC-Bridge service in the list; it is named KrugerOpcBridge followed by a version number, e.g. “KrugerOpcBridge348”.
3. Right-click it and choose “stop service”.
4. Copy the Bridgesetup.json file from your backup and replace the existing one in “C:\ProgramData\KrugerOpcBridge”.
5. Right-click the service again and choose “start service”, and you are done.
Q: How do I restore the whole OPC-Bridge from the backup?
A: If you want to restore the whole OPC-Bridge, transfers and certificates, do the following:
1. Install the OPC-Bridge.
2. When the OPC-Bridge is installed, go to Services (just like in the previous step) and stop the service.
3. Go to “C:\ProgramData\” and remove the KrugerOpcBridge folder.
4. Place the KrugerOpcBridge folder from your backup into “C:\ProgramData\”.
5. Start the service and you are done.
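The backup and both restore procedures in this section, scripted as an added PowerShell example (not the product’s own tooling). It assumes the default folder C:\ProgramData\KrugerOpcBridge, a service whose name begins with KrugerOpcBridge, and an assumed backup location of D:\Backups\OpcBridge; because the archive contains OPC credentials and the PKI folder’s private keys, it restricts the zip to administrators.

```powershell
# Added example, not the product's own tooling: scripted version of the backup and
# restore steps described in this section. Assumes the default folder
# C:\ProgramData\KrugerOpcBridge and a service name starting with KrugerOpcBridge.
$BridgeDir  = 'C:\ProgramData\KrugerOpcBridge'
$BackupRoot = 'D:\Backups\OpcBridge'   # assumed backup location, adjust as needed

function Get-BridgeService {
    # The service name carries a version number (e.g. KrugerOpcBridge348), so match by prefix.
    $svc = @(Get-Service -Name 'KrugerOpcBridge*')
    if ($svc.Count -ne 1) { throw "Expected one KrugerOpcBridge service, found $($svc.Count)" }
    return $svc[0]
}

function Backup-OpcBridge {
    # Full backup zips the whole folder; -EssentialOnly keeps just bridgesetup.json and PKI.
    param([switch]$EssentialOnly)
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $zip = Join-Path $BackupRoot ("KrugerOpcBridge-{0:yyyyMMdd-HHmmss}.zip" -f (Get-Date))
    if ($EssentialOnly) {
        $items = @((Join-Path $BridgeDir 'bridgesetup.json'), (Join-Path $BridgeDir 'PKI'))
    } else {
        $items = @($BridgeDir)
    }
    Compress-Archive -Path $items -DestinationPath $zip
    # The archive holds OPC credentials and certificate private keys: admins and SYSTEM only.
    icacls $zip /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
    return $zip
}

function Restore-OpcBridgeTransfers {
    # Restores only the data transfers: stop service, replace bridgesetup.json, start service.
    param([Parameter(Mandatory)][string]$BackupJson)
    $svc = Get-BridgeService
    Stop-Service -Name $svc.Name -Force
    Copy-Item -Path $BackupJson -Destination (Join-Path $BridgeDir 'bridgesetup.json') -Force
    Start-Service -Name $svc.Name
}

function Restore-OpcBridgeFull {
    # After reinstalling the bridge: stop service, replace the whole folder from a full backup, start service.
    param([Parameter(Mandatory)][string]$BackupZip)
    $svc = Get-BridgeService
    Stop-Service -Name $svc.Name -Force
    Remove-Item -Path $BridgeDir -Recurse -Force
    Expand-Archive -Path $BackupZip -DestinationPath (Split-Path $BridgeDir -Parent)
    Start-Service -Name $svc.Name
}

# Example: take a full backup (run from an elevated PowerShell on the OPC-Bridge host)
Backup-OpcBridge
```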