
In this second blog article in the series, I'll share with you additional practical steps that you can take to keep your automated monitoring platform secure. If you missed my first article about PakBus encryption or want to review it again, please read How to Keep Your Data Safe with PakBus® Encryption: Part 1.
Secure Your Programs and Connections
Every access point matters. To secure your system:
- Lock down all unused interfaces, including ports, terminal access, Telnet, PakBus, FTP, and HTTP.
- Encrypt or protect data logger programs to prevent unauthorized changes.
Lock Down the Terminal Menu
The terminal menu offers deep system access, so lock it down by completing the following steps:
- Set all three security codes (see the previous article).
- Enable PakBus security.
  - Use the Device Configuration Utility (DevConfig) to set or change the PakBus Encryption Key on the automated monitoring platform. On models with a UID, encryption may already be enabled. If so, the default key is the UID.
  - Ensure the same key is configured in your communications software (e.g., LoggerNet).
  - (Optional) On supported models/firmware versions, you may specify the key programmatically or via CRBasic using an instruction or setting. Check your model’s manual.
  - After enabling the encryption, unencrypted PakBus commands will be rejected unless explicitly exempted via EncryptExempt() in CRBasic.
- Disable or tightly control Telnet access.
Control Telnet Access
Unchecked Telnet can expose vulnerabilities.
- Disable Telnet if you don’t need it.
- If required, allow access only from trusted networks.
- Enforce three-level security protections.
How to Disable Telnet
- Open DevConfig and connect to your automated monitoring platform.
- Navigate to Deployment → Network Services (or equivalent) in the configuration tool.
- Locate the service for Telnet (might be labeled “Telnet Enabled”) and uncheck (disable) it.
- Click Apply (or Save/Send) to send the updated settings to the data logger.
If Telnet Is Required
- Restrict Telnet access by filtering IP addresses.
  - In DevConfig (or your network settings), locate the IP filtering section (for example, “IP Broadcast Filtered” or “IP Filter”) and configure it to allow only trusted IP addresses or address ranges (for example 192.168.1.0/24) or use network firewall rules external to the data logger.
  - Apply and send the settings to the data logger.
- Ensure the three-level security codes are configured on the data logger so that communications (including Telnet) are subject to credential checks.
- Where supported, consider using a more secure remote shell protocol (such as SSH) instead of Telnet. Check your data logger’s OS documentation for support.
Secure BMP and PakBus/TCP Connections
When using BMP or PakBus over TCP/IP:
- Enable all available PakBus-related security features (as described above).
- Restrict IP access to trusted hosts.
  - Using DevConfig or the Settings Editor, navigate to the Network Services/Trusted Hosts/IP Filtering section. (Exact menu labels depend on your automated monitoring platform model.)
  - Choose the option to allow only specified addresses (or equivalent) if available.
  - Add the IP addresses or ranges of your trusted systems (e.g., your LoggerNet servers, authorized access points). Be mindful of wild-card support or restrictions. (Some models allow only a limited number of entries.)
  - Apply and send the updated configuration to the data logger.
  - For added security, ensure that unspecified/unknown IP addresses are blocked or filtered (either via the data logger settings or via external network/firewall rules).
- For PakBus/TCP router mode:
  - If your data logger is acting as a PakBus/TCP router (or is connected via a PakBus/TCP client configuration, such as using the cloud-based Konect PB Router), apply network restrictions.
  - Use external firewall or network gateway rules to restrict access to the PakBus/TCP communications port(s).
  - If your network allows it, limit the TCP port(s) used so only those required are open.
  - Ensure that the data logger’s internal security settings (security codes, PakBus addresses, encryption keys) are correctly configured so only authorized sessions succeed.
- Always consult your specific data logger’s manual for supported filtering and routing options because features and menu names may vary.
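Because some models accept only a limited number of trusted-host entries, it helps to collapse the list into the fewest CIDR ranges before typing it into DevConfig. The following is an added example, not Campbell Scientific code; the function names, the entry limit, the /16 breadth threshold, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def build_trusted_list(entries, max_entries, min_prefix=16):
    """Collapse trusted IPv4 hosts/ranges into the fewest CIDR entries.

    max_entries and min_prefix are assumptions for this sketch: take the
    real entry limit from your logger's manual.
    Returns (collapsed_networks, problems).
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    collapsed = list(ipaddress.collapse_addresses(nets))
    problems = []
    for net in collapsed:
        # A very short prefix (0.0.0.0/0 at the extreme) defeats the filter.
        if net.prefixlen < min_prefix:
            problems.append(f"{net} is broader than /{min_prefix}")
    if len(collapsed) > max_entries:
        problems.append(
            f"{len(collapsed)} entries needed, device accepts {max_entries}")
    return collapsed, problems

def is_allowed(source_ip, trusted):
    """Default deny: a source passes only if a trusted range contains it."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in trusted)

if __name__ == "__main__":
    # Constructed sample: four LoggerNet servers plus one office LAN.
    sample = ["10.20.0.4", "10.20.0.5", "10.20.0.6", "10.20.0.7",
              "192.168.1.0/24"]
    trusted, problems = build_trusted_list(sample, max_entries=4)
    print([str(n) for n in trusted], problems)
    for src in ("10.20.0.6", "10.20.0.8", "192.168.1.200"):
        print(src, "allowed" if is_allowed(src, trusted) else "blocked")
```
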
Make FTP Transfers Safe
Mismanaging FTP creates common risks. To mitigate these:
- Disable FTP if not needed.
- If enabled, limit it to secure internal networks.
- Always require usernames and passwords.
- Use FTPS (secure FTP) for encrypted transfers.
How to Disable FTP
- Open DevConfig or the equivalent settings tool for your automated monitoring platform.
- Navigate to the tab where network services are configured (often Deployment → Network Services).
- Locate the FTP service (or “FTP Server” option) and uncheck or disable it.
- Apply the updated settings to the automated monitoring platform.
If FTP Is Required
Note: This is not recommended unless necessary.
- Enable authentication/restrict access.
  - In DevConfig, locate the FTP settings section (if available) and enable authentication (so that login credentials are required).
  - Apply the settings.
- Create and manage user accounts.
  - If your model supports user accounts for FTP access, define strong usernames and passwords for each account. Note: Consult your specific model’s manual.
- Restrict access to trusted networks.
  - In DevConfig or your network settings, configure IP address filtering/firewall rules so that FTP access is allowed only from trusted networks.
  - Avoid exposing FTP services directly to the public internet.
- Use a secure alternative (FTPS/SFTP) instead of plain FTP.
  - When supported by your automated monitoring platform model and OS version, configure uploads/transfers using FTPS (FTP over TLS) or SFTP (SSH-based).
  - Disable or avoid using plain FTP if possible. Use a compatible client (such as FileZilla or WinSCP) and ensure the certificate or key-based authentication is configured properly.
  - Apply and test the settings.
Protect Web and HTTP Access
If your device provides web services:
- Turn off the HTTP server unless required.
- Restrict access to trusted IP ranges.
- Manage accounts with .csipasswd.
- Use HTTPS for encrypted web traffic.
How to Disable the HTTP Server
- Open DevConfig or Settings Editor for your automated monitoring platform.
- Navigate to the network/web server settings (for example Settings → General or Network Services/Deployment → Web Server) depending on your model.
- Locate the setting for HTTP Enabled (or equivalent) and set it to 0/Disabled (or uncheck Enable HTTP Server if your UI uses that wording).
- Apply the settings to the data logger.
If Web Access Is Required
- Restrict IP access.
  - Use IP filtering or firewall rules to allow web access only from trusted IP ranges (your internal network) and block public internet access.
- Configure user accounts.
  - In DevConfig (or the Account Manager section of the Web Server settings), define user accounts, passwords, and access levels. The automated monitoring platform supports a .csipasswd file for HTTP/Web API user credentials.
  - Create strong credentials (e.g., webadmin: AdminPass789, viewer: ReadOnlyPass321).
  - Apply the changes to the data logger.
- Enable HTTPS (secure web server).
  - If your model supports HTTPS, find the HTTPS Enabled (or similar) setting and enable it. There may be settings for HTTPSPort.
  - If required by your firmware/model, configure or load an SSL certificate for encrypted traffic.
  - Disable or avoid using the plain HTTP service. Set HTTP Enabled to 0.
  - Access the web interface using https://[logger-IP-address]:[port].
- Change the default ports. (This step is optional but recommended.)
  - For improved security, consider changing the default HTTP/HTTPS ports from 80/443 to a non-standard port (if your model allows).
  - Document the port changes for authorized users and update the firewall rules accordingly.
Note: Menu names, features, and availability may vary depending on your automated monitoring platform model and firmware version. Always consult the specific manual for your model.
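After applying the Telnet, FTP, and HTTP settings described above, confirm from a management host that the logger's exposed services match what you intended. The following is an added example, not part of the original article or any Campbell Scientific tool; the policy table uses the standard ports for each service, and the address 192.0.2.10 and the simulated probe are constructed for illustration.

```python
import socket

# Assumed policy: services the article says to disable should be closed,
# and HTTPS should answer if web access is required. Edit the ports to
# match any non-default ports configured on your own logger.
POLICY = {
    21: ("FTP", "closed"),
    23: ("Telnet", "closed"),
    80: ("HTTP", "closed"),
    443: ("HTTPS", "open"),
}

def tcp_open(host, port, timeout=2.0):
    """Return True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable, or timed out
        return False

def audit(host, policy=POLICY, probe=tcp_open):
    """Return (port, service, expected, observed) for each policy mismatch."""
    findings = []
    for port, (name, expected) in sorted(policy.items()):
        observed = "open" if probe(host, port) else "closed"
        if observed != expected:
            findings.append((port, name, expected, observed))
    return findings

if __name__ == "__main__":
    # Constructed scenario: Telnet was left enabled on the logger.
    # Omit probe= to test a real device that you administer.
    simulated_open = {23, 443}
    results = audit("192.0.2.10", probe=lambda h, p: p in simulated_open)
    for port, name, expected, observed in results:
        print(f"{name} (tcp/{port}): expected {expected}, found {observed}")
    print("PASS" if not results else "FAIL")
```

Run the check from both a trusted host and an untrusted network segment: the second run should report every port as closed if IP filtering is working.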
Conclusion
I hope you found this information helpful. No single step can eliminate every security risk, but combining multiple safeguards—from physical protections to encrypted communications—creates a layered defense that makes your system much more resilient. By securing your Campbell Scientific automated monitoring platform, you're not only protecting your data but also strengthening the entire monitoring network.
Remember to look for the next blog article in the series for more information.
Do you need help setting this up? Please reach out to our application engineers or sales engineers, as we are happy to help you.
About the Author

Shaurya Rastogi is a Technical Specialist at Campbell Scientific India, with more than a decade of expertise in infrastructure and geotechnical instrumentation, as well as data-acquisition systems. His core strengths include system integration, CRBasic programming, and the secure deployment of data loggers for diverse applications spanning hydrology, meteorology, and infrastructure monitoring.