Additional Material
Making data analysis painless
Key to any technology is having the system do what you want it to do. We have put a lot of effort into ensuring that, as well as making the data connection process to ASC as straightforward as possible, users are able to utilise the apps with minimal issues. Here are a few example.
With IAS being a web based platform, is there any risk of interception?
We use HTTPs - Hyper Text Transfer Protocol Secure, which ensures that any communication between user and the IAS is encrypted. So even if interception was to occur, the encryption of the data would keep the data secure.
What security features have been implemented around logging in to IAS?
Users can only log in to IAS via trusted external sources, such as Gmail, LinkedIn, and if they are part of an organsiation that is registered with IAS, then they can log in with their Microsoft work credentials. There is no option for users to make an account with specific IAS log in details, thus ensuring that usernames and passwords are kept only by those trusted external providers.
How does Intelligent Plant ensure that apps cannot mishandle client data?
When a user starts an app for the first time, they will go through to an authorisation page where they can select any data sources that have been made available to them by their organisation's administrator. This authorisation is to give the app permission to view the selected data sources, thus giving the user total control on what data apps can and cannot see. The user can also modify or revoke the authorisation that they have given to the app.
Additionally, organisation administrators issue permissions to users so that they can only see data that they need to see, thus reducing the risk of data being exposed unwillingly.
How do data queries work?
When a user performs a data query, ASC will query the historian and return that data back to the app store, which is then shown to the user. The important point to note here is that data does not get stored in the cloud, ASC only acts as a messenger between the user and the organisation's historian. This is what sets us apart from other organisations - you are always in control of your data.
How often do you perform penetration testing?
To ensure that any potential security vulnerabilities on IAS are identified before they can be exploited, penetration testing is performed annually. If any issues are found, we aim to resolve ASAP.
Architecture
What does a typical architecture look like for IAS use?

The above diagram illustrates a typical architecture. App Store Users (internal and external) can only access business data from the Industrial App Store through the secure App Store Connection.
There are firewall requirements:
BN Firewall
-
TCP Port 443 open to outbound traffic from computer hosting App Store Connect to https://appstore.intelligentplant.com
-
TCP Port 443 open to outbound traffic from user workstation to authentication provider - Microsoft Azure Active Directory: https://login.microsoftonline.com
App Store Connect Host Computer
-
TCP Port 443 open to outbound traffic
PIN Firewall
-
Site specific. To support access to Process Data, open TCP port 443 to inbound traffic from App Store Connect to required historians.
PCN Firewall
-
Site specific. No direct App Store Connect access required.
We are independently audited against ISO 9001 and ISO 27001 for our quality and cyber security continuous improvement processses. - SkyHigh Networks have also recently risk-assessed the App Store.
We don't store or transmit credit card data, so are not required to be PCI compliant, we have no equity or debt in the US SEC, so are not required to be SOX compliant. We believe we operate to a standard above ISO27001 and have an audit to verify that we meet this standard.
Yes. Penetration tests are performed annually - any security problems are reported and fixed as soon as possible.
Azure, Microsoft
Currently: Azure - Europe (Dublin) - may extend to other continents at a later date.
Service network is Azure hosted and not a business connected network, we allow only trusted IP addresses to connect for maintenance. The industrial app store is designed to allow data to flow without having full network access for clients and for us as well.
We do not store any login credentials in the Industrial App Store. Instead, we delegate all authentication to trusted external providers such as the Microsoft Identity Platform.
We use role-based access control (RBAC) to manage access to client data; RBAC rules are defined and stored using the App Store Connect that resides on the client's network rather than centrally on the Industrial App Store.
We use a consent-based model to grant access to client data. An app can only request data from a given source if the calling user has been granted access through RBAC rules, and also if the user has granted the app delegated permission to access a given source on their behalf.
We use a strongly-typed query API that does not allow direct execution of e.g. raw SQL queries. Drivers are designed to ensure that translation from the query API model to a driver-specific query use security features such as parameterised SQL queries.
Azure AD, 2FA is down to the domain administration as it is SSO.
It has to be - we'd also advise clients to do this as quickly as possible to prevent staff members beginning to use non-company accounts.
Domain administrators can control who can sign into the App Store via standard Azure AD configuration.
User access to data is managed through App Store Connect local configuration.
Applications can access data on behalf of a user only if the user has consented to this.
Industrial App Store:
User - can sign into Industrial App Store apps and use data sources that they have been granted permission to access
Developer - can manage registration settings for Industrial App Store apps published by their organisation
Organisation Administrator - can grant or restrict access to Industrial App Store apps to users and user groups within their organisation, and configure trust settings for their organisation
Global Administrator - as above, but can manage any organisation. This role is restricted to approved Intelligent Plant employees.
App Store Connect:
Read - can read data from an assigned data source
Write Tag Values - can write tag values to an assigned data source (if supported and enabled by the data source driver)
Write Tag Annotations - can write tag annotations to an assigned data source (if supported and enabled by the data source driver)
Configure Tags - can create/update/delete tag definitions on an assigned data source (if supported and enabled by the data source driver)
Configure Script Tags - can create/update/delete dynamic calculation tags for a data source. The query API only allows configuration via pre-installed calculation templates, and does not allow configuration of ad hoc calculations.
Administrator - can create/update/delete data source configuration. Management of data sources is only possible locally on the App Store Connect machine.
Microsoft AD provides this, along with the App Store Connect Configuration.
The system does not store any user passwords by design.
Handled by Domain Policy as Azure AD integrated.
The Industrial App Store does not store any passwords.
When configuring a data source connection on an App Store Connect, sensitive settings are encrypted locally on the machine using the Windows Data Protection API, using the Local Machine scope and driver-specific entropy to ensure that the sensitive information cannot be decrypted externally to the machine that it was encrypted on.
Credentials are protected based on the policies of the 3rd party vendors that the App Store Connect is interfacing with.
N/A
Yes. However Some apps which are meant to be non-interactive will automatically refresh a session (for instance a graphic that is displayed on a non-user PC).
Additionally, some apps may request "offline access" to data. These apps are able to refresh access tokens without user interaction (typically apps that perform continuous monitoring of data). Apps that request offline access are clearly marked when the user signs in. An app's data source permissions can be revoked at any time.
JavaScript, HTML5
Logged in Active Directory.
audit is available in app store connect log for all customer data requests - this is on the customer to review, or to organise a review.
Configuration changes on the Industrial App Store (e.g. assignment of a user to a group, changes in organisation trust settings) are recorded and visible to Organisation Administrator users for the affected organisation.
Dynamic calculation tags record metadata such as the identity of the creator, last modified, and the date and time that the calculations was created or last modified at.
Data source configuration changes on an App Store Connect fall under the purview of the organisation's own IT change management, since these must be performed locally on the App Store Connect machine.
There is a log of Applications access and Spending of credits for audit purposes.
Organisation-specific audit trails on the Industrial App Store are protected by role-based access control and can only be viewed by users who are in the Organisation Administrator role for the organisation, or are in the Global Administrator role (i.e. selected Intelligent Plant employees).
Industrial App Store logs are only available to selected Intelligent Plant employees.
App Store Connect logs reside on the App Store Connect machine and are protected by the IT access policies of the organisation.
HTTPS encryption from End-to-End
Storage at Client site - so Client managed.
Configuration changes on the Industrial App Store (e.g. assignment of a user to a group, changes in organisation trust settings) are recorded and visible to Organisation Administrator users for the affected organisation.
Dynamic calculation tags record metadata such as the identity of the creator, last modified, and the date and time that the calculations was created or last modified at.
Data source configuration changes on an App Store Connect fall under the purview of the organisation's own IT change management, since these must be performed locally on the App Store Connect machine.
HTTPS certificates are issued to appstore.intelligentplant.com and managed by Intelligent Plant
Potentially - where access to an unencrypted data source is added (eg. Modbus) at site. Encryption is always performed on all traffic between App Store Connect and the App Store.
Port 433 from App Store Connect to the App Store, Port 433 from any client to the App Store, data source specific ports from App Store Connect to client datastores.
If this is talking about the potential for the likes of SQL injection, then yes.
No.
Any malicious code in an external app would only be able to read data that it was given access to - as such these are sandboxed to prevent malicious code being able to harm the client network
We have a continuous build process with automated testing and a bug reporting mechanism where the user or person who reports the bug is able to hold it open or close it.
We utilise Azure backup and restore and test this frequently.
They are phsyicially separated as the data is stored on the client infrastructure. Data for a single customer could be produced, if that client were currently connected to the App Store and had shared that data with us.

User
User logs in to IAS and uses an app to analyse data. They choose to search a data source for the requirement.

Industrial App Store
The authorised app will be connected to the App Store Connect will be able to access the required data.

ASC creates a route for data to be fed in from.
App Store Connect

ASC creates a route for data to be fed in from.
Historian
How do I get my data on to IAS?
To begin utilising the power of IAS apps on your data, App Store Connect (ASC) will need to be installed. For detailed information about what ASC is and how to install it, watch the below videos.
We are independently audited against ISO 9001 and ISO 27001 for our quality and cyber security continuous improvement processses. - SkyHigh Networks have also recently risk-assessed the App Store.
We don't store or transmit credit card data, so are not required to be PCI compliant, we have no equity or debt in the US SEC, so are not required to be SOX compliant. We believe we operate to a standard above ISO27001 and have an audit to verify that we meet this standard.
Yes. Penetration tests are performed annually - any security problems are reported and fixed as soon as possible.
Azure, Microsoft
Currently: Azure - Europe (Dublin) - may extend to other continents at a later date.
Service network is Azure hosted and not a business connected network, we allow only trusted IP addresses to connect for maintenance. The industrial app store is designed to allow data to flow without having full network access for clients and for us as well.
We do not store any login credentials in the Industrial App Store. Instead, we delegate all authentication to trusted external providers such as the Microsoft Identity Platform.
We use role-based access control (RBAC) to manage access to client data; RBAC rules are defined and stored using the App Store Connect that resides on the client's network rather than centrally on the Industrial App Store.
We use a consent-based model to grant access to client data. An app can only request data from a given source if the calling user has been granted access through RBAC rules, and also if the user has granted the app delegated permission to access a given source on their behalf.
We use a strongly-typed query API that does not allow direct execution of e.g. raw SQL queries. Drivers are designed to ensure that translation from the query API model to a driver-specific query use security features such as parameterised SQL queries.
Azure AD, 2FA is down to the domain administration as it is SSO.
It has to be - we'd also advise clients to do this as quickly as possible to prevent staff members beginning to use non-company accounts.
Domain administrators can control who can sign into the App Store via standard Azure AD configuration.
User access to data is managed through App Store Connect local configuration.
Applications can access data on behalf of a user only if the user has consented to this.
Industrial App Store:
User - can sign into Industrial App Store apps and use data sources that they have been granted permission to access
Developer - can manage registration settings for Industrial App Store apps published by their organisation
Organisation Administrator - can grant or restrict access to Industrial App Store apps to users and user groups within their organisation, and configure trust settings for their organisation
Global Administrator - as above, but can manage any organisation. This role is restricted to approved Intelligent Plant employees.
App Store Connect:
Read - can read data from an assigned data source
Write Tag Values - can write tag values to an assigned data source (if supported and enabled by the data source driver)
Write Tag Annotations - can write tag annotations to an assigned data source (if supported and enabled by the data source driver)
Configure Tags - can create/update/delete tag definitions on an assigned data source (if supported and enabled by the data source driver)
Configure Script Tags - can create/update/delete dynamic calculation tags for a data source. The query API only allows configuration via pre-installed calculation templates, and does not allow configuration of ad hoc calculations.
Administrator - can create/update/delete data source configuration. Management of data sources is only possible locally on the App Store Connect machine.
The system does not store any user passwords by design.
Microsoft AD provides this, along with the App Store Connect Configuration.
Handled by Domain Policy as Azure AD integrated.
The Industrial App Store does not store any passwords.
When configuring a data source connection on an App Store Connect, sensitive settings are encrypted locally on the machine using the Windows Data Protection API, using the Local Machine scope and driver-specific entropy to ensure that the sensitive information cannot be decrypted externally to the machine that it was encrypted on.
Credentials are protected based on the policies of the 3rd party vendors that the App Store Connect is interfacing with.
N/A