Frequently Asked Questions around Intelligent Plant, and the Industrial App Store
Does Intelligent Plant have an independent assessment of cyber security and quality?
We are independently audited against ISO 9001 and ISO 27001 for our quality and cyber security continuous improvement processes. SkyHigh Networks have also recently risk-assessed the App Store.
What regulations (SOX, PCI, etc.) and/or security standards (ISO 27000 series etc.) does Intelligent Plant conform to?
We don't store or transmit credit card data, so we are not required to be PCI compliant; we have no equity or debt registered with the US SEC, so we are not required to be SOX compliant. We believe we operate to a standard above ISO 27001 and have an audit to verify that we meet this standard.
How often does Intelligent Plant conduct external independent penetration tests of the service infrastructure? When was the last test performed?
Penetration tests are performed annually; any security problems are reported and fixed as soon as possible.
Who hosts the Intelligent Plant service infrastructure, or do you rely on other IaaS and/or PaaS vendors for hosting (i.e. Amazon, Force.com, Google App Engine, etc.)?
Where are your data centers located (Country/State)?
Currently: Azure, Europe (Dublin). This may extend to other continents at a later date.
How is the App Store network segregated from our company network and Intelligent Plant's company network?
The service network is Azure hosted and is not a business-connected network; we allow only trusted IP addresses to connect for maintenance. The Industrial App Store is designed to allow data to flow without clients, or Intelligent Plant, having full network access.
What are our security design principles and secure development lifecycle processes?
We do not store any login credentials in the Industrial App Store. Instead, we delegate all authentication to trusted external providers such as the Microsoft Identity Platform.
We use role-based access control (RBAC) to manage access to client data; RBAC rules are defined and stored using the App Store Connect that resides on the client's network rather than centrally on the Industrial App Store.
We use a consent-based model to grant access to client data. An app can only request data from a given source if the calling user has been granted access through RBAC rules, and also if the user has granted the app delegated permission to access a given source on their behalf.
We use a strongly-typed query API that does not allow direct execution of e.g. raw SQL queries. Drivers are designed to ensure that translation from the query API model to a driver-specific query uses security features such as parameterised SQL queries.
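The two-part access decision (an RBAC grant held on the App Store Connect plus the user's consent for the app) and the driver-side translation of a typed query into parameterised SQL, as an added illustration that is not Intelligent Plant's code. The users, app name, data source name, tag names and the sqlite table are constructed for the example; only the permission names ("Read", "Write Tag Values") are taken from the access levels listed in this FAQ.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample policy. The permission names are the App Store Connect
# access levels named in this FAQ; the users, app and data source are invented.
RBAC_RULES = {  # held locally on the App Store Connect, not centrally
    ("alice", "Historian-A"): {"Read", "Write Tag Values"},
    ("bob", "Historian-A"): {"Read"},
}
# (user, app, source): the user has delegated access to this app for this source
CONSENTS = {
    ("alice", "trend-app", "Historian-A"),
    ("bob", "trend-app", "Historian-A"),
}

@dataclass(frozen=True)
class TagValueQuery:
    """Strongly-typed query model: callers cannot submit SQL text."""
    source: str
    tag: str
    start: int
    end: int

def is_authorised(user: str, app: str, query: TagValueQuery, permission: str = "Read") -> bool:
    """Both conditions must hold: an RBAC grant for the user AND the user's consent for the app."""
    granted = RBAC_RULES.get((user, query.source), set())
    consented = (user, app, query.source) in CONSENTS
    return permission in granted and consented

def run_query(conn: sqlite3.Connection, user: str, app: str, query: TagValueQuery) -> list:
    """Driver-side translation: typed fields are bound as parameters, never spliced into SQL."""
    if not is_authorised(user, app, query):
        raise PermissionError(f"{user} via {app} is not authorised to read {query.source}")
    sql = "SELECT ts, value FROM tag_values WHERE tag = ? AND ts BETWEEN ? AND ? ORDER BY ts"
    return conn.execute(sql, (query.tag, query.start, query.end)).fetchall()

def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a historian table, populated with constructed values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_values (tag TEXT, ts INTEGER, value REAL)")
    conn.executemany("INSERT INTO tag_values VALUES (?, ?, ?)",
                     [("FIC-101", 1, 10.5), ("FIC-101", 2, 11.0), ("TIC-202", 1, 99.0)])
    conn.commit()
    return conn

if __name__ == "__main__":
    q = TagValueQuery("Historian-A", "FIC-101", 1, 2)
    print(run_query(demo_db(), "alice", "trend-app", q))  # [(1, 10.5), (2, 11.0)]
```

Because the tag name is bound as a parameter, a tag value containing quote characters is matched literally against the column and simply returns no rows, rather than altering the query.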
How is user access to the system controlled? Do we provide support for any two-factor authentication mechanisms?
Access is via Azure AD single sign-on; enforcing 2FA is down to the client's domain administration.
Can the system be integrated with corporate Active Directory?
It has to be. We would also advise clients to do this as quickly as possible, to prevent staff members from beginning to use non-company accounts.
How is user access managed and authorized?
Domain administrators can control who can sign into the App Store via standard Azure AD configuration.
User access to data is managed through App Store Connect local configuration.
Applications can access data on behalf of a user only if the user has consented to this.
What are the user access levels/user roles?
Industrial App Store:
* User - can sign into Industrial App Store apps and use data sources that they have been granted permission to access.
* Developer - can manage registration settings for Industrial App Store apps published by their organisation.
* Organisation Administrator - can grant or restrict access to Industrial App Store apps for users and user groups within their organisation, and configure trust settings for their organisation.
* Global Administrator - as above, but can manage any organisation. This role is restricted to approved Intelligent Plant employees.
App Store Connect:
* Read - can read data from an assigned data source.
* Write Tag Values - can write tag values to an assigned data source (if supported and enabled by the data source driver).
* Write Tag Annotations - can write tag annotations to an assigned data source (if supported and enabled by the data source driver).
* Configure Tags - can create/update/delete tag definitions on an assigned data source (if supported and enabled by the data source driver).
* Configure Script Tags - can create/update/delete dynamic calculation tags for a data source. The query API only allows configuration via pre-installed calculation templates, and does not allow configuration of ad hoc calculations.
* Administrator - can create/update/delete data source configuration. Management of data sources is only possible locally on the App Store Connect machine.
If the system stores users' passwords, what are the processes for initial password setup for new users? What are the procedures for password reset?
The system does not store any user passwords by design.
Does the system provide the following security reports?
* List of users and their access levels.
* List of users with long period of inactivity.
Microsoft AD provides this, along with the App Store Connect configuration.
Can the system automatically disable user accounts that haven't accessed the system for a defined period of time (e.g. 3 months)?
Handled by domain policy, as the system is Azure AD integrated.
How does the system protect user passwords and other authentication information stored in the system?
The Industrial App Store does not store any passwords.
When configuring a data source connection on an App Store Connect, sensitive settings are encrypted locally on the machine using the Windows Data Protection API, using the Local Machine scope and driver-specific entropy to ensure that the sensitive information cannot be decrypted externally to the machine that it was encrypted on.
How does the system protect passwords and other session control and authentication information during transmission over the network?
Credentials are protected according to the policies of the third-party vendors that the App Store Connect is interfacing with.
What password policies can be configured in the system (age, complexity, account lock-outs, etc.)?
Does the system enforce session inactivity timeouts (where the system automatically logs users off or terminates a user's session after a specified period of inactivity)?
Yes. However, some apps which are meant to be non-interactive will automatically refresh a session (for instance a graphic that is displayed on a non-user PC).
Additionally, some apps may request "offline access" to data. These apps are able to refresh access tokens without user interaction (typically apps that perform continuous monitoring of data). Apps that request offline access are clearly marked when the user signs in. An app's data source permissions can be revoked at any time.
How does the system log unauthorized access attempts?
Logged in Active Directory.
How can an audit log be accessed? Who has access to audit log? Is it reviewed regularly?
An audit is available in the App Store Connect log for all customer data requests; it is up to the customer to review this, or to organise a review.
How does the system maintain an audit trail of security maintenance performed (user account and access rights management, security settings configuration, encryption key management, etc.)?
Configuration changes on the Industrial App Store (e.g. assignment of a user to a group, changes in organisation trust settings) are recorded and visible to Organisation Administrator users for the affected organisation.
Dynamic calculation tags record metadata such as the identity of the creator and of the last modifier, and the date and time that the calculation was created or last modified.
Data source configuration changes on an App Store Connect fall under the purview of the organisation's own IT change management, since these must be performed locally on the App Store Connect machine.
How does the system maintain an audit trail of users' actions in the system?
There is a log of application access and spending of credits for audit purposes.
How does the system store and protect audit trails and logs to prevent unauthorized access?
Organisation-specific audit trails on the Industrial App Store are protected by role-based access control and can only be viewed by users who are in the Organisation Administrator role for the organisation, or are in the Global Administrator role (i.e. selected Intelligent Plant employees).
Industrial App Store logs are only available to selected Intelligent Plant employees.
App Store Connect logs reside on the App Store Connect machine and are protected by the IT access policies of the organisation.
How does the system protect transmitted data?
HTTPS encryption end-to-end.
How does the system protect data at rest (storage)?
Storage is at the client site, so it is client managed.
Where encryption is used, does the system use industry recognized strong encryption algorithms? Are there any proprietary cryptographic algorithms used in the system?
Yes, strong encryption is used (for passwords for data access); no proprietary encryption algorithms are used.
Where cryptographic tools are used, how does the system manage cryptographic keys?
HTTPS certificates are issued to appstore.intelligentplant.com and managed by Intelligent Plant.
Does the system use any insecure data transmitting protocols - like SMTP, FTP, telnet, etc.?
Potentially, where access to an unencrypted data source (e.g. Modbus) is added at site. Encryption is always performed on all traffic between App Store Connect and the App Store.
What ports and services are utilized by the application? Are there any uncommon/non-standard ports used?
Port 433 from App Store Connect to the App Store, port 433 from any client to the App Store, and data source specific ports from App Store Connect to client datastores.
Is user or external input treated as unsafe and appropriately validated?
If this refers to the potential for attacks such as SQL injection, then yes.
Are there any backdoors in the system providing potential ability to circumvent security controls, including authentication and audit logging? Were default passwords for all built-in accounts changed?
How is the system protected against malicious code?
Any malicious code in an external app would only be able to read data that it was given access to; as such, apps are sandboxed to prevent malicious code from harming the client network.
Please describe vulnerability/patch management process for the system (how patches are identified, tested, and installed)?
We have a continuous build process with automated testing, and a bug reporting mechanism where the person who reports the bug is able to hold it open or close it.
Please describe the backup/restore procedures.
We utilise Azure backup and restore and test this frequently.
How is data, belonging to different clients, separated (logically, physically, etc.)? In the event of a subpoena, are you able to produce data for a single customer only, without inadvertently accessing or disclosing other data?
They are physically separated, as the data is stored on the client infrastructure. Data for a single customer could be produced if that client were currently connected to the App Store and had shared that data with us.