Cyber Security Deployement Guidelines

Installation & Commissioning Security
Before connecting Ekip Connect to any network or devices, to minimize the risk of security breaches and malware, follow this security checklist:

1. Operating System

  • Deploy on Windows 11 with latest security patches (minimum: Windows 10, end of official support Jan 2027)

    Threat Mitigated: Known OS vulnerabilities, unpatched security exploits, and system-level privilege escalation attacks.

  • Enable Secure Boot in BIOS (mandatory for Windows 11)

    Threat Mitigated: Bootkit attacks, unauthorized boot-level code execution, and tampering with the boot process

2. Workstation Security

  • Restrict physical access to Ekip Connect workstations

    Threat Mitigated: Physical tampering, unauthorized device access, and direct hardware manipulation.

  • Enable full disk encryption (BitLocker or equivalent)

    Threat Mitigated: Data exfiltration if the workstation is stolen or physically compromised; unauthorized access to sensitive stored data.

  • Disable autologin; configure password-protected login

    Threat Mitigated: Unauthorized access by threat actors with physical access or who gain access to an unlocked workstation.

  • Configure automatic screen lock (15 minutes recommended)

    Threat Mitigated: Unauthorized access to the EkipConnect application and connected systems during user absence

  • Enable Windows Firewall with default-deny inbound rules

    Threat Mitigated: Unauthorized network access, unsolicited inbound traffic, and malware command-and-control communication.

3. Software Protection

  • Install antivirus + antimalware software

    Threat Mitigated: Malware infection, trojan execution, and malicious code running on the workstation.

  • Configure real-time scanning and daily full scans.

    Threat Mitigated: Real-time detection and prevention of malware execution; identification of dormant or recently introduced threats.

  • Enable automatic antivirus definition updates

    Threat Mitigated: Evasion of antivirus detection by new or recently discovered malware variants.

4. User Authentication

  • All users must authenticate via MyABB (if ABB laptop)

    Threat Mitigated: Unauthorized access to EkipConnect by unauthenticated or impersonated users.

  • Enforce strong passwords (minimum 8 characters, 3 character types)

    Threat Mitigated: Brute force attacks, dictionary attacks, and password guessing by threat actors.

  • Enable Multi-Factor Authentication (MFA) for MyABB

    Threat Mitigated: Account takeover and unauthorized access even if user credentials are compromised or stolen

  • Disable concurrent sessions from same user account

    Threat Mitigated: Unauthorized access using stolen or compromised credentials on a different workstation or device.

5. Network Configuration

  •  Deploy on dedicated management network segment (separate VLAN)

    Threat Mitigated: Lateral movement by attackers from compromised enterprise systems; unauthorized access to critical management functions.

  • Configure firewall to allow only required outbound ports:

      • Port 443/TCP (HTTPS cloud connectivity)

      • Port 53/UDP (DNS)

      • Port 123/UDP (NTP)

    Threat Mitigated: Unauthorized outbound communication, malware command-and-control callbacks, and data exfiltration to attacker infrastructure.

  • Isolate device networks from enterprise networks (firewall required)

    Threat Mitigated: Lateral movement between enterprise and critical device networks; unauthorized access to safety-critical devices.

6. Automatic Updates

  • Enable automatic Windows updates

    Threat Mitigated: Known OS vulnerabilities and system-level security patches are deployed in a timely manner.

  • Configure antivirus to auto-update definitions

    Threat Mitigated: Detection evasion by new malware variants and zero-day malware threats.

7. Initial Verification

  • Verify Secure Boot is active
  • Verify Windows Firewall is enabled
  •  Verify antivirus is running and updated

    Threat Mitigated: Configuration errors, missed security controls, and incomplete deployment of mandatory security baselines.

     

Firewall configuration & security

Ekip Connect uses specific ports for different types of communication. Proper firewall configuration is essential for security.

 

Mandatory Ports (Required for Cloud Features)

Port 443/TCP (HTTPS - Cloud Connectivity)

  • ABB ELSP Digital Manager API
  • ABB Ability Platform connectivity
  • Firmware library access
  • Updates and patches download
  • Must be ENABLED for cloud features
  • ALWAYS encrypted (TLS 1.2 or higher)

    Threat Mitigated: Man-in-the-middle (MITM) attacks on cloud communication (mitigated by TLS encryption); Unauthorized access to cloud APIs and firmware libraries; Interception of firmware updates and security patches

Port 53/UDP (DNS - Domain Name Resolution)

  • Required to resolve ABB cloud endpoints
  • Must be ENABLED for any cloud connectivity
  • No encryption (standard DNS protocol)
  • Recommend using trusted DNS servers

    Threat Mitigated: DNS spoofing attacks that redirect EkipConnect to malicious cloud endpoints; DNS cache poisoning; Unauthorized redirection of cloud connectivity

     

Recommended Ports (Highly Recommended)

Port 123/UDP (NTP - Time Synchronization)

  • Network Time Protocol for system clock accuracy
  • Important for log timestamp accuracy and security
  • Highly recommended but not strictly mandatory
  • Enable if network configuration allows

    Threat Mitigated: Log timestamp tampering and manipulation; Clock skew attacks that invalidate time-based security controls; Inaccurate audit trail and incident reconstruction

     

Device Communication Ports (For Device Connections)

Port 502/TCP (Modbus TCP)

  • Device-to-Ekip Connect communication via Ethernet
  • BIDIRECTIONAL (device can connect back)
  • Unencrypted protocol (network segmentation required)
  • Only enable on device networks (not internet-facing)
  • Firewall should restrict this port to authorized devices only

    Threat Mitigated: Unauthorized device communication and parameter manipulation; Rogue devices connecting to the management interface; Eavesdropping on unencrypted device traffic (mitigated by network segmentation); Denial-of-service attacks from unauthorized network segments

Port 69/UDP (TFTP - Trivial File Transfer Protocol)

  • Firmware download and device provisioning
  • BIDIRECTIONAL communication
  • Unencrypted (use only on isolated networks)
  • Only required during firmware update operations
  • Can be disabled outside of maintenance windows

    Threat Mitigated: Unauthorized firmware download and deployment; Malicious firmware injection via TFTP Man-in-the-middle attacks on firmware transfer (mitigated by network isolation); Unauthorized device provisioning; Eavesdropping on unencrypted firmware transfers

 

Note: while device Provisioning process into ABB Ability™ EM & AM, be sure your firewall is properly configured, according to active ports reported above. If communication issues are encountered, try to temporarily disable your firewall, enabling it again at the end of Provisioning process.

 

For more details on the Modbus security deployment guidelines and safety information, please click here.