Cyber Security Deployment Guidelines

Installation & Commissioning Security
Before connecting Ekip Connect to any network or devices, to minimize the risk of security breaches and malware, follow this security checklist:

1. Operating System

  •    Deploy on Windows 11 with latest security patches (minimum: Windows 10)
  •    Enable Secure Boot in BIOS (mandatory for Windows 11)

2. Workstation Security

  •    Restrict physical access to Ekip Connect workstations
  •    Enable full disk encryption (BitLocker or equivalent)
  •    Disable autologin; configure password-protected login
  •    Configure automatic screen lock (15 minutes recommended)
  •    Enable Windows Firewall with default-deny inbound rules

3. Software Protection

  •    Install antivirus + antimalware software
  •    Configure real-time scanning and daily full scans
  •    Enable automatic antivirus definition updates

4. User Authentication

  •    All users must authenticate via MyABB (if ABB laptop)
  •    Enforce strong passwords (minimum 8 characters, 3 character types)
  •    Enable Multi-Factor Authentication (MFA) for MyABB
  •    Disable concurrent sessions from same user account

5. Network Configuration

  •    Deploy on dedicated management network segment (separate VLAN)
  •    Configure firewall to allow only required outbound ports:
       • Port 443/TCP (HTTPS cloud connectivity)
       • Port 53/UDP (DNS)
       • Port 123/UDP (NTP)
  •    Isolate device networks from enterprise networks (firewall required)

6. Automatic Updates

  •    Enable automatic Windows updates
  •    Configure antivirus to auto-update definitions

7. Initial Verification

  •    Verify Secure Boot is active
  •    Verify Windows Firewall is enabled
  •    Verify antivirus is running and updated
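The script below is an added example, not part of ABB's documentation or of the Ekip Connect software. It runs the step 7 verification from one elevated PowerShell session and also checks the disk-encryption and screen-lock items from step 2. It assumes Microsoft Defender is the installed antivirus (other products report their status through their own tooling), that BitLocker protects the system drive, and that the 15-minute screen lock is enforced through the machine inactivity limit policy; the cmdlets and registry key are standard Windows ones, the function name and thresholds are this example's own choices.

```powershell
# Added example (not ABB's code): post-installation verification of the
# checklist items in steps 2 and 7. Run elevated on the Ekip Connect workstation.
# Assumptions: Windows 10/11, Microsoft Defender as antivirus, BitLocker on the
# OS drive, screen lock enforced via the machine inactivity limit policy.

function Test-EkipWorkstation {
    $results = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware
    try {
        $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $results['SecureBoot'] = $false
    }

    # Windows Firewall: every profile enabled and inbound default-deny
    $profiles = Get-NetFirewallProfile
    $results['FirewallEnabled']     = -not ($profiles | Where-Object { [string]$_.Enabled -ne 'True' })
    $results['InboundDefaultBlock'] = -not ($profiles | Where-Object { [string]$_.DefaultInboundAction -ne 'Block' })

    # Antivirus: real-time protection on, signatures no older than one day
    $mp = Get-MpComputerStatus
    $results['AVRealTimeProtection'] = [bool]$mp.RealTimeProtectionEnabled
    $results['AVSignaturesFresh']    = ($mp.AntivirusSignatureAge -le 1)

    # Full-disk encryption on the OS volume
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results['BitLockerOn'] = ([string]$bl.ProtectionStatus -eq 'On')

    # Screen lock: inactivity limit present and at most 15 minutes (900 seconds).
    # An absent value means no policy is enforced, which counts as a failure.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $limit = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $results['ScreenLock15min'] = ($null -ne $limit -and $limit -gt 0 -and $limit -le 900)

    return $results
}

# Print a PASS/FAIL report and exit non-zero if any item failed, so the script
# can be used as a gate before the workstation is connected to the device network.
$report = Test-EkipWorkstation
$report.GetEnumerator() | ForEach-Object {
    '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($report.Values -contains $false) { exit 1 }
```

A FAIL on any line is a reason not to connect the workstation yet; the Secure Boot check in particular cannot be fixed from software and needs the BIOS setting from step 1.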

Firewall configuration & security

Ekip Connect uses specific ports for different types of communication. Proper firewall configuration is essential for security.

Mandatory Ports (Required for Cloud Features)

Port 443/TCP (HTTPS - Cloud Connectivity)

  • ABB ELSP Digital Manager API
  • ABB Ability Platform connectivity
  • Firmware library access
  • Updates and patches download
  • Must be ENABLED for cloud features
  • ALWAYS encrypted (TLS 1.2 or higher)

Port 53/UDP (DNS - Domain Name Resolution)

  • Required to resolve ABB cloud endpoints
  • Must be ENABLED for any cloud connectivity
  • No encryption (standard DNS protocol)
  • Recommend using trusted DNS servers

Recommended Ports (Highly Recommended)

Port 123/UDP (NTP - Time Synchronization)

  • Network Time Protocol for system clock accuracy
  • Important for log timestamp accuracy and security
  • Highly recommended but not strictly mandatory
  • Enable if network configuration allows

Device Communication Ports (For Device Connections)

Port 502/TCP (Modbus TCP)

  • Device-to-Ekip Connect communication via Ethernet
  • BIDIRECTIONAL (device can connect back)
  • Unencrypted protocol (network segmentation required)
  • Only enable on device networks (not internet-facing)
  • Firewall should restrict this port to authorized devices only

Port 69/UDP (TFTP - Trivial File Transfer Protocol)

  • Firmware download and device provisioning
  • BIDIRECTIONAL communication
  • Unencrypted (use only on isolated networks)
  • Only required during firmware update operations
  • Can be disabled outside of maintenance windows
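The following rule set is an added example, not ABB's code, showing one way to express the port policy above in Windows Firewall from an elevated PowerShell session. The subnet and server addresses are placeholders from the RFC 5737 documentation range and must be replaced with your site's device VLAN, trusted DNS servers and NTP servers; the rule group name and the two helper functions are this example's own. It goes slightly beyond the text in one respect: TFTP data packets come back from an ephemeral source port on the device, not from port 69, so the inbound TFTP rule is scoped by the device subnet rather than by port.

```powershell
# Added example (not ABB's code): Windows Firewall rules for the Ekip Connect
# port policy. Run elevated. All addresses below are placeholders.
$DeviceSubnet = '192.0.2.0/24'      # placeholder: isolated device VLAN (Modbus TCP / TFTP)
$DnsServers   = @('192.0.2.53')     # placeholder: trusted DNS resolvers
$NtpServers   = @('192.0.2.123')    # placeholder: permitted NTP sources
$Group        = 'Ekip Connect'      # rule group, so the set can be listed or removed together

# Default-deny in both directions on every profile; only the rules below open anything.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# Remove rules from a previous run so the script is idempotent
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Mandatory: HTTPS to the ABB cloud endpoints (also carries Windows and antivirus updates)
New-NetFirewallRule -DisplayName 'Ekip Connect - HTTPS out' -Group $Group `
    -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow | Out-Null

# Mandatory: DNS is unencrypted, so restrict it to the trusted resolvers only
New-NetFirewallRule -DisplayName 'Ekip Connect - DNS out' -Group $Group `
    -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers -Action Allow | Out-Null

# Recommended: NTP to known time sources (log timestamp accuracy)
New-NetFirewallRule -DisplayName 'Ekip Connect - NTP out' -Group $Group `
    -Direction Outbound -Protocol UDP -RemotePort 123 -RemoteAddress $NtpServers -Action Allow | Out-Null

# Modbus TCP is bidirectional and unencrypted: both directions limited to the
# device subnet, never reachable from the enterprise network or the Internet.
New-NetFirewallRule -DisplayName 'Ekip Connect - Modbus out' -Group $Group `
    -Direction Outbound -Protocol TCP -RemotePort 502 -RemoteAddress $DeviceSubnet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Ekip Connect - Modbus in' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 502 -RemoteAddress $DeviceSubnet -Action Allow | Out-Null

# TFTP is only needed during firmware updates: rules are created disabled and
# switched on for the maintenance window only. The inbound rule is scoped by
# subnet, not port, because TFTP replies arrive from an ephemeral source port.
New-NetFirewallRule -DisplayName 'Ekip Connect - TFTP out' -Group $Group `
    -Direction Outbound -Protocol UDP -RemotePort 69 -RemoteAddress $DeviceSubnet -Action Allow -Enabled False | Out-Null
New-NetFirewallRule -DisplayName 'Ekip Connect - TFTP in' -Group $Group `
    -Direction Inbound -Protocol UDP -RemoteAddress $DeviceSubnet -Action Allow -Enabled False | Out-Null

# Helper functions for the maintenance window (example's own names)
function Enable-TftpRules  { Get-NetFirewallRule -Group $Group -DisplayName '*TFTP*' | Enable-NetFirewallRule }
function Disable-TftpRules { Get-NetFirewallRule -Group $Group -DisplayName '*TFTP*' | Disable-NetFirewallRule }

# Review the resulting rule set
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Enabled -AutoSize
```

Call Enable-TftpRules before a firmware update and Disable-TftpRules immediately after it, and keep the device subnet rules pointed only at the isolated VLAN; a rule with RemoteAddress Any on port 502 or 69 would undo the segmentation the list above requires.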

Note: during the device provisioning process into ABB Ability™ EM & AM, make sure your firewall is configured according to the active ports listed above. If communication issues are encountered, try temporarily disabling your firewall and enable it again as soon as the provisioning process is complete.