Installation & Commissioning Security
Before connecting Ekip Connect to any network or devices, to minimize the risk of security breaches and malware, follow this security checklist:
1. Operating System
Threat Mitigated: Known OS vulnerabilities, unpatched security exploits, and system-level privilege escalation attacks.
Threat Mitigated: Bootkit attacks, unauthorized boot-level code execution, and tampering with the boot process
2. Workstation Security
Restrict physical access to Ekip Connect workstations
Threat Mitigated: Physical tampering, unauthorized device access, and direct hardware manipulation.
Enable full disk encryption (BitLocker or equivalent)
Threat Mitigated: Data exfiltration if the workstation is stolen or physically compromised; unauthorized access to sensitive stored data.
Disable autologin; configure password-protected login
Threat Mitigated: Unauthorized access by threat actors with physical access or who gain access to an unlocked workstation.
Configure automatic screen lock (15 minutes recommended)
Threat Mitigated: Unauthorized access to the EkipConnect application and connected systems during user absence
Enable Windows Firewall with default-deny inbound rules
Threat Mitigated: Unauthorized network access, unsolicited inbound traffic, and malware command-and-control communication.
3. Software Protection
Install antivirus + antimalware software
Threat Mitigated: Malware infection, trojan execution, and malicious code running on the workstation.
Configure real-time scanning and daily full scans.
Threat Mitigated: Real-time detection and prevention of malware execution; identification of dormant or recently introduced threats.
Enable automatic antivirus definition updates
Threat Mitigated: Evasion of antivirus detection by new or recently discovered malware variants.
4. User Authentication
All users must authenticate via MyABB (if ABB laptop)
Threat Mitigated: Unauthorized access to EkipConnect by unauthenticated or impersonated users.
Enforce strong passwords (minimum 8 characters, 3 character types)
Threat Mitigated: Brute force attacks, dictionary attacks, and password guessing by threat actors.
Enable Multi-Factor Authentication (MFA) for MyABB
Threat Mitigated: Account takeover and unauthorized access even if user credentials are compromised or stolen
Disable concurrent sessions from same user account
Threat Mitigated: Unauthorized access using stolen or compromised credentials on a different workstation or device.
5. Network Configuration
Deploy on dedicated management network segment (separate VLAN)
Threat Mitigated: Lateral movement by attackers from compromised enterprise systems; unauthorized access to critical management functions.
• Port 443/TCP (HTTPS cloud connectivity)
• Port 53/UDP (DNS)
• Port 123/UDP (NTP)
Threat Mitigated: Unauthorized outbound communication, malware command-and-control callbacks, and data exfiltration to attacker infrastructure.
Isolate device networks from enterprise networks (firewall required)
Threat Mitigated: Lateral movement between enterprise and critical device networks; unauthorized access to safety-critical devices.
6. Automatic Updates
Enable automatic Windows updates
Threat Mitigated: Known OS vulnerabilities and system-level security patches are deployed in a timely manner.
Configure antivirus to auto-update definitions
Threat Mitigated: Detection evasion by new malware variants and zero-day malware threats.
7. Initial Verification
Verify antivirus is running and updated
Threat Mitigated: Configuration errors, missed security controls, and incomplete deployment of mandatory security baselines.
Firewall configuration & security
Ekip Connect uses specific ports for different types of communication. Proper firewall configuration is essential for security.
Mandatory Ports (Required for Cloud Features)
Port 443/TCP (HTTPS - Cloud Connectivity)
ALWAYS encrypted (TLS 1.2 or higher)
Threat Mitigated: Man-in-the-middle (MITM) attacks on cloud communication (mitigated by TLS encryption); Unauthorized access to cloud APIs and firmware libraries; Interception of firmware updates and security patches
Port 53/UDP (DNS - Domain Name Resolution)
Recommend using trusted DNS servers
Threat Mitigated: DNS spoofing attacks that redirect EkipConnect to malicious cloud endpoints; DNS cache poisoning; Unauthorized redirection of cloud connectivity
Recommended Ports (Highly Recommended)
Port 123/UDP (NTP - Time Synchronization)
Enable if network configuration allows
Threat Mitigated: Log timestamp tampering and manipulation; Clock skew attacks that invalidate time-based security controls; Inaccurate audit trail and incident reconstruction
Device Communication Ports (For Device Connections)
Port 502/TCP (Modbus TCP)
Firewall should restrict this port to authorized devices only
Threat Mitigated: Unauthorized device communication and parameter manipulation; Rogue devices connecting to the management interface; Eavesdropping on unencrypted device traffic (mitigated by network segmentation); Denial-of-service attacks from unauthorized network segments
Port 69/UDP (TFTP - Trivial File Transfer Protocol)
Can be disabled outside of maintenance windows
Threat Mitigated: Unauthorized firmware download and deployment; Malicious firmware injection via TFTP Man-in-the-middle attacks on firmware transfer (mitigated by network isolation); Unauthorized device provisioning; Eavesdropping on unencrypted firmware transfers
Note: while device Provisioning process into ABB Ability™ EM & AM, be sure your firewall is properly configured, according to active ports reported above. If communication issues are encountered, try to temporarily disable your firewall, enabling it again at the end of Provisioning process.
For more details on the Modbus security deployment guidelines and safety information, please click here.