SECURITY
Cyber security certification is a must; "cyber compliant" is for those who cannot get it.
Brodersen are cyber certified to 62443-4-1 and 62443-4-2, with DNV cyber certification on our drivers. Don't buy non-cyber-certified products. There is a reason why they don't have a certificate.
Introduction
Security must NEVER be an afterthought…
As Vikings we no longer chase enemies in long boats, but our impressive hardware and software is used to terrify our competitors and keep our products safe!
Brodersen have been manufacturing products for use in remote monitoring and control solutions for more than 50 years. Our customer base is global and our products are used in a diverse range of applications that include energy management systems, water and waste water SCADA, infrastructure monitoring, building automation and airport management systems.
This application note provides an overview of the RTU32M/N Series security functionality. RTU security is a hot topic amongst large utility companies who need to ensure their SCADA systems comply with both their own corporate security requirements and regulatory authority security standards.
Traditionally, corporate IT security standards are based around information security, with the focus on Confidentiality, Integrity and Availability. These priorities are typically reversed when defining SCADA system security requirements, i.e. Availability is most important! Most RTU vendors have struggled to adapt their products to evolving security standards that are easily implemented in devices like PCs and smartphones that are obsolete in 2-3 years, but hard to deploy in RTUs designed to operate for 10-15 years.
A fresh start allows security to be included - not as an 'add-on'
The RTU32M/N Series are the latest generation of Brodersen RTUs, with a new architecture that allows a ‘fresh start’ to developing product and security functionality. Instead of trying to add security on, the RTU32M/N products have it included at multiple levels. Adding a hard shell to a soft core seems good until an entry point is found; a better solution is to have multiple layers of hard shells around a hard core (our Viking ancestors knew that!).
The essential components for the new RTU platform include ‘future proof’ hardware with guaranteed availability of the core CPU board components past 2045 and an embedded Linux operating system.
RTU Security Features Overview
Besides certification to 62443-4-1 and 62443-4-2, which is a must, the RTU32M/N Series have numerous security features, including:
- Management of User Access and User Authentication – limiting use of default passwords, user group passwords and user privileges managed from a central location via LDAP
- Firewall Implementation – a user interface to manage which IP ports are open and whitelisting and blacklisting of ranges of IP addresses (uses iptables)
- Management of System Services – controls access to HTTP, HTTPS, SSH and Event Viewer services. An important requirement of any secure system is that non-essential services are disabled
- Secure Applications and Firmware Updates – use of ‘signed’ application logic and firmware using RSA public-key cryptosystem techniques
- Encryption of Sensitive Data – any files that include user or password type information can be stored in an encrypted ‘container’ area of the SD card to protect against theft or incorrect transfer of SD cards
- Secure Network Connections and Protocols – protecting data ‘in flight’ using dual VPNs and secure SCADA protocols such as DNP3 Secure
Managing user access - discouraging use of default passwords
Administration of default passwords and creating additional users
The admin user password can be changed from the default
The root user password is not set by default to ensure root level access is only available if enabled/set
A user with Administrators group level access can add additional users and set their user group
Web server User group access levels include;
- Guests (read only)
- Superusers (read and some config)
- Administrators (full access)
User authentication from a central LDAP service
Management of user authentication from a centrally managed server is critical for large corporations and utility companies that need to respond rapidly to changes of personnel. The RTU can be configured to authenticate a user against the central server when a login event occurs.
The example setup here shows how user groups are mapped from the RTU to the LDAP server groups.
Secure / Dual VPN Connection
The RTU supports dual VPN server connections using PPTP and L2TP/IPsec to provide secure connections to other networks. L2TP with IPsec secures the establishment of the connection using pre-shared keys and encrypts the encapsulated data packets.
The RTU logic block ‘CONNECTVPNEX’ allows management and logging of the VPN connection process.
PPP over serial link
Some corporate users have restrictions imposed on their field technicians that do not allow LAN ports on laptops to be used for anything other than connection to their corporate system. Use of PPP (Point to Point Protocol) allows IP connectivity with the RTU using a serial port.
Syslog reporting services
If enabled, the Syslog service sends reports of all RTU runtime events and web server events to a corporate Syslog server.
Management of system services
Various system services can be enabled/disabled to restrict access to only the required services.
Encrypted storage – with optional SD cards
Firewall setup – managing IP ports and IP addresses
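An added example, not the RTU's own configuration: a default-deny INPUT ruleset in iptables-restore format, built from a blacklist, a whitelist and a list of open ports. The address ranges are constructed sample values and the port choice (443 for HTTPS, 20000 for DNP3) is an assumption.

```shell
#!/bin/sh
# Added example: renders a default-deny firewall policy as iptables-restore input.
# All ranges and ports are constructed sample values, not taken from the RTU.

BLOCKED_RANGES="192.0.2.0/24"                   # blacklist: always dropped
ALLOWED_RANGES="10.20.0.0/16 198.51.100.8/29"   # whitelist: SCADA master, engineering
OPEN_TCP_PORTS="443 20000"                      # HTTPS web server, DNP3

render_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # anything not matched below is dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Blacklist first, so a blocked range inside a whitelisted one stays blocked.
    for net in $BLOCKED_RANGES; do
        echo "-A INPUT -s $net -j DROP"
    done
    # Whitelisted sources may reach only the listed ports.
    for net in $ALLOWED_RANGES; do
        for port in $OPEN_TCP_PORTS; do
            echo "-A INPUT -s $net -p tcp -m tcp --dport $port -j ACCEPT"
        done
    done
    echo "COMMIT"
}

# rule_line PATTERN: line number of the first rule matching PATTERN,
# used to check rule ordering before the ruleset is loaded.
rule_line() {
    render_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

render_rules
```

On a Linux host the rendered output can be loaded with `iptables-restore`.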
Applications and firmware updates are ‘signed’ to keep your RTUs safe
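An added example (not Brodersen's code or update format) of the sign-then-verify gate that signed updates imply, using the openssl CLI. The page only states that RSA is used; SHA-256 as the digest, the file names and the image contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: detached RSA signature over an update image, checked before install.
# Key, file names and image contents are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Vendor side (build server): key pair and detached signature over the image.
make_signed_image() {
    openssl genrsa -out "$WORK/vendor_priv.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/vendor_priv.pem" -pubout \
        -out "$WORK/vendor_pub.pem" 2>/dev/null
    printf 'constructed firmware image v1\n' > "$WORK/fw.bin"
    openssl dgst -sha256 -sign "$WORK/vendor_priv.pem" \
        -out "$WORK/fw.sig" "$WORK/fw.bin"
}

# Device side: holds only the public key. Returns 0 if the image may be installed.
verify_image() {   # usage: verify_image IMAGE SIGNATURE
    # A missing or empty image or signature is a failure, never "unsigned but OK".
    [ -s "$1" ] && [ -s "$2" ] || return 1
    openssl dgst -sha256 -verify "$WORK/vendor_pub.pem" \
        -signature "$2" "$1" >/dev/null 2>&1
}

make_signed_image

# Simulate corruption or tampering: one byte appended after signing.
cp "$WORK/fw.bin" "$WORK/fw_tampered.bin"
printf 'x' >> "$WORK/fw_tampered.bin"

verify_image "$WORK/fw.bin" "$WORK/fw.sig" && echo "original: accepted"
verify_image "$WORK/fw_tampered.bin" "$WORK/fw.sig" || echo "tampered: rejected"
```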
Why 62443-4-1 & 62443-4-2 certifications matter
UL certification based on 62443
BRODERSEN is the first company to receive UL certification based on IEC 62443-4-1 for the interdisciplinary process of developing Brodersen products, including industrial software. With additional product-specific UL certifications, BRODERSEN proves that the product development process is fully compliant with IEC 62443-4-1 and that substantial technical product requirements are implemented in compliance with IEC 62443-4-2.
1. Global Recognition and Trust
IEC 62443 is the internationally recognised standard for industrial cybersecurity. Achieving 62443-4-1 (secure development lifecycle) and 62443-4-2 (secure product requirements) certifications demonstrates that your solutions meet stringent security benchmarks trusted worldwide.
2. Proven Secure Development Process
Certification to 62443-4-1 ensures your organisation follows a secure-by-design approach, covering:
- Security management
- Secure implementation
- Verification and validation testing
- Update and patch management
This guarantees that security is embedded throughout the product lifecycle, not just added as an afterthought.
3. Robust Product Security
62443-4-2 certification validates that your products deliver essential security capabilities, including:
- Identification and authentication control
- System integrity
- Data confidentiality
- Timely response to events
This means your customers can trust your devices to operate safely in critical environments.
4. Competitive Advantage
Cybersecurity is no longer optional—it’s a key differentiator. Certifications signal to customers and partners that you prioritise safety, compliance, and resilience against cyber threats, giving you a strong edge in tenders and global markets.
5. Compliance and Risk Reduction
Meeting IEC 62443 standards helps organisations comply with regulatory requirements and significantly reduces the risk of costly cyber incidents, protecting both operations and reputation.