Security level
The security of DriveRadar® APPredict is based on the IEC 62443-4-2 international standard. The standard defines IT security requirements for components in industrial automation systems and control systems. SEW-EURODRIVE has developed the security architecture in accordance with this standard and supplemented it with targeted protective measures.
The following tables show the IT security properties and their fulfillment levels in the form of a vector according to IEC 62443-4-2. The abbreviations used are explained in the standard. All internal and external interfaces of the software are taken into account.
For detailed information on the IT security of Schaeffler OPTIME, refer to the respective documentation.
FR 1 – Identification and Authentication Control (IAC)
CR 1.1 | SL-4 SEW-EURODRIVE recommends introducing mandatory 2-factor authentication for all users. |
CR 1.2 | Not relevant No direct device authentication or process authentication required in the cloud environment |
CR 1.3 | SL-4 User accounts are created via an invitation process with double opt-in. It is possible to centrally administer user accounts via the web app. A connection to a central identity management system with single sign-on is in the planning stage. |
CR 1.4 | SL-4 |
CR 1.5 | SL-4 If 2-factor authentication is not active, SEW-EURODRIVE recommends changing passwords on a quarterly basis. No mandatory change in the form of password expiration intervals |
CR 1.6 | Not relevant No hardware components with wireless interfaces present |
CR 1.7 | SL-2 No mandatory change in the form of password expiration intervals |
CR 1.8 | Not relevant The software does not use PKI certificates. TLS certificates are provided by the infrastructure. |
CR 1.9 | Not relevant The software does not use PKI certificates. |
CR 1.10 | SL-4 |
CR 1.11 | SL-4 |
CR 1.12 | SL-4 |
CR 1.13 | Not relevant No network components present |
CR 1.14 | SL-2 The software securely stores and validates the user access data based on the cloud infrastructure. No hardware-based security modules are used at the cloud infrastructure level. |
FR 2 – Use Control (UC)
CR 2.1 | SL-2 The software implements a role-based access system. SEW-EURODRIVE recommends quarterly reviews of the users and the assigned roles. |
CR 2.2 | Not relevant No direct device authentication or process authentication required in the cloud environment |
CR 2.3 | SL-4 |
CR 2.4 | SL-4 The software does not allow uploaded code to be executed. Via the provided web front end, you can only upload images that are saved in the cloud-based web app and not executed. |
CR 2.5 | SL-1 The software does not implement automatic blocking or logout if the user is inactive. |
CR 2.6 | SL-4 |
CR 2.7 | SL-1 The software does not implement a limit on parallel user sessions. |
CR 2.8 | SL-4 |
CR 2.9 | SL-4 The available storage space for logs of the web app is handled at the cloud infrastructure level. |
CR 2.10 | SL-4 The availability of the log system is handled at the cloud infrastructure level. Log system failures do not affect the function. |
CR 2.11 | SL-4 |
CR 2.12 | SL-4 |
CR 2.13 | Not relevant The software is cloud-based. |
FR 3 – System Integrity (SI)
CR 3.1 | SL-4 |
CR 3.2 | SL-4 |
CR 3.3 | SL-3 |
CR 3.4 | Not relevant The integrity of persistent data (data at rest) is handled by the cloud infrastructure. |
CR 3.5 | SL-4 |
CR 3.6 | Not relevant The software does not control any direct processes that need to be set to a safe state. |
CR 3.7 | SL-4 |
CR 3.8 | SL-4 |
CR 3.9 | SL-3 No special storage media, such as Write Once Read Many, are used to store logs of the web app. |
CR 3.10 | SL-4 |
CR 3.11 | Not relevant The software is cloud-based. |
CR 3.12 | Not relevant The software is cloud-based. |
CR 3.13 | Not relevant The software is cloud-based. |
CR 3.14 | Not relevant The software is cloud-based. |
FR 4 – Data Confidentiality (DC)
CR 4.1 | SL-4 |
CR 4.2 | Not relevant The deletion of persistent data is handled by the cloud infrastructure. |
CR 4.3 | SL-4 |
FR 5 – Restricted Data Flow (RDF)
CR 5.1 | SL-3 The cloud environment used by the web app is segmented by Virtual Private Cloud. Access is restricted via security groups and access control lists. |
CR 5.2 | SL-4 The system limits of the software are protected by an upstream firewall and security groups. |
CR 5.3 | SL-4 The software can send warning messages and error messages from monitored assets to the e-mail address specified by the user. This function can be configured by the respective user. The software cannot receive e-mails. |
FR 6 – Timely Response to Events (TRE)
CR 6.1 | SL-4 The software logs security-relevant actions, such as logins and changes. Authorized users can view the logs. The logs are immutably stored at the cloud infrastructure level and can be read via an API. |
CR 6.2 | SL-4 |
FR 7 – Resource Availability (RA)
CR 7.1 | SL-4 |
CR 7.2 | SL-4 |
CR 7.3 | SL-4 |
CR 7.4 | SL-4 |
CR 7.5 | Not relevant The emergency power supply concerns physical systems and is ensured by the cloud provider. |
CR 7.6 | SL-2 The configuration of network settings and security settings is handled at the cloud infrastructure level and is not a central component of the software's range of functions. |
CR 7.7 | SL-4 The configuration of network settings and security settings is handled at the cloud infrastructure level and is not a central component of the software's range of functions. |
CR 7.8 | Not relevant The software is cloud-based. The requirement to provide an inventory functionality does not apply. |
