FAQs

Ask a Question

General Software Security Questionnaire for Power Monitoring Expert 9.0 (PME 9.0)

Issue
General Software Security Questionnaire for Power Monitoring Expert 9.0 (PME 9.0)

Product Line
EcoStruxure Power Monitoring Expert 9.0
PME 9.0

Environment
Security Questions

Cause
Looking for some general software security answers regarding Power Monitoring Expert 9.0.

Resolution

Ports & Services
  • Which ports and services are enabled by default when the device is shipped?
    • Windows services can be found on pages 1300-1305 in the PME 9.0 System Guide.  Here are the ports:
  • What is the process for disabling ports and services?
    • PME depends on certain ports for the communication between its components and the connected devices.  Which ports are required for a specific installation depends on the system configuration and the monitoring devices used.  To disable a port, you can block via firewall.  To disable a service, use the windows interface.
  • Are there any ports or services, which cannot be disabled?
    • You can disable any service, but it may prevent operation of that function.  Same applies with ports, but ports should be blocked via firewall, not through software.
  • Can someone port scan the device?
    • Yes
  • What is the recommendation when port scanning the device? Are there any specific ports to avoid?
    • No special treatment.

Security Patch Management

  • How often do you release software patches?
    • Cumulative updates are published at least Quarterly on an as-needed basis.
  • What’s the procedure/process for implementing these patches?
    • We release a cumulative update installer.
  • How do you analyze, research/test, plan, deploy, and back out patches if necessary?
    • All patches follow the same software development process that the software was developed with. 
  • Can patches be applied without interrupting proper operation of the device? If reboots or other interruptions are required can they be delayed or scheduled to occur at a specific time in the future?
    • Some patches will require restarting the server while others may require restarting one or more services.  In both cases, it can be delayed.
  • If critical patches get released, how quickly can you certify this patch and get communication out to customers?
    • Depending on the circumstances and the disclosure situation, this will often be done in a matter of a few weeks.
  • Can you patch across the network or does user have to be on the device?
    • Patches need to be executed on the PME server.
  • How do you respond to vulnerability reports?
    • Vulnerability reports are investigated to determine if they represent an actual vulnerability and if it is an exploitable vulnerability.  It then gets evaluated, given a CVSS score, and logged so that it can be prioritized by the development team. If there is a specific incident being reported, there is an additional process with an incident response team.

Malicious Software Prevention

  • Does the device support anti-virus or malware prevention tools? If so, please describe in general terms (e.g. Signature Based A/V, Behavior Based, Application White listing, etc.)
    • PME can be used with antivirus (AV) software. AV software can have a significant impact on system performance if not set up correctly. In particular, SQL Server performance can be affected if data and log files are not excluded from on-access scans. We have seen issues during the installation of PME, where AV scan delays caused timeouts and failures in the installation process. PME can be used with whitelisting software products such as McAfee Application Control software.
  • How will your application respond to scanning tools such as Nessus, HFNetCheck, etc and antivirus?
    • PME does not specifically respond to these types of scans.  In the case of Nessus, for example, it will provide the same responses on open ports as any other software would receive.  We have seen cases where Nessus had some false positive results related to some of the web pages served and we have addressed those as they were brought up.
  • Other than anti-virus or malware prevention what methods or practices does the vendor recommend to mitigate risk exposure?
    • There are several recommended actions in the PME 9.0 IT Guide including protecting the system key, disabling unused ports, replacing security certificates, reviewing user accounts on a regular basis, and others.
  • Does the vendor provide to or notify customers of updated anti-virus and malware prevention signatures applicable to the device?
    • N/A

Account Management

  • Does the device support individualized accounts and passwords?
    • Please refer to the Users section, on page 313, in the PME 9.0 System Guide for details on a user account in PME.
  • How many accounts can be created?
    • No limit
  • Are the passwords user-modifiable?
    • PME Users are.  Windows users determined by GTC.
  • What is the minimum number of characters in a password?
    • 1 for PME users.  Windows users determined by GTC.
  • What characters are required or allowable in creating a password?
    • Passwords cannot contain a whitespace character.  Alphanumeric and special characters allowed.
  • Are users required to change password periodically? If yes, what is the time period?
    • PME user passwords do not expire, however if you’re using Active Directory and Windows Users you can setup expiring password on whatever time period you want.
  • What is the method for removing, disabling, or renaming accounts?
    • PME users managed with User Manager in the application.  Windows users managed by GTC.
  • Are there any accounts which cannot be deleted? If yes, are the passwords re-settable?
    • If using PME users, you must have a supervisor level account.  Windows users managed by GTC.
  • Is there an account lockout after X amount of failed login attempts?
    • Not for PME users.
  • What user account information is logged when the device is accessed?
    • Failed logins and user changes are logged.
  • Does the device support syslog?
    • Meters support syslog, PME software does not.
  • Does the device support SNMP?
    • It is possible to use additional software to send SNMP messages based on events in PME, but it does not natively support SNMP.
  • What logs can be accessed locally?
    • All logs can be accessed locally.
  • What is the maximum number of entries in the access logs?
    • Only limit is hard drive or database size limits.

Security Status Monitoring

  • What capabilities does the device possess for monitoring and detecting cyber security incidents?
    • PME does not intrinsically detect cyber security incidents. It is possible, in theory, to engineer a project to add some version of this capability.
  • Does the device have the capability to issue alerts if incidents related to security are detected?
    • PME has the ability to send email notifications which could be tied to the hypothetical monitoring function discussed above.
Was this helpful?
What can we do to improve the information ?