Cybersecurity Recommendations for Test Equipment Permanently or Temporarily Connected to IP Networks

These guidelines apply to the test platforms' LAN and WLAN/Wi-Fi Management ports, to minimize the chance of cybersecurity breaches through vulnerabilities. Ethernet test ports are completely isolated and considered secure.

Avoid connecting the Ethernet management port of any test set to a public IP address or to an unknown (“free”) Wi-Fi access point. Ensure that all connected devices are protected by appropriate IT security controls (for example, firewall, VPN, and related network security measures). You may be surprised by how quickly the first attack attempt happens once a device is connected directly to an open Internet access port with a public IP address.

The goal is to be able to block security threats destined for network-attached equipment, and that includes modern test equipment. Organizations focused on mitigating the increase in cyber-security threats may find that specialized test equipment presents unique IT challenges in terms of having full control. These often arise from a lack of knowledge about the equipment's system/OS architecture and/or specific application scenarios. Although a compromised test instrument might not directly impact an organization's production networks, reputation, or revenue, it could still malfunction, slow down, become unresponsive or crash. Recognizing the differences between test systems and standard IT systems is critical, as is considering the vital cyber-security measures and guidelines needed for their protection.

Most VeEX test sets use a highly customized version of Linux, as we disable all unnecessary services to limit possible attack vectors, which should reduce what hackers could do with them if they manage to gain access and control. However, modern hackers use highly automated tools and bots to scan the networks for devices out in the open and we all have to assume that any default passwords (published in manuals and user guides) are public knowledge. That is why it is important to (at least) change the default passwords to something unique and complex.

About Telecom Test Equipment & Vulnerabilities

The Ethernet test ports in specialized network test equipment use dedicated hardware to generate and analyze the streams in real time. They normally generate and terminate artificial test traffic, from/to an isolated FPGA, without further connectivity or access to the system or its files, so they don't pose major risks and are generally considered safe, due to their limited, or lack of, connectivity with the rest of the world. So, for cybersecurity purposes, let's focus on the Ethernet Management ports (LAN/WLAN) used for updating/upgrading, configuring, controlling, uploading, downloading, and/or accessing these instruments. Except for always-on rack-mount instruments (e.g. MPA, VeSion®, R-Server, RTU, RFTS, etc.) and associated servers, portable test sets are considered unmonitored network devices, often operating outside of a "walled garden", so extra caution is taken. However, their typical use case scenarios limit their exposure.

Test ports in VeEX test sets use a standalone network namespace for isolation, with no exposed TCP services.

VeEX R&D teams routinely run security and vulnerability scans for our test platforms, to identify any new kernel, drivers, port restrictions, or security patches that may be required. We also review custom security scans and vulnerability reports our customers share with us and take appropriate actions, to reduce vulnerabilities and keep our products as secure as possible. We often recommend mitigation actions for reported vulnerabilities; however, full remediation (solutions) may require some extra time since they are often made available on new formal software releases.

VeEX test platforms are considered closed systems, since they normally don't allow third-party software, app or driver installations. This is all done at system-level integration by our R&D teams. That helps limit exposure to malicious viruses, trojans and code injection.

The Ethernet/IP capable test modules (removable or internal) and test engines are isolated closed systems that generate synthetic traffic and terminate test traffic for measurement purposes only (normally at FPGA level), so Ethernet test ports don't have any connectivity with the CPU, system or OS, besides passing custom setting parameters and measurement results (KPI). For that reason, most test ports and their test applications are not considered vulnerable.

For Cloud Services and SaaS solutions, VeEX relies on top tier 1 communications and data center service providers, to ensure optimal security standards offered by their networks and cloud-hosting infrastructure.

However, there is nothing more important than End Users' behavior and their Internet security training and awareness. This applies not only to test equipment, but also to smartphones, tablets, PCs, routers, cameras, IoT devices, and any other connected devices.

Remediation: If you suspect that any of your VeEX test sets may have been exposed to a security threat or compromised, we recommend taking the following steps to restore it to its original factory condition:

  • Format the internal storage. The user interface workflow for this simple procedure depends on the specific product, for example you can go to >System Tools >Utilities >Files >Manage >Format or >System Utilities >Manage >Format or >System Menu >About >Storage >Format.

  • Download the latest software installation package for your test platform directly from VeEX’s website and perform a Clean Installation. This process restores the test set to its original factory state by reformatting, repartitioning, and reloading all system files and applications. Refer to the product user guides and release notes for detailed instructions on performing Clean Software Upgrades.

Basic Cybersecurity Recommendations

  • Never connect the test platform's Management BASE-T port to a Public IP address. Use a LAN port behind the cyber security wall, with all the network security protections, using private IP addresses. Use EZ-Remote™ or VPN (if applicable) to provide access to (external) remote users.
  • Change the factory default passwords to your own unique strong passwords (e.g., VNC services, CLI/SCPI sessions, etc.). Root and admin level access and passwords are not available for VeEX's portable test sets.
  • Keep the Telnet/SSH functionality disabled, unless the test equipment is being used in a secured/isolated scripting environment or if it has been explicitly requested by one of our customer support agents, for troubleshooting purposes.
  • Keep the test equipment's software up to date, by downloading software install packages from their respective product web pages, using their built-in VeExpress™ client or searching for Software Updates. For older products' updates and support, refer to the Discontinued Products' page and End-of-Life policy.
  • Always download software updates, software tools and apps from www.veexinc.com, VeExpress, R-Server, or links provided directly by VeEX or an authorized local partner. (Except for Apple and Google app stores, VeEX's software is not distributed by any third-party organizations.)
    • Always get the software update installer packages directly from VeEX Inc. If supported by the test set, use VeExpress™, which offers the most secure means, since it allows the test set to download the updates/upgrades directly from VeEX servers, without any intermediate steps that could be compromised.
  • Limit the security risks associated with USB memories - Don't plug in USB memory sticks you don't recognize, especially if they're found in public places, giveaways from events/conferences/tradeshows or sent to you unsolicited. Keep personal and business USB drives separate.
  • Always report damaged, lost and stolen equipment to VeEX (Contact Us), and never buy VeEX test equipment from gray or black markets. VeEX keeps records of blacklisted (reported) equipment.
  • Train end users to follow these guidelines and to always be aware of potential end point security situations and threats.
  • Include test equipment in your network's scans, cyber-security risk, vulnerabilities and threats assessments, and report any concern to the manufacturers. (Contact Us.)
  • The potential for vulnerabilities increases if/when hackers have physical access to the device they are targeting (e.g., they can identify the device, study its specs and user manuals, and find man-in-the-middle opportunities to intercept and interfere), so limit the exposure.

Note: VeEX's handheld test sets are not meant to be permanently connected and active on a network, for long periods of time, since they can't be managed by OT Cyber-Security systems. However, their non-test traffic and activity can be monitored and regularly scanned, following customers' cyber security guidelines.
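
One way to include test sets in routine network checks, as the recommendations above suggest. This is an added example, not VeEX code: it flags management addresses outside the private ranges and reports whether SSH, Telnet or VNC accept connections. The port numbers are the standard defaults (an assumption; the page does not list them) and the inventory is constructed.

```python
import ipaddress
import socket

# RFC 1918 private IPv4 ranges plus IPv6 unique local addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumption: standard default ports. The page names these services
# but does not list the ports a given test set uses.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "vnc": 5900}


def is_private(addr):
    """True if addr falls inside one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def open_services(addr, ports=SERVICE_PORTS, timeout=1.0):
    """Names of the services in `ports` that accept a TCP connection."""
    found = []
    for name, port in ports.items():
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                found.append(name)
        except OSError:
            pass  # closed, filtered or unreachable
    return sorted(found)


def audit(inventory, ports=SERVICE_PORTS, probe=True):
    """Map each device name to a list of findings (empty list = clean)."""
    report = {}
    for name, addr in inventory.items():
        findings = []
        if not is_private(addr):
            findings.append("management address is not in a private range")
        if probe:
            for svc in open_services(addr, ports):
                findings.append(svc + " is reachable; confirm it is intended")
        report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed inventory; replace with your own management addresses.
    sample = {"testset-lab-1": "192.168.50.21", "testset-field-7": "203.0.113.10"}
    for device, findings in audit(sample, probe=False).items():
        print(device, findings or "ok")
```

Run it with `probe=True` from inside the management LAN against your own inventory; a reachable Telnet/SSH service on a test set that is not in a scripting environment is worth following up.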

Peer-to-Peer Wi-Fi Connection

If you want to avoid connecting to an unknown LAN or WLAN in order to transfer information between the test set and a PC/tablet/phone, many of VeEX's test sets support Wi-Fi Access Point (AP) Mode, which allows users to establish a local isolated connection directly between the test set and a laptop, tablet or smartphone. Such a connection is terminated at both ends (test set and computer), without any external connection to the Internet. In this mode, users can use a standard web browser to connect to the Web Access and Web Remote functions of the test set, by entering the test set's IP address in the browser's address field.

  • Web Remote (Control) - Allows users to operate test sets from a remote location, using any standard web browser from a PC/Mac/Linux, tablet or smartphone. No app required. It mirrors the content of the test set's screen on the PC and allows users to control the remote test sets as if they were touching the screen. Alternatively, users can use a trusted VNC client app to connect to the test set and control it.
  • Web (Remote) Access - Access, manage and download test results, test profiles and screenshots. Once connected, users can View, Download, Delete, generate PDF, Search and Filter, directly on the test set from the remote PC/Tablet/Phone. (Software upgrade not available.)

This isolated operation mode is considered secure, since it is peer-to-peer.

Complying with Wi-Fi Restrictions

For environments that restrict the use of Wi-Fi and/or Bluetooth radios, VeEX test sets offer two main options:

  • Some test sets use external USB Wi-Fi transceivers, which can be completely removed from the test sets, before entering the restricted facilities.
  • Some test sets, with internal Wi-Fi chips, have the option to disable and completely turn OFF the radios. Some of these instruments can be ordered without internal Wi-Fi or Bluetooth hardware, as a factory option.
  • Most test sets allow wired local connections with PCs or tablets, via USB cables and/or RJ45 Ethernet cables.