Hubbell NX AREA CONTROLLER User Manual

NX AREA CONTROLLER

IT ADMINISTRATOR’S NETWORK & SECURITY GUIDE

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

Version 1.0.4

0120 21

NX Area Controller Platform

IT Administrator’s Network & Security Guide

Table of Contents

1. Introduction ................................................................................................................................................................................. 3

2. NX Area Controller Platform Overview .............................................................................................................................. 4

2.1 Area Controller ......................................................................................................................................................................... 4

2.2 NX Distributed Intelligence™ .............................................................................................................................................. 5

2.3 ControlHubb ............................................................................................................................................................................. 5

2.4 NX Wireless Network .............................................................................................................................................................. 6

2.5 System Topologies .................................................................................................................................................................. 6

3. Software & Firmware Management .................................................................................................................................... 7

4. IT Network .................................................................................................................................................................................... 7

4.1 WLAN/LAN ................................................................................................................................................................................. 7

4.2 Network Ports & Protocols ................................................................................................................................................... 7

4.3 IP Address Assignment .......................................................................................................................................................... 8

4.3.1 Manual ..................................................................................................................................................................................... 8

4.3.2 DHCP ........................................................................................................................................................................................ 8

4.3.3 DNS (Host Name Management) ..................................................................................................................................... 9

4.4 Setting Up On An Isolated Network (Not Connected To IT network) .................................................................10

5. Network Setup & Maintenance ...........................................................................................................................................11

5.1 System Login ...........................................................................................................................................................................11

5.2 System Setup ..........................................................................................................................................................................11

5.3 Backup & Restore ...................................................................................................................................................................12

5.4 Password Management ......................................................................................................................................................12

5.5 Third Party Integration (BACnet™) ...................................................................................................................................14

6. Administration & User Management ................................................................................................................................14

Add User ..........................................................................................................................................................................................15

Edit User ...........................................................................................................................................................................................16

Delete User .....................................................................................................................................................................................16

7. Additional Security Considerations ...................................................................................................................................16

7.1 TLS Encryption ........................................................................................................................................................................16

7.2 SSL Certicates (Installing A Signed Certicate) ........................................................................................................16

7.3 Remote Maintenance ...........................................................................................................................................................17

7.4 Remote Access (Firewall) ....................................................................................................................................................17

7.5 Web Authentication .............................................................................................................................................................18

Security Passwords & Recovery ...............................................................................................................................................19

7.6 Security Updates ...................................................................................................................................................................20

Security Package Management ..............................................................................................................................................20

Standard Operating Procedure ...............................................................................................................................................20

7.7 Remote Support ....................................................................................................................................................................21

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

1. Introduction

This IT Administrator’s Network & Security Guide will provide necessary guidance for IT Personnel or network administrators on integrating the NX Area Controller into their network successfully and securely. The guide will provide best practices for maintaining reliable connectivity, ensuring system security and integration into the overall building management through the NX Area Controller.

This guide does not provide instruction on conguration or individual device installation of the NX Distributed Intelligence Control system. These additional documents can be located on Hubbell Control Solutions website under “NX Distributed Intelligence™” and the respective product pages.

https://www.hubbell.com/hubbellcontrolsolutions/en/Products

Keywords

IT - Information Technology

LAN - Local Area Network

WAN - Wide Area Network

TLS - Transport Layer Security

IP - Internet Protocol

TCP - Transfer Control Protocol

SSL - Socket Security Layer

OS - Operating System

DHCP - Dynamic Host Conguration Protocol

DNS - Dynamic Name Server

IEEE - Institute of Electrical and Electronics Engineers

PC - Personal Computer

HTTP- Hyper Text Transfer Protocol

AES - Advanced Encryption Standard

UDP - User Datagram Protocol

SSH -Secure Shell

IE - Internet Explorer

HCS - Hubbell Control Solutions

CA - Certication Authority

OT - Operational Technology

NAC - Network Access Control

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

2. NX Area Controller Overview

The NX Area Controller is part of the NX lighting system from Hubbell Controls Solutions (HCS) that enables commercial buildings to meet energy codes, be energy ecient and allow building personnel to manage and control their entire lighting system from one single user interface. There are several key elements that make up the NX Lighting Control ecosystem.

2.1 Area Controller

In the NX Control System, the area controller serves as an on-premise server, an edge controller and a router that connects the NX network (described below) to internet and other external networks. It routes and manages the network trac to enable a secure methodology for controlling and managing the lights controlled by NX Distributed Intelligence™.

Area Controller: Key Summary Points

• NX Area Controller hosts internal Lightpd Web server

• NX Area Controller uses a Linux based OS, Ubuntu 18.04

• Physical and Datalink layer using IEEE 802.3 Ethernet

• Transport layer is TCP

• IPv4 Address can be static or dynamic using DHCP

• HTTPS communications using port 443 (must be enabled by the user)

• Single password access

• Password is hashed and salted

• Built-in BACnet™ /IP Interface

• BACnet /IP Annex J

• Uses BACnet default IANA port 47808

• IANA port can be recongured

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

2.2 NX Distributed Intelligence™

The NX Distributed Intelligence is the underlying technology within the NX Control and serves as a backbone for the entire system. It can stand on its own without being dependent on any edge device. Below are the 4 key attributes summarizing this control platform:

The Hubbell Control Solutions’ NX Distributed Intelligence lighting control platform is the rst of its kind to utilize a distributed network architecture (DNA) which provides users with unmatched system reliability, scalability and simplicity.

Truly Intelligent

NX provides occupants with nearly unlimited lighting control possibilities and is designed to self-congure, automatically meeting energy code requirements as devices are connected.

Simple

Scalable

Versatile

2.3 controlHUBB

NX is designed for buildings, rooms and luminaire-based applications with a comprehensive portfolio of panel, room-based and in-xture controllers, sensors and human interfaces as well as support for Building Automation Systems.

NX supports indoor and outdoor applications, wired, wireless and hybrid networked lighting control deployments, and enables emerging applications such as Hubbell Lighting’s SpectraSync™ color tuning technology.

The controlHUBB Mobile App provides Bluetooth® wireless setup and conguration of NX Room Control devices and luminaires equipped with an NX In-Fixture module with smart sensor. The controlHUBB Mobile App is available in Android and iOS versions for free download from Google Play™ or Apple® App Store.

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

Hubbell NX Distributed Lighting System Network Diagram

IT Administrator’s Network & Security Guide

2.4 NX Wireless Network

NX Distributed Intelligence™ Platform uses two levels of wireless communication within the network.

1. Device to Device Communication

2. User to Device Communication

For device to device communication, NX Wireless ecosystem uses mesh technology based on Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard and follows strict IEEE guidelines to ensure sustainability and reliability. It operates in the 2.4 GHz ISM band with 16 channels.

For the user to device communication, NX employs Bluetooth® technology (BLE) which is based on IEEE 802.15.2 standard and follows similarly strict guidelines to ensure maximum reliability & performance while minimizing any interference. This user wireless communication is encrypted using AES 128-bit encryption.

2.5 Internal System Network Topology and Protocols

The NX Lighting Control System is set to be a self-contained LAN. The network backbone called HubbNET™ is Ethernet based connecting the NX Area Controller (NXAC-120) to NX Network Bridges which serve as both a 2 port Layer 2 Ethernet switch for HubbNET connectivity and a bridge to proprietary TIA485 communication segments called SmartPORT™. SmartPORT segments serve as the communications backbone within a space or room linked together by the HubbNET backbone. All addressing within the HubbNET backbone is Link Local.

The NX Area Controller serves as the single portal device for communications outside the HubbNET LAN for Remote Access or a single setup PC. The single connection is also used for BACnet™ integration into BMS.

In-Fixture Lighting

2 port RS485

datalink CAT5

Floor X

In-Fixture Lighting

2 port RS485

datalink CAT5

Floor 2

HubbNET LAN Backbone

Physical and Data layer Ethernet IEEE 802.3 Cable CAT 5e or better IPv4 Link Local addressing (non routable) Default HubbNET port 20056 10BaseT communication speed Transport UDP

Building

Management

System

(BMS)

BACnet

NX Network

ROOM X1 ROOM X2

Bridge

IPv4

Address

(Link Local)

In-Fixture Lighting

Controller

2 port RS485

datalink CAT5

NX Network

ROOM X1

Bridge

IPv4

Address

(Link Local)

In-Fixture Lighting

Controller

2 port RS485

datalink CAT5

Proprietary RS485 SmartPort Subnet

ASHRAE SSPC135 BACnet /IP

NX Area

Controller

(single IPv4

address)

Daylight/

In-Fixture Lighting

SmartPort Subnet

Occ Sensor

Controller

2 port RS485

datalink CAT5

Daylight/ Occ Sensor

Controller

2 port RS485

datalink CAT5

Proprietary Protocol

RS 485 datalink Standard TIA-568 network cables Cables CAT5 or better

Web server

HTTPS Port 443

IEEE 802.3 Ethernet HubbNET LAN

Layer 2

Managed

Network Switch

External Boundary

Internal Boundary

NX Room Lighting Controller

4 Port RS485 datalink

NX Room Lighting Controller

4 Port RS485 datalink

User Interface

NX Network

Bridge

IPv4

Address

(Link Local)

Daylight/ Occ Sensor

CAT5

Proprietary RS485 SmartPort SubnetProprietary RS485 SmartPort Subnet

NX Network

Bridge

IPv4

Address

(Link Local)

Daylight/ Occ Sensor

CAT5

Proprietary RS485 SmartPort Subnet

External Connection

Physical and Datalink layer Ethernet IEEE 802.3 Web Server

HTTPS port 443 Single access Password Password Hashed and Salted

NX Room Lighting Controller

ROOM X2

NX Room Lighting Controller

4 Port RS485 datalink

Firewall

Daylight/ Occ Sensor

CAT5

Daylight/ Occ Sensor

CAT5

Corporate Intranet or any remote

access capability (optional)

NX Room Lighting Controller

4 Port RS485 datalink

NX Room Lighting Controller

4 Port RS485 datalink

Integration to Other Systems

BMS integration using BACnet /IP

Port 47808 default (configurable)

ROOM X...

NX Network

Bridge

IPv4

Address

(Link Local)

Daylight/ Occ Sensor

CAT5

Proprietary RS485 SmartPort Subnet

NX Network

Bridge

IPv4

Address

(Link Local)

Daylight/ Occ Sensor

CAT5

Proprietary TRS485 SmartPort Subnet

NX Room Lighting Controller

ROOM X...

NX Room Lighting Controller

4 Port RS485 datalink

CABLE TYPES

Daylight/ Occ Sensor

CAT5

Daylight/ Occ Sensor

CAT5

Rev 2 – June 6, 2020

ETHERNET IEEE 802.3

Copper

Proprietary using

CAT5e or better

Type cables

Figure 1: NX Distributed Intelligence™ Lighting System Network

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

Internal NX Lighting Networks Summary

HubbNET™

• Internal LAN Connection between NX Area Controller and NX Network Bridges

• Physical and Datalink layer using IEEE 802.3 Ethernet

• 10BaseT communication speed

• Cables are Cat5e or better

• Powered Ethernet from port 1 of the NX Area Controller does not adhere to IEEE 802.3 Clause 33. All other ports from the NX Area Controller are not powered.

• Layer 3 addressing is Link Local as per RFC 3927 for individual devices

• Transport layer is UDP

• Default port for internal Area controller communications to NX Network Bridges is 20056 but can be recongured.

• NX Network Bridge serves as a bridge between Ethernet based HubbNET to proprietary TIA485 Based SmartPORT™ segment.

• Addressing is Link Local as per RFC 3927

SmartPORT Segment

• SmartPORT wiring uses Cat5 or better for TIA485 proprietary communications.

• Spread spectrum modulation is DSSS

3. Software & Firmware Management

Hubbell has a release management process in place which releases quarterly rmware updates for lighting devices and software updates for the NX Area Controller Platform. However, in order to apply these updates to the existing installed network, an authorized person is required. Please contact Hubbell Tech Services to schedule your rmware update. See link below.

https://www.hubbell.com/hubbellcontrolsolutions/en/technical_support

4. IT Network

4.1 WLAN/LAN

In cases where building personnel such as facility managers need to access the NX Area Controller Platform Software in order to view/manage their lighting network from their oce on the premises, the area controller (see networked system topology) needs to be connected to the building LAN. The area controller has a built-in webserver which allows clients to request the web-based software access using LAN/WLAN.

4.2 Network Ports & Protocols

The system operates through the following ports:

Port # Protocol Public Description

22 SSH Yes Terminal. Used for maintenance. SSH Server

443 HTTPS Yes Web trac, apache service

5001 HTTP No Intra process communication

5002 HTTP No Intra process communication

5003 HTTP No Intra process communication

47808 UDP Yes BACnet™

20056 UDP No Second NIC used for internal proprietary trac

Table 1

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

4.3 IP Address Assignment

4.3.1 Manual

Manually set network settings allow precise control over the network’s conguration (Figure 2). We strongly recommend using the factory provided IP address and subnet mask when using the manual option. However, in case the user wants to provide their own IP address and subnet mask, it will be necessary to contact the Information Technology Department personnel to get that setup.

4.3.2 DHCP

The Dynamic Host Conguration Protocol (DHCP) is a router feature that dynamically allocates conguration parameters to connected devices such as IP, DNS, and default gateway addresses. Enabling DHCP on a router normally eliminates the need to manually congure network settings on connected devices. The implementation of DHCP on most routers allows a device to be assigned a xed IP address by associating a specic IP address to a device’s MAC address.

The area controller has ability to connect to the DHCP server to get IP address assigned dynamically and automatically to it (Figure

2). However, this option needs to be enabled (contact your IT administrator and for any additional support, contact Hubbell

Tech Services).

Now use the router’s DHCP setting to automatically connect devices to the network by negotiating the appropriate settings with the device. This option may not be applicable to all networks; for example, the network administrator does not want to use DHCP and has supplied information to manually congure the device’s IP interface.

Figure 2

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

4.3.3 DNS (Host Name Management)

When you want to connect to another computer or service on the Internet (to a Website for example), rarely would you want to use the IP address to make the connection as it would be a pain to remember the numeric IP address for each site you want to visit. The Domain Name System (DNS) was created to allow internet users to take advantage of a meaningful Uniform Resource Locator (URL) such as https://www.hubbellcontrolsolutions.com/ to connect to an IP address without having to know the server’s or computer’s numerical IP address. The DNS does this by looking up the URL and providing the numeric IP address to the requesting computer. Should the IP address of a computer/server be changed, the DNS server can be updated with its new IP address, thereby ensuring that other networked computers can still nd this computer/server through its URL.

Why should area controllers use a xed IP address or use Hostname Management? To program or to access an IP controller, you must be able to connect to it. Like a postal address, a xed IP address that is always assigned to the same device allows you to consistently connect to and work with the same device.

An alternative to using a xed IP address is to use the controller’s Hostname Management which allows a controller to be identied by a nickname such as My_Hubb instead of the controller’s IP address. The hostname can then be used in a web browser to request access to the Area Controller login page.

The Area Controller enables DNS conguration. However, the user will need to register on an appropriate domain server and procure their own host name if they do not want to type an IP address every time, they want to access the area controller web page. Figure 3 provides DNS settings provided on the area controller.

Figure 3

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

4.4 Setting up on an isolated network (not connected to IT network)

This is a use case in which the IT manager or user does not want to integrate their lighting network into their IT network and/or connect it to any WLAN/LAN. The area controller network in this case would be isolated from the rest of the IT infrastructure and building networks. In order to setup for this use case, following steps need to be followed:

1. Do not connect area controller to the building LAN/Router.

2. Do not activate DHCP and/or DNS servers on area controller.

3. Use static IP address only. (you can use factory default IP Address 192.168.1.1). The area controller supports the IPV4 addressing.

4. Connect your laptop directly to the area controller using a standard Cat5 cable. Bring your laptop into the same IP network as your laptop using the adapter settings. For example, if your area controller IP address is 192.168.1.1, you can assign your laptop a static IP address 192.168.1.5. The subnet would be 255.255.255.0 (same as your area controller) (Figure 4).

5. Now go to your web browser and type the area controller IP address. The login page of the area controller would show up (see section 5.1). You are now ready to go.

Figure 4

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

5. Network Setup & Maintenance

5.1 System Login

The default IP address of the shipped system is 192.168.1.1 with sub-mask 255.255.255.0.

After connecting the system to the LAN or an isolated network, you can log in by typing in its IP address in your browser’s URL eld. It is recommended to use Chrome, but it will work with Firefox and Edge too. It is not compatible with IE. The rst hit will cause the system to go through initialization but will display the following page after about 10 seconds (Figure 5). Take note of the version number at the bottom left section of the page. You may need this for tech support.

Figure 5

Important: For rst time users:

Default User Name: admin Password: Nextgen.1

As a responsible user, you are expected to change the password upon logging in the rst time. Save the new password in a safe and secure place. See Password Management Section for more details.

5.2 System Setup

Upon logging in, the user should go to the system setup and enter facility details (Figure 6) .

Figure 6

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

5.3 Backup & Restore

It is recommended that the user backup their area controller settings to avoid any loss of information that may occur during rmware updates, power outage or any other events.

The Data Management tab (Figure 7) allows you to fully backup and restore the area controller’s conguration settings that were created for the specic facility or areas within it. The backup le is in the form of a database which can be downloaded and stored locally on your workstation using the “Download Backup” option. It can then be restored from “Choose File” option followed by “Upload Database” function.

Figure 7

Through the Data management page admin can download encrypted database which can be stored as backup (Figure 7).

Only Encrypted database can be restored.

5.4 Password Management

From the User Settings page (Figure 7), admin can update passwords for all three user types/roles: Reader, User and Admin (Figure 8).

Figure 8

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

When a password change is initiated by another user other than the Active user, the Active user upon logging in, is prompted to update the password (Figure 9). User should be aware of the updated password in order to change the password.

Figure 9

After 10 unsuccessful password attempts user is locked out (Figure 10).

Figure 10

Admin user account has the capability to unlock locked user account by prompting password change for the locked user. If Admin account is locked, then reach out to HCS Tech support for further resolution.

Technical Service Center Phone Number: (800) 888-8006 Option 1 - Layout & Proposal of Agents Support Team Option 2 - Tech Support Option 3 - Warranty Support Option 4 - Field Commissioning Email Support: HCStech@hubbell.com

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

5.5 Third Party Integration (BACnet™)

The Area Controller acts as a BACnet/IP server and virtual BACnet router between BACnet clients and a NX Virtual BACnet Solution. BACnet Devices served by the Area Controller are Zones. Zones are virtual BACnet devices that represent a physical space within the building such as a conference room, open oce, or corridor. Each Zone will have a single state of occupancy and some quantity of Relays and or Dimmers. We recommend referencing our BACnet Protocol Implementation Conformance Statement (PICS) for complete details.

https://hubbellcdn.com/literature/BACnet_protocol_NXAC_120.pdf

Through the BACnet/IP, users can change the light levels for individual devices, zones and areas; and similarly, the user can read the value of the individual devices (occupancy sensors and daylight sensors) and individual space outputs (zone light levels, presets) from their BAS console.

6. Administration & User Management

The system is pre-congured with 3 user types/roles each with dierent rights. Roles can be described as:

User Role Description Restrictions

Reader Default & least privileged

User

A user who can read and congure the lighting aspects of the system.

Admin Unlimited system user

A user to perform read only actions. The system either locks elds or rejects the change after submission.

User cannot make system level changes except to lighting conguration.

This user can congure every aspect of the system, and very limited OS level conguration.

Table 2

The main screen, may also be referred to as page, is the landing page after a successful login. This is a snapshot of it:

Figure 11

The left pane allows user to browse the lighting network. The right pane displays details of any node selected on the left pane. The ‘System Setup’ is only accessible by a user having the administrator role. The system is designed to perform most administrative functions without requiring the NX network. For example, a user can change any editable eld on the screen and successfully save. A user with insucient rights will receive a message about not having rights to perform action.

The user settings page lists all the users congured in the system (Figure 12).

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

IT Administrator’s Network & Security Guide

Figure 12

The following sections will guide on Adding, Editing and Deleting users.

Add User

The button on the User Settings main page, opens the screen below.

NX Area Controller

Figure 13

The following (Table 3) outlines a common password management process for dierent user types in the system.

Field Name Description Comments

Returns the following error when user name already exists

• User name for the new user.

User Name

• User name is case sensitive, admin and Admin are 2 dierent user names and are allowed in the system.

Role

Is Active

Select one of the 3 roles, Admin, Reader or User

User can be activated or inactivated. Only active users can login

Password Rules:

• Should be 6 – 20 characters long

• Should have at least 1 upper case letter

• Should have at least 1 lower case letter

Password

Specify new password as per the password rules

• Should have at least 1 number

The following error is displayed when the passwords don’t match

Conrm Password Repeat the same password

Table 3

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

Edit User

User details can be edited by clicking the button against the specic user on the User Settings page (Figure 12).

Delete User

User can be deleted by clicking the button against the specic user on the User Settings (Figure 12) page. The following conrmation dialog is displayed.

7. Additional Security Considerations

7.1 TLS Encryption

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g. www.hubbell.com) is more reliable.

The area controller operating system supports TLS 1.2 and TLS 1.3 is the most updated version.

7.2 SSL Certicates (Installing a Signed Certicate)

One of the most common forms of cryptography today is public-key cryptography. Public-key cryptography utilizes a public key and a private key. The system works by encrypting information using the public key. The information can then only be decrypted using the private key.

A common use for public-key cryptography is encrypting application trac using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) connection. One example: conguring Apache to provide HTTPS, the HTTP protocol over SSL. This allows a way to encrypt trac using a protocol that does not itself provide encryption.

A Certicate is a method used to distribute a public key and other information about a server and the organization who is responsible for it. Certicates can be digitally signed by a trusted Certication Authority, or CA. A CA is a trusted third party that has conrmed that the information contained in the certicate is accurate.

It is highly recommended to replace the self-signed certicate with a certicate that has been signed by a certicate authority.

Note: If your area controller has the SSL option disabled, it is strongly recommended that user enables it and imports a CA signed certicate on their own (See Figure 14).

To set up a secure server using public-key cryptography, in most cases, you send your certicate request (including your public key), proof of your company’s identity, and payment to a CA. The CA veries the certicate request and your identity, and then sends back a certicate for your secure server. Alternatively, you can create your own self-signed certicate.

Note: Self-signed certicates should not be used in most production environments.

Continuing the HTTPS example, a CA-signed certicate provides two important capabilities that a self-signed certicate does not:

1. Browsers (usually) automatically recognize the certicate and allow a secure connection to be made without prompting the user.

2. When a CA issues a signed certicate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.

Most Web browsers, and computers, that support SSL have a list of CAs whose certicates they automatically accept. If a browser encounters a certicate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection. Also, other applications may generate an error message when using a self-signed certicate.

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

Figure 14

NX Area Controller

IT Administrator’s Network & Security Guide

The process of getting a certicate from a CA is easy. A quick overview is as follows:

a. Create a private and public encryption key pair. b. Create a certicate request based on the public key. The certicate request contains information about your server and the

company hosting it.

c. Send the certicate request, along with documents proving your identity, to a CA. We cannot tell you which certicate

authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors.

d. Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certicate

from them. e. When the CA is satised that you are indeed who you claim to be, they send you a digital certicate. f. Install this certicate on your secure server and congure the appropriate applications to use the certicate.

Please contact Hubbell Tech Support for this step.

7.3 Remote Maintenance

The area controller server provides a tool called “OpenSSH” that can be enabled for maintenance purposes. Only authorized personnel shall have the access to this tool. If you or someone in your team requires access to it, you must contact Hubbell Tech Services for required authorization and support.

To ensure the recommended security settings for SSH, it is strongly recommended that at least one of the following methods is applied:

1. Regenerate new SSH server keys

2. Using SSH Keys

Using SSH Keys is the most secure option for SSH and is therefore recommended, but not required for your server to function.

7.4 Remote Access (Firewall)

In order to control the user access of the system from remote locations, the network administrator often must deploy a rewall. The implementation of this security feature would be the responsibility of the IT network architect and would not interfere with the standard operation of the lighting system as that is occurring on the OT network. However, if the administrator chooses to build an extra layer of rewall at the area controller level, primarily to limit access to it, only to very specic external users, then they can do so. The area controller supports the rewall feature. See Figure 15 for the multiple rewall scheme for reference. In order to setup the rewall on the area controller, you must contact Hubbell Tech Support for details and help with the setup.

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

THE INTERNET

NX Area Controller

IT Administrator’s Network & Security Guide

FIREWALL

DESKTOPS

FIREWALL

AREA CONTROLLER

ROUTER LEVEL

LOCAL BUILDING NETWORK

AREA CONTROLLER LEVEL

Figure 15

7.5 Web Authentication

For a more secure connection to web via WLAN/LAN, the area controller supports the IEEE 802.1x authentication. IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is often used to gain access to large networks with a variety of dierent users such as in a university network or large building campus network.

Area Controller supports IEEE 802.1x based web authentication. However, since most users may not prefer it to be enabled, the factor default has this option disabled. In order to enable it to for all web transactions, please contact Hubbell Tech Support.

Figure 16 shows how this scheme works.

AUTHENTICATOR

AUTHENTICATION

SERVER

DESKTOP

RADIUS

EAP

INTERNET/ LAN

Figure 16: Typical Scheme for IEEE 802.1X Authentication

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

Security Passwords & Recovery

Password Recovery

An admin user can enable “Show Forgot Password” on login screen from Security settings page (Figure 17).

Once “Forgot Password” is enabled, user upon login is directed to User Security prole (Figure 18) to set up security questions which can be used to reset forgotten passwords.

Once security questions are set, users can use “Forgot Password” link to recover password (Figure 19).

Figure 17

Figure 18

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

FORGOT PASSWORD?

Figure 19: Forgot Password Link on Login Page

7.6 Security Updates

Security Package Management

Hubbell IT reviews the security and advise what security patches are required for NXAC system as part of Security monitoring. This section describes the standard procedure to manage security packages.

Standard Operating Procedure

Figure 20 depicts standard operating procedure to apply security patches on NXAC.

NXAC Security Patch Management

HUBELL CYBER SECURITY

SEND SECURITY BULLETIN

ENGINEERING TEAM COULD ALSO

IDENTIFY SECURITY THREAT

PREPARE INSTALLATION GUIDE

ENGINEERING

SEND INSTALLATION GUIDE

CUSTOMERTECHNICAL SERVICES

SCHEDULE MAINTENANCE

PERFORM INSTALLATION

ACKNOWLEDGE COMPLETION

HUBELL CYBER SECURITY

ENGINEERING

CUSTOMERTECHNICAL SERVICES

Figure 20

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

NX Area Controller

IT Administrator’s Network & Security Guide

Steps Action

1 Hubbell Cyber Security Council sends out security bulletin

2 Engineering identies the list of security patches that need to be installed

3 Engineering prepares the necessary installation instructions and sends it to Technical Services

4 Technical Services will schedule maintenance with the customers and perform the installation on-site or remote

5 Technical Services will get conrmation from customer that the system is running

6 Technical Services will notify Engineering that the job is complete

Table 4: SOP Actions

7.7 Remote Support

Hubbell Control Solutions’ Technical Services, per agreement with the customer, can remotely access a NX system in a secure manner requiring minimal to no local IT support or Local IT infrastructure. This will support Field Service initiatives such as in Startup, ongoing maintenance and troubleshooting from a single location diering from the systems physical proximity. Much of the troubleshooting and adjustments can be performed by HCS via a secure remote connection in one of three ways, per customer’s preference.

1. Remote access through the corporate intranet but the cybersecurity policies of most project sites may not allow for a connection like this. Exercising of this option is completely on the approval of the site’s local IT Department.

2. The second option is to have someone on-site to open a laptop and connect with a remote service such as team viewer with HCS internal team if the laptop is allowed by corporate IT policy or has a cellular connection like with a cell phone hotspot.

3. The third most secure and least disruptive option for the IT Department is to have HCS establish a remote cellular connection to the NX Lighting System independent of the IT Infrastructure. It is performed by mounting a cellular modem based remote device right next to the area controller.

When requiring remote support, the HCS Technical Support is available for your assistance. They can be contacted to discuss the above options in more detail and a suitable choice can be made by the IT Department accordingly.

End of Document

identiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any

701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com

aliation with or endorsement by such respective owners.

Hubbell NX AREA CONTROLLER User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual