Network Security Guidelines

Network Security Guidelines for the Keysight Sampling Oscilloscope Products

As cyber security threats continue to evolve, many businesses and laboratories are evaluating the networking security of their measurement instruments. The following information provides networking security guidelines for the following Keysight products:

  • N1000A and 86100D DCA-X sampling oscilloscopes
  • N1002A DCA-M Optimization Controller

To provide overlapping protection from vulnerabilities, a multilayered approach to network security is recommended. Securing the measurement instruments on your network is just one piece in a larger picture of IT cybersecurity, which includes firewalls, network segmentation, gateway antivirus scanning, and intrusion detection. As cyber threats continue to evolve, continued updates to network security tools and techniques are required.

The products listed above use the Microsoft Windows operating system, which allows standard IT networking security defenses to be used. Each of the following sections covers standard practices for improving networking security.

Use Antivirus software

  • Install antivirus software on your instrument, and schedule regular scans. This is important to do even if your instrument is not connected to a network, because instruments will still be susceptible to malware transported by removable media such as USB flash drives.
  • To further reduce the risk of removable media malware, you can also disable AutoPlay and AutoRun in Windows.
  • On N1000A and N1002A instruments, some antivirus products block USB devices by default, which can disable USB device communication with Keysight instrumentation. To resolve this issue, use the antivirus software to create a policy to allow these USB devices to communicate.
  • For more information, refer to the Keysight Computer Virus Control Program description at: https://about.keysight.com/en/quality/Keysight_Computer_Virus_Control_Program.pdf

The N1000A and N1002A come with antivirus software already installed (Windows Defender).

Some antivirus software can negatively impact the computational performance (speed) of the computer. Many of our customers successfully use the Symantec Endpoint Protection antivirus with minimal impact to their measurement speeds. Scans should be performed during non-critical hours at least once a week.

Update your software regularly

  • Keep your antivirus and malware scanning software current by setting them to automatically update.
  • Microsoft security updates should be applied on a monthly basis (more often for critical updates). This can be done manually on a regular schedule, or by configuring the updates to automatically install.
  • Update the instrument's firmware regularly to have the latest security updates. Keysight releases instrument firmware updates multiple times per year.
  • Some instrument security updates may require an update to the BIOS. Please contact Keysight Technical Support to determine if your BIOS version needs to be updated.
  • Any other software you have installed on your instrument should also be updated when new versions are available to address security issues.

Use Password Authentication

  • By default, the instruments do not have screen saver locks configured. You can configure screen locks to automatically require a login if the instrument is idle for more than a set number of minutes.
  • Auto-logon is configured by default on the instruments, but this can be changed so that login is required when Windows restarts. You can also change the default Windows account passwords to unique, strong passwords that expire at set intervals. There are two default accounts: dca-admin and dca-service. The dca-service account is for Keysight service personnel only. To require a login:
    1. Click the search icon in the Windows taskbar.
    2. Enter Run.
    3. In the displayed dialog, enter "control userpasswords2".
    4. Click OK.
    5. In the dialog, locate the Users must enter a user name and password... field. Select this field and click OK. This selection forces the instrument to require a login. Contact your systems administrator for further information.
  • The Windows Event Viewer automatically creates an audit log for logons and logoffs. For additional security, you can monitor your audit log for unauthorized access attempts.
  • Allowing a web browser to store passwords is not a recommended security practice.
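
The audit-log review described above can be scripted. The following PowerShell is an added example, not Keysight-supplied tooling; the 7-day window and the function name Get-LogonEvent are assumptions, and the event IDs are the standard Windows Security log IDs for failed (4625) and successful (4624) logons.

```powershell
# Added example: summarize logon events from the Windows Security log.
# Run from an elevated PowerShell session on the instrument.
$days  = 7                           # look-back window (assumption)
$since = (Get-Date).AddDays(-$days)

function Get-LogonEvent {            # hypothetical helper name
    param([int]$Id, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML instead of relying on
            # positional Properties[] indexes.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']
                SourceIp  = $data['IpAddress']
            }
        }
}

# 4625 = failed logon. These events exist only if logon-failure auditing is
# enabled in the audit policy. Grouping by account and source exposes guessing.
Get-LogonEvent -Id 4625 -StartTime $since |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4624 = successful logon. Type 3 (network) and type 10 (RemoteInteractive)
# arrive over the LAN rather than at the front panel.
Get-LogonEvent -Id 4624 -StartTime $since |
    Where-Object { $_.LogonType -in '3', '10' -and
                   $_.Account -in 'dca-admin', 'dca-service' } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, SourceIp -AutoSize
```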

Disable and Reduce Unnecessary Access

  • The instrument comes configured to allow access for remote services, which allows flexible measurement configurations and access to data. You can disable these features if you don't use them.
  • Windows Firewall is automatically configured with open ports which can be closed, depending on your test application needs. The FlexDCA software configures an Inbound firewall rule for its use. Other Inbound ports used by Keysight Software are listed in the following table.
  • Open Inbound Ports Used By Keysight Software
    Port Number Service Used By
    4880 Instrument HiSLiP
    5024 Instrument Telnet
    5025 Instrument Socket
    8000 Keysight License Service Management
    8001 Keysight License Manager Notifications
    8020 Keysight License Service Alerts
    8766 Keysight Communications Fabric
    9944 Agilent Automated DigitalTest App (Primary)
    49944 Agilent Automated DigitalTest App (Alternate)
  • The Keysight license service allows licenses to be added to or removed from an instrument remotely over the network. You can disable the firewall rules for this feature if you don’t need it.
  • For ease of data file usage, SCPI by default allows file manipulation (on both the instrument and the PC) of all files accessible with that user's permissions. Disable SCPI access if you are not using this feature.
  • The following networking services can be disabled, depending on your application:
    • Keysight Remote I/O Port Mapper
    • Keysight Remote I/O Server
  • By default, the N1000A/N1002A's Ethernet port is configured with the Windows 10 Public Network setting, which disables network discovery and file sharing services. This provides better network security than the Private setting. Responses to network pings (ICMP Echo Requests) are blocked by the default firewall settings in Windows 10.
  • The Telnet application does not encrypt data or passwords sent over the network. Telnet is susceptible to man-in-the-middle attacks and other vulnerabilities. You can stop the Telnet service or remove it completely if not needed for your application.
  • Windows 10 includes the OneDrive cloud-based file hosting service. Your organization may have security policies established for sensitive data being stored or shared via OneDrive. If you do not use OneDrive, it can be disabled via the Local Group Policy Editor in Windows.
  • Avoid installing additional software programs on your instrument because they can increase the cyber attack surface of your instrument.
  • Avoid installing Virtual Network Computing (VNC) programs such as TightVNC or RealVNC, which allow anyone with possession of the password to remotely take control of the instrument, access its data, and access the network. If VNC must be used for a short time, disable the VNC Server when the remote session is finished.
  • Browsing to untrusted websites from the instrument is not recommended due to the risk of malware.
  • Don't connect instruments directly to untrusted or public networks. Measurement instruments are designed for use on a private network, behind corporate NAT/PAT routers and firewalls. Any public IP address on the Internet will immediately be attacked by a multitude of malicious scripts searching for vulnerabilities.
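
Before closing any of the ports in the table above, it helps to see which firewall rules actually open them and whether anything is listening. The following PowerShell is an added example, not Keysight-supplied tooling; the helper name Test-PortInSpec is an assumption, and the service display names are taken from the list above and may differ on a given firmware release.

```powershell
# Added example: audit the inbound ports from the table above.
# Run from an elevated PowerShell session on the instrument.
$ports = 4880, 5024, 5025, 8000, 8001, 8020, 8766, 9944, 49944

function Test-PortInSpec {           # hypothetical helper name
    # A firewall LocalPort entry is 'Any', a keyword, a single port, or a
    # 'low-high' range. Only explicit ports and ranges are matched here.
    param([string]$Spec, [int]$Port)
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Spec -eq "$Port")
}

# Ports with a process listening right now.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports }

# Enabled inbound allow rules that name one of the ports explicitly.
$rules  = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$report = foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($port in $ports) {
        if ($filter.LocalPort | Where-Object { Test-PortInSpec $_ $port }) {
            $l = $listening | Where-Object LocalPort -eq $port |
                Select-Object -First 1
            [pscustomobject]@{
                Port      = $port
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Listening = [bool]$l
                Process   = if ($l) { (Get-Process -Id $l.OwningProcess).ProcessName }
            }
        }
    }
}
$report | Sort-Object Port | Format-Table -AutoSize

# Services the page lists as optional, with their current state.
Get-Service -DisplayName 'Keysight Remote I/O*' -ErrorAction SilentlyContinue |
    Format-Table DisplayName, Status, StartType -AutoSize

# After review, disable a rule you do not need (placeholder name):
# Disable-NetFirewallRule -DisplayName '<rule display name from the report>'
```

A rule reported with Listening = False is open in the firewall with no service behind it, which makes it a safe first candidate to disable.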

Regularly Back Up Your Data

Use backup software to automatically back up your measurement data on a frequent basis, and regularly verify that the backup is working. Store valuable data securely in external media or off-site.

Protect Sensitive Data

Removable media such as USB flash drives present data security risks if the media is lost or stolen and present a means for malicious software to be transported to the instrument. For these reasons, some businesses and laboratories have removable media security policies established by their IT departments to help prevent such risks.

The instrument's hard drive does not utilize disk encryption to guard the internal contents of the drive against unauthorized copying. If the physical security of your instrument is at risk, do not store sensitive data on it.

If sensitive files need to be securely deleted from the hard drive, Keysight recommends using Windows 10's Cipher utility for the N1000A/N1002A.

To secure sensitive data before the instrument is transported out of your facility or shipped to Keysight for servicing, you can easily remove the hard drive via the N1000A/N1002A's rear panel. For more information, refer to the Keysight instrument declassification procedure documents available at: http://rfmw.em.keysight.com/aerospace/index.aspx