Network Security Guidelines
Network Security Guidelines for the Keysight Sampling Oscilloscope Products
As cybersecurity threats continue to evolve, many businesses and laboratories are evaluating the networking security of their measurement instruments. The following information provides networking security guidelines for the following Keysight products:
- N1000A DCA-X sampling oscilloscopes
- N1002A DCA-M Optimization Controller
To provide overlapping protection from vulnerabilities, a multilayered approach to network security is recommended. Securing the measurement instruments on your network is just one piece in a larger picture of IT cybersecurity, which includes firewalls, network segmentation, gateway antivirus scanning, and intrusion detection. As cyber threats continue to evolve, continued updates to network security tools and techniques are required.
The products listed above use the Microsoft Windows operating system, which allows standard IT networking security defenses to be used. Keysight has security-hardened the Windows Operating System on these instruments, based on industry-standard security recommendations. Please see the Excel file in the C:\Keysight\Windows Hardening folder for the hardening details.
Each of the following sections covers standard practices for improving networking security.
Use Antivirus software
- The N1000A and N1002A come with the Microsoft Defender Antivirus tool already installed. This can be replaced with third-party antivirus tools, but care must be taken that the third-party antivirus tool does not negatively affect instrument performance.
- To reduce the risk of removable media malware, you can disable AutoPlay and AutoRun in Windows.
- On N1000A and N1002A instruments, some antivirus products block USB devices by default, which can disable USB device communication with Keysight instrumentation. To resolve this issue, use the antivirus software to create a policy to allow these USB devices to communicate.
- For more information, refer to the Keysight Computer Virus Control Program description at: https://about.keysight.com/en/quality/Keysight_Computer_Virus_Control_Program.pdf
Update your software regularly
- Keep your antivirus and malware scanning software current by setting them to automatically update.
- Microsoft security updates should be applied on a monthly basis (more often for critical updates). This can be done manually on a regular schedule, or by configuring the updates to automatically install.
- Update the instrument's firmware regularly to have the latest security updates. Keysight releases instrument firmware updates multiple times per year.
- Some instrument security updates may require an update to the BIOS. Please contact Keysight Technical Support to determine if your BIOS version needs to be updated.
- Any other software you have installed on your instrument should also be updated when new versions are available to address security issues.
Use Password Authentication
- By default, the instruments do not have screen saver locks configured. You can configure screen locks to automatically require a login if the instrument is idle for more than a set number of minutes.
- Auto-logon is configured by default on the instruments, but this can be changed so that login is required when Windows restarts. You can also change the default Windows account passwords to unique, strong passwords that expire at set intervals. There are two default accounts: dca-admin and dca-service. The dca-service account is for Keysight service personnel only. To require a login:
- Click the search icon in the Windows taskbar.
- Enter Run.
- In the displayed dialog, enter "control userpasswords2".
- Click OK.
- In the dialog, locate the Users must enter a user name and password... field. Select this field and click OK. This selection forces the instrument to require a login. Contact your systems administrator for further information.
- The Windows Event Viewer automatically creates an audit log for logons and logoffs. For additional security, you can monitor your audit log for unauthorized access attempts.
- Allowing a web browser to store passwords is not a recommended security practice.
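One way to monitor the audit log mentioned above, as an added example that is not Keysight's own tooling: it summarizes failed logons by account and source address and lists successful logons by the dca-service account. It assumes an elevated PowerShell prompt on the instrument and an audit policy that records both successful and failed logons; the 7-day window is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: summarize logon events from the Security log for the last 7 days.
# Event ID 4624 = successful logon, 4625 = failed logon.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the event's named <Data> fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Failed    = ($e.Id -eq 4625)
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']   # 2 console, 3 network, 7 unlock, 10 Remote Desktop
        Source    = $data['IpAddress']
    }
}

# Failed logons grouped by account and source address, most frequent first.
$rows | Where-Object Failed | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize

# Successful logons by dca-service, the account the page reserves for Keysight
# service personnel; any entry outside a known service visit deserves a look.
$rows | Where-Object { -not $_.Failed -and $_.Account -eq 'dca-service' } |
    Sort-Object Time | Format-Table Time, LogonType, Source -AutoSize
```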
Disable and Reduce Unnecessary Access
- The instrument comes configured to allow access for remote services, which allows flexible measurement configurations and access to data. You can disable these features if you don't use them.
- Windows Firewall is automatically configured with open ports which can be closed, depending on your test application needs. The FlexDCA software configures an Inbound firewall rule for its use. Other Inbound ports used by Keysight Software are listed in the following table.
- The Keysight license service allows licenses to be added to or removed from an instrument remotely over the network. You can disable the firewall rules for this feature if you don’t need it.
- For ease of data file usage, SCPI allows limited file manipulation by default (both instrument and PC). Disable SCPI access if you are not using this feature. Starting with FlexDCA version A.07.90, FlexDCA no longer permits arbitrary file types, arbitrary folder access, or reading and writing to network share drives. In the programmer's help, refer to the :DISK:FILE:WRITe SCPI command.
- The following Networking services can be disabled, depending on your application:
- Keysight Remote I/O Port Mapper
- Keysight Remote I/O Server
- By default, the N1000A/N1002A's ethernet port is configured with the Windows Public Network setting, which disables network discovery and file sharing services. This provides better network security than the Private setting. Responses to network pings (ICMP Echo Requests) are blocked by the default firewall settings in Windows.
- Windows 11 does not have a Telnet server, and the Telnet client application is disabled by default but can be enabled by turning on the optional Windows feature in the Windows Control Panel. The Telnet application does not encrypt data or passwords sent over the network. Telnet is susceptible to man-in-the-middle attacks and other vulnerabilities. You can stop the Telnet service or remove it completely if not needed for your application. Secure Shell (SSH) should be used instead of Telnet.
- Windows includes the OneDrive cloud-based file hosting. Your organization may have security policies established for sensitive data being stored or shared via OneDrive. If you do not use OneDrive, OneDrive can be disabled via the Local Group Policy Editor in Windows.
- Minimize the installation of additional software programs on your instrument because they can increase the cyber-attack surface of your instrument.
- Avoid installing Virtual Network Computing (VNC) programs such as TightVNC or RealVNC, which allow anyone with possession of the password to remotely take control of the instrument, access its data, and access the network. If VNC must be used for a short time, disable the VNC Server when the remote session is finished.
- Browsing to untrusted websites from the instrument is not recommended due to the risk of malware.
- Don't connect instruments directly to untrusted or public networks. Measurement instruments are designed for use on a private network, behind corporate NAT/PAT routers and firewalls. Any public IP address on the Internet is likely to be attacked by a multitude of malicious scripts searching for vulnerabilities.
| Port Number | Service Used By |
|---|---|
| 4880 | Instrument HiSLiP |
| 5024 | Instrument Telnet. To reduce the risk of attack, FlexDCA versions A.07.90 and greater have this Telnet port disabled by default. If needed, this port can be enabled from within FlexDCA. |
| 5025 | Instrument Socket |
| 8000 | Keysight License Service Management |
| 8001 | Keysight License Manager Notifications |
| 8020 | Keysight License Service Alerts |
| 8766 | Keysight Communications Fabric |
| 9944 | Agilent Automated DigtialTest App (Primary) |
| 49944 | Agilent Automated DigtialTest App (Alternate) |
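A read-only check of which ports in the table above are actually exposed on an instrument, as an added example that is not Keysight's own tooling: for each port it lists the enabled inbound Allow rules that name the port explicitly and whether a process is listening on it over TCP. It assumes an elevated PowerShell prompt on the instrument; rules scoped to a program with no explicit port are not matched and need a separate review.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the inbound ports listed in the table above.
$tablePorts = 4880, 5024, 5025, 8000, 8001, 8020, 8766, 9944, 49944

# True when a firewall LocalPort entry names $Port explicitly, either as a single
# port ("5025") or inside a range ("8000-8020"). "Any" and keywords do not match.
function Test-PortListed([string]$Entry, [int]$Port) {
    if ($Entry -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Entry -eq "$Port")
}

# Every enabled inbound Allow rule with its protocol and local ports.
$allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $filter = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name     = $rule.DisplayName
        Protocol = $filter.Protocol
        Ports    = @($filter.LocalPort)
    }
}

$report = foreach ($port in $tablePorts) {
    $rules = $allowRules | Where-Object {
        $_.Ports | Where-Object { Test-PortListed $_ $port }
    }
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Select-Object -First 1
    [pscustomobject]@{
        Port       = $port
        AllowRules = (@($rules | ForEach-Object { "$($_.Name) [$($_.Protocol)]" }) | Sort-Object -Unique) -join '; '
        Listening  = [bool]$listener
        Process    = if ($listener) { (Get-Process -Id $listener.OwningProcess).ProcessName } else { '' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A port that shows an Allow rule but is not needed by your test application can be closed by disabling that rule with Disable-NetFirewallRule, using the display name reported here.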
Regularly Back Up Your Data
Use backup software to automatically back up your measurement data on a frequent basis, and regularly verify that the backup is working. Store valuable data securely in external media or off-site.
Protect Sensitive Data
Removable media such as USB flash drives present data security risks if the media is lost or stolen and also present a means for malicious software to be transported to the instrument. For these reasons, some businesses and laboratories have removable media security policies established by their IT departments to help prevent such risks.
The instrument's hard drive does not utilize disk encryption to guard the internal contents of the drive against unauthorized copying. Windows 11 BitLocker encryption can be enabled on the C: and/or D: drive, if desired. If the physical security of your instrument is at risk, do not store sensitive data on it.
If sensitive files need to be securely deleted from the hard drive, Keysight recommends using the Windows Cipher utility for the N1000A/N1002A.
To secure sensitive data before the instrument is transported out of your facility or shipped to Keysight for servicing, you can easily remove the hard drive via the N1000A/N1002A's rear panel. For more information, refer to the Keysight instrument declassification procedure documents available at: http://rfmw.em.keysight.com/aerospace/index.aspx