Wonderware Security

Wonderware Security Statement

Introduction

The following security statement is our way of transparently explaining how we securely collect, store, manage and present your data so that we may earn and retain your digital trust.

At Schneider Electric, the safety and security of your data is our top priority. As an established leader and provider of industrial software for the last three decades, we recognize that your industrial data demands a more stringent cybersecurity posture and a higher set of operating standards compared to other information domains.

Physical Security

Best-In-Class, Certified Data Centers

Our cloud services are physically deployed across multiple Microsoft Azure data centers. Schneider Electric is a strategic data center hardware vendor to Microsoft and their Azure data centers as well as a strategic Independent Software Vendor (ISV) partner to Microsoft for both their on-premises and cloud software platform technologies.

Microsoft data centers are world-class facilities with more certifications than any other cloud provider. Certifications and compliance achievements include ISO/IEC 22301, 27017, 27018 and ISO/IEC 27001 in addition to SOC 1, SOC 2 and SOC 3.

To learn more about Microsoft’s Azure data centers, please follow the link below.
https://azure.microsoft.com/en-us/support/trust-center/

Data Residency and Digital Sovereignty

Currently, Wonderware cloud solutions are deployed to U.S. Microsoft Azure data centers. However, we are actively planning to expand to multiple geographies wherever Microsoft maintains Azure data centers.

Data Security

Committed to market-leading cybersecurity best practices

Data at Rest

All sensitive customer data is encrypted, logically segregated and segmented in a multi-tenant architecture. These measures offer the best assurances that customer data is safe from unauthorized access, and limit the risk of data being compromised in any meaningful manner while protecting the privacy, control and autonomy of each customer’s data independently from any other. Schneider Electric has U.S. Patents Pending around the unique industrial implementation underpinning the solution.

Data in Motion

All data flowing to and from Wonderware Online is encrypted using SSL/TLS over HTTP (i.e., HTTPS) on the industry-standard, well-defined port 443, using Advanced Encryption Standard (AES) 256-bit encryption with 2048-bit X.509 certificates. This applies to our on-premises data publishers, our modern browser-based client and our native mobile apps. Our publicly accessible REST-based APIs use the same security scheme.

We continuously monitor the changing security landscape of cryptography and cybersecurity to ensure that we offer the best available protections to our customers and their sensitive data.

Hybrid Deployments

Given our long, rich history and domain expertise in the industrial automation market, we fully support and complement traditional industrial on-premises systems pushing data to the cloud in a hybrid-architecture where on-premises systems work in tandem with our cloud solutions.

IT Friendly

Our small-footprint data publishers are IT-friendly from a local network point of view: they require only a single outbound, unidirectional port to be opened in order to communicate securely with our cloud services, encrypted using SSL/TLS over HTTP on port 443.

Our on-premises data publishers do not accept inbound connections; every connection is initiated outbound from the customer network by the trusted publisher, and never the other way around by any external agent. Our data publishers also do not auto-update on-premises OS components; updates are applied manually by our customers at their discretion.

All data from our on-premises publishers can be routed through next-generation firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and network-segmented demilitarized zones (DMZ).

Data Transmission Reliability: Store & Forward

All Wonderware-provided data publishers employ store-and-forward mechanisms so that no data is lost if the network connection between the on-premises publisher and the Wonderware cloud services becomes unavailable. When connectivity resumes, a parallel data stream is initiated to back-fill the data that was collected during the period of network unavailability.

Application Security

Protecting and defending your data across people, process and technology.

Identity and Access Management (IAM)

Authentication

By default, customers sign up, register and authenticate their account directly through our application API or web portal, using the OpenID Connect (OIDC) authentication layer on top of the OAuth 2.0 authorization framework.

For enterprise customers, single sign-on (SSO) and federated identity integrations with the customer’s existing IAM implementation are available.

We enforce a level of password complexity during sign-up and registration to promote secure credentials.

We verify account ownership during registration and for password resets to ensure the request is from an authentic source.

Authorization

Customers have complete and granular control over whom they choose to give visibility into and access to the various elements of their data in the Wonderware Online service. At any time, customers can add, modify and remove users from their account, and can immediately revoke any user’s access at their discretion.

Account Management


Customers can control and manage saved content including dashboards, keywords, data point (tag) metadata, ad-hoc charts and visualizations.

API Access

Wonderware Online offers a set of REST-based APIs that are secured with SSL/TLS encryption, require proper and valid parameterization to limit scope, and require a level of authorization beyond the default standard user permissions.

External Security Audits

Schneider Electric works with respected third-party application security monitoring and assessment experts on a regular, periodic basis to proactively identify potential vulnerabilities, so that we can quickly address them and stay current with the ever-changing cybersecurity landscape. In these engagements, the third parties conduct vulnerability and penetration scans along with additional security reviews, such as audits for OWASP-identified vulnerability classes.

Continuous Monitoring and Security Assessments

Schneider Electric has in place proactive monitoring and active security policies and procedures to identify abnormal behavior, catch anomalous activity, and detect and isolate suspicious activity against or within our online solution. Examples include limits on authentication requests, location-based risk evaluation, monitoring of the size and growth of user activity, tracking of failed authentications, API request rate limits and more.

Availability

Wonderware Online is designed to be a highly secure, scalable, robust and resilient managed service deployed across data centers in multiple locations.

Wonderware Online benefits from a highly committed team of people who release non-disruptive updates on a frequent and consistent basis to maintain and elevate both the security and functionality of the offering.

Our commitment to the continued availability of our offering is set out in our service level agreement (SLA), which can be referenced at the following link: http://software.schneider-electric.com/legal/legal-information/

We believe in being as transparent as possible about the availability of our service and therefore encourage you to subscribe to our service dashboard at https://status.wonderware.com to be proactively notified of any planned maintenance periods or unexpected disruptions.

For a complete list of the terms and conditions governing our cloud service, please visit our legal page here:
http://software.schneider-electric.com/legal/legal-information/

To stay current on all recent activity surrounding our service, subscribe to our blog at https://on.wonderware.com/topic/online.

Policy On Customer Data Access for Support

As Wonderware Online is a cloud-hosted service, collaborating with technical support to troubleshoot and diagnose issues is now easier, more direct and faster than ever. Having said that, we’ve ensured that the entire interaction with our support personnel, including its scope, duration and permissions, is wholly under your control and highly secure, respecting the data privacy rights outlined in the Wonderware Online terms and conditions and data privacy policy.

As a Wonderware Online administrator, you can temporarily add support@wonderware.com as a standard user to the list of authorized users for your account or “solution(s)” for which you would like assistance from Wonderware Technical Support. At any time, you can revoke access to your solution(s). You can also use the Wonderware Online tag-based security model to further limit visibility to the specific tags, sensors or data values that require investigation by our support personnel.

Specific steps to take should you require support:

  • Add support@wonderware.com as a standard user to the solution(s) that require investigation. Optionally, restrict this access to a subset of tags, sensors or data values at this step.
  • Notify your technical support contact once this has been done.
  • Collaborate with your technical support contact to help them reproduce the issue(s).
  • Once the issue(s) have been addressed to your satisfaction or, at any time prior and at your discretion, remove support@wonderware.com from your list of authorized users.