Securing Your Automation1 Controller
Automation1 supports secure communication between the MDK and iSMC that is authenticated and encrypted (with TLS).
Each Automation1 controller has a unique digital certificate for authentication. To establish secure communications with an Automation1 controller, you must first get the certificate of the controller. The first time that you connect, you can get it through a private channel or by using a process named trust-on-first-use. To make sure that you connect to the correct controller and get the correct certificate, Aerotech recommends that you connect over a private channel. To do this, use one of the methods that follow:
- For drive-based controllers, connect over USB.
- For PC-based controllers, connect locally on the same PC.
If you connect for the first time in Studio to a PC-based controller over a local connection or a drive-based controller over USB, Studio will automatically trust and save the certificate for you.
For a remote connection, make sure that you fully trust your network and are connecting to the correct controller. Then you can trust the certificate that is supplied by the controller to which you are connecting.
If you are connecting remotely to the controller through Studio or the APIs and you are not sure about this connection, you must manually get the certificate of the controller. Then make sure that it matches the certificate of the controller to which you are connecting. Refer to the procedure that follows.
- Open Automation1 Console on a PC that meets one of the conditions that follow:
  - The iSMC is running on the PC that you want to use with a PC-based controller.
  - The PC is connected to a drive-based controller over USB.
  - The PC is on a network with the controller that you fully trust.
- In Console, issue the connect command to connect to the controller. To see all of the options for this command, enter connect -h.
- After you connect to the controller, issue a security certificate get command to show the certificate. Then record the certificate. You can also save the certificate to a file by adding an -f flag and a directory path to the command.
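The check that the procedure above asks you to do by hand (record the certificate over a private channel, then confirm that a remote connection presents the same one) can be automated on the client side. The following is an added example, not Aerotech code and not part of the Automation1 APIs: it pins the SHA-256 fingerprint of the controller certificate in a small local store, handles trust-on-first-use explicitly, and reports a mismatch when a controller presents a different certificate (for example after you regenerate it). The TLS port, the controller name, and the file format of a saved certificate (PEM or DER) are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def to_der(cert_bytes: bytes) -> bytes:
    """Accept a certificate saved as PEM or DER and return DER (format is an assumption)."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii"))
    return cert_bytes


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_controller_cert(host: str, port: int) -> bytes:
    """Retrieve the DER certificate a controller presents on a TLS connection.

    CA verification is disabled on purpose: the controller certificate is
    self-issued, so trust comes from comparing it with the pinned fingerprint
    in check_certificate(), not from a CA. The port number is an assumption.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_certificate(store: dict, controller: str, cert_bytes: bytes,
                      trust_on_first_use: bool = False) -> str:
    """Compare a presented certificate with the one recorded for this controller.

    Returns "match", "pinned" (first use, now recorded), "unknown" (first use
    but trust-on-first-use not allowed) or "mismatch". On "mismatch" do not
    proceed: either the certificate was regenerated or the peer is not the
    controller you expect. Re-verify it over USB or a local connection first.
    """
    seen = fingerprint(cert_bytes)
    recorded = store.get(controller)
    if recorded is None:
        if not trust_on_first_use:
            return "unknown"
        store[controller] = seen
        return "pinned"
    return "match" if recorded == seen else "mismatch"


def load_store(path: Path) -> dict:
    """Read the pinned fingerprints ({controller name: fingerprint}) from disk."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    """Persist the pinned fingerprints so later connections are checked against them."""
    path.write_text(json.dumps(store, indent=2))
```

In use, load the store, call fetch_controller_cert() for the remote controller, pass the result to check_certificate(), and only continue when it returns "match" (or "pinned" on a first connection you made over a channel you trust).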
After you read this page, you can get more information about secure communication. For information about secure communication and Studio, see Automation1 Studio. For information about secure communication and the APIs, see the Connect to the Controller Securely section of the .NET API Controller, C API Controller, and Python API Controller pages.
WARNING: When you establish a secure connection to the controller with Automation1 Studio or the APIs, it will encrypt data that is sent over the Ethernet port on your controller. Data will not be encrypted when you make the connection types that follow:
- Connect to the controller through Automation1 Console.
- Use the Industrial Ethernet A and B ports on your controller to connect to external Modbus or EtherCAT devices.
Tip: To secure your controller, make sure to secure your network, obey best practices for network security, and use secure communication.
Regenerating the Certificate of a Controller
To make sure that no interruptions occur during controller operations, an Automation1 controller certificate does not expire automatically. Aerotech recommends that you manually regenerate the certificate each year or if you think the controller is compromised. Refer to the procedure that follows.
- Synchronize the time on your controller to match the time on the PC that you are using to connect to it. For information about how to do this, see Date and Time Configurations.
- Open Automation1 Console. Then connect to the controller by using the connect command, over a local connection for PC-based controllers, over USB for drive-based controllers, or over a network that you fully trust. To see all of the options for this Console command, enter connect -h.
- Issue the command that follows: security certificate regenerate.
- Power cycle the controller.
- Connect to the controller again through Automation1 Console.
- Issue the security certificate get command to show the certificate. Then record the certificate. You can also save the certificate to a file by adding an -f flag and a directory path to the command.
- Connect to the controller from each client and make sure that the certificate you see matches the new one that you generated.
IMPORTANT: If you regenerate the certificate of a controller, you must reaccept the certificate from each client that you use in order to reconnect to the controller.