University at Buffalo Embedded System Security Recommendations
Version 2.2 – 10/8/12
Copiers, scanners, printers, video cameras, vending machines, SCADA and an increasing number of other electronic devices routinely contain an embedded computer system, are directly connected to the UB computer network and are therefore present a risk for compromise, unauthorized control by a third party or inadvertent data exposure.
These devices provide important services to the UB community it is important that these devices be configured to ensure maximum availability and reduce the opportunity for misuse, misappropriation or risk to other network attached equipment.
This standard document describes the minimum protective configuration measures recommended for devices with embedded computer systems directly attached to the University at Buffalo (UB) including most copiers and printers.
- Passwords: Device passwords and SNMP community strings should be changed from the factory default. Passwords should be “strong” (i.e., containing a mix of upper & lower case, numbers and special case > 11 characters or long pass phrases).
- Software Updates: Software or firmware should be maintained at the latest version and must be at least no older than 2 releases old. A business process must be in place to ensure someone is tasked with checking for new firmware releases on a regular basis.
- Isolation: Where practical, network attached embedded system devices should be protected by a traffic control device (e.g., hardware firewall) or be placed on a protected VLAN to isolate them from the general campus network and Internet. Private address space that is not routable to the Internet is strongly recommended.
- Services: Unnecessary services such as ftp and telnet that are frequently enabled by default should be disabled, since these present additional potential attack points and require the transmission of login information in clear text
- Management: Disable remote management if possible. If not, then the device setup/configuration should be protected by a non-default strong password. If enabled, SNMP service should have community name and password also changed to a strong password.
- Disposal: When the device is removed from its current service (for example, moved to a new group for function, returned to the vendor or declared surplus equipment), any embedded disk drive(s) should be fully overwritten to render any data unreadable or the disk should be physically destroyed. If a disk is replaced, the original disk should be rendered unreadable before disposal unless the data on it is encrypted and the key is not on the disk.
- Data Protection: If the device has the option for encrypting data and/or securely deleting data on its internal disk drive that option must be enabled. If the printer is used to scan/copy regulated private data, then the scan-to-email function must be disabled and only the scan-to-fileserver must be allowed. The designated fileserver must be a secure fileserver that meets UB's “Protection of Regulated Private Data Standards”.