Hardening guide overview

This section groups together recommendations you must follow to ensure the secure installation, configuration, deployment, operations, and maintenance of PcVue. It is based on requirements from the ISO/IEC 62443 standard series and widely accepted good practices in the industrial control system domain. It provides a framework for maintaining security, protecting against potential threats, and ensuring resilience.

Security context and risk analysis

The security context of a system where PcVue is used must be determined by the entity in charge, based on a risk analysis performed under its responsibility. The risk analysis helps determine technical and organizational measures proportionate to the risks associated with operating the specific target system. In particular, governance and system management policies must be in place.

The responsible entity must ensure that the product, the project, the infrastructure, and any third-party components are securely integrated within the target system security context. This includes understanding and addressing the security aspects of each component in relation to the overall system.

Regular reviews must be performed:

  • The integration process must be reviewed and updated regularly to adapt to evolving system requirements and practices.
  • The system documentation must be reviewed and updated regularly to take into account system changes and evolving security policies.
  • The risk analysis must be reviewed and updated regularly to keep the system security context documentation up-to-date and to adapt to new security threats.

Defense-in-depth strategy

A defense-in-depth strategy must be in place to ensure multiple layers of protection. This strategy involves applying complementary security mechanisms at different layers to detect and respond to potential threats effectively.

A typical defense-in-depth strategy includes:

  • Governance - Policies, procedures, and training.
  • Physical security - Access control, physical protection, video protection.
  • Network perimeters - Firewall, VPN, filtering, bastion.
  • Internal networks - Segmentation, IDS/IPS, encryption, flow control.
  • Hosts - Hardening, firewall, patching, antivirus and EDR, endpoint protection.
  • Application - Minimized service footprint, secure configuration.
  • Data - Encryption, classification, access control.

The strategy must be periodically reviewed and maintained to adapt to new security challenges and threats.
The responsible entity must perform regular security audits to evaluate the effectiveness of the defense-in-depth strategy. Audits assess if the system’s defense layers, such as network security, access control, encryption, and incident monitoring, are properly configured and operated.

See Reference architectures for more information.

Network design, segmentation, and endpoints exposure

Modern systems heavily depend on network technologies. PcVue hosts consume data from other hosts and components, and depending on their role, potentially expose endpoints.
Understanding the role of endpoints, network flows and the nature of the transmitted data is of prime importance to properly design the networks, select the segmentation rules and apply an adequate control of the network traffic.

API, data acquisition drivers, and PcVue client/server interfaces must be securely integrated depending on the network design and segmentation.

The following measures must be in place:

  • Ensure that any data exchange or interaction between the product and external applications are performed securely, using encryption and authentication where appropriate.
  • Review and evaluate the security of APIs and data acquisition drivers regularly to address emerging threats and vulnerabilities.
  • Follow the documentation to implement secure communication.
  • Perform regular security assessments on the APIs and data acquisition drivers in use.

Stay up-to-date and patch

To protect against known vulnerabilities, it is crucial to keep all the components of your systems up to date. ARC Informatique makes Maintenance Release available on a regular basis, they must be installed to keep the product up-to-date. Regular patching and updates ensure your system remains secure and performs at its best.

Failing to patch software exposes systems to known vulnerabilities that attackers may exploit. It increases the risk of data breaches, service disruptions, and unauthorized access. Over time, unpatched systems become increasingly unmanageable and non‑compliant with security standards, putting the entire organization at risk.

The following resources are available to keep you informed:

  • Newsletter - Subscribe to our newsletter for the latest news and updates on security and product enhancements.
  • Security Bulletins - Security bulletins are posted on our web site at https://www.pcvue.com/security/.
  • Release Notes - Always review the release notes provided with product releases to understand changes and improvements that can be useful in your context or may affect your systems. Release Notes are published on the Knowledge Base. It is a great resource to help you plan updates.
  • Knowledge Base - Access our comprehensive Knowledge Base for valuable informational resources, FAQs, and troubleshooting guides.

Reporting security vulnerabilities to us is important to strengthen product quality and improve the level of protection of all product users collectively.
A procedure is in place, including a responsible disclosure policy and a point of contact.

See Product security for more information.