Insecure Communication Channel

CyberSecurity

We’ve had a few questions come up in the community regarding the latest cyber security advisory, so we wanted to consolidate the information and increase the visibility of the topic for all users.

Full Details

Here is a link to the advisory which includes all of the details.

Summary

It was found that the Automation Studio Upgrade Service and B&R Technology Guarding mechanism use insufficient encryption for communicating to the upgrade server and the licensing server. To mitigate this, the B&R server has disabled an insecure communication channel by only allowing HTTPS communication using TLS 1.2 or higher.

In other words, online license activation and online tools upgrades will not work with TLS <1.2.

Affected B&R Versions

  • Automation Studio < 4.6
  • Technology Guarding < 1.4.0

Related Errors

Here is an example of an error that you can encounter as a result of this security change, specifically when trying to license an Automation Studio version less than AS 4.6:

image

Steps to Re-Enable Online Licensing

Download and install Technology Guarding >= v1.4.0.

Steps to Re-Enable Online Tools Upgrades

Download and install AS4.6 or above.

If you need to keep using AS <4.6, refer to the cyber security advisory for workarounds.

More Information

Note that Windows programs based on .NET framework version < 4.6 will by default still try to use TLS < 1.2. To resolve this, you can force them to use TLS 1.2 by setting one registry value in Windows’s Registry Editor. This fix is described in more detail here.

More details about this topic and relevant workarounds are explained directly in the cyber security advisory. More information about cyber security measures in general at B&R can be found on the website here.

If you have any questions, feel free to add them below!

10 Likes