Chapter 17. Security Considerations

Table of Contents

17.1. Login and Password Protection
17.2. Security of AmmonitConnect
17.3. Data Transmission
17.4. Stored Data on Meteo-40 plus
17.5. SCADA Security
17.6. Software Security and Cryptography

Meteo-40 plus is an internet-connected device and is therefore exposed to remote attacks. While Ammonit secures the device as well as possible, a compromise of the device by adversaries can never be ruled out. This chapter summarises the various security measures of Meteo-40 plus.

[Warning]Warning

Physical access to the device is not covered here. Meteo-40 plus cannot be secured against attacks that involve direct access to the device.

17.1. Login and Password Protection

There are four default logins: Admin, User, Viewer, and Guest. Each account has a unique default password that is not shared with other devices.

Default passwords follow current (as of 2026) recommendations for password safety, e.g. by NIST: random, 16 characters, with at least one uppercase letter, one lowercase letter, one digit, and one special character.

All passwords can be changed by an Admin user. Admin users can also create, edit and delete individual accounts (see Section 4.2.1, “User Management” in Section 4.2, “System Administration”).

[Tip]Tip

Always create and use individual accounts per user. If an account gets hijacked, this helps to find out which user's PC might have been compromised, because all logins are recorded in the logbook. Use secure passwords, as recommended by NIST, and do not use the same passwords on multiple devices.
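The tip above relies on the logbook to attribute a hijacked account to a specific PC. The following Python script is an added example, not part of the Meteo-40 plus firmware or documentation, showing the kind of review an operator can run over exported login records: it flags accounts that logged in from an unexpected address, accounts whose success was preceded by repeated failures, and accounts used from several PCs (which indicates a shared login and defeats attribution). The line format, user names and IP addresses are constructed for the example; the real logbook format is not described on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logbook lines. The line format is an assumption made for this
# example; it is not the real Meteo-40 plus logbook format. Addresses are documentation ranges.
SAMPLE_LOGBOOK = """\
2026-03-01 08:02:11 login user=alice ip=10.0.1.20 result=ok
2026-03-01 08:30:45 login user=bob ip=10.0.1.31 result=ok
2026-03-01 22:17:03 login user=alice ip=203.0.113.77 result=failed
2026-03-01 22:17:09 login user=alice ip=203.0.113.77 result=failed
2026-03-01 22:17:15 login user=alice ip=203.0.113.77 result=ok
2026-03-02 07:55:00 login user=shared ip=10.0.1.20 result=ok
2026-03-02 07:56:00 login user=shared ip=10.0.1.31 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_logbook(text):
    """Turn logbook text into a list of login events, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "ip": m["ip"],
            "result": m["result"],
        })
    return events


def suspicious_accounts(events, known_ips, max_failures=2):
    """Return {account: [reasons]} for accounts whose login history looks abnormal.

    known_ips   : set of source IPs expected for this site's operator PCs
    max_failures: a success preceded by this many consecutive failures is flagged
    """
    findings = defaultdict(set)
    ok_ips = defaultdict(set)     # successful-login source IPs per account
    streak = defaultdict(int)     # consecutive failed logins per account
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ip = e["user"], e["ip"]
        if e["result"] != "ok":
            streak[user] += 1
            continue
        if ip not in known_ips:
            findings[user].add("unknown_ip")
        if streak[user] >= max_failures:
            findings[user].add("failures_before_success")
        streak[user] = 0
        ok_ips[user].add(ip)
    # One account used from several PCs suggests a shared login, which defeats attribution.
    for user, ips in ok_ips.items():
        if len(ips) > 1:
            findings[user].add("multiple_ips")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    report = suspicious_accounts(parse_logbook(SAMPLE_LOGBOOK), {"10.0.1.20", "10.0.1.31"})
    for user, reasons in report.items():
        print(f"{user}: {', '.join(reasons)}")
```

With the constructed input, alice is flagged on all three counts and the shared account on the multiple-PC count, while bob, who only ever logs in from a known address, does not appear. The known-IP set is site-specific and has to be maintained by the operator.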

17.2. Security of AmmonitConnect

Meteo-40 plus provides remote access to its web interface via AmmonitConnect. AmmonitConnect creates a secure path by means of reverse tunneling, which allows access to the Meteo-40 plus web interface even when the device is connected via a mobile network with a private (not globally routable) IP address.

AmmonitConnect can be disabled, or a custom installation on a private server can be implemented.

Note that through AmmonitConnect, anybody who knows or guesses a serial number can check whether that device is online or not. They would not see any more information than that.

[Tip]Tip

Use a custom AmmonitConnect Access Code instead of the default Ammonit one, to prevent unauthorized Internet traffic from reaching the data logger.

17.3. Data Transmission

The security of data transmission depends on the transmission method. Ammonit strongly recommends using SCP or SFTP (both based on SSH) or FTPS (based on TLS) to transfer CSV and other files.

Transmission over email is also secured by TLS, but insecure email transmission without TLS is still possible. If in doubt, ask your email service provider whether its server still accepts insecure (unencrypted) SMTP.

Live data transmission is always secured by TLS.

For higher security demands, CSV and other files can be encrypted using the OpenPGP standard. Note that this is symmetric encryption using a password: anyone who knows the password can decrypt the files. If you use file encryption, make sure to use a strong password.
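A receiving system should verify that files which are supposed to be encrypted really arrive as OpenPGP data rather than as plain CSV, for instance after a configuration change on the logger. The following Python script is an added example, not part of the Meteo-40 plus firmware or of any Ammonit tool; it parses OpenPGP packet headers as defined in RFC 4880 (section 4.2) and reports whether a file starts with a password-based (Symmetric-Key Encrypted Session Key, tag 3) packet followed by encrypted data. The sample bytes are constructed for the example and are not taken from a real logger file.

```python
import struct

# Packet tags from RFC 4880, section 4.3
TAG_SKESK = 3    # Symmetric-Key Encrypted Session Key (password-based encryption)
TAG_SED = 9      # Symmetrically Encrypted Data (legacy, no integrity protection)
TAG_SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data
VALID_TAGS = set(range(1, 20)) | {60, 61, 62, 63}


def read_packet_header(data, offset=0):
    """Parse one OpenPGP packet header (RFC 4880 section 4.2).

    Returns (tag, body_offset, body_length), or None if the bytes at offset are not a
    well-formed header with a definite length.
    """
    try:
        b = data[offset]
        if not b & 0x80:                      # bit 7 must be set in any packet header
            return None
        if b & 0x40:                          # new-format header
            tag = b & 0x3F
            first = data[offset + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[offset + 2] + 192
                hdr = 3
            elif first == 255:
                length = struct.unpack(">I", data[offset + 2:offset + 6])[0]
                hdr = 6
            else:                             # partial body length: not handled here
                return None
        else:                                 # old-format header
            tag = (b >> 2) & 0x0F
            ltype = b & 0x03
            if ltype == 0:
                length, hdr = data[offset + 1], 2
            elif ltype == 1:
                length = struct.unpack(">H", data[offset + 1:offset + 3])[0]
                hdr = 3
            elif ltype == 2:
                length = struct.unpack(">I", data[offset + 1:offset + 5])[0]
                hdr = 5
            else:                             # indeterminate length
                return None
    except (IndexError, struct.error):
        return None
    if tag not in VALID_TAGS:                 # e.g. a UTF-8 BOM would otherwise look like tag 47
        return None
    return tag, offset + hdr, length


def classify_file(data, max_packets=4):
    """Classify received bytes as 'armored', 'symmetric', 'other_pgp' or 'plaintext'."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "armored"
    tags, offset = [], 0
    while offset < len(data) and len(tags) < max_packets:
        header = read_packet_header(data, offset)
        if header is None:
            break
        tag, body_offset, length = header
        tags.append(tag)
        offset = body_offset + length
    if not tags:
        return "plaintext"
    if tags[0] == TAG_SKESK and any(t in (TAG_SEIPD, TAG_SED) for t in tags[1:]):
        return "symmetric"
    return "other_pgp"


# Constructed sample: an old-format SKESK packet (tag 3, 13-byte body: version 4, AES-256,
# iterated+salted S2K with SHA-256, 8-byte salt, count) followed by a short new-format
# SEIPD packet (tag 18). Not taken from a real Meteo-40 plus file.
SAMPLE_ENCRYPTED = (
    bytes([0x8C, 0x0D, 0x04, 0x09, 0x03, 0x08]) + bytes(range(8)) + bytes([0x60])
    + bytes([0xD2, 0x05]) + b"\x01ABCD"
)
SAMPLE_PLAINTEXT = b"Date,Time,Wind speed\n2026-03-01,00:00:00,6.2\n"

if __name__ == "__main__":
    print(classify_file(SAMPLE_ENCRYPTED))   # symmetric
    print(classify_file(SAMPLE_PLAINTEXT))   # plaintext
```

The check only confirms that a file is OpenPGP-encrypted with a password; it says nothing about the strength of that password, which is why the text above asks for a strong one.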

[Tip]Tip

It is recommended to send CSV files to AmmonitOR. The transmission is secured by SCP.

17.4. Stored Data on Meteo-40 plus

Data stored on the device itself is not specifically protected.

[Tip]Tip

Make sure that adversaries cannot get physical access to your Meteo-40 plus.

17.5. SCADA Security

Meteo-40 plus data loggers support the Modbus TCP and Modbus RTU protocols for integration in Supervisory Control And Data Acquisition (SCADA) systems (see Chapter 8, SCADA). Modbus is a widely used but inherently insecure communication protocol in SCADA systems, lacking built-in security mechanisms such as authentication and encryption.

External security measures can be implemented to protect these systems, e.g. network segmentation and firewalls: isolating SCADA networks from corporate networks and the internet using properly configured firewalls is a fundamental security practice.

Physical separation can be achieved by using a different physical communication port for the SCADA communication: the RS-485 Server port and, if required, a Modbus RTU to Modbus TCP converter can be used for the SCADA communication.

[Tip]Tip

If the Modbus TCP protocol is used, access to the data can be restricted to a single IP address by entering it in the Allowed client IP address field (see Section 8.1, “Configuring Meteo-40 plus for SCADA” for more information).
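Because Modbus carries no authentication, the protections described above all sit outside the protocol: a single allowed client address on the logger, and a firewall or protocol-aware gateway on the segmented network. The following Python script is an added example, not the logger's own implementation, of what such a gateway check looks like: it parses the Modbus TCP MBAP header, rejects requests from any source other than the one allowed client, and, as an additional assumption for a data-only device, refuses every function code except the four read functions. The frames and addresses are constructed for the example.

```python
import ipaddress
import struct

# Modbus function codes a data logger needs to serve; everything else is refused.
# Restricting to reads is this example's assumption, not a documented logger setting.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}   # read coils, discrete inputs, holding registers, input registers


def parse_mbap(frame):
    """Parse the Modbus TCP MBAP header and return the request fields, or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": frame[7],
        "pdu": frame[7:],
    }


def check_request(client_ip, frame, allowed_client):
    """Decide whether a Modbus TCP request may reach the logger.

    Two checks: the source must be the single allowed client (as with the logger's
    Allowed client IP address setting), and the function code must be a read.
    Returns (accepted, reason).
    """
    if ipaddress.ip_address(client_ip) != ipaddress.ip_address(allowed_client):
        return False, f"client {client_ip} is not the allowed client"
    try:
        request = parse_mbap(frame)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if request["function"] not in READ_ONLY_FUNCTIONS:
        return False, f"function code {request['function']} is not a read"
    return True, "ok"


# Constructed frames (not captured from a real device): read 2 holding registers at
# address 0 from unit 1, and write a single register.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0002".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001".replace(" ", ""))

if __name__ == "__main__":
    allowed = "10.0.2.5"
    for ip, frame in [(allowed, READ_HOLDING), ("10.0.2.9", READ_HOLDING), (allowed, WRITE_SINGLE)]:
        print(ip, check_request(ip, frame, allowed))
```

The IP check duplicates what the logger's own setting does and is only as trustworthy as the network it runs on, since Modbus TCP has no way to prove the source address; that is why the text pairs it with segmentation and firewalls rather than relying on it alone.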

17.6. Software Security and Cryptography

Meteo-40 plus uses cryptography for encryption and digital signing. All cryptographic routines are standard routines; no self-made cryptography is used.

[Tip]Tip

Make sure to perform regular software upgrades of your Meteo-40 plus device. New versions come with new features, but may also fix security-related issues. You can always find the list of changes in the Chapter , Release Notes.