All new EcoStruxure IT software developers attend a mandatory security training which is given upon hire and every year after that. Additionally, they can choose to enroll in a White Hat Hacker training to receive the Ethical Hacker certification.
Any change to the EcoStruxure IT platform is subjected to a mandatory peer review where code and infrastructure changes are reviewed by at least one other engineer in order to validate code quality, security and performance.
All changes are tracked using a version control system (GIT) to ensure history, traceability and audit tracking.
EcoStruxure IT testing environments are physically isolated from the Production environment.
Dynamic Vulnerability Scanning
Schneider Electric uses several third-party security tools to continuously dynamically scan the EcoStruxure IT platform for vulnerabilities. Schneider Electric maintains a committed security team to handle results and work with engineering teams to remediate issues.
Static Code Analysis
All changes to source code are continuously scanned for bugs, security and license issues via static analysis tooling. Any source code change which doesn’t meet the EcoStruxure IT standards will be returned to the development team for improvement.
3rd Party Security Penetration Testing
Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests on all components of EcoStruxure IT (gateway, mobile and web app). When new features are released, mission statements are handed to security experts to verify feature security. Learn more about our security test report sharing policy.
The Schneider Electric Corporate Product Cyber Emergency Response Team (CPCERT) has defined vulnerability management processes to ensure efficient incident response.
To report an incident, please contact your local Customer Care Center.
If you’re a researcher, please report a cybersecurity vulnerability here.
All vulnerability disclosures are reported on the Schneider Electric Cybersecurity Support Portal.
XSS Protection (Input Validation)
In accordance with industry best practices, we use strict procedures for output sanitization of all user input. This is enforced in part by static code analysis and also by using well known, tried and tested third party frameworks.
Product security features
The EcoStruxure IT password policy requires:
- At least 8 characters in length
- At least 3 of the following 4 types of characters:
- Lower case letters (a-z),
- Upper case letters (A-Z),
- Numbers (i.e. 0-9),
- Special characters (e.g. !@#$%^&* )
- No more than 2 identical characters in a row (i.e. “aaa” not allowed)
EcoStruxure IT will validate your password, as long as it is not one of the 10 000 most common passwords and that it is not the first part of your email address.
Please note that your password will not expire according to recommended password policies by NIST & National Cyber Security Centre in the UK.
Multifactor authentication provides another layer of security to your EcoStruxure IT account, making it more challenging for somebody else to sign in as you. Multifactor authentication is turned on for all logins to EcoStruxure IT, whether you are a customer, partner or Schneider Electric employee. Schneider Electric advises you to use the EcoStruxure IT app for second factor authentication or a 3rd-party authenticator app. Though it is possible to use short-lived one time SMS tokens as a last resort, it is not recommended.
Secure Credential Storage
Schneider Electric follows secure credential storage best practices by never storing EcoStruxure IT passwords in clear text format, and only as the result of a bcrypt secure, salted hash. Passwords are decoupled from the internal platform and saved using Auth0, a solution recommended by authentication management experts.
Failed Login Attempts
Schneider Electric enforces brute force protection for EcoStruxure IT. You will be blocked from logging in to your account if you have entered a wrong password for more than 10 times from the same IP address. You will then receive instructions on how to unblock the IP address from EcoStruxure IT via email.
Schneider Electric enforces rate limits as well. If you attempt to log in 20 times per minute as the same user from the same location, regardless of having the correct credentials, the rate limit will apply. You will then only be able to make 10 attempts per minute.
Schneider Electric is committed to keeping your data secure and private, even before it leaves your site. All connections from the EcoStruxure IT gateway to our cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption. To avoid compromising the security of your site, the EcoStruxure IT gateway uses an outbound connection through Port 443, and only communicates to EcoStruxure IT cloud using 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, and 18.104.22.168.
The communication from this outbound connection is always initiated by the gateway. The gateway connects to our cloud at regular intervals to check for messages, and then performs actions based on those messages. Infographic: Learn more about how EcoStruxure IT applies updates to your infrastructure
All requests coming from the gateway are signed using a unique private key created on installation and stored in the gateway, making it impossible to impersonate it.
The EcoStruxure IT gateway features an auto-update functionality ensuring that the software security patching happens automatically and that the gateway is always up-to-date. During the update, the gateway continues to communicate sensor data and alarms to the cloud, minimizing downtime.
The General Data Protection Regulation (“GDPR”) addresses the processing of personal data and the free movement of that data. Its goal is to strengthen the security and protection of personal data in the EU and to harmonize EU data protection law. This regulation sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.
Schneider Electric is committed to complying with its obligations under the GDPR. Schneider Electric shares personal information with 3rd party data processors on a need-to-know basis.
Personal Data Handling and Storage
Schneider Electric collects sensor data and alarms from critical infrastructure devices, that you choose to share with us. Schneider Electric only collects data about the performance of your equipment, and metadata such as where it’s located and how old it is.
Before being committed to storage, your data is tagged as yours. Your data is segregated from other customers data by a unique identifier, which the system uses to ensure proper matching of data. In addition, the cloud engine keeps a complete audit trail of the data received and the data processing, so we can always retrace our steps and see where your data has been and what it has been used for.
EcoStruxure IT does not access any data stored on your servers or storage, or monitor any traffic passed through your network. Data is stored on Microsoft Azure in the United States.
Personal Data Use
Firstly, Schneider Electric processes and stores data for you, so it’s available to you anywhere in the world through the EcoStruxure IT app. But more importantly, sharing your data with Schneider Electric allows us to optimize the services and products we provide, to help you optimize your data center, and to enable you to benchmark yourself with peers worldwide.
Automatic Personal Data Deletion
When you deactivate your EcoStruxure IT account, our system automatically deletes your personal data for login. A historical record is kept for marketing purposes that is deleted after three years.
Data center and network security
The EcoStruxure IT servers are hosted in the United States on the Microsoft Azure Cloud, which is ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2 certified. Learn more about Microsoft Azure facilities, premises and physical security
Access to the EcoStruxure IT Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is monitored, and is controlled by our Operations Team. Employees accessing the EcoStruxure IT Production Network are required to use multiple factors of authentication.
As EcoStruxure IT is running on Microsoft Azure, Schneider Electric leverages their always-on traffic monitoring, and real-time mitigation of common network-level attacks, providing the same defenses utilized by Microsoft’s online services.
3rd Party Security Penetration Testing
Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform. Learn more about our security test report sharing policy.
EcoStruxure IT is maintained and operated by a core DevOps team with extremely high standards for cyber security and data privacy. All parts of the EcoStruxure IT system are continuously monitored and scanned for potential security vulnerabilities or privacy issues. The DevOps team is on-call 24/7 and able to react promptly to newly discovered threats or issues.
Encryption in Transit
All connections to the EcoStruxure IT cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption. For Android versions prior to 7.0, Schneider Electric can only guarantee 128 bit AES encryption due to limitations in the Android platform.
Encryption at Rest
EcoStruxure IT data is encrypted using 256 bit AES encryption.
Availability & continuity
All components of the EcoStruxure IT platform are deployed in high availability configuration to eliminate single point of failure. All data is backed up to separate storage to prevent data loss.
Subprocessors and Subcontractors
Discover the list of subprocessors helping to the good delivery of EcoStruxure IT services.