
Security

Authentication & Authorization

The Argonaut Authentication Service uses industry standards and follows best practices for secure session management of user accounts across Argonaut services. User session management uses JWTs (JSON Web Tokens), which are tamper-resistant, digitally signed (to ensure the integrity of the token), and have a configurable expiry time before they need to be refreshed (to reduce the window of opportunity for attacks). In addition to the layers of security provided by JWTs, each request for access to the Argonaut API goes through an ACL (Access Control List) permission system that provides fine-grained, per-user access control. Through Authentication Providers, the Authentication Service can integrate with more than the provided local authentication model. Each Authentication Provider allows further scoping of Roles and ACLs on a user's session, so that the degree of trust can vary with the authentication mechanism.


Input Validation and Sanitization

The Argonaut API service takes security measures to protect against common vulnerabilities. It enforces parameterized queries to prevent SQL injection attacks when accessing the database, and it uses a graphical template framework that includes additional security measures to prevent cross-site scripting (XSS) vulnerabilities. XSS attacks occur when untrusted data is incorrectly interpreted as code and executed by a web application, leading to potential exploitation. The graphical template framework used by Argonaut has built-in safeguards that sanitize or escape user-generated content before rendering it on web pages, ensuring that injected scripts or malicious code do not execute and pose a risk to users. These practices contribute to the overall security of the Argonaut API service and help safeguard against potential exploits and attacks.

Deployment & Infrastructure

By default, Argonaut only exposes an ingress that requires TLS communication to the Web Console and the API. The Certificate Management Service in the deployment allows the default certificate to be replaced with a signed certificate for the domain the Argonaut instance is hosted on. The Argonaut deployment environment can contain sensitive information such as passwords, tokens, or keys that must also be protected. The deployment platform Argonaut uses stores this sensitive information as a "secret". Secrets are encrypted and stored securely within the Kubernetes cluster in a way that separates sensitive data from configuration and reduces the risk of accidental exposure of sensitive information. Access to the deployment API is intended to be limited to authorized users or service accounts with the necessary permissions. Ultimately, protection of these Kubernetes-based secrets relies upon a well-structured system and appropriately configured RBAC access controls within the deployment environment. These considerations are beyond the scope of Argonaut and of this documentation.

Device Communication

Device communication can take many forms in a manufacturing environment. The technical details of how networked systems securely interact with those devices are important. However, a device's safeguards for determining the appropriateness of a remote request must also be considered before exposing the device on a network. In other words, just because a device can expose unrestricted access to its command structure doesn't mean it should. For example, a PLC should not directly expose control of a register controlling an output, but rather expose a register that is capable of making as much of an informed decision as possible on whether (or not) an action can be performed. If a device does not have the logical capacity to make an informed decision, then an edge-device interface should be designed in a way that mitigates undesired behavior.
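The request-register pattern described above, as an added example that is not Argonaut code: the remote side can only ask, and the edge interface decides from local state. The class, its interlock inputs (guard, e-stop, mode) and the "stop is always granted" rule are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
@dataclass
class EdgeGate:
    """Hypothetical edge interface in front of one PLC output."""
    guard_closed: bool = False   # constructed interlock input
    estop_active: bool = False   # constructed interlock input
    mode: str = "MANUAL"         # remote requests only honoured in "AUTO"
    output_on: bool = False      # the real output; never written remotely
    log: list = field(default_factory=list)

    def _blockers(self) -> list:  # local conditions that forbid energising
        reasons = []
        if self.estop_active:
            reasons.append("e-stop active")
        if not self.guard_closed:
            reasons.append("guard open")
        if self.mode != "AUTO":
            reasons.append("not in AUTO mode")
        return reasons

    def request_start(self, requester: str) -> bool:
        """The remote side writes a request; the gate decides on local state."""
        reasons = self._blockers()
        if not reasons:
            self.output_on = True
        self.log.append((requester, "start", not reasons, tuple(reasons)))
        return not reasons

    def request_stop(self, requester: str) -> bool:
        """Assumption: off is the safe state, so a stop is always granted."""
        self.output_on = False
        self.log.append((requester, "stop", True, ()))
        return True

    def scan(self) -> None:
        """Called every cycle: drop the output when an interlock is lost."""
        if self.output_on and (self.estop_active or not self.guard_closed):
            self.output_on = False
            self.log.append(("local", "trip", True, ()))

def demo():
    """Constructed scenario: refused, then granted, then tripped locally."""
    gate = EdgeGate()
    refused = gate.request_start("remote-user")   # guard open, MANUAL mode
    gate.guard_closed, gate.mode = True, "AUTO"
    granted = gate.request_start("remote-user")
    gate.guard_closed = False                     # guard opens while running
    gate.scan()
    return refused, granted, gate.output_on, gate.log
```

Every decision, including refusals and their reasons, lands in `log`, which gives an audit trail of who asked for what.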

The Sparkplug™ Protocol Specification offers a message transport solution that uses the MQTT protocol to define a standard method of communication with Sparkplug-enabled devices. It is one of the ways Argonaut can communicate with a device. If a device does not have the Sparkplug Protocol built in, an EoN (Edge of Network) Node can be used to provide the needed translation interface. These EoN Nodes use a network protocol configuration and a device-specific configuration that should adhere to the previously defined restrictions on device access at the point of integration. A default Argonaut deployment secures access to an MQTT broker by requiring TLS on both the standard MQTT protocol and websockets over TLS, along with a valid username and password.

It is the integrator's or end user's responsibility to appropriately configure and authorize users of the MQTT environment to ensure the expected system security. Device accounts should be as limited as possible, allowing only the desired function.
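One way to check that a device account is limited, as an added example that is not part of Argonaut: probe an account's topic grants against the Sparkplug B topic namespace (`spBv1.0/<group>/<message type>/<edge node>/[<device>]`). The ACL representation, the node and group names, and the least-privilege policy in the docstring are assumptions; a real broker's ACL format has to be translated into this form.

```python
def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' is all remaining levels."""
    f, t = topic_filter.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False  # wildcards never match a leading '$' level
    for i, level in enumerate(f):
        if level == "#":
            return True  # '#' is only valid as the last level of a filter
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def allowed(acl, action, topic) -> bool:
    return any(a == action and filter_matches(flt, topic) for a, flt in acl)

def audit_edge_account(acl, group, node):
    """Return the (action, topic) probes this account passes but should not.

    Assumed policy: an edge node publishes only its own BIRTH/DATA/DEATH
    messages and receives only commands addressed to itself.
    """
    other = "probe-other-node"  # constructed name, not a real node
    probes = [
        ("publish", f"spBv1.0/{group}/NDATA/{other}"),      # another node's data
        ("publish", f"spBv1.0/{group}/NCMD/{node}"),        # commands come from hosts
        ("publish", f"spBv1.0/{group}/DCMD/{other}/dev"),
        ("receive", f"spBv1.0/{group}/NCMD/{other}"),       # another node's commands
        ("receive", f"spBv1.0/{group}/DDATA/{other}/dev"),
    ]
    return [(a, t) for a, t in probes if allowed(acl, a, t)]

# Constructed ACLs for a hypothetical edge node "edge7" in group "plant1".
BROAD = [("publish", "spBv1.0/#"), ("receive", "spBv1.0/#")]
LOOSE = [("publish", "spBv1.0/plant1/+/edge7/#"),
         ("receive", "spBv1.0/plant1/+/edge7/#")]
TIGHT = (
    [("publish", f"spBv1.0/plant1/{m}/edge7") for m in ("NBIRTH", "NDATA", "NDEATH")]
    + [("publish", f"spBv1.0/plant1/{m}/edge7/+") for m in ("DBIRTH", "DDATA", "DDEATH")]
    + [("receive", "spBv1.0/plant1/NCMD/edge7"),
       ("receive", "spBv1.0/plant1/DCMD/edge7/+")]
)
```

`LOOSE` looks scoped to one node, yet the audit still reports that the account can publish `NCMD` to itself, because the `+` in the message-type level covers command types as well as data types.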