Safeguard
Security Context & Rationale
References
Each account should be tied to an
individual. Organizations should
control individual accounts
through policy.
Mobile application requires
registration and authentication
and security events are logged.
This safeguard ensures all
activities are traceable and non-
repudiable.
ATT&CK for ICS: M0801
NIST SP 800-53 Rev5: AC-3(7)
ISA/IEC 62443-3-3: SR 1.1
Ensure Magnet Key is removed
after putting the optimyze sensor
in Configuration Mode so that the
device does not re-enter
Configuration Mode unexpectedly
and enable alternative access to
your data.
Protections, such as the magnet
key, are put in place to make
pairing deliberate and to require
physical proximity to the device.
This safeguard provides
additional checks and ensures no
fingerprinting of BLE devices
takes place.
NIST SP 800-53 Rev5: AC-18
ISA/IEC 62443-4-2: CR 4.1, NDR
1.6
Ensure Bluetooth signal cannot
be received outside the
organization-controlled
boundaries by employing
emission security and
purposefully positioning the
device.
Multiple BLE pairing mechanisms
are available to ensure availability
of data. This safeguard reduces
the likelihood of capturing or
intercepting signals.
ATT&CK for ICS: M0806
NIST SP 800-53 Rev5: AC-18,
SC-40
ISA/IEC 62443-3-3: SR 5.2
Implement specific inventory,
logging and monitoring of
hardware and report security-
related incidents associated with
optimyze devices to Xylem.
These might include unexpected
operations, confirmed tampering,
or theft of the device.
Devices are hardened and Xylem
provides PSIRT to help
customers investigate potential
security incidents. This safeguard
supports the ability to track assets
and recognize potential security
events.
ATT&CK for ICS: M0947
NIST SP 800-53 Rev5: SM-8
ISA/IEC 62443-3-3: SR 1.11, SR
2.8, SR 3.4
Maintain updated firmware and
software on all devices and apps.
Device firmware integrity is
maintained by cryptographically
signing at the source and then
verifying the authenticity and
integrity at runtime. It builds on
modern tools provided by our
partners. Sometime vulnerabilities
are discovered, and we work with
our partners to deploy updates to
security and resilience. This
safeguard mitigates exploitation
risks and ensures security
patching.
ATT&CK for ICS ID: M0951
NIST SP 800-53 Rev5: MA-3(6)
ISA/IEC 62443-3-3: SR 3.1.3, SR
7.1
Ensure cybersecurity policies,
awareness, and training to the
operators, administrators and
other personnel.
While the system has been
hardened in many ways, this
safeguard prevents Social
Engineering attacks and
promotes awareness related to
cybersecurity.
NIST SP 800-53 Rev5: AT-2
ISA/IEC 62443-2-4: SP.01
Before device disposal clear all
paired connections and disable
accounts.
No data is persistent on the
Gateway device, but BLE bonding
is enabled for continuous
gathering of sensor data. This
safeguard ensures that no one
can connect to your sensors
using already-paired devices.
ATT&CK for ICS ID: M0942
NIST SP 800-53 Rev5: SR-12
ISA/IEC 62443-3-3: SR 4.2
For additional information see references:
10 Cybersecurity
optimyze
™
Gateway Instruction, Operation, and Maintenance Manual
15