How to Keep Your Data Secure with PakBus® Encryption: Part 3

By Shaurya Rastogi | Updated: 12/15/2025


In this third and final blog article in the series, I'll share with you some more practical steps that you can take to keep your automated monitoring platform secure.

Send Data Safely by Email

If your data logger sends data via email, always use a TLS-encrypted connection.

How to Configure Secure Email

  1. If your automated monitoring platform supports the EmailSend() instruction and you wish to use a general SMTP server (such as your corporate mail server), then you can configure CRBasic accordingly:

    'Arguments: server:port, to, from, subject, message, attachment (none),
    'user name, password, response variable
    Result = EmailSend("smtp.server.com:587", "recipient@domain.com", "from@domain.com", _
      "Subject", "Message body", "", "username", "password", ServerResponse)

    1. Choose port 587 or 465 if your SMTP server supports STARTTLS or SSL.
    2. Where possible, use TLS/SSL encryption for SMTP. Avoid unencrypted port 25 wherever your mail server policy allows you to.
    3. Test sending, verify receipt, and check headers to confirm the encryption.
    4. Monitor the ServerResponse variable or data logger status tables to check for success/failure.
  2. Alternatively, our recommended method is to use the EmailRelay() instruction, which posts the message to a Campbell Scientific-managed relay service:

    Result = EmailRelay("recipient@domain.com", "Subject", "Message body", ServerResponse)

    This method offloads SMTP complexity and helps avoid deliverability issues. It does not allow you to directly specify your own SMTP server, port, username, etc., within the instruction.

  3. For either method:
    1. Test in a slow sequence (e.g., SlowSequence) to avoid blocking the main scan.
    2. Ensure proper DNS resolution and network connectivity before sending.
  4. If you are using an intermediate relay (e.g., your own network uses a LoggerNet server or other SMTP relay):
    1. Configure the relay’s SMTP settings to require TLS/SSL and strong authentication.
    2. Test the entire chain (data logger → relay → destination) before deployment.

Note: Consult your specific automated monitoring platform model’s manual for any differences in email instructions, supported ports, encryption settings, and deliverability limits (e.g., EmailRelay() has a limit of 100 messages per day and 1 MB per message).
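One way to carry out the "check headers" and "test the entire chain" steps above, as an added Python example that is not part of the original article or Campbell Scientific's code: it reads the Received headers of a delivered test message and reports any hop that was not recorded as TLS-protected. The host names and the sample message are constructed for illustration.

```python
import email
import re

# Constructed sample (hypothetical hosts): logger -> SMTP server -> relay -> destination.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby mx.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 15 Dec 2025 10:00:05 +0000
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
\tby relay.example.net with ESMTP id def456;
\tMon, 15 Dec 2025 10:00:03 +0000
Received: from logger-01 ([198.51.100.7])
\tby smtp.example.com with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 15 Dec 2025 10:00:01 +0000
From: from@domain.com
To: recipient@domain.com
Subject: Subject

Message body
"""

# RFC 3848 "with" keywords whose trailing S or SA means the hop used TLS.
TLS_PROTOCOLS = {p + s for p in ("ESMTP", "LMTP", "UTF8SMTP", "UTF8LMTP") for s in ("S", "SA")}

def strip_comments(value):
    # Drop (possibly nested) parenthesised comments so text such as "with cipher" is ignored.
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def audit_hops(raw_message):
    # Received headers are prepended, so reverse them to get sender -> destination order.
    hops = []
    for raw in reversed(email.message_from_string(raw_message).get_all("Received", [])):
        value = " ".join(raw.split())  # unfold the header onto one line
        bare = strip_comments(value)
        by = re.search(r"\bby\s+(\S+)", bare)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        annotated = bool(re.search(r"\bTLS\s?v?\d", value, re.I))  # e.g. version=TLS1_3
        hops.append({"by": by.group(1) if by else "?", "protocol": protocol,
                     "encrypted": protocol in TLS_PROTOCOLS or annotated})
    return hops

def unencrypted_hops(raw_message):
    return [h["by"] for h in audit_hops(raw_message) if not h["encrypted"]]
```

Each Received header is written by the server that accepted the message, so treat only the hops added by servers you operate or trust as reliable evidence.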

Keep Industrial Protocols Secure

When working with industrial communications protocols (Modbus, DNP3, etc.):

  • Operate over trusted or secured network infrastructures.
  • Use VPNs or private network links to keep traffic safe.

How to Secure Industrial/Control Traffic

  • Operate over trusted networks.
    • Where possible, place automated monitoring platforms (and the networks they communicate over) on dedicated network segments (for example VLANs) so that data logger and sensor traffic is separated from general IT traffic.
    • Use network segmentation at the switch/router/firewall level to restrict access to data logger services and industrial-protocol traffic.
    • Avoid running control/automation traffic over broad general-purpose networks without segmentation or access control.
  • Use VPNs for remote access.
    • For remote sites, use a site-to-site VPN to connect the remote data logger subnet to the central monitoring site. Configure this at the network/router level (e.g., IPsec).
    • For individual technician access, require a client VPN that provides access only after secure authentication (ideally, certificates or two-factor authentication). Limit such VPN access to explicitly trusted IP ranges and data logger subnets.
    • Ensure the VPN configuration routes only the required data logger/SCADA subnets, not the entire enterprise network, to reduce exposure.
  • Use private network links.
    • When using cellular or other telemetry links for remote data loggers, use private APNs or private network configurations rather than full public internet connections.
    • At isolated or high-risk sites, consider using dedicated radio links or other isolated telemetry rather than exposing systems broadly to the internet.
    • Minimize direct public internet access to automated monitoring platform networks; use layered controls (firewalls, VPNs, segmentation).
  • Be aware of protocol-specific security considerations.
    • If your data logger communicates with automation/industrial protocols (such as via Ethernet or serial gateways), enable authentication, encryption, and role separation where the protocol supports it.
    • For monitoring-only applications, use read-only or restricted write access; reserve full control or write capabilities for authenticated control systems only.
    • Ensure that the data logger’s internal communications (e.g., TCP/IP, PakBus/TCP) are secured via the data logger settings. Use PakBus encryption, set security codes, and disable unused services (e.g., “PakBus Encryption Key is enabled by default on UID loggers.”).
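A check for the segmentation guidance above, as an added Python example that is not part of the original article: it scans firewall flow records for Modbus/TCP, DNP3, or PakBus/TCP connections that reach the data logger VLAN from outside the permitted sources. The addressing plan, the record format, and the sample records are assumptions constructed for illustration; the port numbers are the protocols' default TCP ports.

```python
import ipaddress

# Default TCP ports of the protocols named above.
PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 6785: "PakBus/TCP"}

# Assumed addressing plan (hypothetical): one data logger VLAN, plus the only
# sources allowed to reach it (the VLAN itself and a SCADA/VPN client pool).
LOGGER_VLAN = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [LOGGER_VLAN, ipaddress.ip_network("10.99.5.0/28")]

# Constructed firewall flow records: "src dst dport action".
SAMPLE_FLOWS = """\
10.99.5.4 10.20.0.15 502 ALLOW
10.20.0.30 10.20.0.15 6785 ALLOW
192.168.1.77 10.20.0.15 502 ALLOW
203.0.113.9 10.20.0.15 20000 DENY
192.168.1.77 10.20.0.15 443 ALLOW
10.99.5.4 10.20.0.16 6785 ALLOW
"""

def audit_flows(flow_text):
    """Return (line, source, protocol, verdict) for industrial-protocol flows
    to the logger VLAN that come from outside the allowed sources."""
    findings = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed records
        try:
            src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        port, action = int(fields[2]), fields[3].upper()
        if port not in PROTOCOL_PORTS or dst not in LOGGER_VLAN:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # ALLOW means the segmentation rule is missing; DENY means it held.
        verdict = "gap" if action == "ALLOW" else "blocked"
        findings.append((n, str(src), PROTOCOL_PORTS[port], verdict))
    return findings
```

A "gap" finding points to a firewall or VLAN rule to tighten; a "blocked" finding shows the control working and a source worth identifying.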

Conclusion

I hope you found the information contained in this three-part series helpful. As a reminder, no single step can eliminate every security risk, but combining multiple safeguards—from physical protections to encrypted communications—creates a layered defense that makes your system much more resilient. By securing your Campbell Scientific automated monitoring platform, you're not only protecting your data but also strengthening the entire monitoring network.

Do you need help setting this up? Please reach out to our application engineers or sales engineers, as we are happy to help you.



About the Author

Shaurya Rastogi is a Technical Specialist at Campbell Scientific India, with more than a decade of expertise in infrastructure and geotechnical instrumentation, as well as data-acquisition systems. His core strengths include system integration, CRBasic programming, and the secure deployment of data loggers for diverse applications spanning hydrology, meteorology, and infrastructure monitoring.
