- Operate the device only in secure mode.
- Only connect the device to the internet in secure mode.
- The device is in secure mode if the device has been commissioned using secure commissioning, secure tunneling has been activated, and strong and different passwords are used.
Possible additional security measures include:
- Only operate the device in secure mode in a safe network environment.
- Set up a separate IP network with its own hardware for KNX communication.
- Use user IDs and strong passwords to restrict access to the (KNX) IP network.
- If the device is operated in insecure mode, additionally protect remote access to the device by using a VPN connection. (A virtual private network (VPN) establishes an encrypted and authorized connection (VPN tunnel) from a remote connection to a network via the internet. This VPN connection enables secure communication protected from eavesdropping between a remote device and the KNX installation.)
- If Wi-Fi is used, change the preset SSID of the wireless access point. Encrypt the Wi-Fi using a secure procedure (such as WPA2 at present).
- Document network settings and give them to the building owner/operator or LAN administrator.
- Coordinate the administration of access rights to this KNXnet/IP device in an IP network with the respective IP network administrator.
Measures after replacing a device in the network
If an IP Router Secure or an IP Interface Secure in secure mode is stolen from a network or replaced due to a defect, secure commissioning has to be repeated for all other devices in the network. To do this, deactivate the “Secure commissioning” option for each device in the settings of the project, activate the option again and load the data to the devices again. (There is no need to load the data into the device between deactivation and reactivation.)
Secure commissioning has to be repeated because it cannot be ruled out that the keys stored in the secure section of the device can be read. Recommissioning generates new keys and renders the old keys worthless. The removed device no longer works in the network.
More information on KNX security
For more information on KNX security, including, for example, a security check, refer to the “KNX Secure” section on the KNX website (http://www.knx.org).