09-03-2020

Connected products security
 

Grundfos connected products must be behind a firewall or connected to a private network.

If a firewall or private network is not in place, the Grundfos product may be subject to a cyber-security risk, being vulnerable to an attack or compromise.

Grundfos recommends that authentication data (user and password) are changed from the default settings as part of the initial setup, and that passwords are changed periodically and in connection with firmware updates.

Further, it is a general recommendation for all products that firmware is continuously checked and updated to mitigate current threats.

The following are highly recommended configurations that should be carefully followed.
If in doubt, it is recommended to consult an IT Infrastructure Specialist.

 

CIM 500

The CIM 500 is a traditional network-connected device and should be placed on a private network behind a firewall with no TCP ports forwarded to the device. It should not be connected directly to the Internet. If you need remote access / port forwarding to the device, you should use technologies such as Virtual Private Networks (VPNs) to ensure a secure connection.
It is recommended that you consult an IT Infrastructure Specialist to establish such a solution.

If the Grundfos product is a CIM 500 in mode 4 GRM IP (Grundfos Remote Management), the firewall must accept only connections initiated by the Grundfos product to the Internet (outgoing connections).

Firmware version v06.16.00 (and later) contains important safety updates and is therefore highly recommended.

CIM 250/260 (Cellular)

The CIM 250 and 260 modules are cellular-based modules and require cellular connectivity through a private Access Point Name (APN) to be securely connected to the Internet. Basic cellular connectivity solutions are not recommended; only private APNs are recommended.

The private APN must be purchased from your mobile network operator. The mobile network operator will guide you through the setup process.

CU 352/354/362/372/3X2 DH

The CU 3xx is a traditional network-connected device and should be placed on a private network behind a firewall.

It should not be connected directly to the Internet. Also, no TCP/IP ports should be forwarded to the product. 

If you need remote access to the device, you should use technologies such as Virtual Private Networks (VPNs) to ensure a secure connection. It is recommended that you consult an IT Infrastructure Specialist to establish such a solution.
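
The firewall requirements stated above for the CIM 500 and CU 3xx (no ports forwarded to the product, only connections initiated by the product) can be checked against the output of iptables-save on a Linux firewall. The following is an added example, not Grundfos code. It assumes an IPv4 iptables firewall; the device address 192.168.10.50 and the sample rules are constructed, and a rule without -d is treated as matching any destination.

```python
import ipaddress
import shlex

# Constructed iptables-save sample; 192.168.10.50 is an assumed device address.
SAMPLE = """*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.50:80
COMMIT
*filter
-A FORWARD -s 192.168.10.50/32 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.10.50/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.10.50/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def _arg(tok, flag):
    """Return (value, negated) for an option, or (None, False) when it is absent."""
    if flag not in tok:
        return None, False
    i = tok.index(flag)
    return tok[i + 1], i > 0 and tok[i - 1] == "!"

def _covers(tok, flag, device):
    """True/False if -s/-d matches the device address, None if the option is absent."""
    value, negated = _arg(tok, flag)
    if value is None:
        return None
    return (device in ipaddress.ip_network(value, strict=False)) != negated

def audit(dump, device_ip):
    """List (line, finding) for rules that let new inbound connections reach device_ip."""
    device = ipaddress.ip_address(device_ip)
    findings, table = [], None
    for n, line in enumerate(dump.splitlines(), 1):
        tok = shlex.split(line)
        table = line[1:].strip() if line.startswith("*") else table
        if not tok or tok[0] != "-A":
            continue
        target = _arg(tok, "-j")[0]
        if table == "nat" and target == "DNAT":
            # --to-destination is ip[-ip][:port[-port]]; compare the address part only
            dest = (_arg(tok, "--to-destination")[0] or "").split(":")[0]
            lo, _, hi = dest.partition("-")
            if lo and ipaddress.ip_address(lo) <= device <= ipaddress.ip_address(hi or lo):
                findings.append((n, "port forward to device"))
        elif table == "filter" and tok[1] == "FORWARD" and target == "ACCEPT":
            states = _arg(tok, "--ctstate")[0] or _arg(tok, "--state")[0]
            reply_only = states is not None and set(states.split(",")) <= {"ESTABLISHED", "RELATED"}
            inbound = _covers(tok, "-d", device) is not False and _covers(tok, "-s", device) is not True
            if inbound and not reply_only:
                findings.append((n, "new inbound connections accepted"))
    return findings
```

On the sample, the DNAT rule and the last FORWARD rule are reported; the outgoing rule and the reply-traffic rule are what an outgoing-only policy looks like.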