GeoSIG Cybersecurity Recommendations
17. September 2025GeoSIG instruments, as described in their documentation, have built-in security and safety features against unauthorised access or use. However, ultimately it is the user’s responsibility to ensure the safe and secure usage of our instruments based on their actual implementation. No factory delivered solution can fit each and every possible scenario. The user is advised herein that once you connect a device to a network, you are also connecting that network to that device. It is the responsibility of the user to take appropriate precautions so that all devices should be adequately hardened, such as with individual strong passwords, and should have their traffic monitored and managed via appropriate security features, such as firewalls. Also, noncritical devices should be segmented away from networks that contain sensitive information.
Compliance with a well-defined security procedure helps protect not only an individual device, but also other devices connected through the network. Such procedure would be intended to prevent exploitation of an individual device’s resources by unauthorized individuals, including the use of such device to attack other systems on the network or the Internet.
The following recommendations can be considered in establishing such a security procedure:
1. Physical access restriction
All devices must be restricted from unauthorised physical access and a well-defined physical access procedure shall be utilised.2. No Unattended Console Sessions
Except for the devices which are physically secured, no unattended console sessions shall be left running.3. No Unattended Network Sessions
No unattended user interface sessions shall be left running towards any device accessed through its network interface.4. Use of a Firewall
For a network that has any connection to the outside world, a hardware firewall must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the network and the connected devices. The user can also consider limiting outbound traffic.
| Any communication ports that are required for the operation must be protected.
5. No Unnecessary Services or Ports
If a service or port is not necessary for the intended purpose or operation of the device, that service must not be running and the port must be closed. (e.g. if seedlink server is running, but not used, turn it off)6. Use of authentication
Network and console device access must require authentication by means of strong and individualised passwords per device (no passe-partout passwords). Wireless access must require strong encryption to associate (such as WPA2), or some other strong mechanism to keep casual users near the access point from using it to get full access to the network. WEP or MAC address restrictions do not meet this requirement.7. Password complexity and security
When passwords are used, they must meet the specifications similar to below:
| All default passwords must be changed at time of initial access or latest at deployment into service.Passwords MUST:
- contain eight characters or more
- contain characters from AT LEAST two of the following three character classes:
Alphabetic (e.g., a-z, A-Z)
Numeric (i.e. 0-9)
Punctuation and other characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
