December 31, 2019
Pathscape V3 and Security Domains
New Cybersecurity laws require Pathscape to use passwords when configuring Ethernet devices
On January 1, 2020, California will be the first state to enforce cybersecurity and IoT related legislation. Oregon, New York and Massachusetts are following suit. California’s law is Title 1.81.26 “Security of Connected Devices” and mandates that we equip our products with security features that are appropriate to the nature and function of the device. By law, this encompasses all products that are assigned Internet Protocol addresses which can connect to the Internet directly or indirectly. Pathway Connectivity, a division of Acuity Brands, will only ship compliant devices regardless of the jurisdiction into which they are sold.
The law requires us to either supply a unique password for our products (see Local Security below) or require the users to change the password before being able to use it (see Creating a Security Domain below). With Pathscape v3 we provide features that protect our products from unauthorized access or use by enforcing passwords. Furthermore, Pathway Connectivity does not collect or store personal information on our devices.
Ten facts about what this means to you
- When using products shipped after January 1, 2020, Pathscape will require a single password to allow configuration of all the devices on your network.
- Products shipped before January 1, 2020 will continue to function without passwords using either Pathscape 2 or Pathscape 3.
- All products shipped after January 1, 2020 may only be configured using Pathscape 3.
- Products shipped after January 1, 2020 cannot be downgraded to earlier password-free firmware.
- Products that are fully configurable from the front panel can create their own unique password. You will only need to type a password for network-configured products; one password covers all devices on the network.
- You will be encouraged to print or save a recovery key in case you lose the password.
- If you lose the password and lose the recovery key, you will have to manually factory default each device on the network. See the resource section of the Pathway website for a comprehensive document describing how to manually factory default all our devices.
- The complete network configuration may be saved without a password before factory defaulting devices. Applying the saved configuration will require a new password to be set for the network.
- Configuring our devices to receive unsecured protocols such as sACN and ArtNet will require you to accept the risks. See WARNING BOX regarding unsecured protocols below.
- Pathway does not store personal information such as names or email addresses on our devices.
Introducing Security Domains
To simplify the process of managing security on your network, Pathscape 3 introduces the concept of a “Security Domain”. Below we will describe how to create a Security Domain and add or remove devices from it. In the Device tab of Pathscape 3 there is a new view that shows you the name of the device’s domain and a padlock icon showing its current state.
There are four different ways a device can appear in the Security Domain column.
Red Padlock - Unsecured Device
Any device shipped after January 1, 2020 will have version 5 firmware, which includes security. These devices will report their type, name and firmware version only. All other properties cannot be read until you add them to a Security Domain (see below on creating domains).
Amber Padlock - Secured Device not in the current Domain
Devices that have been added to a security domain will appear with an amber padlock. These v5 devices will allow you to read all their properties and even save a show file with the network setup, but the properties are Read-Only. You will have to log in to the domain to set any properties. (See Login procedure below.) You may also see Locally Secured beside an amber padlock. This means the front panel was used to create a unique (and hidden) password to allow front-panel-only configuration. To gain read/write privileges with Pathscape, you must factory default the device from the front panel and add it to the local security domain using Pathscape.
Green Padlock - Secured Device in current Domain
Once you have logged into a Security Domain with a password, any device in your domain will appear with a green padlock and all their properties will be Read/Writeable.
Empty Security Domain cell - Version 4 firmware device shipped prior to January 1, 2020
If the Security Domain cell is empty, this device is using Version 4 firmware and cannot be secured. Pathscape 3 will be able to read and write properties exactly like Pathscape 2. If you upgrade to v5 firmware the device will appear with a red padlock and you will need to add it to a domain before you can use it.
Creating a Security Domain
- After starting Pathscape, the on-line devices will populate the Device view.
- Choose the Security Domain view from the Select View dropdown.
- Each device running V5 firmware will have a red Unsecured value in the Security Domain column.
- (Optional) You may update devices to Version 5 firmware using TOOLS | FIRMWARE. Select the devices, choose SELECT LATEST, then SEND FIRMWARE. The devices will go off-line and come back with a red padlock. Remember, Pathscape 3 can configure V4 devices without security. Only update if you desire the security features offered in V5.
- From the SECURITY menu, choose NEW DOMAIN.
- Enter the new Domain Name and Administrator and User passwords.
- Administrator can change passwords, factory default devices and add devices to the domain.
- Users can change device properties and save and restore show files. There is one User account password for all users.
- Add the Unsecured devices on your network by checking the Unsecured checkbox and then Continue.
- Print the Recovery Key.
- You may also click on the Recovery Key, SELECT ALL and COPY the key to the Clipboard and store it in a safe place.
- Press CONTINUE to add the devices to the Domain. The devices will have an amber padlock and their properties will be read-only.
- Log in to the Domain as a user by pressing the button in the toolbar. NOTE: The WINDOW | TOOLBAR option must be checked.
- As security parameters are verified, the amber padlocks will turn green and the properties of those devices will be read/writable.
Administering a Domain
To administer a Domain, select SECURITY | ADMINISTRATION... in the menu.
Choose this option to add new devices that currently have a red padlock to the domain.
If you want to clear the security settings of a device and remove it from the domain, choose Factory Default. Only devices in the Security Domain shown in this dialog box will be available to be defaulted. For devices that you do not have a password for, you must have physical access to factory default them before you regain network configurability. See the resource section of the Pathway website for a comprehensive document describing how to manually factory default all our devices.
If your staffing changes, it is a good idea to change the passwords on the domain. All devices should be on-line when you change the password. Side note: If some devices are off-line when you change the password, those devices will, when they come back on-line, report the same domain name but still use the old password. You will have to factory default them and then add them to the new domain using the new password. You can Factory Default them using the SECURITY | ADMINISTRATION… option in the menu. When asked to log in, there will be two domains with the same name. Choose the second one, use the old password and Factory Default the devices listed. When they come back on-line, they will have red padlocks and be listed as Unsecured. Add them to the new domain using the new password.
Local Security – Using the Touring Edition, QUATTRO or OCTO without Pathscape
As they have a front panel user interface, the Touring Edition, OCTO and QUATTRO can be configured as simple Input/Output gateways using standard universes without the need for Pathscape. Even though a computer network with a PC is not being used, the cybersecurity laws still require a unique password to ensure ‘bad actors’ do not later change your configuration remotely using a PC.
- From the UTILITY menu on the front panel, ENABLE LOCAL SECURITY.
- In the PROTOCOL menu, ALLOW UNSECURED.
- Enable Rx on the protocols you want to receive.
- On each port, set PORT DIRECTION to Input or Output and patch a standard universe (e.g., UNIV 1).
WARNING ABOUT INSECURE PROTOCOLS
You are enabling an open protocol that does not use encryption or authentication. This protocol could be eavesdropped or spoofed by malicious parties. You are strongly encouraged to secure access to your network, both physically and technologically. To continue, you must acknowledge that you have read this statement and that you accept these risks.
If you do open Pathscape, this device will be part of the domain "Locally Secured".
You cannot log in to this security domain. If you want to configure or patch custom universes to this device, you must use the front panel to Factory Default it, then use Pathscape to add it to a Security Domain.
Recovering a Domain
If you lose the Administrator password (or it was maliciously changed without your consent), you can recover the domain, retain its configuration and set new passwords.
- From the menu, choose SECURITY | RECOVER DOMAIN...
- Type in the 20-digit recovery key and press Continue.
- Type in a new Administrator password.
- From the menu choose SECURITY | ADMINISTER DOMAIN... and Change Passwords to set a new User password.
Retaining Device Settings from unknown Domains
There are times when you don’t know the password of a Security Domain, but you’d like to retain all its configuration. Without logging in to a Domain, all devices that appear with amber padlocks are read-only. If you save a show file, the configuration of all devices is saved. You can then factory default the devices using the prescribed method; see the resource section of the Pathway website for a comprehensive document describing how to manually factory default all our devices. Once they reappear in Pathscape with a red padlock, add them to a Security Domain, then open the show file and SEND ALL Transactions to restore the network configuration and patch.
Using older versions of Pathscape with new devices
If you use Pathscape 1 or Pathscape 2 with devices shipped after January 1, 2020 (Version 5 firmware), you will not be able to configure them; you must use Pathscape 3. As a reminder, the device label will appear in the earlier versions of Pathscape as “Please upgrade to the latest version of Pathscape”. Other properties will be shown and are correct, but any attempts to change them will fail.