ModuleOT is an open hardware security platform which provides all features necessary for securing remote energy resources. The platform consists of a physical bump in-the wire device which runs a custom-built application built with Go and Python and leverages AES-NI Instruction set available on modern hardware for cryptographic acceleration. By combining these features, ModuleOT acts as an all-in-one low-cost solution to enable cryptographically secured communications to any critical remote servers or devices. Because the software application has been built using Golang, this source can be easily compiled for different hardware platforms. The module is designed to provide the following core features:
- Encrypted communications across an untrusted network
- Certificate-based authentication with secure storage
- Hardware cryptographic acceleration
- IP-based whitelisting
- Local firewall management
- Legacy (RS485) device support
These instructions will get you a copy of the project up and running on your local machine. To locally compile the source code, you will need to set up Golang on your system and compile the code with the included dependancy packages in your $GOPATH/src directory
-
Python - Interpreted programming language
-
Nmap - Network mapping utility
-
OpenSSL - TLS/SSL communciation handler
-
OpenSSH - SSH server handler
-
Pip - Python package installer
-
PyModbusTCP - Python based ModbusTCP-Serial Relay
- Install Python
sudo apt-get install python
- Install Nmap
sudo apt-get install nmap
- Install OpenSSL
sudo apt-get install openssl
- Install OpenSSH
sudo apt-get install openssh-server
- Configure SSH Server
sudo nano /etc/ssh/sshd_config
- Install Pip
sudo apt-get install python-pip
- Install PyModbusTCP
sudo pip install PyModbusTCP
- Place the MotApp executable in /usr/bin/
- Place the moduleot.service file in /etc/services/ and enable the service
sudo systemctl enable moduleot.service
A ModuleOT device may be easily configured and deployed using any computer system running a Debian-based Linux OS. To do so, The system dependancies must be installed
The configuration file for the ModuleOT application is located at /usr/lib/ssl/config.json An example configuration for a ModuleOT device is shown below: Note: The MODBUSIP field only has to be set for Modbus serial devices:
{
"WANINTERFACE": "enp1s0",
"WANIP": "10.10.49.45",
"WANMASK": "24",
"LANINTERFACE": "enp2s0",
"LANIP": "192.168.10.10",
"LANMASK": "24",
"TLS_PORT": "8000",
"WHITELIST" : ["192.168.10.20","192.168.10.30","192.168.10.40","192.168.10.10","10.10.49.45","10.10.49.49"],
"MODBUSIP": "192.168.10.40",
"NETWHITELIST": ["192.168.10.10","192.168.10.40”, “192.168.10.30", “192.168.10.20”, “192.168.10.10”],
"PORTS": [“502", “443”, “80”, "20000"],
}
Note: Always remember to restart moduleot.service after changing the config file!
By default, the IP address of the device is:
- 10.10.49.45/24 on the server device
- 10.10.49.49/24 on the client device
ModuleOT has the following user account configuration by default: Username Password Privileges motuser motpass SSH-login, basic rights moduleot NREL Read-write, sudo root NREL Administrator
Note: Due to this design only the motuser account may login via ssh and it is necessary to run a “su” command to switch users to a more privileged account
- Golang - Open source, compiled programming language with strong multithreading and communication support
- Protobuf - Used to serialize/deserialize data
We use Semantic Versioning. For the versions available, see the tags on this repository.
Notice: This computer software was prepared Alliance for Sustainable Energy, LLC, hereinafter the Contractor, under Contract DE-AC36-08GO28308 with the Department of Energy (DOE). All rights in the computer software are reserved by DOE on behalf of the United States Government and the Contractor as provided in the Contract. You are authorized to use this computer software for Governmental purposes but it is not to be released or distributed to the public. NEITHER THE GOVERNMENT NOR THE CONTRACTOR MAKES ANY WARRANTY, EXPRESS OR IMPLIED, OR ASSUMES ANY LIABILITY FOR THE USE OF THIS SOFTWARE. This notice including this sentence must appear on any copies of this computer software.
NOTICE: EXPORT OR DEEMED EXPORT OF THIS SOFTWARE MAY VIOLATE U.S. EXPORT CONTROLS. DO NOT PROVIDE THIS SOFTWARE (OR ACCESS TO THIS SOFTWARE) TO ANY NON-U.S. CITIZEN WITHOUT PROPER AUTHORIZATION. ALLIANCE WILL NOT BE RESPONSIBLE FOR ANY VIOLATION OF EXPORT CONTROL BY ANY OTHER PARTY.