Security Built Into Every Layer
From encryption to compliance, OptiZeus protects your industrial operations with defense-in-depth security controls.
Security Architecture
Multiple layers of protection from network edge to database.
Encryption
SSL/TLS on all connections including HTTPS (port 3443) and WSS for WebSocket. Supports self-signed or CA-issued certificates. All data in transit is encrypted.
Authentication
JWT token-based authentication with session management, configurable session timeouts, login rate limiting, and timing-safe API key comparison.
Multi-Factor Authentication
TOTP-based 2FA via Google Authenticator, Microsoft Authenticator, or any standard TOTP app. Optional per user, recommended for all privileged accounts.
Role-Based Access Control
Four permission levels: Admin, Engineer, Operator, and Viewer. Granular control over who can configure, operate, or view system resources.
Audit Trail
Every action logged: login/logout, tag writes, configuration changes, alarm acknowledgments. Tamper-proof records, exportable as CSV. 21 CFR Part 11 compliant.
Network Security
Helmet.js CSP/HSTS headers, CORS whitelisting, API rate limiting (300 req/min/IP), SQL injection prevention via parameterized queries, and IP whitelisting.
Standards & Compliance
Aligned with the regulations and frameworks your industry requires.
IEC 62443
Industrial Automation and Control Systems Security
OptiZeus addresses the foundational requirements of IEC 62443:
- FR1 — Identification & Authentication (JWT, 2FA, AD/LDAP)
- FR2 — Use Control via role-based access (Admin/Engineer/Operator/Viewer)
- FR3 — System Integrity checks and secure configuration
- FR4 — Data Confidentiality through TLS encryption on all channels
- FR5 — Restricted Data Flow with network segmentation support
- FR6 — Timely Response to Events via audit trails and alarm notifications
- FR7 — Resource Availability with redundancy and failover mechanisms
21 CFR Part 11
FDA Electronic Records & Signatures
OptiZeus provides the controls required by FDA 21 CFR Part 11 for electronic records in regulated environments:
- Electronic signatures with configurable reason codes
- Complete audit trails with timestamps and user attribution
- User authentication and unique account enforcement
- Role-based access controls limiting record modification
- Automatic, tamper-evident timestamps on all records
GAMP5
Good Automated Manufacturing Practice
The Enterprise tier includes a validation package aligned with GAMP5 guidelines:
- User Requirements Specification (URS)
- Design Specification (DS)
- Installation Qualification (IQ)
- Operational Qualification (OQ)
- Performance Qualification (PQ)
ISA-18.2
Alarm Management
OptiZeus alarm management aligns with the ISA-18.2 alarm lifecycle:
- Smart alarm grouping and flood detection
- Alarm rationalization and priority classification
- Shelving with automatic re-enable
- Performance metrics and KPI tracking
- Sequence of Events (SOE) recording with 1ms resolution
ISA-88 (S88)
Batch Control
Full ISA-88 batch control architecture for recipe-driven processes:
- Recipe management with versioning and approval workflows
- Procedure hierarchy (Procedure / Unit Procedure / Operation / Phase)
- Equipment module abstraction
- Automated batch records with electronic signatures
ISA-95
Enterprise Integration
Supports the ISA-95 three-level OT/IT separation model:
- Level 0-2 (OT) — Direct PLC/sensor communication via OPC-UA, Modbus, S7, EIP
- Level 2.5 (DMZ) — MQTT and OPC-UA gateways for secure data brokering
- Level 3-4 (IT) — MES/ERP integration via REST APIs and database connectors
Active Directory Integration
Integrate with your existing identity infrastructure. OptiZeus supports Active Directory / LDAP authentication with group-to-role mapping and single sign-on, so operators use their existing corporate credentials without managing separate accounts.
Security Recommendations
Follow these guidelines to harden your OptiZeus deployment.
1. Deploy behind a firewall with only required ports open (3443 for HTTPS, 8883 for MQTTS)
2. Enable HTTPS and enforce TLS for all connections
3. Enable 2FA for all admin and engineer accounts
4. Use Active Directory for centralized user management
5. Configure alarm notifications for security events
6. Regularly export and review audit trails
7. Implement network segmentation per the Purdue Model
8. Keep OptiZeus updated with the latest patches
Need a Security Assessment?
Our team can walk you through OptiZeus security controls, provide compliance documentation, and help plan a secure deployment for your environment.