AVEVA™ Unified Engineering

Security Considerations and Best Practices for AVEVA Products

  • Last Updated: Dec 12, 2025

Customer IT Infrastructure

AVEVA recommends that customers apply best practices and due diligence when configuring IT infrastructure - covering networks, servers, and client machines - to ensure:

  • Robust security

  • Disaster recovery capabilities

  • Adequate anti-virus protection

File Privileges and Attack Surface

AVEVA recommends that customers carefully manage privileges for files required by AVEVA products to reduce potential attack vectors from internal and external malicious actors targeting both AVEVA applications and customer project data.

AVEVA Product Installation

Installing AVEVA applications requires local administrator rights on the target machine. This applies to AVEVA applications themselves and, in some cases, third-party dependencies (for example, .NET, Oracle). Customers must:

  • Establish a deployment strategy for products.

  • Designate authorized personnel for installing products, dependencies, and updates.

Data and Database Storage

AVEVA products store data and databases in Windows files and folders. AVEVA recommends that customers implement Windows File Access Controls to minimize inappropriate or unnecessary access.

Application and Configuration Files

These files are used to configure the environment or application. Read-only access is sufficient for most users. Write access is required for Custom PML and Project environment definitions. AVEVA recommends that customers restrict write access to environmental files (evars). Tampering can lead to malicious code execution, so only trusted roles (for example, project administrators) should have write access.

In MSIX deployments, custom_evars.bat defines paths for Customized PML, Executables, Bespoke configurations, Project and reference paths. AVEVA strongly recommends that customers control the storage location(s) and limit read/write access.

LocalAppData stores MSIX installation details, Global and Shared Services configuration, Logging, UI settings, and Serialization files. AVEVA recommends that customers apply Windows Access Controls to protect contents.

Database Files

All users require read and write access to project data - even those with read-only project-level permissions - to create and close slots in the communication database. AVEVA recommends that customers follow best practices for data backup and disaster recovery for all projects.

Best Practices for Secure Handling of Shared Project Data

To maintain a secure environment when working with shared project data such as Report Definitions, Project Defaults and PML Customizations, AVEVA recommends that customers follow these guidelines:

Restrict Access

Limit write permissions on shared locations to a trusted group of administrative users.

Non-admin users should have read-only access.
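The write-access restrictions recommended here and for the evars files above can be checked with a read-only script. This is an added example, not AVEVA code; the paths and the `CONTOSO\AVEVA-ProjectAdmins` group name are assumptions to replace with your own.

```powershell
# Added example (not AVEVA code). Paths and group names are assumptions.
$Paths = @(
    'D:\AVEVA\Config\custom_evars.bat',   # assumed location of the evars file
    'D:\AVEVA\SharedProjectData'          # assumed shared project data folder
)
$Trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\AVEVA-ProjectAdmins'         # assumed project administrator group
)

function Get-UntrustedWriter {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string[]]$TrustedIdentity
    )
    # Rights that change content, or change who is allowed to change it.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry raw generic bits instead of file-specific ones.
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights   = [int]$ace.FileSystemRights
            $canWrite = [bool]($rights -band ($writeMask -bor $genericMask))
            if ($canWrite -and $ace.IdentityReference.Value -notin $TrustedIdentity) {
                [pscustomobject]@{
                    Path      = $p
                    Owner     = $acl.Owner
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Any row returned is a principal outside the allowlist that can modify the path.
Get-UntrustedWriter -Path $Paths -TrustedIdentity $Trusted | Format-Table -AutoSize
```

The script compares ACL entries by name and does not expand group membership, so review who belongs to each trusted group separately.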

Review Content

Before placing any shared content (for example, Report Definitions, Customizations, or Custom Scripts) in shared locations, ensure it has been reviewed for security.

Enable Auditing

Enable Windows file write access auditing on shared locations.

Review audit logs periodically to detect unexpected changes.
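One way to enable write auditing on a shared location and review the resulting events, as an added example that is not AVEVA code. The path is an assumption, and the audit subcategory name is the one used on English-language Windows.

```powershell
# Added example (not AVEVA code). Run elevated on the server hosting the share.
$SharedPath = 'D:\AVEVA\SharedProjectData'   # assumed shared location

# 1. Enable success auditing for the File System subcategory
#    (subcategory name as shown on English-language Windows).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) for successful write-type access by Everyone,
#    inherited by all files and subfolders. S-1-1-0 is the Everyone SID.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -LiteralPath $SharedPath -Audit   # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $SharedPath -AclObject $acl

# 3. Review: list event 4663 (object access) records under the shared path.
function Get-SharedWriteEvent {
    param([Parameter(Mandatory)][string]$Root, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ("$($data.ObjectName)".StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process = $data.ProcessName
                Object  = $data.ObjectName
                Access  = $data.AccessMask
            }
        }
    }
}

Get-SharedWriteEvent -Root $SharedPath | Sort-Object Time | Format-Table -AutoSize
```

Events are written to the Security log of the machine that hosts the files, so run the review step there or against a forwarded copy of that log.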

Communicate Controls

Share these requirements with IT administrators and project teams to confirm proper access and review processes are in place.

Running Reports

Users should only run reports from approved and managed folders. Unified Engineering reports can embed executable code, so all reports must be thoroughly reviewed. Only trusted reports should be used.

Spectrum Projects Access

For Spectrum-based projects, follow the official instructions; see Configure Access for Cloudstore (per Project). If you use Communities to share your Spectrum Project with another CONNECT Account, note that the other account will have write access to the Cloudstore, which propagates to all Edge Connectors. Only share projects with trusted accounts and ensure they configure Cloudstore access correctly.

Reports in Spectrum Projects: Reports available at initial project creation and upload will propagate across all Spectrum Edge Connectors, including those configured as part of a CONNECT Community. Following the 2025.12.001 Spectrum release (AVEVA Connector File Sync Service 2.0.48), any additions or modifications at edge locations will not sync.

Gateway Data Publisher

The Gateway Data Publisher is a server application and should only be run in a server environment. Execution of the Gateway Data Publisher should be restricted to admin users on this server and should not be accessible to other users.

Users should only publish data to the Ingestion Service from approved and managed folders. The Gateway Data Publisher provides settings for the staging area when setting up the service. Access to the staging area must be restricted to authorized users only. See Security Guidelines for securing file access.

Developing Secure .NET Customization DLLs

AVEVA advises developers to implement proactive security measures against common desktop application vulnerabilities.

Recommended Resources

See the Microsoft Learn article Secure coding guidelines.

See the OWASP article OWASP Desktop App Security Top 10.

Additional AVEVA Recommendations

AVEVA recommends that customers:

  • Scan customization DLLs for malware before publishing and include them in endpoint protection scans.

  • Sign DLLs to ensure integrity and source authentication. See the OWASP article OWASP Desktop App Security Top 10.

  • Use static analysis tools to detect code injection, sensitive data exposure, and insufficient input validation. See the OWASP article Source Code Analysis Tools.

  • Monitor third-party dependencies for vulnerabilities and upgrade promptly. See the OWASP article OWASP Desktop App Security Top 10.
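A pre-publication check for the signing recommendation above, as an added example that is not AVEVA code. It verifies the Authenticode signature of every DLL in a customization folder against an allowlist of signer certificates; the folder path is an assumption and the thumbprint is a placeholder.

```powershell
# Added example (not AVEVA code). Folder and thumbprint are assumptions.
$CustomizationDir   = 'D:\AVEVA\Customization'             # assumed folder of customization DLLs
$AllowedThumbprints = @('<CODE-SIGNING-CERT-THUMBPRINT>')  # placeholder, use your certificate's thumbprint

function Test-CustomizationDll {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string[]]$AllowedThumbprint
    )
    Get-ChildItem -LiteralPath $Directory -Filter *.dll -File -Recurse | ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        # 'Valid' means the file hash matches the signature and the chain is trusted here.
        # Unsigned or modified files report NotSigned or HashMismatch instead.
        if ($sig.Status -ne 'Valid') {
            $reason = "Signature status is $($sig.Status)"
        } elseif ($thumb -notin $AllowedThumbprint) {
            $reason = 'Signer certificate is not in the allowlist'
        } else {
            $reason = $null
        }

        [pscustomobject]@{
            File       = $_.FullName
            Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = $thumb
            Approved   = -not $reason
            Reason     = $reason
        }
    }
}

# Rows listed here should be held back from publishing until resolved.
$results = Test-CustomizationDll -Directory $CustomizationDir -AllowedThumbprint $AllowedThumbprints
$results | Where-Object { -not $_.Approved } | Format-Table File, Reason -AutoSize
```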

Ongoing Improvements

AVEVA continues to explore technical measures to further strengthen security. For additional details or assistance, please contact your support representative.
