When you think about network security, where do you focus first? You might picture your firewalls, or maybe your VPN. You've likely implemented good network segmentation, too.
But here's the truth most security plans overlook: Your monitoring gear is just as vulnerable as any other network device.
That IP-enabled box sitting out in the middle of nowhere - your RTU - is potentially an easy point of entry for an attacker. And once they're in, they're in. That may lead to data interception or even remote tampering by manipulation of control outputs.
Let's talk about how to fix this.
You can have the best digital security team in the world in all other respects. But if your remote monitoring hardware is running outdated firmware/software - or worse, default logins - you're still at risk.
Here are just a few of the issues I've seen out in the field:
Network intruders love small details. Those are the areas where they can get in.
Even worse, these aren't just hypothetical risks. In real-world breach reports, embedded electronic devices like RTUs, routers, and printers have consistently been exploited through these exact weaknesses.
A few years ago, a regional utility was hit hard after attackers gained access to an unsecured RTU. It was quietly running with a default password and exposed to the internet. That was all it took.
The attackers used it as a beachhead to jump into the network. They didn't need to brute-force anything fancy - they simply logged in.
That's why secure monitoring hardware isn't optional anymore. It's necessary for preventing unauthorized access to your data. When searching for the right device, make sure you select equipment with the following features:
If your team uses a web browser to access your RTU (and they probably have for the last 10 years or so), this is the first thing you need to lock down.
TLS (Transport Layer Security) encrypts all web traffic between your device and the browser. If your RTU doesn't support TLS 1.2 or higher, everything you send - such as login info or config changes - becomes vulnerable.
TLS is important to have as it:
There's also a practical benefit here. When techs log into a device in the field, browser warnings about invalid security certificates slow them down and shake confidence. TLS support - especially with a valid signed certificate - makes your whole operation feel cleaner and more professional.
What to look for: TLS 1.2+ enabled by default, with a valid SSL certificate you can manage from the device's web interface.
SSH (Secure Shell) is a big deal for command-line access. But shockingly, many devices still use Telnet - which transmits your credentials in plain text.
With SSH, you get:
You don't need to be a CLI wizard to care about this. Even if you're just logging in to restart a stuck modem or check interface logs, that connection should be encrypted.
And if you use automation tools like Ansible, SSH is your best friend. Telnet won't be sufficient - and shouldn't be anywhere on your network in 2025.
Devices like the G6 NetGuardian RTUs ship with SSH as a superior alternative to Telnet. SSH is ready out of the box. All you have to do is select that option from the web interface when provisioning your new RTU.
Role-Based Access Control allows you to assign different levels of access to different staff members. You must be able to answer "Who has access to what?" for every piece of gear in your network.
A secure RTU needs role-based access. This lets you create different users with different levels of permission so that:
Let's take a quick example. One DPS client had a situation where a technician accidentally rebooted a microwave radio at a high-altitude site. It wasn't malicious - just a wrong click in the web interface.
Unfortunately, the RTU didn't support role-based access. Everyone was using the same login. That mistake resulted in a small network outage in the affected area.
After switching to a G6 NetGuardian with role-based access, that client now separates control privileges from basic monitoring. That kind of simple access control can eliminate major problems before they ever happen.
SNMPv3 support is a big concern. SNMP is how your RTU sends alarms to your central system. However, not all SNMP versions are created equal.
Version | Encrypted? | Authenticated? | Secure? |
---|---|---|---|
SNMPv1 | No | No | No |
SNMPv2c | No | No | No |
SNMPv3 | Yes | Yes | Yes |
With SNMPv3, your traps are encrypted. You also get authentication, so you know they're coming from the right device - not a malicious source.
Many compliance frameworks (NERC CIP, NIST, and ISO 27001) now require SNMPv3 if you're transmitting any sensitive alarm data.
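To find out which devices on your network still send traps in the older versions from the table above, you can grade captured trap payloads (UDP port 162) by their SNMP header. The sketch below is an added example, not DPS code: the function names, device names, and sample datagrams are constructed for illustration. It also reads the SNMPv3 `msgFlags` octet, which shows whether authentication and encryption are actually turned on for that message.

```python
# Added example: grade captured SNMP trap payloads by protection level.
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (version, protection) for one UDP payload sent to the trap port."""
    try:
        tag, msg, _ = read_tlv(datagram, 0)      # outer SEQUENCE
        vtag, ver, pos = read_tlv(msg, 0)        # INTEGER version
        if tag != 0x30 or vtag != 0x02:
            raise ValueError("not an SNMP message")
        version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
        if version != "SNMPv3":
            # v1/v2c: community string and alarm data are readable on the wire
            return version, "cleartext" if version != "unknown" else "unknown"
        # msgGlobalData: msgID, msgMaxSize, msgFlags, msgSecurityModel
        _, header, _ = read_tlv(msg, pos)
        _, _, p = read_tlv(header, 0)            # skip msgID
        _, _, p = read_tlv(header, p)            # skip msgMaxSize
        _, flags, _ = read_tlv(header, p)        # msgFlags, a single octet
        auth, priv = flags[0] & 0x01, flags[0] & 0x02
        if priv and not auth:
            raise ValueError("privacy without authentication is not allowed")
        return version, "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
    except (IndexError, ValueError):
        return "invalid", "unparseable"

# Constructed sample payloads (headers only, empty PDUs), keyed by made-up names.
SAMPLES = {
    "rtu-legacy-1": bytes.fromhex("300d 020100 0406 7075626c6963 a400"),
    "rtu-legacy-2": bytes.fromhex("300d 020101 0406 7075626c6963 a700"),
    "rtu-v3-open": bytes.fromhex("3016 020103 300d 020101 020205dc 040100 020103 0400 3000"),
    "rtu-v3-full": bytes.fromhex("3016 020103 300d 020101 020205dc 040103 020103 0400 0400"),
}

def not_fully_protected(samples):
    """Names of senders whose traps are not both authenticated and encrypted."""
    return sorted(n for n, d in samples.items() if classify(d) != ("SNMPv3", "authPriv"))

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *classify(data))
```

Any sender this reports as `cleartext`, `noAuthNoPriv`, or `authNoPriv` is a candidate for reconfiguration or for placing behind an SNMPv3 proxy.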
If you're still stuck with legacy devices that don't support SNMPv3, you don't have to stress about overhauls or device replacements. This is a common - and solvable - issue.
Devices like the SNMPv3 Proxy can wrap your legacy SNMPv1 or v2c traps in a secure SNMPv3 shell. This means you don't have to rip out old equipment to secure your reporting chain.
Because we have in-house engineers at DPS, customized solutions for protocol mediation make a lot of sense. We shine the brightest when you point us toward a problem that you can't figure out how to solve. We'll take the closest device we have, modify it to suit your spec, and give you something that fills that gap.
An important question to consider is: What's your RTU's default login? If it's "admin" / "1234," you've got a problem.
Strong security starts with strong passwords. Your gear should:
I once talked to a technician who found an RTU still using a factory-default login - in a major regional transport hub. That's not just a vulnerability. That's a liability.
Every RTU should help you enforce password rotation and offer per-user credentials.
On G6 NetGuardians, you get password complexity enforcement and per-user access control.
If you want a quick scorecard for your current RTUs, here's a fast way to evaluate:
Feature | Must-Have? | Why It Matters |
---|---|---|
TLS 1.2 Web Interface | Yes | Encrypts login sessions and settings |
SSH Access | Yes | Protects command-line access |
Role-Based Access Control | Yes | Limits actions by user role |
SNMPv3 Support | Yes | Encrypts alarm traffic |
Secure Password Policies | Yes | Prevents brute-force and default login risks |
If your current gear is missing even one of these, it's time to at least consider what your next RTU upgrade will be.
At DPS, we've spent more than 30 years building devices for telcos, utilities, transportation companies, and government agencies. We understand that remote monitoring devices aren't just tools - they're targets.
That's why the RTUs we ship today come with security built-in from the start, offering:
We build our gear in Fresno, California - and every unit is tested before it ships.
Our engineers also handle firmware development, hardware design, and customizations. If you have a unique need, there's a good chance we can solve it.
You can't afford to leave the back door open - especially not when attackers are constantly looking for a way in. If you're not 100% sure your RTUs are secure, let's fix that.
Give me a call at 559-454-1600 or email sales@dpstele.com.
I'll help you:
Andrew Erickson
Andrew Erickson is an Application Engineer at DPS Telecom, a manufacturer of semi-custom remote alarm monitoring systems based in Fresno, California. Andrew brings more than 18 years of experience building site monitoring solutions, developing intuitive user interfaces and documentation, and opt...