How to Keep Your Data Safe with PakBus^® Encryption: Part 1

In today’s connected world, protecting your data is more important than ever, especially when it comes to environmental, industrial, or scientific monitoring. If you’re using an automated monitoring platform (also known as a data-acquisition system or data logger) from Campbell Scientific, strong security practices safeguard not just the system itself, but also the integrity of the data you rely on.

In this blog article, and the next two in the series, I'll share with you practical steps that you can take to keep your automated monitoring platform secure.

Protect the Hardware

Let's start with the basics: protecting your hardware.

• Place your automated monitoring platform, power supply, and peripherals in secure locations to prevent unauthorized access.
• Protect cables and interfaces from interference or tampering.
• Use the built-in, three-level security system.
• Set a PakBus^® Encryption Key for secure communications.

How to Set Up Three-Level Security

Campbell Scientific automated monitoring platforms support up to three levels of security codes (Security Levels 1, 2, and 3) that control access to different system functions. Valid security codes are integers from 1 to 65535 (0 = no security).

1. Access the security settings.
   1. Use the LoggerNet Connect screen, the Device Configuration Utility (DevConfig), or a terminal emulator to connect to your automated monitoring platform.
   2. Navigate to the Security or Deployment → Datalogger tab in DevConfig (or equivalent menu in LoggerNet).
2. Configure each security level:
• Security Level 1 (highest privilege) – Allows full access including changing programs and settings
• Security Level 2 (intermediate privilege) – Allows some changes (e.g., clock, public table variables) but restricts full program changes
• Security Level 3 (lowest privilege) – Only data collection is permitted; other communications/actions are blocked unless a higher-level code is entered.
3. For each configured security level:
1. Enter a numeric security code (integer between 1 and 65535).
2. Confirm the code.
3. Record these codes securely. If the codes are forgotten, you may lose the ability to make changes and may need to perform a factory reset or contact support.

Best Practice: Set codes for all three levels. Assign unique codes for each level to maintain distinct privilege tiers. If the deployment is low risk, you may choose the same code for all levels, but this reduces the benefit of tiered access.

How PakBus Encryption Works

Introduced with Operating System 26 and LoggerNet 4.2, PakBus encryption provides AES-128 end-to-end protection for PakBus messages, including control commands and data transfers.

Supported Devices

• CR6 Automated Monitoring Platform
• CR1000X-Series Measurement and Control Dataloggers
• CR300-Series Measurement and Control Dataloggers
• Granite™ 6, 9, and 10 Measurement and Control Data-Acquisition Systems

To activate encryption, configure a PakBus Encryption Key in both your automated monitoring system settings and LoggerNet Setup.

Setting up the PakBus Encryption Key

1. On the automated monitoring platform, open DevConfig or the data logger’s settings editor.
2. Navigate to the section for PakBus Security/PakBus Settings (menu names vary by model).
3. Enter a strong shared key (password) for PakBus encryption (AES-128). Note: For data loggers with a UID, encryption is enabled by default and the default key is the UID.
4. Apply the settings to the data logger.
5. In LoggerNet Setup (or the equivalent client software), open the device’s properties (right-click device → Properties).
6. Navigate to the PakBus/Communications/Advanced tab and enter the same encryption key you configured on the data logger. This ensures the communication between LoggerNet and the data logger uses the shared key.
7. Verify the connection. Attempt to communicate with the data logger and check that encrypted communication is happening. (Unencrypted commands will be rejected if encryption is enabled and required.) 

Note: The key doesn’t necessarily need to be a 16-character hex string. The important requirement is that the key is shared and configured both in the data logger and in the client so that PakBus encryption (AES-128) works. Also, while some programmatic encryption instructions (such as Encryption() in CRBasic) refer to the PakBus Encryption Key setting, the key is not typically set via a Const PakBusEncryptionKey = … line in CRBasic. Check your data logger’s OS version and manual for any model-specific instructions.

Key Benefits

Some of the benefits of using PakBus encryption:

• Secure communications between LoggerNet and supported devices
• Encrypted data logger-to-data logger communications
• Blocked unencrypted commands (unless exempted using the `EncryptExempt()` CRBasic instruction)

This adds an essential layer of defense, ensuring only trusted, authenticated devices can communicate with your data logger.

Conclusion

I hope you found this information helpful. No single step can eliminate every security risk, but combining multiple safeguards—from physical protections to encrypted communications—creates a layered defense that makes your system much more resilient. By securing your Campbell Scientific automated monitoring platform, you're not only protecting your data but also strengthening the entire monitoring network.

Remember to look for the next blog article in the series for more information.

Do you need help setting this up? Please reach out to our application engineers or sales engineers, as we are happy to help you.