OMNIC Paradigm Software | version 2.7

Product Security Information Guide

OMNIC™ Paradigm Software | version 2.7 | September 2024

Document valid through September 15, 2025

Introduction

Thermo Fisher Scientific maintains a Cybersecurity Program designed to safeguard the confidentiality, integrity, and availability of data and systems within its environment. Thermo Fisher Scientific supports a continuously improving security program model focused on reducing risk, defending against threats, maintaining data privacy, and protecting company confidential information, including trade secrets and intellectual property.

About this guide

Thermo Fisher Scientific has implemented safeguards and protections to help protect the Thermo Scientific™ OMNIC™ Paradigm Software version 2.7 against intrusion or data compromise. This document applies only to OMNIC Paradigm Software version 2.7 deployed within the customer's environment. It describes the standards, controls, data security approaches, and business practices employed by Thermo Fisher Scientific for this configuration. This document does not apply to security features within the optional Thermo Fisher Connect Platform™.

Due to the evolving cyber landscape, Thermo Fisher Scientific updates this Product Security Information Guide annually to ensure it contains current, accurate information. This guide expires on September 15, 2025. Please contact your account representative to obtain the latest published version.

The information in this Product Security Information Guide is for reference purposes only. Nothing contained in this document or relayed verbally to any customer will be deemed to amend, modify, or supersede the terms and conditions of any written agreement between such customer and Thermo Fisher Scientific, or its subsidiaries or affiliates. This guide does not create an independent contract or agreement. Thermo Fisher Scientific does not make any promises or guarantees that the methods or suggestions described herein will restore customer systems, resolve malicious code issues, or achieve any other stated results. The customer exclusively assumes all risk of utilizing or not utilizing any guidance described in this Product Security Information Guide.

Corporate Cybersecurity Program

Cybersecurity Program and leadership

Thermo Fisher Scientific's Cybersecurity Program employs technical, administrative, and physical safeguards to detect vulnerabilities and address potential threats. Thermo Fisher Scientific's Cybersecurity Program maintains an International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013 certification for the management of the following areas:

Cybersecurity governance and risk management

Thermo Fisher Scientific remains vigilant against potential threats like cyberattacks and cybersecurity incidents, incorporating cybersecurity into its overall risk management process. This is achieved through quarterly business reviews, annual budget planning, and targeted risk-based engagements.

The company's commitment to cybersecurity emphasizes a risk-based, "defense in depth" approach to assess, educate, block, identify, respond to, and recover from cybersecurity threats. Recognizing that no single technology or control can prevent all risks, Thermo Fisher Scientific employs a strategy using numerous technologies, processes, and controls to manage or reduce risk.

Product overview

OMNIC Paradigm Software is a comprehensive package for molecular spectroscopy and microscopy, designed to simplify data collection, analysis, and interpretation. It also enables remote work and global collaboration. The software is compatible with the following Fourier-transform infrared (FTIR) spectrometers:

Hardware specifications

Refer to the Thermo Fisher Scientific Knowledge 1 website topic about Nicolet Spectrometers for hardware specifications of the computer dedicated to running OMNIC Paradigm Software. Specifications depend on the spectrometer and its setup.

System compatibility

OMNIC Paradigm Software is compatible with the following supported operating systems:

Thermo Fisher Scientific recommends customers using a companion PC with Windows 10 upgrade to Windows 11 at their earliest convenience. For companion PCs purchased from Thermo Fisher Scientific, contact your Sales Representative for upgrade information.

Note: The embedded computer within the Nicolet Summit does not currently support Windows 11.

MariaDB™ is the default database for storing OMNIC Paradigm Software data. Microsoft SQL Server™, Amazon™ Aurora™, or Oracle™ databases can also be used. Customers are responsible for provisioning and configuring the database according to the OMNIC Paradigm Software User Guide.

Regulatory compliance

The Security Suite add-on software enhances capabilities to protect data security and integrity, aiding compliance with 21 CFR Part 11. The Security Suite software comprises two primary applications: Security Administration and Audit Manager.

Contact your Thermo Fisher Scientific Sales Representative for information on purchasing Security Suite software.

OMNIC Paradigm system architecture diagrams

Figure 1: Separate companion PC deployment

This diagram illustrates a separate companion PC deployment for OMNIC Paradigm Software. It shows a Nicolet Summit FTIR Spectrometer connected via USB 2.0 to a companion PC. The companion PC runs the OMNIC Paradigm Software Client, which communicates with the OMNIC Paradigm Server. The server comprises multiple services, including Password Manager, Library, Discovery, Workflow, and History services, and connects to a database (either built-in or distributed). It also connects to the Thermo Fisher Cloud Connection Service. The companion PC can connect to the network via Ethernet or Wi-Fi.

Figure 2: Onboard PC deployment

This diagram shows an onboard PC deployment for OMNIC Paradigm Software. A Nicolet Summit PRO FTIR Spectrometer features an onboard PC running the OMNIC Paradigm Server. This server connects to a database and the Thermo Fisher Cloud Connection Service. An optional companion PC can be connected via Ethernet to host the OMNIC Paradigm Software Client, facilitating data analysis and remote connectivity. The onboard PC can also connect to the Thermo Fisher Connect Platform using Ethernet or Wi-Fi.

OMNIC Paradigm architecture diagrams component glossary

Component glossary

| Component | Description |
| --- | --- |
| Companion Personal Computer (PC) | The Thermo Fisher Scientific-provided or customer-provided computer that hosts the complete OMNIC Paradigm Software application. Customers can also utilize the companion PC to run the OMNIC Paradigm Software Client depending on the instrument setup and system configuration. |
| OMNIC Paradigm Software Client | Desktop application for OMNIC Paradigm Software, supported on Windows 10 or Windows 11 when run on the companion PC. |
| OMNIC Paradigm Server | Comprises multiple services that transmit data to the application interface as well as read/write data to the built-in or distributed database. These services include the Password Manager Service, Library Service, Discovery Service, Workflow Service, History Service, and the Thermo Fisher Cloud Connection Service. |
| RabbitMQ™ Message Bus | A messaging broker that acts as a common platform to send and receive messages between the OMNIC Paradigm Software Client and the back-end services using the Advanced Message Queuing Protocol (AMQP). |
| Password Manager Service | Provides credentials to the other back-end services using named pipes to allow for connection to the RabbitMQ Message Bus and the database. |
| Library Service | Used to create, edit, and search spectral libraries. |
| Discovery Service | Automatically detects the instrument available on the network, allowing the customer to select the instrument they want to connect to. |
| Workflow Service | Used to create, edit, and run OMNIC Paradigm workflows. Customers can also utilize the Web API exposed over Hypertext Transfer Protocol Secure (HTTPS) to initiate and control OMNIC Paradigm workflows. |
| History Service | Used to gather previous measurement data from the database, such as spectral data and results of quantitative analysis. The History Service utilizes a web application programming interface (API) connection over HTTPS to collect prior measurement data. |
| Thermo Fisher Cloud Connection Service | Used for customers who opt in to send telemetry data, such as internal temperature and power voltages, to the Thermo Fisher Connect Platform. |
| Database | Stores information, including measurement data, user preferences, and system information pertaining to OMNIC Paradigm Software. Customers can use the built-in MariaDB database or configure a compatible alternative, such as SQL Server, Aurora, or Oracle database, to meet their business needs. |
| Thermo Fisher Connect Platform | An optional component: Customers can opt in to send telemetry data to the Thermo Fisher Connect Platform to analyze data anytime, anywhere. Security features within the Thermo Fisher Connect Platform are not in scope for this document. |

System access controls

Authentication

Authentication to OMNIC Paradigm Software and the spectrometers is administered via domain authentication or standard Windows authentication on the Thermo Fisher Scientific-provided computer or the embedded PC. The default mechanism uses standard local Windows authentication. Customers can use their own devices but are responsible for configuring authentication according to their policies.

Customers can also use domain authentication to authenticate users via their domain credentials. OMNIC Paradigm Software validates credentials on the customer's network domain controllers. For customers using domain authentication with the Security Suite software, role-based access control can assign specific permissions to validated users.

While OMNIC Paradigm Software can run using the Windows administrator account, Thermo Fisher Scientific recommends configuring a standard Windows user account to manage the software, adhering to the principle of least privilege. Refer to the Authorization section for more information.

Authorization

Using Security Suite, OMNIC Paradigm Software employs role-based access control (RBAC) to grant permissions and access to authorized users. Role assignments are configurable to meet business requirements. Thermo Fisher Scientific recommends configuring role assignments using the principle of least privilege, providing only the necessary system access to manage OMNIC Paradigm Software and supported instruments.

Firewall/network controls

Installation of OMNIC Paradigm Software updates firewall configurations on the customer-provided or Thermo Fisher Scientific-provided PC to allow connections between the OMNIC Paradigm client and back-end services. No additional firewall modifications are required. A list of back-end services and their ports can be found in the OMNIC Paradigm Software User Guide.

Thermo Fisher Scientific recommends configuring firewall rules to allow only the traffic OMNIC Paradigm Software needs, on the specific ports listed in the User Guide. Closing unused ports is also recommended to limit connections and follow industry standards.

Thermo Fisher Scientific also advises confirming that the ports listed in the OMNIC Paradigm Software User Guide allow traffic if connection issues arise with a spectrometer.

Password management

Thermo Fisher Scientific recommends that password requirements align with organizational or industry best practices. For standard Windows authentication, OMNIC Paradigm Software allows password configuration to meet organizational security requirements. For domain authentication, password policy requirements are set by the customer's domain controllers.

During installation, the OMNIC Paradigm Software installer resets the root password for RabbitMQ and MariaDB, prompting the software to create strong, randomly generated passwords for access to these critical back-end services.

Remote support

Customers initiate remote support for OMNIC Paradigm Software and its supporting instrument by contacting technical support. If remote troubleshooting is recommended, the representative will establish a session using a Thermo Fisher Scientific-managed and approved third-party remote support solution.

Thermo Fisher Scientific maintains internal policies and procedures for the secure storage, retention, and disposal of customer data obtained through remote support sessions.

Logging

OMNIC Paradigm Software logs various activities, including user actions, software system events, and instrument events, to evaluate system performance and document user tasks. It uses a built-in event store as an auditing mechanism to track and monitor activities, particularly data acquisition and processing events.

Secure connectivity

Separate companion PC deployment

Separate companion PC application connectivity

| Assets | Secure connection |
| --- | --- |
| OMNIC Paradigm Server to Software Client | The OMNIC Paradigm Server connects with the OMNIC Paradigm client via RabbitMQ message bus, Password Manager service, and a web API exposed by the History Service. AMQP, named pipes, and HTTPS are the protocols used for data transmission within the companion PC. |
| OMNIC Paradigm Server to Built-In Database | The OMNIC Paradigm Server connects to the built-in database via a TCP/IP connection. The Password Manager Service manages credentials for database connection. Refer to the "System Compatibility" section for a list of compatible databases. |
| OMNIC Paradigm Server to Distributed Database | Customers can configure the OMNIC Paradigm Server to connect to a chosen distributed database via TCP/IP, requiring the database hostname, desired TCP/IP port, and valid credentials. The OMNIC Paradigm Server supports Integrated Windows Authentication (IWA). |

Separate companion PC hardware connectivity

| Assets | Secure connection |
| --- | --- |
| Companion PC to Instrument | The instrument connects to the companion PC via a direct USB 2.0 connection, where OMNIC Paradigm Software performs data analysis. Thermo Fisher Scientific recommends restricting physical access to the instrument and companion PC for a stable and secure connection. |
| Companion PC to Thermo Fisher Connect Platform | The companion PC connects to the Thermo Fisher Connect Platform via Ethernet or Wi-Fi. Customers can opt in to send telemetry data (e.g., internal temperatures, power voltages), but this connection is not required for normal OMNIC Paradigm Software functionality. For Wi-Fi, Thermo Fisher Scientific recommends WPA2 or WPA3 for authentication. |

Onboard PC deployment

Onboard PC application connectivity

| Assets | Secure connection |
| --- | --- |
| OMNIC Paradigm Server to Software Client | The OMNIC Paradigm Server connects with the OMNIC Paradigm client via RabbitMQ message bus, Password Manager service, and a web API exposed by the History service. AMQP, named pipes, and HTTPS are the protocols used for data transmission from the embedded PC to the client on the external companion PC. |
| OMNIC Paradigm Server to Built-In Database | The OMNIC Paradigm Server connects to the built-in database via a TCP/IP connection. The Password Manager Service manages credentials for database connection. Refer to the "System Compatibility" section for a list of compatible databases. |
| OMNIC Paradigm Server to Distributed Database | Customers can configure the OMNIC Paradigm Server to connect to a distributed database via TCP/IP, requiring the database hostname, desired TCP/IP port, and valid credentials. The OMNIC Paradigm Server supports Integrated Windows Authentication (IWA). |

Onboard PC hardware connectivity

| Assets | Secure connection |
| --- | --- |
| Instrument with Embedded PC to Companion PC | An external companion PC connects to an instrument with an embedded PC via Ethernet, allowing the OMNIC Paradigm Software client to be hosted on the external PC for data analysis and instrument network connectivity. Thermo Fisher Scientific recommends restricting physical access to the instrument and companion PC for a stable and secure connection. |
| Instrument with Embedded PC to Thermo Fisher Connect Platform | The instrument with an embedded PC connects to the Thermo Fisher Connect Platform via Ethernet or Wi-Fi. Customers can opt in to send telemetry data (e.g., internal temperatures, power voltages), but this connection is not required for normal OMNIC Paradigm Software functionality. For Wi-Fi, Thermo Fisher Scientific recommends WPA2 or WPA3 for authentication. |

Data encryption methods

Encryption at rest

By default, data generated from OMNIC Paradigm Software is stored in the local MariaDB. Thermo Fisher Scientific recommends customers enable encryption capabilities offered within MariaDB or their chosen database to encrypt data at rest. Refer to vendor-specific documentation for configuring encryption mechanisms.

Encryption in transit

Data produced from OMNIC Paradigm Software is transferred from the instrument to the companion PC or onboard computer via RabbitMQ. The RabbitMQ connection uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption. Telemetry data sent to the Thermo Fisher Connect Platform uses a secure HTTPS connection with TLS version 1.2.

Certificates

OMNIC Paradigm Software version 2.7 supports importing existing SSL certificates via the OMNIC Paradigm Configuration Utility. This service is intended for administrator use only. Default configurations should be used unless customer organizational policy dictates otherwise.

Secure product development lifecycle

Secure software development training

Software development training is available to the OMNIC Paradigm Software Development team to reinforce secure coding principles and review the latest development standards and guidelines.

Company-wide cybersecurity training

Thermo Fisher Scientific believes cybersecurity is the responsibility of every colleague. Regular education and sharing of best practices raise awareness of cybersecurity threats. This is achieved through a security awareness training program, including exercises, cyber-event simulations, and annual attestation to the Technology Acceptable Use Policy.

Product security assessments

Products, instruments, software, and devices undergo custom security assessments as part of the product development lifecycle. Assessments are based on component complexity and may include technical review, focused testing, and regulatory review. The Software Development team reviews, evaluates, and prioritizes security assessment findings for remediation based on criticality and business risk management.

Source code management

The OMNIC Paradigm Software source code is stored in a Thermo Fisher Scientific-approved version control solution with built-in redundancy for data loss prevention. Continuous Integration/Continuous Deployment (CI/CD) is used to automate implementation and delivery of code changes.

Artifact management

Software artifacts (executables, images, libraries) for OMNIC Paradigm Software are stored and maintained in a Thermo Fisher Scientific-approved artifact management solution, providing visibility and control over software builds. This enables the development team to identify dependencies with known vulnerabilities for prioritized remediation.

Static analysis

The OMNIC Paradigm Software Development team uses a Thermo Fisher Scientific-approved static analysis tool that scans code repositories during each commit. This tool helps identify potential security defects, maintain code quality and integrity, and allows for prompt review and prioritization of security alerts for remediation.

Peer code reviews

The OMNIC Paradigm Software Development team conducts manual peer reviews of code before testing and deployment. These reviews provide insights into the code's context and business logic, complementing static analysis findings.

Penetration tests

Thermo Fisher Scientific's Penetration Testing team tests core components of the Nicolet Summit and OMNIC Paradigm Software against the Open Worldwide Application Security Project (OWASP) Top 10 Internet-of-Things (IoT) list. The team uses technical and non-technical approaches to identify vulnerabilities during product development.

Vendor assessments

To evaluate risks from cybersecurity threats associated with third-party technology providers, a risk-based assessment is incorporated into the corporate IT procurement process. This assesses the security risk of third parties providing new technology solutions. This process balances risk reduction and effective resource management.

Product security maintenance

Vulnerability and patch management

The OMNIC Paradigm Software Development team tests and validates security updates and system patches throughout the product lifecycle, deploying them based on criticality and business risk management. Thermo Fisher Scientific recommends validating and applying patches upon notification to keep systems updated and minimize vulnerability risks. Customers can report suspected or potential security issues using the Reporting Security Issues form.

Disaster recovery and business continuity

OMNIC Paradigm Software has data backup capabilities to prevent data loss and aid in restoring normal functionality. Thermo Fisher Scientific suggests customers leverage these backup capabilities in their Disaster Recovery plans and testing. Regular file system and database backups, coordinated with laboratory managers and IT administrators, are also recommended.

System hardening

System hardening mitigates potential exploitation of system vulnerabilities and prevents threats. The OMNIC Paradigm Software Development team uses system hardening practices prior to deployment, including:

Thermo Fisher Scientific recommends maintaining operating systems and network hardening practices on relevant infrastructure supporting OMNIC Paradigm Software.

Service handling

Application-specific support and training are critical for deploying and supporting the spectrometer and associated software. Thermo Fisher Scientific's experienced professionals provide global, follow-the-sun support for technical assistance and rapid escalation of critical issues.

Technical support for OMNIC Paradigm is provided through Unity Lab Services. Customers can submit a technical support request ticket via the Services Central web portal (login required).

Questions?

To reach a member of the team and discuss this product, please contact us at product.security@thermofisher.com.

For Research Use Only. Not for use in diagnostic procedures. ©2024 Thermo Fisher Scientific Inc. All rights reserved. Microsoft, Microsoft Windows, SQL Server, PowerShell and Windows Defender are registered trademarks of the Microsoft Corporation. MariaDB is a registered trademark of MariaDB Corp. Amazon Aurora is a trademark of Amazon Technologies. Oracle is a registered trademark of the Oracle Corporation. RabbitMQ is a trademark of VMware. All other trademarks are the property of Thermo Fisher Scientific and its subsidiaries unless otherwise specified.
