Citect SCADA 2018 R2 - Security
© 2019 AVEVA Group plc and its subsidiaries. All rights reserved.
Brad Shaw – Global Product Manager Citect SCADA
May 2019
Agenda
Why focus on Security?
Encrypted Communications
User Groups for Access Control
Why focus on Security?
Confidentiality
Availability
Integrity
Encrypted Communications
Encrypted Communications
• AVEVA systems are highly distributed and scalable
• Different products communicate via different protocols
• Encryption requires Certificate Management
• Smaller customers don’t have I.T. departments capable of managing certificates, so we handle it for you
• Common encryption technology across AVEVA products
Customer Problem
Establish Trust
Encrypted Communications
Example Architecture
Diagram: Primary Server, Standby Server, Display Client, Historian, Deployment Server, System Management Server
System Management Server
• Creates unique certificates per system
• Distributes certificates to other computers
• Handles certificate renewal
• Enables AVEVA products to encrypt communications
• Only configure one System Management Server in your system
Encrypting Citect SCADA Communications
• Configure the System Management Server (only one!)
• Connect all other machines to the System Management Server
• Including CtAPI Client Applications
• Requires a user from the aaAdministrators group on the Management Server
• Configure Encryption
• Servers must be configured to “Run as a Service”
• Configure DNS Name in computers.dbf
• Status shown in Runtime Manager
Encrypting Citect SCADA Communications
• Encrypted with TLS v1.2
• All server-client and server-server communications
• CtAPI communications using new binaries in 2018 R2 release
• Kernel
• New Page Table: Platform.Session
• Available via ‘Dump Kernel’ command on Server processes
Example – Configuring Encryption
Configure Prerequisites – Run as a service
Example – Configuring Encryption
Configure Prerequisites – setup System Management Server
Example – Configuring Encryption
Enable Encryption
Example – Configuring Encryption
Connect other computers to System Management Server
Certificate Management
• System Management Server manages certificates
• Creates a unique Root CA, Intermediate CA per system
• Creates a unique binding certificate per machine
• Automatic certificate renewal
• Connection to Management Server required to renew certificates
• Certificates have 15 month expiry, renewed every month
• If renewal fails, it will retry daily until it succeeds
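The certificate hierarchy on this slide (a per-system Root CA and Intermediate CA, a per-machine binding certificate valid for 15 months, renewed monthly with daily retries) and the earlier point that all traffic is encrypted with TLS v1.2 can be seen together in the following Go program. It is an added example written for this page, not AVEVA code: the host and system names are constructed, the CA lifetimes (20 and 10 years) are assumptions the slides do not state, and the two-month "overdue" alert threshold is an assumed defender check, not a product behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with its private key. Constructed illustration only.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent, or self-signs when parent is nil.
func issue(tmpl *x509.Certificate, parent *Issued) *Issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Issued{Cert: cert, Key: key}
}

func caTemplate(cn string, serial int64, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate is the per-machine binding certificate: 15-month validity, as the slide states.
func leafTemplate(host string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.AddDate(0, 15, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// BuildSystemPKI creates one system's Root CA, Intermediate CA and one machine certificate.
// CA lifetimes are assumptions; the slides give none.
func BuildSystemPKI(system, host string, now time.Time) (root, inter, leaf *Issued) {
	root = issue(caTemplate(system+" Root CA", 1, now, 20), nil)
	inter = issue(caTemplate(system+" Intermediate CA", 2, now, 10), root)
	leaf = issue(leafTemplate(host, 3, now), inter)
	return root, inter, leaf
}

// VerifyMachineCert accepts leaf only if it chains to this system's own root, so a
// certificate issued by another system's Management Server is rejected.
func VerifyMachineCert(leaf, inter, root *x509.Certificate, host string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// RenewalStatus applies the slide's schedule (renew monthly, retry daily on failure).
// "overdue" at two months of age is an assumed alert threshold: a monthly renewal and a
// month of daily retries have all failed, so check connectivity to the System Management
// Server well before the 15-month expiry.
func RenewalStatus(c *x509.Certificate, now time.Time) string {
	switch {
	case now.After(c.NotAfter):
		return "expired"
	case !now.Before(c.NotBefore.AddDate(0, 2, 0)):
		return "overdue"
	case !now.Before(c.NotBefore.AddDate(0, 1, 0)):
		return "due"
	default:
		return "current"
	}
}

// ServerTLSConfig pins the minimum protocol to TLS 1.2 and requires peers to present a
// certificate from the same system's Root CA (mutual authentication for server-server links).
func ServerTLSConfig(leaf, inter, root *Issued) *tls.Config {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(root.Cert)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Cert.Raw, inter.Cert.Raw}, PrivateKey: leaf.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
}

func main() {
	now := time.Now()
	root, inter, leaf := BuildSystemPKI("PlantA", "primaryserver.example", now)
	fmt.Println("chain valid:", VerifyMachineCert(leaf.Cert, inter.Cert, root.Cert, "primaryserver.example", now) == nil)
	fmt.Println("renewal status after 3 months:", RenewalStatus(leaf.Cert, now.AddDate(0, 3, 0)))
}
```

The important property to check on a real deployment is the one VerifyMachineCert enforces: each machine trusts only its own system's Root CA, so a second System Management Server (which the slides warn against) would produce certificates that peers reject, and a machine that cannot reach the Management Server shows up as "overdue" long before its certificate expires.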
Deployment Configuration
• Deployment Server configuration is streamlined
1. Connect Deployment Server / Clients to System Management Server
2. Configure Deployment Server
• Auth file no longer required
3. Connect Deployment Clients to Deployment Server
• Auto-detect deployment server name
Diagram: Deployment Server, System Management Server, Deployment Client
Enhanced Security via User Groups
Security – User Groups
• Citect.Engineers
• Has permission to set the read/write password
• Citect.ServerUsers
• Has permission to read the server password
• Citect.LocalUsers
• Not required if processes are running as the same user
• Has permission to access communications channel to Runtime Manager
• Has permission to use local CtAPI
Prevent unauthorized user access to internal communications
User Groups – Recommended Configuration
• Citect.Engineers
• Permissions are only needed when configuring new machines
• Only add experienced engineering users to this group
• Citect.ServerUsers
• If running as a service, make no changes
• If running normally, add any Windows users that have permission to log on to this machine
• Citect.LocalUsers
• Add all valid users to this group
• Changing group permissions requires the user to sign out of Windows
Questions
linkedin.com/company/aveva
@avevagroup
ABOUT AVEVA
AVEVA is a global leader in engineering and industrial software driving digital transformation across the entire asset and operational life cycle of capital-intensive industries.
The company’s engineering, planning and operations, asset performance, and monitoring and control solutions deliver proven results to over 16,000 customers across the globe. Its customers are supported by the largest industrial software ecosystem, including 4,200 partners and 5,700 certified developers. AVEVA is headquartered in Cambridge, UK, with over 4,400 employees at 80 locations in over 40 countries.
aveva.com