Design Like a Pro: SCADA Security Guidelines

Moderator

Don Pearson

Chief Strategy Officer

Inductive Automation

Today’s Agenda

• Introduction to Ignition

• SCADA/ICS Security Basics

• Approaches to SCADA/ICS Security

• Tools for Protecting Your Network

• Security Hardening in Ignition

• Q&A

About Inductive Automation

• Founded in 2003

• HMI, SCADA, MES, and IIoT software

• Installed in 100+ countries

• Over 1,500 integrators

• Used by 48% of Fortune 100 companies

Learn more at: inductiveautomation.com/about

Used By Industries Worldwide

Ignition: Industrial Application Platform

One Universal Platform for SCADA, MES & IIoT:

• Unlimited licensing model

• Cross-platform compatibility

• Based on IT-standard technologies

• Scalable server-client architecture

• Web-managed

• Web-launched on desktop or mobile

• Modular configurability

• Rapid development and deployment

Presenter

Kevin McClusky

Co-Director of Sales Engineering,

Inductive Automation

Disclaimer

Cybersecurity is a deep and complex topic, and this webinar presents a general overview of the subject. It is not intended as comprehensive instruction or training on industrial control system security. It contains general, widely applicable guidelines about ICS security; however, because every organization is different, you should work with a security expert to make sure that your specific security needs are met.

Different Types of Security

SCADA/ICS Security Basics

Three laws of SCADA security:

• Nothing is 100% secure.

• All software can be hacked.

• Every piece of information can be an attack.

– From SCADA Security – What’s Broken and How to Fix It, by Andrew Ginter

SCADA/ICS Security Basics

Who’s attacking our systems?

• Insiders (corporate insiders & SCADA insiders)

• Organized Crime

• Hackers

• Intelligence Agencies

• Military

SCADA/ICS Security Basics

How are they attacking us?

• Phishing

- #1 attack vector for ICS

- Spear phishing

- In 2016, 30% of phishing messages were opened, up from 23% in 2015

• Malware & ransomware

High-profile attacks:

- WannaCry & NotPetya (2017)

- Stuxnet (2010)

• Weak authentication

• SQL injection

• Network scanning

• Abuse of authority

• Brute force

• Rogue devices

• Removable media

Approaches to SCADA/ICS Security

What can we do about it?

• Keep it simple. Complexity doesn’t improve security.

• Know your environment (which machines & software versions you have, your normal traffic level, etc.).

• You can’t eliminate risk, but you can mitigate risk.

• Make it very difficult and expensive to pull off an attack.

Approaches to SCADA/ICS Security

IT Security

• Software-based

• Focus: detecting & responding to intrusion

• Stakes: compromised or stolen data, system crashes, interruption, financial losses, etc.

ICS Security

• Hardware-based

• Focus: preventing intrusion

• Stakes: loss of life, environmental damage, economic impact

Industrial organizations must focus on prevention while also implementing IT-class security measures in order to secure their control systems.

Tools for Protecting Your Network

Authentication

• Username/password (Don’t use default passwords!)

• User- and role-based security (based on the Principle of Least Privilege)

• Biometrics (fingerprints, retina scans)

• Public Key Infrastructure (PKI)

• Key cards

• USB tokens

• Application security: role-based settings/permissions can be used to secure applications (clients, design environment, tags)

• Database connection encryption

• OPC UA connections

Tools for Protecting Your Network

Encryption (TLS/SSL/https)

• Encrypts all data sent over HTTP (turning it into HTTPS)

• Protects against snooping & session hijacking

• Can be used to protect the SCADA Gateway

• Can be used with a VLAN to secure native device communication

• Can be used to encrypt OPC UA communication

• Can be used to help secure databases that support TLS/SSL

Tools for Protecting Your Network

Auditing

• Record details about specific events

• Track down who did what from where

• Helpful in deterring attacks by SCADA insiders

• Use audit logs, trails, profiles

Tools for Protecting Your Network

Ways to Protect Your Operating System:

• Remove any unnecessary programs.

• Keep OS patches & service packs up-to-date.

• Disable remote services on Windows.

• Set up firewalls to restrict network traffic; close all ports and only reopen ports that are necessary.

• Set up firewalls on redundant servers.

• If remote access is required, get a VPN device with good multi-factor authentication.

Tools for Protecting Your Network

Ways to Secure Your Device/PLC Connections:

• Native device communication options:

- Keep on a separate, private OT network

- Network segmentation

- VLAN with encryption

- Set up routing rules

- Use edge-of-network gateway as bridge between device & network

• OPC UA and MQTT communication offer built-in security, and communications can be encrypted over TLS

Tools for Protecting Your Network

[Diagram: SCADA Network → Unidirectional Gateway (TX interface → RX interface) → IT Network]

Unidirectional Gateways (data diodes) are an option for standalone networks with tight controls over what goes in and out.

Tools for Protecting Your Network

Physical Security:

• Because control devices like PLCs cannot be locked down, it is essential to implement physical security measures, such as the following:

- Badges & badge readers

- Physical media controls (including laptops, phones, USB keys)

- Video monitoring

- Policies and training

- Guards

Security Hardening in Ignition

• The following steps are intended to provide general guidance on how to set up and secure your Ignition installation.

• General suggestions regarding the hardware and network where Ignition is installed.

Security Hardening in Ignition

Secure the Gateway

• Change the Admin Password

• Configure Access for the Gateway

• Enable SSL

- Acquire and install an SSL certificate for Ignition from a certificate authority (highly recommended)

Demo: Securing the Gateway

Security Hardening in Ignition

Device, MQTT, and OPC Security

• OPC UA Communication

• Native Device Communication

• MQTT

Demo: Device, MQTT, and OPC Security

Security Hardening in Ignition

Use Security Zones

• A Security Zone is a list of Gateways, Computers, or IP addresses that are defined and grouped together.

• When zones are defined, you can place additional policies & restrictions on them.

• Provides read-only and read/write access to specified locations.

• Helps keep different areas of the business separate while allowing them to interconnect.

Demo: Security Zones
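The role-based, least-privilege authentication points earlier and the Security Zones described above fit one model: group source addresses into named zones, then grant read-only or read/write access per zone and role, denying anything not explicitly allowed. The following is an added example written for this page, not Ignition's own code (Ignition implements zones and permissions inside the Gateway); the zone names, networks, roles and tag paths are constructed sample values.

```python
"""Zone- and role-based access model for SCADA tag operations.

Added example, not Ignition's own code. Shows the idea behind Security Zones
combined with role-based permissions: map a request's source address to a
zone, then allow it only if a rule for that zone and one of the user's roles
covers the tag and the kind of access. Everything not allowed is denied.
Zone names, networks, roles and tag paths are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones: zone name -> networks (or single hosts) that belong to it.
ZONES = {
    "control_room": [ipaddress.ip_network("10.10.1.0/24")],
    "plant_floor": [ipaddress.ip_network("10.10.2.0/24")],
    "corporate": [ipaddress.ip_network("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    zone: str        # zone the request must come from
    role: str        # role the user must hold
    tag_prefix: str  # tag paths covered ("" = all tags)
    write: bool      # False = read-only, True = read/write


# Constructed policy following least privilege: the corporate zone is
# read-only for everyone, and only control-room engineers reach every tag.
POLICY = [
    Rule("control_room", "Operator", "Line1/", write=True),
    Rule("plant_floor", "Operator", "Line1/", write=True),
    Rule("control_room", "Engineer", "", write=True),
    Rule("corporate", "Viewer", "Line1/", write=False),
    Rule("corporate", "Engineer", "Line1/", write=False),
]


def zone_for(addr):
    """Return the zone containing addr, or None if no zone claims it."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return None


def is_allowed(addr, roles, tag_path, write, policy=POLICY):
    """True only if some rule grants the (zone, role, tag, access) combination.

    A source outside every zone is denied: the zone model gives unknown
    hosts no implicit rights, and a read-only rule never authorizes a write.
    """
    zone = zone_for(addr)
    if zone is None:
        return False
    for rule in policy:
        if rule.zone != zone or rule.role not in roles:
            continue
        if not tag_path.startswith(rule.tag_prefix):
            continue
        if write and not rule.write:
            continue
        return True
    return False


if __name__ == "__main__":
    print(is_allowed("10.10.1.5", {"Operator"}, "Line1/Motor1/Speed", write=True))
    print(is_allowed("192.168.4.20", {"Engineer"}, "Line1/Motor1/Speed", write=True))
```

The interesting case is the last call: an engineer holds a role that can write every tag from the control room, yet the same account connecting from the corporate zone is limited to reads, because the zone is evaluated before the role.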

Security Hardening in Ignition

Define Application Security

• Client Security

• Designer Security

• Tag Security

• Named Queries

Demo: Defining Application Security

Security Hardening in Ignition

Set Up Audit Logging

• Audit Profiles are simple to set up, and immediately start recording events.

• Only tag writes, SQL UPDATE, SQL INSERT, and SQL DELETE statements are recorded. A time-stamp is also recorded.

Demo: Setting Up Audit Logging
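The Auditing slide earlier ("track down who did what from where") and the Audit Profile description above are served by one model: record each tag write and each modifying SQL statement with a time-stamp, the user and the source address, and skip reads. The following is an added example written for this page, not Ignition's own audit code; the events and addresses are constructed, and the clock is injectable so the trail can be tested.

```python
"""Audit-trail model in the spirit of an Ignition Audit Profile.

Added example, not Ignition's own code. Records tag writes and SQL
UPDATE/INSERT/DELETE statements with a time-stamp, the acting user and the
source address, so the trail can answer "who did what from where". Reads and
SELECT statements are deliberately not recorded, matching what the page says
a profile records. Event data is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Only modifying statements are audited.
AUDITED_SQL = re.compile(r"^\s*(UPDATE|INSERT|DELETE)\b", re.IGNORECASE)


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str  # ISO-8601, UTC
    actor: str      # authenticated user name
    source: str     # client address the action came from
    action: str     # "tag write", "sql UPDATE", "sql INSERT", "sql DELETE"
    target: str     # tag path and value, or the statement text


class AuditProfile:
    def __init__(self, clock=None):
        self.events = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _record(self, actor, source, action, target):
        self.events.append(AuditEvent(self._clock(), actor, source, action, target))
        return True

    def tag_write(self, actor, source, tag_path, value):
        return self._record(actor, source, "tag write", f"{tag_path} = {value!r}")

    def tag_read(self, actor, source, tag_path):
        return False  # reads are not audited

    def sql(self, actor, source, statement):
        m = AUDITED_SQL.match(statement)
        if not m:
            return False  # SELECT and other statements are not audited
        return self._record(actor, source, f"sql {m.group(1).upper()}", statement.strip())

    def by_actor(self, actor):
        return [e for e in self.events if e.actor == actor]

    def by_source(self, source):
        return [e for e in self.events if e.source == source]

    def actors_from_multiple_sources(self):
        """Actors whose audited actions came from more than one address.

        A review aid for the insider case the page mentions: one account
        acting from several places is worth a question, not proof of abuse.
        """
        seen = {}
        for e in self.events:
            seen.setdefault(e.actor, set()).add(e.source)
        return {actor: srcs for actor, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    trail = AuditProfile()
    trail.tag_write("alice", "10.10.1.5", "Line1/Motor1/Speed", 1200)
    trail.sql("bob", "10.10.1.7", "UPDATE recipes SET setpoint = 5 WHERE id = 1")
    for event in trail.events:
        print(event)
```

The return value of each recording method tells the caller whether the action made it into the trail, which is what a test of an audit configuration should check: a profile that silently drops UPDATE statements is worse than no profile, because it creates false confidence.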

Security Hardening in Ignition

Protect the Database

• Rather than using a database owner account such as root or sa, we recommend creating a separate user account with limited privileges for the database connection with the Ignition Gateway.

• If your database supports TLS encryption, use it for the Ignition-to-database connection.

• TLS can be enabled for databases running on different servers (follow the information for its JDBC driver and internal security settings).
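The two recommendations above (no owner account, TLS on the Ignition-to-database connection) can be checked mechanically against a connection's settings before it goes into production. The following is an added example written for this page, not Ignition's own code: the connection is modelled as a plain dict rather than read from the Gateway, the URLs and account names are constructed, and the TLS detection relies on the URL parameters of two drivers the author knows (MySQL Connector/J: `sslMode`, or the older `useSSL`/`requireSSL`/`verifyServerCertificate`; PostgreSQL JDBC: `ssl` and `sslmode`). A deployment on another driver would need its own rule.

```python
"""Check a JDBC database connection against two hardening rules:
no owner account (root/sa), and TLS with server verification on the wire.

Added example, not Ignition's own code. Connection settings are modelled as
a dict; URL parameter names are those of MySQL Connector/J and the
PostgreSQL JDBC driver (assumption: the deployment uses one of those).
"""
from urllib.parse import parse_qs, urlsplit

# Owner accounts named on the page; extend for other engines as needed.
OWNER_ACCOUNTS = {"root", "sa"}


def _scheme_and_params(jdbc_url):
    # "jdbc:mysql://host:3306/db?x=y": drop the jdbc: prefix so urlsplit parses it.
    rest = jdbc_url[5:] if jdbc_url.lower().startswith("jdbc:") else jdbc_url
    parts = urlsplit(rest)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.scheme.lower(), params


def tls_verified(jdbc_url):
    """Return (tls_enabled, server_certificate_verified) inferred from the URL."""
    scheme, q = _scheme_and_params(jdbc_url)
    if scheme == "mysql":
        mode = q.get("sslMode", "").upper()
        if mode:  # Connector/J 8 style
            enabled = mode in {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
            return enabled, mode in {"VERIFY_CA", "VERIFY_IDENTITY"}
        # legacy flags: TLS only counts if it is required, not merely offered
        enabled = (q.get("useSSL", "false").lower() == "true"
                   and q.get("requireSSL", "false").lower() == "true")
        verified = enabled and q.get("verifyServerCertificate", "false").lower() == "true"
        return enabled, verified
    if scheme == "postgresql":
        mode = q.get("sslmode", "").lower()
        enabled = mode in {"require", "verify-ca", "verify-full"} or q.get("ssl", "").lower() == "true"
        return enabled, mode in {"verify-ca", "verify-full"}
    return False, False  # unknown driver: cannot prove TLS, report it as missing


def check_connection(cfg):
    """Return a list of findings; an empty list means both rules are met."""
    findings = []
    if cfg["username"].lower() in OWNER_ACCOUNTS:
        findings.append(f"owner account '{cfg['username']}' used; create a limited user")
    enabled, verified = tls_verified(cfg["url"])
    if not enabled:
        findings.append("TLS not enabled on the JDBC URL")
    elif not verified:
        findings.append("TLS enabled but server certificate not verified")
    return findings


# Constructed weak and corrected settings for the same database.
WEAK = {"username": "root",
        "url": "jdbc:mysql://db.plant.example:3306/ignition"}
HARDENED = {"username": "ignition_app",
            "url": "jdbc:mysql://db.plant.example:3306/ignition?sslMode=VERIFY_IDENTITY"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_connection(cfg) or "ok")
```

The distinction between "enabled" and "verified" matters: a connection that encrypts without checking the server certificate is still open to an on-path substitute database, so the check reports it separately instead of treating any TLS as done.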

Security Hardening in Ignition

Securing Java

• Change Java security settings

• Keep Java up-to-date

Security Hardening in Ignition

Securing Java

Disable Java Plug-In in Web Browsers

Security Hardening in Ignition

Turning on the Firewall

• Enable firewall for all traffic

• Allow needed ports through

Demo: Configuring Windows Firewall
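Both the firewall steps above and the earlier operating-system advice ("close all ports and only reopen ports that are necessary", "know your environment") start from the same question: what is this host actually listening on, and which of that is needed? The following is an added example written for this page, not Ignition's or any vendor's tool. The socket listing is constructed sample data in the shape of `ss -ltnp` output on Linux (the same inventory can be taken with `netstat` on Windows); the allowlist is an assumption for a Gateway host, using 8088 and 8043 as Ignition's default HTTP and HTTPS ports and treating the database port as loopback-only.

```python
"""Compare what a host listens on with the ports it is supposed to expose,
before the firewall rules are written.

Added example, not Ignition's own code. SAMPLE_LISTING is constructed data
in the shape of `ss -ltnp` output; ALLOWED is an assumed policy for a
Gateway host (8088/8043 = Ignition default HTTP/HTTPS, 22 = remote admin,
3306 = local database that must not be reachable from the network).
"""
import re

# Constructed sample listing, one listening socket per line.
SAMPLE_LISTING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8088        0.0.0.0:*         users:(("java",pid=1201,fd=55))
LISTEN 0      128    0.0.0.0:8043        0.0.0.0:*         users:(("java",pid=1201,fd=56))
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=987,fd=21))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=512,fd=3))
"""

# Assumed policy: port -> "any" (open through the firewall) or "local"
# (must stay bound to loopback). A port absent here should not be listening.
ALLOWED = {8088: "any", 8043: "any", 22: "any", 3306: "local"}

LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listing(text):
    """Return (bind_address, port, process_name) for each LISTEN line."""
    sockets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            sockets.append((m.group(1), int(m.group(2)), m.group(3)))
    return sockets


def is_loopback(addr):
    return addr in ("127.0.0.1", "[::1]")


def audit(sockets, allowed):
    """List every listening socket that the policy does not account for."""
    findings = []
    for addr, port, proc in sockets:
        policy = allowed.get(port)
        if policy is None:
            findings.append(f"port {port} ({proc}) is not needed: stop the service or block it")
        elif policy == "local" and not is_loopback(addr):
            findings.append(f"port {port} ({proc}) should only listen on loopback, found {addr}")
    return findings


def firewall_allow_set(allowed):
    """The minimal set of ports to reopen once everything else is closed."""
    return sorted(port for port, who in allowed.items() if who == "any")


if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE_LISTING), ALLOWED):
        print(finding)
    print("reopen only:", firewall_allow_set(ALLOWED))
```

Running the check on the sample flags the database listening on all interfaces and a print service nobody asked for; the firewall rule set that follows is then derived from the allowlist, not from whatever happened to be listening.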

Security Hardening in Ignition

Active Directory and Authentication Services

• Group Access and Disabling Auto Login

• User Accounts

• LDAP Protocol Security

Demo: Active Directory & Authentication Services

Security Hardening in Ignition

Keep Ignition Up-to-Date

• Software security requires constant effort and maintenance

• Security updates are released periodically to ensure continued protection

• Keeping up-to-date with updates is strongly recommended

Summary

Questions & Comments

Jim Meisler x227

Vannessa Garcia x231

Vivian Mudge x253

Account Executives

Myron Hoertling x224

Shane Miller x218

Ramin Rofagha x251

Maria Chinappi x264

Dan Domerofski x273

Lester Ares x214

Melanie Hottman

Director of Sales:

800-266-7798 x247

Jeff Osterback x207

Kevin McClusky

Co-Director of Sales Engineering:

[email protected]