Moderator
Don Pearson
Chief Strategy Officer
Inductive Automation
Today’s Agenda
• Introduction to Ignition
• SCADA/ICS Security Basics
• Approaches to SCADA/ICS Security
• Tools for Protecting Your Network
• Security Hardening in Ignition
• Q&A
About Inductive Automation
• Founded in 2003
• HMI, SCADA, MES, and IIoT software
• Installed in 100+ countries
• Over 1,500 integrators
• Used by 48% of Fortune 100 companies
Learn more at: inductiveautomation.com/about
Used by Major Companies Worldwide
Ignition: Industrial Application Platform
One Universal Platform for SCADA, MES & IIoT:
• Unlimited licensing model
• Cross-platform compatibility
• Based on IT-standard technologies
• Scalable server-client architecture
• Web-managed
• Web-launched on desktop or mobile
• Modular configurability
• Rapid development and deployment
Presenter
Kevin McClusky
Co-Director of Sales Engineering,
Inductive Automation
Disclaimer
Cybersecurity is a deep and complex topic, and this webinar presents a
general overview of the subject. It is not intended as comprehensive
instruction or training on industrial control system security. It contains
general, widely applicable guidelines about ICS security; however,
because every organization is different, you should work with a security
expert to make sure that your specific security needs are met.
Different Types of Security
SCADA/ICS Security Basics
Three laws of SCADA security:
• Nothing is 100% secure.
• All software can be hacked.
• Every piece of information can be an attack.
– From SCADA Security – What’s Broken and How to Fix It
by Andrew Ginter
SCADA/ICS Security Basics
Who’s attacking our systems?
• Insiders (corporate insiders & SCADA insiders)
• Organized Crime
• Hackers
• Intelligence Agencies
• Military
SCADA/ICS Security Basics
How are they attacking us?
• Phishing
- #1 attack vector for ICS
- Spear phishing
- In 2016, 30% of phishing messages were opened, up from 23% in 2015
• Malware & ransomware
High-profile attacks:
- WannaCry & NotPetya (2017)
- Stuxnet (2010)
• Weak authentication
• SQL injection
• Network scanning
• Abuse of authority
• Brute force
• Rogue devices
• Removable media
Approaches to SCADA/ICS Security
What can we do about it?
• Keep it simple. Complexity doesn’t improve security.
• Know your environment (which machines & software versions you have, your normal traffic level, etc.).
• You can’t eliminate risk, but you can mitigate risk.
• Make it very difficult and expensive to pull off an attack.
Approaches to SCADA/ICS Security
IT Security
• Software-based (firewalls, intrusion detection, endpoint agents)
• Focus: detecting & responding to intrusion
• Stakes: compromised or stolen data, system crashes, interruption, financial losses, etc.
ICS Security
• Hardware-based (physically separate networks, unidirectional gateways)
• Focus: preventing intrusion
• Stakes: loss of life, environmental damage, economic impact
Industrial organizations must focus on prevention while also implementing
IT-class security measures in order to secure their control systems.
Approaches to SCADA/ICS Security
Tools for Protecting Your Network
Authentication
• Username/password (Don’t use default passwords!)
• User- and role-based security (based on the Principle of Least Privilege)
• Biometrics (fingerprints, retina scans)
• Public Key Infrastructure (PKI)
• Key cards
• USB tokens
• Application security: role-based settings/permissions can be used to secure applications (clients, design environment, tags)
• Database connection encryption
• OPC UA connections
Tools for Protecting Your Network
Encryption (TLS/SSL/HTTPS)
• Encrypts HTTP traffic in transit (HTTPS)
• Protects against eavesdropping & session hijacking
• Can be used to protect the SCADA Gateway
• Can be used alongside a VLAN to secure native device communication (a VLAN segments the traffic but does not encrypt it; most native PLC protocols carry no encryption of their own, so the encryption has to come from a tunnel such as IPsec/VPN or from moving the data onto OPC UA or MQTT over TLS)
• Can be used to encrypt OPC UA communication
• Can be used to help secure databases that support TLS/SSL
Tools for Protecting Your Network
Auditing
• Record details about specific events
• Track down who did what from where
• Helpful in deterring attacks by SCADA insiders
• Use audit logs, trails, profiles
Tools for Protecting Your Network
Ways to Protect Your Operating System:
• Remove any unnecessary programs.
• Keep OS patches & service packs up-to-date.
• Disable remote services on Windows.
• Set up firewalls to restrict network traffic; close all ports and only reopen ports that are necessary.
• Set up firewalls on redundant servers.
• If remote access is required, get a VPN device with good multi-factor authentication.
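The "close all ports and only reopen what is necessary" step is easiest to verify against what the host actually exposes. The following added example (not Ignition's or the webinar's code) reads the output of `ss -lntH` on a Linux Gateway host and reports every listener that is reachable from the network but not on the allowlist. The `ss` output is constructed, not captured; the allowlist assumes Ignition's default ports (8088 HTTP, 8043 HTTPS, 8060 Gateway Network) plus SSH, and should be adjusted to the install being checked.

```python
"""Compare the ports a Gateway host exposes against an allowlist.

Added example for the firewall step above; not Ignition code. Input is
`ss -lntH` output (State Recv-Q Send-Q Local:Port Peer:Port); the sample
below is constructed. Port meanings are assumptions (Ignition defaults).
"""
from ipaddress import ip_address
from typing import Iterator, List, Tuple

# Ports that should be reachable from the network (assumption: Ignition defaults + SSH).
ALLOWED = {8043: "Ignition HTTPS", 8060: "Gateway Network", 22: "SSH administration"}
# Plaintext services that should be firewalled once their TLS equivalent is enabled.
PLAINTEXT = {8088: "Ignition HTTP"}
# Services that should never be bound to all interfaces on a Gateway host.
LOCAL_ONLY = {3306: "MySQL", 5432: "PostgreSQL", 1433: "SQL Server"}

# Constructed `ss -lntH` output, not from a real host.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8088 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8043 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8060 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def parse_listeners(text: str) -> Iterator[Tuple[str, int]]:
    """Yield (local address, port) for each LISTEN line of ss output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition copes with [::]:22
        yield addr.strip("[]"), int(port)


def remotely_reachable(addr: str) -> bool:
    """Anything not bound to a loopback address can be hit from the network."""
    return addr == "*" or not ip_address(addr).is_loopback


def review_listeners(text: str) -> List[Tuple[str, int, str]]:
    """Return (finding, port, address) for every listener that needs attention."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in ALLOWED or not remotely_reachable(addr):
            continue
        if port in PLAINTEXT:
            findings.append(("plaintext-service", port, addr))
        elif port in LOCAL_ONLY:
            findings.append(("bind-to-localhost", port, addr))
        else:
            findings.append(("unexpected-listener", port, addr))
    return findings


if __name__ == "__main__":
    for finding, port, addr in review_listeners(SS_OUTPUT):
        print(f"{finding:20} {addr}:{port}")
```

Run it on the real `ss -lntH` output of a Gateway host after the firewall rules are in place; anything it reports is a port that is open without a reason on the allowlist.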
Tools for Protecting Your Network
Ways to Secure Your Device/PLC Connections:
• Native device communication options:
- Keep on a separate, private OT network
- Network segmentation
- VLAN plus an encrypted tunnel (a VLAN alone segments but does not encrypt)
- Set up routing rules
- Use an edge-of-network gateway as the bridge between device & network
• OPC UA and MQTT offer built-in security: OPC UA signs and encrypts messages and authenticates peers with certificates; MQTT carries client credentials in its CONNECT packet and relies on TLS for confidentiality. Both can be carried over TLS.
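The "built-in security" of OPC UA only helps if the client actually picks a secure endpoint, since a server normally advertises several, including an unprotected one for discovery. The following added example (not Ignition's or the webinar's code; it also covers the "OPC UA Communication" item of the Device, MQTT, and OPC Security slide later on) ranks the endpoints a server returns from GetEndpoints and selects the strongest acceptable one. The SecurityPolicy URIs and MessageSecurityMode names are the ones defined by the OPC Foundation; the endpoint list itself and the server address are constructed.

```python
"""Pick a secure OPC UA endpoint from a GetEndpoints response.

Added example, not Ignition code. Basic128Rsa15 and Basic256 are
deprecated by the OPC Foundation (SHA-1 signatures, PKCS#1 v1.5
padding); SecurityPolicy#None or MessageSecurityMode None give no
protection. The ENDPOINTS list is constructed for illustration.
"""
from typing import List, Optional, Tuple

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Higher rank = stronger. Deprecated and null policies are deliberately absent.
POLICY_RANK = {
    POLICY_PREFIX + "Basic256Sha256": 1,
    POLICY_PREFIX + "Aes128_Sha256_RsaOaep": 2,
    POLICY_PREFIX + "Aes256_Sha256_RsaPss": 3,
}
DEPRECATED = {POLICY_PREFIX + "Basic128Rsa15", POLICY_PREFIX + "Basic256"}
NO_SECURITY = POLICY_PREFIX + "None"
MODE_RANK = {"SignAndEncrypt": 2, "Sign": 1, "None": 0}

Endpoint = Tuple[str, str, str]   # (endpoint URL, SecurityPolicy URI, MessageSecurityMode)

# Constructed GetEndpoints result; the host name is an assumption.
ENDPOINTS: List[Endpoint] = [
    ("opc.tcp://plc-gw.plant.local:4840", NO_SECURITY, "None"),
    ("opc.tcp://plc-gw.plant.local:4840", POLICY_PREFIX + "Basic128Rsa15", "Sign"),
    ("opc.tcp://plc-gw.plant.local:4840", POLICY_PREFIX + "Basic256", "SignAndEncrypt"),
    ("opc.tcp://plc-gw.plant.local:4840", POLICY_PREFIX + "Basic256Sha256", "Sign"),
    ("opc.tcp://plc-gw.plant.local:4840", POLICY_PREFIX + "Basic256Sha256", "SignAndEncrypt"),
    ("opc.tcp://plc-gw.plant.local:4840", POLICY_PREFIX + "Aes256_Sha256_RsaPss", "SignAndEncrypt"),
]


def classify(policy: str, mode: str) -> str:
    """Label one endpoint: insecure, deprecated, sign-only, acceptable or unknown."""
    if policy != NO_SECURITY and policy not in DEPRECATED and policy not in POLICY_RANK:
        return "unknown"           # a policy we do not recognise is not trusted by default
    if policy == NO_SECURITY or mode == "None":
        return "insecure"
    if policy in DEPRECATED:
        return "deprecated"
    return "acceptable" if mode == "SignAndEncrypt" else "sign-only"


def choose_endpoint(endpoints: List[Endpoint], require_encryption: bool = True) -> Optional[Endpoint]:
    """Return the strongest acceptable endpoint, or None if the server offers none."""
    candidates = []
    for url, policy, mode in endpoints:
        label = classify(policy, mode)
        if label == "acceptable" or (label == "sign-only" and not require_encryption):
            candidates.append((POLICY_RANK[policy], MODE_RANK[mode], url, policy, mode))
    if not candidates:
        return None                # refuse to fall back to None/deprecated silently
    _, _, url, policy, mode = max(candidates)
    return (url, policy, mode)


if __name__ == "__main__":
    for url, policy, mode in ENDPOINTS:
        print(f"{classify(policy, mode):11} {policy.rsplit('#', 1)[1]:22} {mode}")
    print("chosen:", choose_endpoint(ENDPOINTS))
```

Returning None rather than the best available endpoint is the point: a client that "helpfully" downgrades to SecurityPolicy#None when nothing better is offered is exactly how an unencrypted channel ends up in production.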
Tools for Protecting Your Network
[Diagram: SCADA network → TX interface → unidirectional gateway → RX interface → IT network; data can flow out of the SCADA network only]
Unidirectional Gateways (data diodes) are an option for standalone networks with tight controls over what goes in and out.
Tools for Protecting Your Network
Physical Security:
• Because control devices like PLCs often cannot be locked down the way IT hosts can (many speak unauthenticated protocols and accept commands from anything on their network), it is essential to implement physical security measures, such as the following:
- Badges & badge readers
- Physical media controls (including laptops, phones, USB keys)
- Video monitoring
- Policies and training
- Guards
Security Hardening in Ignition
• The following steps are intended to provide general guidance on how to set up and secure your Ignition installation
• General suggestions regarding the hardware and network where Ignition is installed
Security Hardening in Ignition
Secure the Gateway
• Change the Admin Password
• Configure Access for the Gateway
• Enable SSL/TLS
- Acquire and install a certificate for Ignition from a certificate authority your clients trust (highly recommended; a self-signed certificate encrypts the session but gives clients no way to verify that they reached the real Gateway)
Demo: Securing the Gateway
Security Hardening in Ignition
Device, MQTT, and OPC Security
• OPC UA Communication
• Native Device Communication
• MQTT
Demo: Device, MQTT, and OPC Security
Security Hardening in Ignition
Use Security Zones
• A Security Zone is a list of Gateways, Computers, or IP addresses that are defined and grouped together.
• When zones are defined, you can place additional policies & restrictions on them.
• Provides read-only and read/write access to specified locations.
• Helps keep different areas of the business separate while allowing them to interconnect.
Demo: Security Zones
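To make the zone idea concrete, the following added example (not Ignition's or the webinar's code) models zones as address ranges with a default access level and optional per-tag-provider overrides, and answers the question a Gateway has to answer on every request: may this source read, or write, this provider? Zone names, address ranges and provider names are constructed; unzoned sources are denied by default, and the most specific range wins when ranges overlap.

```python
"""Security Zone policy evaluation, modelled on the zone concept above.

Added example, not Ignition code. Each zone is a CIDR range with a
default access level; (zone, provider) overrides tighten or loosen it.
Zone names, ranges and provider names are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Optional

NONE, READ_ONLY, READ_WRITE = 0, 1, 2     # increasing privilege

# Constructed zones; the most specific matching range wins on overlap.
ZONES = {
    "control_room": {"cidr": "10.10.1.0/24", "default": READ_WRITE},
    "plant_floor": {"cidr": "10.10.0.0/16", "default": READ_ONLY},
    "corporate_it": {"cidr": "192.168.0.0/16", "default": READ_ONLY},
}

# Per-(zone, tag provider) overrides; anything unlisted uses the zone default.
PROVIDER_POLICY = {
    ("corporate_it", "safety_plc"): NONE,          # IT never sees the safety PLC
    ("plant_floor", "hmi_setpoints"): READ_WRITE,  # operators may change setpoints
}

NETWORKS = {name: ip_network(z["cidr"]) for name, z in ZONES.items()}


def zone_for(ip: str) -> Optional[str]:
    """Most specific zone containing ip, or None when the source is unzoned."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in NETWORKS.items() if addr in net]
    return max(matches)[1] if matches else None


def access_level(ip: str, provider: str) -> int:
    zone = zone_for(ip)
    if zone is None:
        return NONE                         # default deny: unknown sources get nothing
    return PROVIDER_POLICY.get((zone, provider), ZONES[zone]["default"])


def authorize(ip: str, provider: str, write: bool) -> bool:
    """True if the source may read (or write, when requested) the provider."""
    return access_level(ip, provider) >= (READ_WRITE if write else READ_ONLY)


if __name__ == "__main__":
    for ip, provider, write in [("10.10.1.15", "safety_plc", True),
                                ("10.10.5.7", "safety_plc", True),
                                ("192.168.4.2", "safety_plc", False),
                                ("172.16.0.1", "hmi_setpoints", False)]:
        verb = "write" if write else "read"
        decision = "allow" if authorize(ip, provider, write) else "deny"
        print(f"{ip:>13} {verb:5} {provider:14} -> {decision}")
```

The two behaviours worth copying into any real zone configuration are the default deny for addresses that match no zone and the explicit NONE override that keeps the corporate network off the safety PLC even though it can read everything else.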
Security Hardening in Ignition
Define Application Security
• Client Security
• Designer Security
• Tag Security
• Named Queries
Demo: Defining Application Security
Security Hardening in Ignition
Set Up Audit Logging
• Audit Profiles are simple to set up, and immediately start recording events.
• Only tag writes and SQL UPDATE, INSERT, and DELETE statements are recorded (reads and SELECT queries do not appear in the trail); each record carries a timestamp.
Demo: Setting Up Audit Logging
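An audit trail only deters insiders if someone reads it. The following added example (not Ignition's or the webinar's code) runs a few review rules over records in the shape an audit profile stores (timestamp, actor, actor host, action, target, value): use of the default admin account, any SQL DELETE, tag writes outside shift hours, and a burst of writes from one actor. The records, actors, hosts, tag paths and shift hours are constructed assumptions.

```python
"""Review an audit trail for the event types the slide says a profile records.

Added example, not Ignition code. AUDIT_LOG is constructed; the rules
and thresholds are assumptions to adapt to the site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# (timestamp, actor, actor_host, action, target, value); constructed records.
AUDIT_LOG = [
    ("2017-09-14 08:02:11", "jsmith", "10.10.1.15", "tag write", "[default]Line1/Setpoint", "75.0"),
    ("2017-09-14 08:02:40", "jsmith", "10.10.1.15", "tag write", "[default]Line1/Setpoint", "76.0"),
    ("2017-09-14 23:41:05", "admin", "192.168.4.2", "tag write", "[default]Line2/PumpEnable", "false"),
    ("2017-09-14 23:41:06", "admin", "192.168.4.2", "tag write", "[default]Line2/Setpoint", "0.0"),
    ("2017-09-14 23:41:06", "admin", "192.168.4.2", "tag write", "[default]Line2/AlarmAck", "true"),
    ("2017-09-14 23:41:07", "admin", "192.168.4.2", "tag write", "[default]Line2/Mode", "manual"),
    ("2017-09-14 23:41:09", "admin", "192.168.4.2", "sql delete", "alarm_events",
     "DELETE FROM alarm_events WHERE eventtime > '2017-09-14 23:00:00'"),
    ("2017-09-15 10:15:00", "mjones", "10.10.1.22", "sql update", "recipes",
     "UPDATE recipes SET target_temp = 180 WHERE id = 7"),
]

SHIFT_START, SHIFT_END = 6, 22                      # writes outside 06:00-22:00 are unusual (assumption)
BURST_COUNT, BURST_WINDOW = 4, timedelta(seconds=10)  # scripted or runaway client (assumption)
DEFAULT_ACCOUNTS = {"admin"}                        # the account the Gateway ships with
FMT = "%Y-%m-%d %H:%M:%S"

Finding = Tuple[str, str, str, str]                 # (rule, actor, host, timestamp)


def review(records) -> List[Finding]:
    """Apply the review rules; every finding names who, from where and when."""
    findings: List[Finding] = []
    writes = defaultdict(list)                      # actor -> [(timestamp, host)]
    for ts_text, actor, host, action, _target, _value in records:
        ts = datetime.strptime(ts_text, FMT)
        action = action.lower()
        if actor in DEFAULT_ACCOUNTS:
            findings.append(("default-account", actor, host, ts_text))
        if action == "sql delete":
            findings.append(("sql-delete", actor, host, ts_text))
        if action == "tag write":
            if not SHIFT_START <= ts.hour < SHIFT_END:
                findings.append(("after-hours-write", actor, host, ts_text))
            writes[actor].append((ts, host))
    # Burst rule: BURST_COUNT tag writes by one actor inside BURST_WINDOW.
    for actor, stamps in writes.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_COUNT + 1):
            first, last = stamps[i], stamps[i + BURST_COUNT - 1]
            if last[0] - first[0] <= BURST_WINDOW:
                findings.append(("write-burst", actor, first[1], first[0].strftime(FMT)))
                break                               # one finding per actor is enough
    return findings


if __name__ == "__main__":
    for rule, actor, host, when in review(AUDIT_LOG):
        print(f"{when}  {rule:18} {actor}@{host}")
```

The sample deliberately has the admin account, late at night, from a corporate address, disabling a pump and then deleting alarm history; every one of those facts is only available because the profile records the actor host alongside the action, which is why the slide stresses "who did what from where".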
Security Hardening in Ignition
Protect the Database
• Rather than using a database owner account such as root or sa, create a separate user account with only the privileges the Ignition Gateway connection needs.
• If your database supports TLS encryption, use it for the Ignition-to-database connection.
• When the database runs on a different server from the Gateway, the connection crosses the network: enable TLS on the database server and in the JDBC connection string (follow the driver’s documentation and the database’s own security settings), and make the driver verify the server certificate rather than only encrypt.
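Both recommendations above can be checked without touching the production database. The following added example (not Ignition's or the webinar's code) inspects a JDBC connection string for the TLS parameters that actually force certificate verification, using the real parameter names of MySQL Connector/J, PostgreSQL JDBC and Microsoft's SQL Server driver, and scores a MySQL-style `SHOW GRANTS` listing for owner accounts, dangerous or excess privileges, global scope and grant option. The grant lines, user names and the `ignition` schema are constructed; the set of privileges a Gateway "needs" is an assumption (it creates and alters its own history and journal tables, and drops old partitions when pruning).

```python
"""Offline checks for the Ignition-to-database connection described above.

Added example, not Ignition code. Driver parameter names are real;
grant lines, user names and schema are constructed.
"""
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

OWNER_ACCOUNTS = {"root", "sa", "postgres", "sysdba"}
DANGEROUS = {"ALL PRIVILEGES", "ALL", "SUPER", "FILE", "PROCESS", "SHUTDOWN", "CREATE USER", "RELOAD"}
# Assumption: the Gateway creates/alters its own tables and drops pruned history partitions.
NEEDED = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "ALTER", "INDEX", "DROP"}


def jdbc_tls_verified(url: str) -> bool:
    """True only if the URL both encrypts and verifies the server certificate."""
    if url.startswith("jdbc:sqlserver:"):
        props = dict(p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
        return (props.get("encrypt", "false").lower() == "true"
                and props.get("trustServerCertificate", "false").lower() == "false")
    params = {k: v[-1] for k, v in parse_qs(urlsplit(url[len("jdbc:"):]).query).items()}
    if url.startswith("jdbc:mysql:"):
        mode = params.get("sslMode", "").upper()            # Connector/J 8.0 style
        if mode:
            return mode in {"VERIFY_CA", "VERIFY_IDENTITY"}
        return (params.get("useSSL", "").lower() == "true"  # Connector/J 5.1 style
                and params.get("verifyServerCertificate", "").lower() == "true")
    if url.startswith("jdbc:postgresql:"):
        return params.get("sslmode", "").lower() in {"verify-ca", "verify-full"}
    return False                                            # unknown driver: do not assume


GRANT_RE = re.compile(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s", re.I)


def grant_problems(user: str, grants: List[str], schema: str) -> List[str]:
    """Return problem codes for the account; an empty list means acceptable."""
    problems = []
    if user.lower() in OWNER_ACCOUNTS:
        problems.append("owner-account")
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")} - {"USAGE"}  # USAGE = no privileges
        target = m.group(2).replace("`", "").replace('"', "")
        if re.search(r"WITH\s+GRANT\s+OPTION", line, re.I):
            problems.append("grant-option")
        if privs & DANGEROUS:
            problems.append("dangerous-privilege")
        if privs - DANGEROUS - NEEDED:
            problems.append("excess-privilege")
        if privs and target == "*.*":
            problems.append("global-scope")
        elif privs and not target.startswith(schema + "."):
            problems.append("wrong-schema")
    return problems


# Constructed SHOW GRANTS output for the two accounts being compared.
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
LIMITED_GRANTS = [
    "GRANT USAGE ON *.* TO 'ign_gw'@'10.10.1.%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON `ignition`.* TO 'ign_gw'@'10.10.1.%'",
]

if __name__ == "__main__":
    print("root   :", grant_problems("root", ROOT_GRANTS, "ignition"))
    print("ign_gw :", grant_problems("ign_gw", LIMITED_GRANTS, "ignition"))
    print("tls ok :", jdbc_tls_verified("jdbc:mysql://db.plant.local:3306/ignition?sslMode=VERIFY_IDENTITY"))
```

Note the distinction the URL check enforces: `useSSL=true`, `sslmode=require` or `trustServerCertificate=true` all encrypt the session but let any host that answers on the port impersonate the database, so the Gateway's credentials and process data would still be exposed to an on-path attacker.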
Security Hardening in Ignition
Securing Java
• Change Java security settings
• Keep Java up-to-date
• Disable the Java Plug-In in web browsers
Security Hardening in Ignition
Turning on the Firewall
• Enable firewall for all traffic
• Allow needed ports through
Demo: Configuring Windows Firewall
Security Hardening in Ignition
Active Directory and Authentication Services
• Group Access and Disabling Auto Login
• User Accounts
• LDAP protocol security (use LDAPS or StartTLS; a simple bind over plaintext LDAP sends the password in the clear)
Demo: Active Directory & Authentication Services
Security Hardening in Ignition
Keep Ignition Up-to-Date
• Software security requires constant effort and maintenance
• Security updates are released periodically to ensure continued
protection
• Keeping up-to-date with updates is strongly recommended
Summary
Questions & Comments
Jim Meisler x227
Vannessa Garcia x231
Vivian Mudge x253
Account Executives
Myron Hoertling x224
Shane Miller x218
Ramin Rofagha x251
Maria Chinappi x264
Dan Domerofski x273
Lester Ares x214
Melanie Hottman
Director of Sales:
800-266-7798 x247
Jeff Osterback x207
Kevin McClusky
Co-Director of Sales Engineering:
x237
kmcclusky@inductiveautomation.com
Design Like a Pro: SCADA Security Guidelines
