SCADA Security Tips from an InduSoft Expert

As technologies evolve and enable higher levels of connectivity, the vulnerability of industrial automation systems to cyber attacks has been a topic of increasing concern for vendors, system integrators, and end users. The recent incident with the Stuxnet virus sparked even more discussion on SCADA security and represented a wake-up call to the few who remained skeptical about the potential of such an attack.

The cost savings and productivity gains from integrating control networks with business systems are too high in the competitive landscape to be ignored. On the other hand, the truth is that “the only system 100% secure is a system that does not work at all”. In other words, the real question is “How secure (or how vulnerable) is your system?”

InduSoft understands that security is a core component of HMI/SCADA systems, and this component must evolve continuously as new standards, technologies, and architectures emerge. InduSoft Web Studio, the HMI/SCADA software developed by InduSoft, offers several features to increase the security of the systems where it is deployed:

  • Support for encryption (Secure Sockets Layer – SSL) for communication over TCP/IP with the Thin Client stations.
  • Support for Server Certificate (Security Policy) on its native OPC UA Client module.
  • Built-in security system with multiple group levels. A device driver blocks keyboard commands at a very low level and allows you to lock the operator on the HMI/SCADA interface, blocking commands such as Alt+Tab, Windows key, Ctrl+Alt+Delete, Alt+F4, so the operator cannot shut down the application or switch to the desktop or any other unauthorized application.
  • The Secure Viewer Thin Client offers a Thin Client solution, with support for all features of the native security system of InduSoft Web Studio.
  • Ability to filter the access to the Server based on IP Address ranges of the clients (useful for systems designed for LAN only).
  • Web Tunneling Gateway interface, supporting remote access to the runtime station through firewalls, via HTTP or HTTPS protocols.
  • Continuous support for the latest patches and versions of Microsoft operating systems.
  • Support for the Windows CE operating system (a truly embedded operating system from Microsoft, especially suitable for local HMIs).
  • Compatibility with the major anti-virus packages in the market.

In addition to the built-in features provided by the product, the end user must enforce processes to increase the level of security of the system. Good practices include:

  • Anti-virus protection: Use anti-virus software on each computer, but test it to avoid incompatibility with the control system.
  • Business Network isolated from the Control Network: Use two NICs in the stations that link different areas of the system (e.g., the business network with the control network) and configure firewalls so that information flows from the control network to the business network (not the other way around, unless it is necessary).
  • Design and test contingency plans (disaster recovery plans): Back up an image of each computer, so it can be restored to a safe state should the system become infected. Use a hardkey as the licensing method.
  • “Clean” the stations: Remove unnecessary software and hardware components (including additional Ethernet ports) and keep the OS and anti-virus updated (after testing compatibility in an isolated station).
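
The network isolation practice and the IP address range filtering described above can be checked against observed traffic. The following is an added example, not InduSoft code: it audits connection records for flows that break the "control to business only" rule. The address ranges, the exception entry, the record format and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not taken from the article).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")
BUSINESS_NET = ipaddress.ip_network("192.168.50.0/24")
# Documented "unless it is necessary" exceptions: (business src, control dst, port).
EXCEPTIONS = {("192.168.50.20", "10.10.0.5", 443)}

# Constructed flow records, one per line: "initiator responder dst_port".
SAMPLE_FLOWS = """\
10.10.0.5 192.168.50.10 1433
192.168.50.20 10.10.0.5 443
192.168.50.77 10.10.0.5 502
203.0.113.9 10.10.0.5 80
10.10.0.7 10.10.0.5 502
"""

def zone(addr):
    """Map an address to 'control', 'business' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip in CONTROL_NET:
        return "control"
    return "business" if ip in BUSINESS_NET else "other"

def classify(src, dst, port):
    """Return 'allow' or a violation label for one initiated connection."""
    s, d = zone(src), zone(dst)
    if d == "control":
        if s == "control":
            return "allow"
        if s == "business":
            ok = (src, dst, port) in EXCEPTIONS
            return "allow" if ok else "business-to-control"
        return "outside-allowed-ranges"
    if s == "control" and d == "other":
        return "control-to-unknown"
    return "allow"

def audit(text):
    """Return [(line_number, violation)] for every non-compliant record."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            src, dst, port = line.split()
            verdict = classify(src, dst, int(port))
        except ValueError:  # wrong field count, bad address or bad port
            verdict = "malformed"
        if verdict != "allow":
            findings.append((n, verdict))
    return findings

if __name__ == "__main__":
    for n, verdict in audit(SAMPLE_FLOWS):
        print(f"line {n}: {verdict}")
```

Records are keyed on the initiator of the connection, so return traffic for an allowed control-to-business session is not flagged.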

Special thanks to Fabio Terezinho, head of Consulting Services at InduSoft, for this valuable information on SCADA security.
