As technologies evolve and enable higher levels of connectivity, the vulnerability of industrial automation systems to cyber attacks has been a topic of increasing concern for vendors, system integrators, and end users. The recent incident with the Stuxnet virus sparked even more discussion on SCADA security and represented a wake-up call to the few who remained skeptical about the potential of such attacks.
The cost savings and productivity gains from integrating control networks with business systems are too high in the competitive landscape to be ignored. On the other hand, the truth is that “the only system 100% secure is a system that does not work at all”. In other words, the real question is “How secure (or how vulnerable) is your system?”
InduSoft understands that security is a core component of HMI/SCADA systems, and this component must evolve continuously as new standards, technologies, and architectures emerge. InduSoft Web Studio, the HMI/SCADA software developed by InduSoft, offers several features to increase the security of the systems where it is deployed:
- Support for encryption (Secure Sockets Layer – SSL) for communication over TCP/IP with the Thin Client stations.
- Support for Server Certificate (Security Policy) on its native OPC UA Client module.
- Built-in security system with multiple group levels. A device driver blocks keyboard commands at a very low level and allows you to lock the operator into the HMI/SCADA interface, blocking commands such as Alt+Tab, Windows key, Ctrl+Alt+Delete, and Alt+F4, so the operator cannot shut down the application or switch to the desktop or any other unauthorized application.
- The Secure Viewer Thin Client offers a Thin Client solution, with support for all features of the native security system of InduSoft Web Studio.
- Ability to filter the access to the Server based on IP Address ranges of the clients (useful for systems designed for LAN only).
- Web Tunneling Gateway interface, supporting remote access to the runtime station through firewalls, via HTTP or HTTPS protocols.
- Continuous support for the latest patches and versions of Microsoft operating systems.
- Support for the Windows CE operating system (a truly embedded operating system from Microsoft, especially suitable for local HMIs).
- Compatibility with the major anti-virus packages in the market.
In addition to the built-in features provided by the product, the end user must enforce processes to increase the level of security of the system. Good practices include:
- Anti-virus protection: Use anti-virus software on each computer, but test it to avoid incompatibility with the control system.
- Business Network isolated from the Control Network: Use two NIC cards in the stations that link different areas of the system (e.g., the business network with the control network) and configure firewalls so that information flows from the control network to the business network (not the other way around, unless it is necessary).
- Design and test contingency plans (disaster recovery plans): Back up an image of each computer, so it can be restored to a safe state should the system become infected. Use a hardkey as the licensing method.
- “Clean” the stations: Remove unnecessary software and hardware components (including additional Ethernet ports) and keep the OS and anti-virus updated (after testing compatibility in an isolated station).
Special thanks to Fabio Terezinho, head of Consulting Services at InduSoft, for this valuable information on SCADA security.