HMI-20_2006-Plant-Security-Traceability-Electronic-Records


HMI-20
Plant Security, Traceability,
and Electronic Records
Mark Hepburn
ICONICS Worldwide Customer Summit – September 2006
Securing HMI/SCADA Networks
• Network Security Is Critical For Today’s HMI/SCADA
• Networks are Everywhere
• Managing Security is Difficult
• People want “everything connected from anywhere”
• But the Risks Must be Managed
• SIMPLY and SECURELY!
Security Should be Central to Your System
Secure Connectivity Is Key
Limit Access To Any Client
ICONICS Security Environment
ICONICS Components Providing Security
• Security Server
• Secure Desktop
• GenBroker (Network Level Security)
Complement Windows Operating System And Network Security
• Synchronizes User Profiles
Security at communication protocol level
Biometric Integration
Security via network segregation/separation
Biometrics Increase Security
Tools for FDA 21 CFR 11 Compliance
Let’s Demonstrate
HMI-20
ICONICS Security Server
Phil Koehler
ICONICS Worldwide Customer Summit – September 2006
Configuring The ICONICS Security Server
The ICONICS Security Server provides restricted access to functions based on the concept of a logged-in user.
V9 Security Server is now under the “ICONICS Tools” program group
Choose Security Type
Choose “Basic” or “Advanced” Modes
Advanced Options
• Standard ICONICS
• Integrated NT Security or Active Directory
  - Single Sign-on
Security Config File Features
Configuration is saved in protected file format
Saved to local or network server locations
May be accessed from any networked node
Security Administration
An “Administrator” must be established.
• At least one user must be established with “Security System Administrator” privileges enabled.
There may be multiple administrators
Group and User Permissions
Security May Be Established In “Groups” And/Or For Individual “Users”
Users Have Rights Of All Associated Groups
• Plus His Own Personal Privileges
Configurable Properties
Allows configuration of user details and general properties
Configurable Properties
Allows shift patterns to be defined for users
Prevents access using the username and password at specified times
Configurable Properties
Account policy can be defined with fine granularity
Similar functionality to Windows
Default Group
Restrict Privileges To Anyone Using The PC
• Regardless Of Login
Restricting Application Privileges
Lock-Down many GENESIS32 Application Functions:
• By User or Group
• By Function Tree
• By Module
  - Dozens of Functions
  - E.g. Prohibit Exit Runtime
Restrictions Apply Immediately Upon Change
Easy Administration
Restrictions may be applied to sets of functions
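The permission rules on the preceding slides (group rights plus personal privileges, shift patterns, the Default Group for anyone at the PC) modelled as an added Python example; this is not ICONICS code, and the function-tree paths, users, groups and hours are constructed, as is the assumption that the Default Group is a floor every session keeps.

```python
"""Added model (not ICONICS code) of the Security Server rules the slides
describe: a user holds the rights of all associated groups plus personal
rights, a shift pattern refuses the username/password outside allowed hours,
and the Default Group bounds what anyone at the PC may do with no login.
Function paths, users and hours below are constructed examples."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Group:
    name: str
    rights: set = field(default_factory=set)   # allowed function-tree paths

@dataclass
class User:
    name: str
    groups: list
    rights: set = field(default_factory=set)   # personal privileges
    shift: tuple = None                        # (start_hour, end_hour) or None

# Constructed configuration. Any function not granted here is locked down.
DEFAULT_GROUP = Group("Default", {"GraphWorX32/Runtime/View"})
OPERATORS = Group("Operators", {"AlarmWorX32/Acknowledge"})
ENGINEERS = Group("Engineers", {"GraphWorX32/Runtime/Exit",
                                "GraphWorX32/Configure"})
USERS = {
    "op1": User("op1", [OPERATORS], {"TrendWorX32/Export"}, shift=(6, 18)),
    "eng1": User("eng1", [OPERATORS, ENGINEERS]),
}

def at_hour(hour):
    """Constructed timestamp on an arbitrary day, used for shift checks."""
    return datetime(2006, 9, 1, hour)

def login_allowed(user, now):
    """Shift pattern: the credentials only work inside the allowed hours."""
    if user.shift is None:
        return True
    start, end = user.shift
    return start <= now.hour < end

def effective_rights(user):
    """Assumption: the Default Group is a floor every session keeps; group
    rights and personal privileges are unioned on top of it."""
    rights = set(DEFAULT_GROUP.rights)
    for group in user.groups:
        rights |= group.rights
    return rights | user.rights

def can_use(user, function, now):
    """user=None means nobody is logged in. A login refused by the shift
    pattern leaves the session with Default Group rights only."""
    if user is None or not login_allowed(user, now):
        return function in DEFAULT_GROUP.rights
    return function in effective_rights(user)
```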
Editing Existing Configurations
Enter a “Security Server Administrator” User Name and Password
Emergency password may be obtained from ICONICS.
• Provide the “Challenge Code” to ICONICS Global Technical Support Personnel
Establishing Global “Critical Points”
Force Login to Change “Critical Points”
Click on Graphic for a Demo
Log Into ICONICS Security Server
Establishing Global “Critical Alarms”
Force Login before a “Critical Alarm” can be acknowledged
Critical Points
Let’s Demonstrate
HMI-20
Demo
Critical Points
NT Security Integration
Rob Stanton
ICONICS Worldwide Customer Summit – September 2006
HMI-20
GENBROKER SECURITY
Dave Hellyer
ICONICS Worldwide Customer Summit – September 2006
Communication Protocol Security
ICONICS Products use a client-server architecture
Use the GenClient/GenBroker architecture to communicate with
• OPC Servers, DA, HDA, A&E, XML-DA
• ICONICS Administrative Servers
  - Security & License
• SNMP
Can use a variety of transport methods
• COM/DCOM, TCP/IP, SOAP/XML
COM/DCOM
Original communication infrastructure used between OPC Clients & Servers
Can be used for single node and network based applications
Requires DCOM security rights on server and client to be configured
• Client rights required for call-backs
• Both server and client need to belong to the same NT domain, or a trust relation between domains must be established
COM/DCOM
Not particularly firewall friendly
• Requires port restriction
• Default range is 1024 – 65535
• Port configuration via registry
COM/DCOM
(Diagram: GraphWorX32 (Client Application) – GenClient – OPC Server)
GenBroker – TCP/IP
ICONICS Communication Architecture
Uses native TCP/IP communication to encapsulate OPC calls
Communicates to all OPC Servers via GenBroker service
Communicates at near DCOM speeds
Can be used over any IP based carrier
• Internet, Intranet, PPP, GPRS, etc.
GenBroker – TCP/IP
Only requires single server side port
• Firewall friendly
• Default port 38080, can be changed
Integration with ICONICS security model
GenBroker – TCP/IP
(Diagram: GraphWorX32 (Client Application) – GenClient – GenBroker – OPC Server)
GenBroker – SOAP/XML
ICONICS Communication Infrastructure
Uses native SOAP/XML communication to encapsulate OPC calls
Communicates to all OPC Servers via IIS and GenBroker service
Only requires single server side port
• Standard HTTP port
Supports OPC DA, HDA, A&E
GenBroker – SOAP/XML
(Diagram: GraphWorX32 (Client Application) – GenClient – IIS – GenBroker – OPC Server)
COM/DCOM - TCP/IP - SOAP/XML
GenBroker transport comparison

Property                            DCOM   TCP/IP   SOAP/XML
Security                            ++     +++      +++
- On users                          Yes    Yes      Yes
- On nodes                          Yes    Yes      Yes
- On client applications            No     Yes      Yes
Ease of configuration               +      +++      ++
- Requires client OS configuration  Yes    No       No
Firewall friendliness               +      +++      ++++
Communication speed                 +++    +++      +
Administrative Servers
GenBroker can be configured to use a (local)\remote Primary Server and a Secondary Server if available
Administrative Servers can be set up as TRUE client/server
Communication Channels
OPC Direct (default)
Direct channel over DCOM
Direct channel over TCP/IP
Direct channel over SOAP/XML
Indirect channel via a mediator node
Advanced Client Security For Secure OPC Tunneling
Remote OPC Server Credential Configuration Dialogue
User defined credentials for automatic login to Servers requiring credentials
Advanced Server Settings
Turn off bindings to unnecessary network cards
Disable OPC over SOAP/XML if not used
Disable OPC over DCOM if not used for networking
Advanced Server Security
Data Servers can be locked down to deny write access
Functionality can be restricted
All writes can require Encrypted Credentials
Advanced Server Client IDs
Require Client IDs to limit access
Restrict Client Node access
Allowed Security Server Nodes
Allowed License Server Nodes
Require Client Versions
Advanced Server License Restrictions
Preferred Node list will grant Mission-Critical nodes preferential license access
Can reserve Client Units for preferential license access
HMI-20
Demo
GenBroker
Limiting Network Node Access
Rob Stanton
ICONICS Worldwide Customer Summit – September 2006
HMI-20
Biometric Security
ICONICS Worldwide Customer Summit – September 2006
Requires Unique Physical Features
Identification
Unique Login
Integrated NT Security
Keep It Changing
Unauthorized Login Attempts
Audit Trails
Revision and Change Control
Traceability Reporting
Data Stored Securely in SQL, MSDE, Oracle
• GenEvent Server
• AlarmWorX32, TrendWorX32, BridgeWorX
Reporting Tools
• AlarmWorX32 Reporting
• ReportWorX
• GraphWorX32
• PortalWorX
HMI-20
Demo
ICONICS Traceability and Reporting
ICONICS Worldwide Customer Summit – September 2006
HMI-20
Architecting Networks for Plant Security
Rob Stanton
ICONICS Worldwide Customer Summit – September 2006
Network Security
Today’s Process Control Networks are becoming more integrated with Enterprise Networks
This requires a closer look at the security between the Enterprise Networks and Process Control
• Ensure production and safety are not put at risk
It is generally accepted that a firewall solution is the way to provide a connection between Enterprise Networks and Process Control
• Maintain a secure network
Network Architecture Options
Physical separation
“Dual homed” computers
• With and without firewalls
Router with packet filtering
Firewall
Firewall with DMZ
Firewall with DMZ and only outbound connections from the Process Control Network
Use of VLANs
Physical Segregation
(Diagram: Enterprise Network | Process Control Network)
Physical Separation
✓ No direct attack risk
✓ Physical access to the Process Control Network is required
But…
× No direct data transfer between the Process Control Network and Enterprise Network possible
× Requires manual interaction to transfer data (sneaker net)
Dual homed computers
(Diagram: Enterprise Network | dual homed computer | Process Control Network)
Dual homed computers
✓ Simple connection between two networks allows for easy data transfer
But…
× Widely seen as easy targets for attacks
× Significant security risk
× Direct internet connection potentially possible from dual homed computers
Dual homed + Personal Firewall
(Diagram: Enterprise Network | dual homed computer with personal firewall | Process Control Network)
Dual homed + Personal Firewall
✓ Simple connection between two networks allows for easy data transfer
✓ Communication limited to servers only
But…
× Limited granularity, e.g. controller access either blocked or allowed
× Difficult to maintain for multiple servers
× Direct internet connection potentially possible from dual homed computers
Router with packet filtering
(Diagram: Enterprise Network | Router with packet filters and rules | Process Control Network)
Router with packet filtering
✓ Enforces device-to-device rules, allowing only servers access to the Process Control Network
But…
× Requires a secure Enterprise Network
× Limited protection against sophisticated assaults, due to lack of stateful inspection
2 port Firewall
(Diagram: Enterprise Network | Firewall | Process Control Network)
2 port Firewall
✓ Stateful packet inspection
? In which network will the shared server be
But…
× Either requires a rule to allow shared server access to the Process Control Network
  × Risk of spoofed shared server
× Or requires a rule to allow Enterprise Network computers access to the shared server on the Process Control Network
  × Risk of flaws in application layer software on shared server
Firewall with DMZ
(Diagram: Enterprise Network | Firewall with DMZ | Process Control Network)
Firewall with DMZ
✓ Stateful packet inspection
✓ No direct path from the Enterprise Network to the Process Control Network
Servers in DMZ have access to the Process Control Network
EN computers access servers in DMZ
But…
× Increased complexity may lead to configuration errors
Outbound Connections Only
(Diagram: Enterprise Network | Firewall with DMZ | Process Control Network)
Outbound Connections Only
✓ Stateful packet inspection
✓ No inbound connections to the Process Control Network
Servers in the Process Control Network store data in DMZ based data stores
Enterprise Network computers access servers in DMZ
But…
× Increased complexity may lead to configuration errors
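The firewall options compared above, checked as zone-level policies in an added Python example (not ICONICS material): a rule (src, dst) means the stateful firewall lets hosts in zone src initiate connections to zone dst, the three rulesets are constructed stand-ins for the 2 port Firewall (shared server on the PCN), Firewall with DMZ, and Outbound Connections Only slides, and the transitive check assumes an intermediate zone's server could be compromised, the application-layer risk the slides list.

```python
"""Added example (not ICONICS material) that audits a zone-level firewall
policy against the architectures on the slides. A rule (src, dst) means the
stateful firewall lets hosts in zone src INITIATE connections to zone dst;
reply traffic is allowed implicitly. Zone names and rulesets are constructed."""
EN, DMZ, PCN = "Enterprise", "DMZ", "ProcessControl"

# Constructed rulesets for three options from the slides.
TWO_PORT_SHARED_ON_PCN = {(EN, PCN)}          # EN reaches shared server in PCN
FIREWALL_WITH_DMZ = {(EN, DMZ), (DMZ, PCN)}   # DMZ servers pull from the PCN
OUTBOUND_ONLY = {(EN, DMZ), (PCN, DMZ)}       # PCN pushes to DMZ data stores

def initiators_into(rules, target):
    """Zones allowed to open a connection directly into `target`."""
    return {src for src, dst in rules if dst == target}

def reachable_from(rules, start):
    """Zones reachable from `start` by chaining allowed initiation
    directions (transitive closure). Each extra hop assumes the server in
    the intermediate zone is compromised, the 'flaws in application layer
    software on shared server' risk the slides list."""
    seen, frontier = set(), [start]
    while frontier:
        zone = frontier.pop()
        for src, dst in rules:
            if src == zone and dst != start and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen

def no_inbound_to_pcn(rules):
    """The 'Outbound Connections Only' property: nothing initiates into PCN."""
    return not initiators_into(rules, PCN)

def enterprise_path_to_pcn(rules):
    """True if an Enterprise host could reach the PCN directly or via hops."""
    return PCN in reachable_from(rules, EN)

def audit(rules):
    """Summarise a ruleset the way the slides' pro/con lists do."""
    return {
        "initiators_into_pcn": initiators_into(rules, PCN),
        "no_inbound_to_pcn": no_inbound_to_pcn(rules),
        "enterprise_can_reach_pcn": enterprise_path_to_pcn(rules),
    }
```

Running audit() over a site's real zone rules shows whether a DMZ design actually delivers the "no inbound connections to the Process Control Network" property or merely moves the inbound rule one hop away.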
Separation into VLANs
(Diagram: Enterprise Network; HMI VLAN; Server in HMI VLAN, PLC VLAN 1 and PLC VLAN 2; PLC VLAN 1; PLC VLAN 2; Process Control Network)
Separation into VLANs
✓ Limit allowed communication between devices on the same physical LAN
✓ Prevents propagation of unwanted traffic across all devices
But…
× To be used to separate devices in the Process Control Network rather than for separation of Enterprise Network/DMZ and the Process Control Network.
Simple ways to harden your site
It’s the simple things…
Isolate networks
• Install firewalls between IT and plant networks
Turn off unnecessary services
• Turn off IIS, Telnet, FTP, Remote Desktop where not required (reduce attack surface)
Restrict access to important machines
• Lock them up