ICONICS Worldwide Customer Summit – September 2006 Plant Security, Traceability, and Electronic Records HMI-20 Mark Hepburn.


1 ICONICS Worldwide Customer Summit – September 2006 Plant Security, Traceability, and Electronic Records HMI-20 Mark Hepburn

2 Securing HMI/SCADA Networks
- Network Security Is Critical For Today’s HMI/SCADA
- Networks are Everywhere
- Managing Security is Difficult
- People want “everything connected from anywhere”
- But the Risks Must be Managed SIMPLY and SECURELY!

3 Security Should be Central to Your System

4 Secure Connectivity Is Key

5 Limit Access To Any Client

6 ICONICS Security Environment
ICONICS Components Providing Security:
- Security Server
- Secure Desktop
- GenBroker (Network Level Security)
- Complement Windows Operating System And Network Security
- Synchronizes User Profiles
- Security at communication protocol level
- Biometric Integration
- Security via network segregation/separation

7 Biometrics Increase Security

8 Tools for FDA 21 CFR 11 Compliance

9 Let’s Demonstrate

10 ICONICS Worldwide Customer Summit – September 2006 ICONICS Security Server HMI-20 Phil Koehler

11 Configuring The ICONICS Security Server
- The ICONICS Security Server provides restricted access to functions based on the concept of a logged-in user.
- The V9 Security Server is now under the “ICONICS Tools” program group

12 Choose Security Type
- Choose “Basic” or “Advanced” Modes
- Advanced Options:
  - Standard ICONICS
  - Integrated NT Security or Active Directory - Single Sign-on

13 Security Config File Features
- Configuration is saved in protected file format
- Saved to local or network server locations
- May be accessed from any networked node

14 Security Administration
- An “Administrator” must be established.
- At least one user must be established with “Security System Administrator” privileges enabled.
- There may be multiple administrators

15 Group and User Permissions
- Security May Be Established In “Groups” And/Or For Individual “Users”
- Users Have the Rights Of All Associated Groups Plus Their Own Personal Privileges

16 Configurable Properties
- Allows configuration of user details and general properties

17 Configurable Properties
- Allows shift patterns to be defined for users
- Prevents access using the username and password at specified times

18 Configurable Properties
- Account policy can be defined with fine granularity
- Similar functionality to Windows

19 Default Group
- Restrict Privileges To Anyone Using The PC Regardless Of Login

20 Restricting Application Privileges
- Lock-Down many GENESIS32 Application Functions:
  - By User or Group
  - By Function Tree
  - By Module - Dozens of Functions - E.g. Prohibit Exit Runtime
- Restrictions Apply Immediately Upon Change
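The following is an added example, not ICONICS code, that models the Security Server concepts from slides 14 through 20 so their interaction is concrete: a user's effective rights are the union of all associated groups plus personal privileges, the Default Group removes functions from everyone on the PC regardless of login, a shift window rejects a valid name and password outside assigned hours (including a night shift that wraps midnight), and an account policy locks the account after repeated bad passwords. All group names, function names, users, passwords and the lockout threshold are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time
import hashlib
import hmac

# Constructed account-policy value for this example.
MAX_FAILED_LOGINS = 3
# Default Group: functions denied to anyone using this PC, regardless of login.
DEFAULT_GROUP_DENIED = {"ExitRuntime"}


@dataclass
class Shift:
    """Time window in which a user's name and password are accepted."""
    start: time
    end: time

    def covers(self, t: time) -> bool:
        if self.start <= self.end:                 # shift within one day
            return self.start <= t < self.end
        return t >= self.start or t < self.end    # night shift wrapping midnight


@dataclass
class Group:
    name: str
    grants: set[str]                               # functions members may use


@dataclass
class User:
    name: str
    pw_hash: bytes
    groups: list[Group]
    grants: set[str] = field(default_factory=set)  # personal privileges
    shift: Shift | None = None                     # None = any time of day
    failed: int = 0
    locked: bool = False


def hash_password(pw: str) -> bytes:
    # Toy hashing for the example only; a real credential store uses a salted KDF.
    return hashlib.sha256(pw.encode()).digest()


def effective_privileges(user: User) -> set[str]:
    """Rights of all associated groups plus the user's own, minus Default Group lock-downs."""
    rights = set(user.grants)
    for group in user.groups:
        rights |= group.grants
    return rights - DEFAULT_GROUP_DENIED


def login(user: User, password: str, now: time) -> str:
    """Returns 'ok', 'bad-password', 'outside-shift' or 'locked'."""
    if user.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(password), user.pw_hash):
        user.failed += 1
        if user.failed >= MAX_FAILED_LOGINS:       # account policy: lock the account
            user.locked = True
            return "locked"
        return "bad-password"
    if user.shift is not None and not user.shift.covers(now):
        return "outside-shift"                     # valid credentials, wrong time
    user.failed = 0                                # successful login resets the counter
    return "ok"


def may_perform(user: User, function: str) -> bool:
    return function in effective_privileges(user)


def make_demo_users() -> dict[str, User]:
    """Constructed sample configuration (not real ICONICS data)."""
    operators = Group("Operators", {"AckAlarm", "WriteSetpoint"})
    engineers = Group("Engineers", {"EditGraphics", "ExitRuntime"})
    return {
        "alice": User("alice", hash_password("night-op-pw"), [operators],
                      grants={"ViewTrends"}, shift=Shift(time(22, 0), time(6, 0))),
        "bob": User("bob", hash_password("eng-pw"), [operators, engineers]),
    }


if __name__ == "__main__":
    users = make_demo_users()
    print(sorted(effective_privileges(users["bob"])))          # ExitRuntime removed by Default Group
    print(login(users["alice"], "night-op-pw", time(23, 30)))  # ok
    print(login(users["alice"], "night-op-pw", time(12, 0)))   # outside-shift
```

Note that `bob` is granted ExitRuntime through the Engineers group but still cannot use it: the Default Group restriction is applied after the union, which is what "regardless of login" means on slide 19.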

21 Easy Administration
- Restrictions may be applied to sets of functions

22 Editing Existing Configurations
- Enter a “Security Server Administrator” User Name and Password
- Emergency password may be obtained from ICONICS. Provide the “Challenge Code” to ICONICS Global Technical Support Personnel

23 Establishing Global “Critical Points”
- Force Login to Change “Critical Points”
- Log Into ICONICS Security Server

24 Establishing Global “Critical Alarms”
- Force Login before a “Critical Alarm” can be acknowledged

25 Critical Points
- Let’s Demonstrate

26 ICONICS Worldwide Customer Summit – September 2006 Demo Critical Points NT Security Integration HMI-20 Rob Stanton

27 ICONICS Worldwide Customer Summit – September 2006 GENBROKER SECURITY HMI-20 Dave Hellyer

28 Communication Protocol Security
- ICONICS Products use a client-server architecture
- Use the GenClient/GenBroker architecture to communicate with:
  - OPC Servers: DA, HDA, A&E, XML-DA
  - ICONICS Administrative Servers - Security & License
  - SNMP
- Can use a variety of transport methods: COM/DCOM, TCP/IP, SOAP/XML

29 COM/DCOM
- Original communication infrastructure used between OPC Clients & Servers
- Can be used for single node and network based applications
- Requires DCOM security rights on server and client to be configured
- Client rights required for call-backs
- Both server and client need to belong to same NT domain, or trust relation between domains must be established

30 COM/DCOM
- Not particularly firewall friendly
- Requires port restriction
- Default range is 1024 – 65535
- Port configuration via registry

31 COM/DCOM (diagram: GraphWorX32 (Client Application), GenClient, OPC Server)

32 GenBroker – TCP/IP
- ICONICS Communication Architecture
- Uses native TCP/IP communication to encapsulate OPC calls
- Communicates to all OPC Servers via GenBroker service
- Communicates at near DCOM speeds
- Can be used over any IP based carrier: Internet, Intranet, PPP, GPRS, etc.

33 GenBroker – TCP/IP
- Only requires single server side port
- Firewall friendly
- Default port 38080, can be changed
- Integration with ICONICS security model

34 GenBroker – TCP/IP (diagram: GraphWorX32 (Client Application), GenClient, GenBroker, OPC Server)

35 GenBroker – SOAP/XML
- ICONICS Communication Infrastructure
- Uses native SOAP/XML communication to encapsulate OPC calls
- Communicates to all OPC Servers via IIS and GenBroker service
- Only requires single server side port
- Standard HTTP port
- Supports OPC DA, HDA, A&E

36 GenBroker – SOAP/XML (diagram: GraphWorX32 (Client Application), GenClient, IIS, GenBroker, OPC Server)

37 COM/DCOM - TCP/IP - SOAP/XML GenBroker
Comparison table, columns DCOM / TCP/IP / SOAP/XML (the “+” ratings were extracted without column boundaries and are reproduced as they appear):
- Security: +++++
  - On users: Yes
  - On nodes: Yes
  - On client applications: No / Yes
- Ease of configuration: ++++++
  - Requires client OS configuration: Yes / No
- Firewall friendliness: ++++++++
- Communication speed: +++ +

38 Administrative Servers
- GenBroker can be configured to use a (local)\remote Primary Server and a Secondary Server if available
- Administrative Servers can be set up as TRUE client/server

39 Communication Channels
- OPC Direct (default)
- Direct channel over DCOM
- Direct channel over TCP/IP
- Direct channel over SOAP/XML
- Indirect channel via a mediator node

40 Advanced Client Security For Secure OPC Tunneling
- Remote OPC Server Credential Configuration Dialogue
- User defined credentials for automatic login to Servers requiring credentials

41 Advanced Server Settings
- Turn off bindings to unnecessary network cards
- Disable OPC over SOAP/XML if not used
- Disable OPC over DCOM if not used for networking

42 Advanced Server Security
- Data Servers can be locked down to deny write access
- Functionality can be restricted
- All writes can require Encrypted Credentials

43 Advanced Server Client IDs
- Require Client IDs to limit access
- Restrict Client Node access
- Allowed Security Server Nodes
- Allowed License Server Nodes
- Require Client Versions

44 Advanced Server License Restrictions
- Preferred Node list will grant Mission-Critical nodes preferential license access
- Can reserve Client Units for preferential license access

45 ICONICS Worldwide Customer Summit – September 2006 Demo GenBroker Limiting Network Node Access HMI-20 Rob Stanton

46 ICONICS Worldwide Customer Summit – September 2006 Biometric Security HMI-20

47 Requires Unique Physical Features

48 Identification

49 Unique Login

50 Integrated NT Security

51 Keep It Changing

52 Unauthorized Login Attempts

53 Audit Trails

54 Revision and Change Control

55 Traceability Reporting
- Data Stored Securely in SQL, MSDE, Oracle
- GenEvent Server: AlarmWorX32, TrendWorX32, BridgeWorX
- Reporting Tools: AlarmWorX32 Reporting, ReportWorX, GraphWorX32, PortalWorX

56 ICONICS Worldwide Customer Summit – September 2006 Demo ICONICS Traceability and Reporting HMI-20

57 ICONICS Worldwide Customer Summit – September 2006 Architecting Networks for Plant Security HMI-20 Rob Stanton

58 Network Security
- Today’s Process Control Networks are becoming more integrated with Enterprise Networks
- This requires a closer look at the security between the Enterprise Networks and Process Control
- Ensure production and safety are not put at risk
- It is generally accepted that a firewall solution is the way to provide a connection between Enterprise Networks and Process Control
- Maintain a secure network

59 Network Architecture Options
- Physical separation
- “Dual homed” computers, with and without firewalls
- Router with packet filtering
- Firewall
- Firewall with DMZ
- Firewall with DMZ and only outbound connections from the Process Control Network
- Use of VLANs

60 Physical Segregation (diagram: Enterprise Network | Process Control Network)

61 Physical Separation
- No direct attack risk
- Physical access to the Process Control Network is required
But…
- × No direct data transfer between the Process Control Network and Enterprise Network possible
- × Requires manual interaction to transfer data (sneaker net)

62 Dual homed computers (diagram: Enterprise Network | Process Control Network)

63 Dual homed computers
- Simple connection between two networks allows for easy data transfer
But…
- × Widely seen as easy targets for attacks
- × Significant security risk
- × Direct internet connection potentially possible from dual homed computers

64 Dual homed + Personal Firewall (diagram: Process Control Network | Enterprise Network)

65 Dual homed + Personal Firewall
- Simple connection between two networks allows for easy data transfer
- Communication limited to servers only
But…
- × Limited granularity, e.g. controller access either blocked or allowed
- × Difficult to maintain for multiple servers
- × Direct internet connection potentially possible from dual homed computers

66 Router with packet filtering (diagram: Process Control Network | Router with packet filters and rules | Enterprise Network)

67 Router with packet filtering
- Enforces device-to-device rules, allowing only servers access to the Process Control Network
But…
- × Requires a secure Enterprise Network
- × Limited protection against sophisticated assaults, due to lack of stateful inspection

68 2 port Firewall (diagram: Process Control Network | Firewall | Enterprise Network)

69 2 port Firewall
- Stateful packet inspection
- In which network will the shared server be?
But…
- Either requires a rule to allow shared server access to the Process Control Network
  - × Risk of spoofed shared server
- Or requires a rule to allow Enterprise Network computers access to the shared server on the Process Control Network
  - × Risk of flaws in application layer software on shared server

70 Firewall with DMZ (diagram: Process Control Network | Firewall | DMZ | Enterprise Network)

71 Firewall with DMZ
- Stateful packet inspection
- No direct path from the Enterprise Network to the Process Control Network
- Servers in DMZ have access to the Process Control Network
- EN computers access servers in DMZ
But…
- × Increased complexity may lead to configuration errors

72 Outbound Connections Only (diagram: Process Control Network | Firewall | DMZ | Enterprise Network)

73 Outbound Connections Only
- Stateful packet inspection
- No inbound connections to the Process Control Network
- Servers in the Process Control Network store data in DMZ based data stores
- Enterprise Network computers access servers in DMZ
But…
- × Increased complexity may lead to configuration errors
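To make the difference between the 2 port firewall, the firewall with DMZ and the outbound-only design (slides 68 through 73) checkable rather than pictorial, here is an added example, not from the presentation or ICONICS, that encodes each design as a small stateful rule set (a rule permits connections initiated from one zone into another, default deny otherwise) and asks three questions of each: is there a direct Enterprise-to-Process-Control flow, which zones may open connections into the Process Control Network at all, and can a chain of permitted flows still land in the Process Control Network from the Enterprise side. The GenBroker port 38080 is the default named on slide 33; the zone labels, the SQL data-store port and the rule sets themselves are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Zone labels are constructed for this example.
EN, DMZ, PCN = "Enterprise", "DMZ", "ProcessControl"
GENBROKER_PORT = 38080   # GenBroker TCP/IP default port (slide 33)
SQL_PORT = 1433          # assumed port of the DMZ data store (not on the slides)


@dataclass(frozen=True)
class Rule:
    """Permits connections *initiated* from src into dst; replies return implicitly (stateful)."""
    src: str
    dst: str
    port: int | None = None   # None means any port


def allowed(rules: list[Rule], src: str, dst: str, port: int) -> bool:
    """Default deny: only an explicit rule permits a flow."""
    return any(r.src == src and r.dst == dst and r.port in (None, port) for r in rules)


def initiators_into(rules: list[Rule], zone: str) -> set[str]:
    """Zones that may open connections into `zone`, i.e. its inbound exposure."""
    return {r.src for r in rules if r.dst == zone and r.src != zone}


def reachable(rules: list[Rule], start: str, target: str) -> bool:
    """Can permitted flows be chained, hop by hop through intermediate zones,
    so that a connection started in `start` eventually lands in `target`?
    A 'True' here is the risk slide 71 describes: servers in the DMZ can reach the PCN."""
    seen: set[str] = set()
    stack = [start]
    while stack:
        zone = stack.pop()
        if zone == target:
            return True
        if zone in seen:
            continue
        seen.add(zone)
        stack.extend(r.dst for r in rules if r.src == zone)
    return False


# Rule sets for three of the slide designs (constructed to match the slide text).
TWO_PORT_FIREWALL = [Rule(EN, PCN, GENBROKER_PORT)]          # shared server sits inside the PCN
FIREWALL_WITH_DMZ = [Rule(EN, DMZ, GENBROKER_PORT),
                     Rule(DMZ, PCN, GENBROKER_PORT)]         # DMZ servers reach the PCN
OUTBOUND_ONLY = [Rule(EN, DMZ, GENBROKER_PORT),
                 Rule(PCN, DMZ, SQL_PORT)]                   # PCN pushes data out to the DMZ store


def assess(rules: list[Rule]) -> dict:
    return {
        "direct_en_to_pcn": allowed(rules, EN, PCN, GENBROKER_PORT),
        "inbound_to_pcn_from": sorted(initiators_into(rules, PCN)),
        "en_reaches_pcn_by_pivot": reachable(rules, EN, PCN),
    }


if __name__ == "__main__":
    for name, rules in [("2 port firewall", TWO_PORT_FIREWALL),
                        ("firewall with DMZ", FIREWALL_WITH_DMZ),
                        ("outbound connections only", OUTBOUND_ONLY)]:
        print(name, assess(rules))
```

Only the outbound-only rule set leaves the Process Control Network with no inbound initiators and no chained path from the Enterprise side; the DMZ design removes the direct path but, as slide 71 states, the DMZ servers themselves still hold a connection into the Process Control Network, which is why a flaw in one of them matters.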

74 Separation into VLANs (diagram: Process Control Network with PLC VLAN 1, PLC VLAN 2 and HMI VLAN; Server in HMI VLAN, in PLC VLAN 1 and in PLC VLAN 2; Enterprise Network)

75 Separation into VLANs
- Limit allowed communication between devices on the same physical LAN
- Prevents propagation of unwanted traffic across all devices
But…
- × To be used to separate devices in the Process Control Network rather than separation of Enterprise Network/DMZ and the Process Control Network.

76 Simple ways to harden your site
It’s the simple things…
- Isolate networks: Install firewalls between IT and plant networks
- Turn off unnecessary services: Turn off IIS, Telnet, FTP, Remote Desktop where not required (reduce attack surface)
- Restrict access to important machines: Lock them up
