Inductive Automation’s Co-Director of Sales Engineering Kevin McClusky (presenter) and Chief Strategy Officer Don Pearson (moderator) discuss a prevention-focused approach that encompasses physical security as well as cybersecurity. As you’ll learn, an effective SCADA security plan doesn’t just safeguard the platform itself but also each network, device, and database connection.
Learn more about:
- Phishing and other common attack vectors
- Guarding against internal threats
- Locking down your operating system
- Leveraging encryption effectively
- Using Java safely
- Applying security guidelines in the Ignition industrial application platform
- And much more
3. Today’s Agenda
• Introduction to Ignition
• SCADA/ICS Security Basics
• Approaches to SCADA/ICS Security
• Tools for Protecting Your Network
• Security Hardening in Ignition
• Q&A
4. About Inductive Automation
• Founded in 2003
• HMI, SCADA, MES, and IIoT software
• Installed in 100+ countries
• Over 1,500 integrators
• Used by 48% of Fortune 100 companies
Learn more at: inductiveautomation.com/about
6. Ignition: Industrial Application Platform
One Universal Platform for SCADA, MES & IIoT:
• Unlimited licensing model
• Cross-platform compatibility
• Based on IT-standard technologies
• Scalable server-client architecture
• Web-managed
• Web-launched on desktop or mobile
• Modular configurability
• Rapid development and deployment
8. Disclaimer
Cybersecurity is a deep and complex topic, and this webinar presents a
general overview of the subject. It is not intended as comprehensive
instruction or training on industrial control system security. It contains
general, widely applicable guidelines about ICS security; however,
because every organization is different, you should work with a security
expert to make sure that your specific security needs are met.
10. SCADA/ICS Security Basics
Three laws of SCADA security:
• Nothing is 100% secure.
• All software can be hacked.
• Every piece of information can be an attack.
– From SCADA Security – What’s Broken and How to Fix It, by Andrew Ginter
12. SCADA/ICS Security Basics
How are they attacking us?
• Phishing
- #1 attack vector for ICS
- Spear phishing
- In 2016, 30% of phishing messages were opened, up from 23% in 2015
• Malware & ransomware
High-profile attacks:
- WannaCry & NotPetya (2017)
- Stuxnet (2010)
• Weak authentication
• SQL injection
• Network scanning
• Abuse of authority
• Brute force
• Rogue devices
• Removable media
13. Approaches to SCADA/ICS Security
What can we do about it?
• Keep it simple. Complexity doesn’t improve security.
• Know your environment (which machines & software versions you have, your normal traffic level, etc.).
• You can’t eliminate risk but you can mitigate risk.
• Make it very difficult and expensive to pull off an attack.
14. Approaches to SCADA/ICS Security
IT Security
• Software-based
• Focus: detecting & responding to intrusion
• Stakes: compromised or stolen data, system crashes, interruption, financial losses, etc.
ICS Security
• Hardware-based
• Focus: preventing intrusion
• Stakes: loss of life, environmental damage, economic impact
Industrial organizations must focus on prevention while also implementing IT-class security measures in order to secure their control systems.
17. Tools for Protecting Your Network
Authentication
• Username/password (Don’t use default passwords!)
• User- and role-based security (based on the Principle of Least Privilege)
• Biometrics (fingerprints, retina scans)
• Public Key Infrastructure (PKI)
• Key cards
• USB tokens
• Application security: role-based settings/permissions can be used to secure applications (clients, design environment, tags)
• Database connection encryption
• OPC UA connections
18. Tools for Protecting Your Network
Encryption (TLS/SSL/https)
• Encrypts all data sent over HTTP
• Protects against snooping & session hijacking
• Can be used to protect the SCADA Gateway
• Can be used with a VLAN to secure native device communication
• Can be used to encrypt OPC UA communication
• Can be used to help secure databases that support TLS/SSL
19. Tools for Protecting Your Network
Auditing
• Record details about specific events
• Track down who did what from where
• Helpful in deterring attacks by SCADA insiders
• Use audit logs, trails, profiles
20. Tools for Protecting Your Network
Ways to Protect Your Operating System:
• Remove any unnecessary programs.
• Keep OS patches & service packs up-to-date.
• Disable remote services on Windows.
• Set up firewalls to restrict network traffic; close all ports and only reopen ports that are necessary.
• Set up firewalls on redundant servers.
• If remote access is required, get a VPN device with good multi-factor authentication.
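“Close all ports and only reopen ports that are necessary” is easiest to keep true if the listening services on a gateway host are checked against a written allowlist. The script below is an added example (not from the webinar or from Inductive Automation): it parses the output of `ss -tlnp` on Linux, ignores loopback-only listeners, and reports any remotely reachable service that is not on the allowlist. The sample output is constructed, and the allowlist is an assumption: 8088 and 8043 are the Ignition Gateway’s default HTTP and HTTPS ports as assumed here, and SSH on 22 is assumed to be the administrative access path.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     0.0.0.0:8043        0.0.0.0:*          users:(("java",pid=1450,fd=55))
LISTEN  0       100     0.0.0.0:8088        0.0.0.0:*          users:(("java",pid=1450,fd=54))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=900,fd=6))
LISTEN  0       50      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1201,fd=4))
LISTEN  0       128     [::]:3389           [::]:*             users:(("xrdp",pid=1300,fd=11))
"""

# Matches one LISTEN row: local address, port, and (if ss was run with enough privilege) the process name.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:users:\(\("([^"]+)")?')

# Assumed allowlist of (port, process) pairs that may accept remote connections on an Ignition host.
ALLOWED = {(22, "sshd"), (8043, "java"), (8088, "java")}


def parse_listeners(ss_output):
    """Return one dict per listening socket: address, port and owning process ('?' if unknown)."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        listeners.append({"addr": m.group(1), "port": int(m.group(2)), "proc": m.group(3) or "?"})
    return listeners


def is_loopback(addr):
    """Loopback-only listeners are not reachable from the network, so they are not findings."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit_listeners(listeners, allowed=ALLOWED):
    """Return (port, process) for every remotely reachable listener that is not on the allowlist."""
    findings = []
    for l in listeners:
        if is_loopback(l["addr"]):
            continue
        if (l["port"], l["proc"]) not in allowed:
            findings.append((l["port"], l["proc"]))
    return findings


if __name__ == "__main__":
    # In practice: listeners = parse_listeners(subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout)
    for port, proc in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: port {port} ({proc}); close it or add it to the allowlist")
```

Run it from a scheduled job and diff the result against the previous run: a new entry in the output is exactly the “know your environment” signal the earlier slide asks for.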
21. Tools for Protecting Your Network
Ways to Secure Your Device/PLC Connections:
• Native device communication options:
- Keep on a separate, private OT network
- Network segmentation
- VLAN with encryption
- Set up routing rules
- Use edge-of-network gateway as bridge between device & network
• OPC UA and MQTT communication offers built-in security, and communications can be encrypted over TLS
22. Tools for Protecting Your Network
[Diagram: SCADA Network → TX Interface → Unidirectional Gateway → RX Interface → IT Network]
Unidirectional Gateways (data diodes) are an option for standalone networks with tight controls over what goes in and out.
23. Tools for Protecting Your Network
Physical Security:
• Because control devices like PLCs cannot be locked down, it is essential to implement physical security measures, such as the following:
- Badges & badge readers
- Physical media controls (including laptops, phones, USB keys)
- Video monitoring
- Policies and training
- Guards
24. Security Hardening in Ignition
• The following steps are intended to provide general guidance on how to set up and secure your Ignition installation
• General suggestions regarding the hardware and network where Ignition is installed
25. Security Hardening in Ignition
Secure the Gateway
• Change the Admin Password
• Configure Access for the Gateway
• Enable SSL
- Acquire and install an SSL Certificate for Ignition from a certificate authority (highly recommended)
29. Security Hardening in Ignition
Use Security Zones
• A Security Zone is a list of Gateways, Computers, or IP addresses that are defined and grouped together.
• When zones are defined, you can place additional policies & restrictions on them.
• Provides read-only and read/write access to specified locations.
• Helps keep different areas of the business separate while allowing them to interconnect.
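The zone model above (group addresses, attach a policy, default to no access for anything ungrouped) is what a request check looks like in code. The following is an added example, not Ignition’s own implementation or configuration format: it classifies a source IP into a zone using the standard ipaddress module and decides whether a read or a write is permitted. The zone names, address ranges and access levels are constructed assumptions.

```python
import ipaddress

# Constructed zone table (assumed addresses). Each zone lists CIDR blocks or single hosts
# and the access level granted to requests originating from it.
ZONES = {
    "control-room": {"members": ["10.10.1.0/24"], "access": "read-write"},
    "engineering":  {"members": ["10.10.2.0/24", "10.10.3.17"], "access": "read-write"},
    "corporate":    {"members": ["192.168.0.0/16"], "access": "read-only"},
}

# Ordering lets us compare levels: a write needs read-write, a read needs at least read-only.
RANK = {"deny": 0, "read-only": 1, "read-write": 2}


def build_zone_networks(zones=ZONES):
    """Parse member strings once; a bare host address becomes a /32 (or /128) network."""
    compiled = {}
    for name, zone in zones.items():
        nets = [ipaddress.ip_network(m, strict=False) for m in zone["members"]]
        compiled[name] = (nets, zone["access"])
    return compiled


def zone_for(ip, compiled):
    """Return (zone name, access level); anything not in a zone is denied by default."""
    addr = ipaddress.ip_address(ip)
    for name, (nets, access) in compiled.items():
        if any(addr in n for n in nets):
            return name, access
    return None, "deny"


def is_allowed(ip, operation, compiled):
    """operation is 'read' or 'write'. Reads need read-only or better; writes need read-write."""
    _, access = zone_for(ip, compiled)
    needed = "read-write" if operation == "write" else "read-only"
    return RANK[access] >= RANK[needed]


if __name__ == "__main__":
    compiled = build_zone_networks()
    for ip, op in [("10.10.1.25", "write"), ("192.168.4.9", "write"), ("203.0.113.5", "read")]:
        name, access = zone_for(ip, compiled)
        print(f"{ip} -> zone={name} access={access} {op} allowed={is_allowed(ip, op, compiled)}")
```

The important property is the last return in zone_for: an address that matches no zone is denied rather than given the most permissive level, which is the behaviour to verify when reviewing any zone configuration.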
33. Security Hardening in Ignition
Set Up Audit Logging
• Audit Profiles are simple to set up, and immediately start recording events.
• Only tag writes, SQL UPDATE, SQL INSERT, and SQL DELETE statements are recorded. A time-stamp is also recorded.
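An audit trail only deters insiders (slide 19) if someone actually reads it, so here is an added example, not Ignition’s audit format or code, of the two things a reviewer most wants from it: a “who did what from where” summary, and simple flags for the event types the slide says are recorded (a burst of tag writes by one actor, and any SQL DELETE). The record layout, the actor names, addresses and tag paths are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit records in an assumed "timestamp | key=value | ..." layout (not Ignition's format).
AUDIT_SAMPLE = """\
2017-08-15 14:02:11 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump1/Setpoint
2017-08-15 14:02:13 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump1/Setpoint
2017-08-15 14:02:15 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump2/Setpoint
2017-08-15 14:02:18 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump3/Setpoint
2017-08-15 14:02:20 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump4/Setpoint
2017-08-15 14:02:22 | actor=bob | action=tag write | source=10.10.2.14 | target=Line1/Pump5/Setpoint
2017-08-15 14:30:05 | actor=alice | action=tag write | source=10.10.1.7 | target=Line2/Valve3/Cmd
2017-08-15 15:10:40 | actor=alice | action=sql delete | source=192.168.7.21 | target=alarm_events
2017-08-15 15:11:02 | actor=carol | action=sql update | source=10.10.1.9 | target=recipes
"""


def parse_audit(text):
    """Turn each line into a dict with a datetime under 'time' plus the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = [p.strip() for p in line.split("|")]
        rec = {"time": datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")}
        for f in fields:
            key, value = f.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def who_did_what_from_where(records):
    """Per actor: the set of source addresses seen and a count of each action type."""
    summary = defaultdict(lambda: {"sources": set(), "actions": Counter()})
    for r in records:
        summary[r["actor"]]["sources"].add(r["source"])
        summary[r["actor"]]["actions"][r["action"]] += 1
    return dict(summary)


def flag_write_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Actors with more than `threshold` tag writes inside any sliding `window` (sorted list)."""
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] == "tag write":
            by_actor[r["actor"]].append(r["time"])
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


def flag_destructive_sql(records):
    """Every recorded SQL DELETE as (actor, source, target); these deserve a second look."""
    return [(r["actor"], r["source"], r["target"]) for r in records if r["action"] == "sql delete"]


if __name__ == "__main__":
    recs = parse_audit(AUDIT_SAMPLE)
    for actor, info in who_did_what_from_where(recs).items():
        print(actor, sorted(info["sources"]), dict(info["actions"]))
    print("write bursts:", flag_write_bursts(recs))
    print("deletes:", flag_destructive_sql(recs))
```

The thresholds are deliberately parameters: what counts as an abnormal write rate depends on the process, which is the “know your normal traffic level” point from slide 13.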
35. Security Hardening in Ignition
Protect the Database
• Rather than using a database owner account such as root or sa, we recommend creating a separate user account with limited privileges for the database connection with the Ignition Gateway.
• If your database supports TLS encryption, use it for the Ignition-to-database connection.
• TLS can be enabled for databases running on different servers (follow the information for its JDBC driver and internal security settings).
40. Security Hardening in Ignition
Active Directory and Authentication Services
• Group Access and Disabling Auto Login
• User Accounts
• LDAP Protocol Security
42. Security Hardening in Ignition
Keep Ignition Up-to-Date
• Software security requires constant effort and maintenance
• Security updates are released periodically to ensure continued protection
• Keeping up-to-date with updates is strongly recommended