Open and Secure SCADA: Efficient and Economical Control, Without the Risk

Inductive Automation
28 Nov 2018
  1. Keynote:
  2. Moderator: Don Pearson, Chief Strategy Officer, Inductive Automation
  3. Today's Agenda
     • Introduction to Inductive Automation & Bedrock Automation
     • Security Threats
     • A New Security Approach
     • SCADA Security
     • Public-Private Key Infrastructure
     • Review of ICS & SCADA Security Best Practices
     • Q&A
  4. About Inductive Automation
     • Founded in 2003
     • HMI, SCADA, MES, and IIoT software
     • Installations in 100 countries
     • Used by 48% of Fortune 100 companies
     • Over 1,700 integrators
     • Working with Bedrock Automation to create the most secure control systems possible
     Learn more at: inductiveautomation.com/about
  5. Ignition: Industrial Application Platform
     One Universal Platform for SCADA, MES & IIoT:
     • Unlimited licensing model
     • Cross-platform compatibility
     • Based on IT-standard technologies
     • Scalable server-client architecture
     • Web-managed
     • Web-launched on desktop or mobile
     • Modular configurability
     • Rapid development and deployment
  6. About Bedrock Automation
     • Incorporated in October 2013
     • A subsidiary of Maxim Integrated (Nasdaq: MXIM 1983)
     • Combined 200+ man-years of automation and semiconductor experience
     • To date, 107 global patents filed with over 40 granted
     • Working with Inductive Automation to create the most secure control systems possible
     Learn more at: bedrockautomation.com
  7. Presenters
     • Chris Harlow, Product and Customer Service Manager, Bedrock Automation
     • Travis Cox, Co-Director of Sales Engineering, Inductive Automation
  8. Cyber Threats to ICS and SCADA
     • Stolen Credentials
     • Ransomware
     • Human Factors
     • Social Engineering
     • Root Kit Attacks
     • Session Hijacking
     • Counterfeiting
     • DDoS
     (diagram labels: Sensors/Actuators, Networks, Controllers, Client Management Computers)
  9. Attack Vectors and Outcomes
     Attack Vectors:
     • Database attacks
     • Escalated privilege exploits
     • Network components/communications hijacking
     • 'Man-in-the-middle' attacks
     • Backdoors and holes in the network perimeter (field devices)
     • Attacks that access through pins
     Outcomes:
     • Denial of Service (DoS): crash the SCADA server, leading to a shutdown condition
     • Delete SCADA server system files: system downtime and loss of operations
     • Plant a Trojan and take complete control of the system
     • Log sensitive company operational data for criminal or competitive use
  10. What You Want in a "Secure" System
  11. The Flaw in Typical SCADA Architectures
  12. The Flaw in Typical SCADA Architectures
  13. The Flaw in Typical SCADA Architectures
  14. What if Security Could Be... Built In versus Bolted On
  15. Then Security Would Be... Layered and Embedded
  16. And The Result Is... Security that just happens!
      To the Hardware Root of Trust:
      ✓ Authenticated Control, I/O, IIoT Edge
      ✓ Authenticated Firmware
      ✓ Authenticated Control Database
      ✓ Authenticated Applications
      ✓ Authenticated Workstations
      ✓ Authenticated Networks
      ✓ Role-Based Access Authenticated
      ✓ Biometric Authentication
  17. SCADA Security - Device/PLC Connections
  18. SCADA Security - Device/PLC Connections
      Secure your device/PLC connections:
      • Native device communication options:
        - Keep on a separate, private OT network
        - Network segmentation
        - VLAN with encryption
        - Set up routing rules
        - Use an edge gateway as a bridge between device & network
      • OPC UA and MQTT communication offers built-in security, and communications can be encrypted over TLS
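Slide 18 leaves "encrypted over TLS" as a bullet. What a practitioner actually has to decide is the TLS configuration on the gateway side of an OPC UA or MQTT link: protocol floor, whether the device must present a certificate (mutual authentication), and whether compression is off. The following is an added example, not code from the webinar or from Ignition or Bedrock products; it uses only the Python standard library and shows the interpreter's default server context beside a hardened one, plus an audit function that reports the weak settings. The CA bundle, certificate and key paths are placeholders and are not loaded in the stand-alone run.

```python
"""Hardened TLS settings for a SCADA-to-device link (added example, stdlib only)."""
import ssl

# Placeholder paths (assumption): a real deployment loads its own plant CA
# bundle, gateway certificate and private key from locations like these.
CA_BUNDLE = "/path/to/plant-ca.pem"
GATEWAY_CERT = "/path/to/gateway.pem"
GATEWAY_KEY = "/path/to/gateway.key"


def default_server_context() -> ssl.SSLContext:
    """The 'bolted on' baseline: TLS is on, but any device may connect
    without proving who it is, because no client certificate is required."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(load_material: bool = False) -> ssl.SSLContext:
    """Mutual TLS: the gateway presents its certificate AND requires one from
    every device/client, validated against the plant CA, TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1 fallback
    ctx.verify_mode = ssl.CERT_REQUIRED            # client certificate is mandatory
    ctx.options |= ssl.OP_NO_COMPRESSION           # no compression side channel
    if load_material:  # skipped stand-alone: the placeholder files do not exist
        ctx.load_verify_locations(cafile=CA_BUNDLE)
        ctx.load_cert_chain(certfile=GATEWAY_CERT, keyfile=GATEWAY_KEY)
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list:
    """Audit a context; returns the weak settings found (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (no mutual authentication)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    print("default :", context_findings(default_server_context()))
    print("hardened:", context_findings(hardened_server_context()))
```

The same three checks apply on the device side of the link: a client context that does not verify the gateway's certificate gives up the protection against the session-hijacking and man-in-the-middle vectors listed on slides 8 and 9.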
  19. SCADA Security - Device/PLC Connections
  20. SCADA Security - Rethink Your Idea of Security
      • Understand that no system is inherently secure or insecure
      • You cannot eliminate security risk, but you can significantly mitigate it
      • Focus on preventing intrusion
      • Don't only secure the ICS/SCADA platform itself; you also need to secure all of the connections from the SCADA to devices, databases, clients, etc.
  21. SCADA Security - Physical Security
      Implement physical security measures:
      • Badges & badge readers
      • Physical media controls (laptops, phones, USB keys, etc.)
      • Video monitoring
      • Policies and training
      • Guards
  22. SCADA Security - Operating System
      Protect your OS by:
      • Removing any unnecessary programs.
      • Keeping OS patches & service packs up-to-date.
      • Disabling remote services on Windows.
      • Setting up firewalls to restrict network traffic; close all ports and only reopen necessary ports.
      • Setting up firewalls on redundant servers.
      • Getting a VPN device with good multi-factor authentication if remote access is required.
  23. SCADA Security - Databases
  24. SCADA Security - Databases
      Protect the database connection with the SCADA software:
      • Use TLS encryption if your database supports it.
      • Create a separate user account with limited privileges, instead of using a database owner account such as root or sa.
  25. SCADA Security - Encryption
      Use encryption to:
      • Protect all data sent over HTTP
      • Protect against snooping & session hijacking
      • Protect the SCADA gateway
      • Encrypt OPC UA communication
      • Help secure databases that support TLS/SSL
      • Secure native device communication by using a VLAN
  26. SCADA Security - Databases
  27. SCADA Security - Server & Clients
  28. SCADA Security - Authentication
      Use authentication for:
      • Username/password (no default passwords or sticky notes)
      • User- and role-based security (Principle of Least Privilege)
      • Biometrics (fingerprints, retina scans)
      • Public Key Infrastructure (PKI)
      • Key cards
      • USB tokens
      • Application security (role-based application settings/permissions)
      • Database connection encryption
      • OPC UA connections
  29. SCADA Security - Roles
      Security roles:
      • Security is based on roles assigned to specific users
      • You can create a structure or hierarchy for roles (not by default)
      • Users can have access to many roles or none
      • Be sure to think about how different roles affect the security of the project
  30. SCADA Security - Zones
      Security zones:
      • Lists of gateways, computers, or IP addresses that are defined and grouped together
      • Place additional policies and restrictions on defined zones
      • Provide read-only and read/write access to specified locations
      • Help keep different areas of the business separate while allowing them to interconnect
  31. SCADA Security - Audits
      Auditing:
      • Record details about specific events
      • Track down who did what from where
      • Helpful in deterring attacks by SCADA insiders
      • Use audit logs, trails, profiles
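Slides 29, 30 and 31 describe three controls that only work together: roles attached to users, zones defined as address lists with read-only or read/write access, and an audit trail that records who did what from where. The example below is added here to show how the three combine into one authorization decision; it is not code from the webinar, from Ignition or from Bedrock, and every user, address and policy entry is constructed sample data. The policy is deny-by-default: a request from an address in no zone, or from an account holding no role, is refused and still audited.

```python
"""Role- and zone-based authorization with an audit trail (added example)."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample data, not a real site configuration ---------------------
USER_ROLES = {
    "operator1": {"Operator"},
    "eng1": {"Engineer", "Operator"},
    "vendor1": set(),            # account exists but holds no role: denied everywhere
}

ZONES = {                        # zone name -> address ranges (slide 30)
    "ControlRoom": [ipaddress.ip_network("10.10.1.0/24")],
    "PlantFloor": [ipaddress.ip_network("10.10.20.0/24"),
                   ipaddress.ip_network("10.10.21.0/24")],
}

# (zone, role) -> permitted actions. "read" is the read-only tier, "write"
# covers setpoint changes, "deploy" covers project changes. Absent = denied.
POLICY = {
    ("ControlRoom", "Operator"): {"read", "write"},
    ("ControlRoom", "Engineer"): {"read", "write", "deploy"},
    ("PlantFloor", "Operator"): {"read"},
    ("PlantFloor", "Engineer"): {"read", "write"},
}

AUDIT_LOG = []                   # in memory here; a gateway persists this (slide 31)


def zone_for(source_ip: str):
    """Map a source address to its zone name, or None if it is in no zone."""
    addr = ipaddress.ip_address(source_ip)
    for name, networks in ZONES.items():
        if any(addr in net for net in networks):
            return name
    return None


def authorize(user: str, source_ip: str, action: str) -> bool:
    """Decide and audit. Allowed only if some role of the user permits the
    action from the caller's zone; unzoned addresses are always denied."""
    zone = zone_for(source_ip)
    roles = USER_ROLES.get(user, set())
    allowed = zone is not None and any(
        action in POLICY.get((zone, role), set()) for role in roles
    )
    AUDIT_LOG.append({             # who did what, from where, with what outcome
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "source": source_ip,
        "zone": zone or "UNZONED", "roles": sorted(roles),
        "result": "ALLOW" if allowed else "DENY",
    })
    return allowed


def denied_events(user: str) -> list:
    """Audit query: every denied action attributed to a user."""
    return [e for e in AUDIT_LOG if e["user"] == user and e["result"] == "DENY"]


if __name__ == "__main__":
    for u, ip, act in [("operator1", "10.10.1.5", "write"),     # control room: ok
                       ("operator1", "10.10.20.7", "write"),    # plant floor: read-only
                       ("eng1", "192.0.2.9", "read"),           # outside every zone
                       ("vendor1", "10.10.1.5", "read")]:       # no role
        print(u, ip, act, "->", "ALLOW" if authorize(u, ip, act) else "DENY")
```

Two points worth keeping from this shape: the zone is derived from the connection, never from a field the client supplies, and denials are logged with the same detail as successes, since the repeated denies are what reveal an insider probing for access.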
  32. SCADA Security - Secure Standard Architecture
  33. SCADA Security - Secure Hub & Spoke Architecture
  34. Public-Private Key Infrastructure
  35. How to Manage Keys
      • A Cloud SaaS is deployed for managing and administering cyber keys and certificates
      • User security administrator tool to define role-based access control
      • Keys embedded in the controller, no need for persistent cloud connection
  36. Securing ICS - Best Practices
      • Use a secure CPU with a secure RTOS
      • Use physically secure controllers
      • Use encryption between ICS and SCADA
      • Use a PKI for role-based access
      • Sign and encrypt ICS application code
      • Use mutual authentication between ICS and SCADA
      • Use ICS hardware with built-in anomaly detection
      • Ask your vendors what they're doing to secure their products
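"Sign ICS application code" on slide 36 (and "Authenticated Applications" on slide 16) is a single bullet, but the value comes from the order of checks the controller performs before it loads anything. The example below is added here and is not Bedrock's or Inductive Automation's code: it builds a manifest of per-section digests, signs the manifest, and on the controller side verifies the signature before trusting any digest, rejects sections that were added or removed, and refuses the whole image on the first mismatch. The signature primitive is an HMAC stand-in so the block runs with the standard library alone; a production controller uses an asymmetric signature so that the verifying device holds no signing secret. Key and image bytes are constructed sample data.

```python
"""Fail-closed verification of a signed application image (added example)."""
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for the vendor's signing key; with a real
# asymmetric scheme only the public half would live on the controller.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _canonical(sections_digests: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(sections_digests, sort_keys=True).encode()


def build_manifest(sections: dict) -> dict:
    """Vendor side: digest every section of the image and sign the manifest."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sections.items()}
    tag = hmac.new(SIGNING_KEY, _canonical(digests), hashlib.sha256).hexdigest()
    return {"sections": digests, "signature": tag}


def verify_image(manifest: dict, sections: dict) -> tuple:
    """Controller side. Returns (ok, reason); any defect refuses the image."""
    listed = manifest.get("sections", {})
    expected = hmac.new(SIGNING_KEY, _canonical(listed), hashlib.sha256).hexdigest()
    # 1. Signature first: until it checks out, the digests carry no authority.
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False, "manifest signature invalid"
    # 2. Exactly the signed set of sections: nothing missing, nothing riding along.
    if set(listed) != set(sections):
        return False, "section list does not match manifest"
    # 3. Every section's content must match the digest that was signed.
    for name, data in sections.items():
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, listed[name]):
            return False, f"digest mismatch in section {name!r}"
    return True, "image authenticated"


if __name__ == "__main__":
    image = {"logic": b"\x01\x02\x03", "config": b"setpoint=42"}   # constructed
    manifest = build_manifest(image)
    print(verify_image(manifest, image))
    tampered = dict(image, config=b"setpoint=99")
    print(verify_image(manifest, tampered))
```

The check ordering matters: comparing digests before the signature would let an attacker who can rewrite both the section and its manifest entry pass step 3, which is why step 1 binds the manifest to the signer before any content is examined.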
  37. Securing SCADA - Best Practices
      • Secure PLC and device connections
      • Implement physical security measures
      • Protect the operating system
      • Use encryption
      • Use authentication
      • Protect the database connection
      • Use role-based security
      • Use security zones
  38. Closing Discussion Question
      To wrap up the discussion, what are your thoughts about how Inductive Automation and Bedrock Automation can help industrial organizations improve their security, both now and in the future?
  39. Sept. 17-19, 2018
      Today is the last day to buy early-bird tickets at: icc.inductiveautomation.com
  40. Questions & Comments
      800-266-7798
      IA Director of Sales: Melanie Moniz x247
      IA Account Executives: Jim Meisler x227, Vannessa Garcia x231, Vivian Mudge x253, Myron Hoertling x224, Shane Miller x218, Ramin Rofagha x251, Maria Chinappi x264, Kristin Azure x260, Lester Ares x214
      Guest Presenter: Chris Harlow, Chris.Harlow@BedrockAutomation.com
      Visit: BedrockAutomation.com
      Call: 781.821.0280
  41. Thank You