HMI-20 Plant Security, Traceability, and Electronic Records
Mark Hepburn
ICONICS Worldwide Customer Summit – September 2006

Securing HMI/SCADA Networks
• Network security is critical for today's HMI/SCADA
• Networks are everywhere
• Managing security is difficult
• People want "everything connected from anywhere"
• But the risks must be managed, SIMPLY and SECURELY!

Security Should be Central to Your System
• Secure connectivity is key
• Limit access to any client

ICONICS Security Environment
ICONICS components providing security:
• Security Server
• Secure Desktop
• GenBroker (network-level security)
These complement Windows operating system and network security:
• Synchronizes user profiles
• Security at the communication protocol level
• Biometric integration (biometrics increase security)
• Security via network segregation/separation
• Tools for FDA 21 CFR 11 compliance

Let's Demonstrate

HMI-20 ICONICS Security Server
Phil Koehler

Configuring the ICONICS Security Server
The ICONICS Security Server provides restricted access to functions based on the concept of a logged-in user.
The V9 Security Server is now under the "ICONICS Tools" program group.

Choose Security Type
Choose "Basic" or "Advanced" mode. Advanced options:
• Standard ICONICS
• Integrated NT Security or Active Directory (single sign-on)

Security Config File Features
• Configuration is saved in a protected file format
• Saved to local or network server locations
• May be accessed from any networked node

Security Administration
An "Administrator" must be established.
• At least one user must be established with "Security System Administrator" privileges enabled
• There may be multiple administrators

Group and User Permissions
• Security may be established in "Groups" and/or for individual "Users"
• Users have the rights of all associated groups, plus their own personal privileges

Configurable Properties
• Allows configuration of user details and general properties
• Allows shift patterns to be defined for users: prevents access using the username and password at specified times
• Account policy can be defined with fine granularity (similar functionality to Windows)

Default Group
• Restricts privileges for anyone using the PC, regardless of login

Restricting Application Privileges
Lock down many GENESIS32 application functions:
• By user or group
• By function tree
• By module (dozens of functions, e.g. prohibit Exit Runtime)
Restrictions apply immediately upon change.

Easy Administration
• Restrictions may be applied to sets of functions

Editing Existing Configurations
• Enter a "Security Server Administrator" user name and password
• An emergency password may be obtained from ICONICS: provide the "Challenge Code" to ICONICS Global Technical Support personnel (this is a recovery path outside the configured administrator accounts, so control who may request it and record when it is used)

Establishing Global "Critical Points"
• Force login to change "Critical Points"
• Log into the ICONICS Security Server

Establishing Global "Critical Alarms"
• Force login before a "Critical Alarm" can be acknowledged

Let's Demonstrate
HMI-20 Demo: Critical Points

NT Security Integration
Rob Stanton

HMI-20 GenBroker Security
Dave Hellyer

Communication Protocol Security
ICONICS products use a client-server architecture. They use the GenClient/GenBroker architecture to communicate with:
• OPC Servers: DA, HDA, A&E, XML-DA
• ICONICS Administrative Servers: Security and License
• SNMP
A variety of transport methods can be used:
• COM/DCOM, TCP/IP, SOAP/XML

COM/DCOM
• Original communication infrastructure used between OPC clients and servers
• Can be used for single-node and network-based applications
• Requires DCOM security rights on server and client to be configured
  - Client rights are required for call-backs
  - Both server and client need to belong to the same NT domain, or a trust relationship between domains must be established
• Not particularly firewall friendly
  - Requires port restriction
  - Default dynamic port range is 1024 – 65535
  - Port configuration via the registry
Diagram: GraphWorX32 (client application) → GenClient → OPC Server, over DCOM

GenBroker – TCP/IP
ICONICS communication architecture
• Uses native TCP/IP communication to encapsulate OPC calls
• Communicates with all OPC Servers via the GenBroker service
• Communicates at near-DCOM speeds
• Can be used over any IP-based carrier: Internet, Intranet, PPP, GPRS, etc.
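The COM/DCOM slides above say the dynamic port range defaults to 1024 – 65535 and is restricted through the registry, while GenBroker over TCP/IP needs a single server-side port (the deck gives 38080 as the default). The PowerShell below is an added example written for this page, not ICONICS's or Microsoft's own tooling: it pins RPC's dynamic endpoints to a small range using Microsoft's documented HKLM\SOFTWARE\Microsoft\Rpc\Internet key, then adds the Windows Firewall rules each transport needs, so the difference in exposed surface between the two transports is visible on the host. The range 5000-5020 and the client addresses are assumptions; the script changes the local machine, needs an elevated prompt, and the RPC change only takes effect after a reboot.

```powershell
# Added example for this page (not ICONICS's or Microsoft's own code).
# Run in an elevated PowerShell on the OPC/GenBroker server. The RPC change needs a reboot.
#Requires -RunAsAdministrator

$RpcKey         = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'   # documented by Microsoft (KB 154596)
$DcomRange      = '5000-5020'                               # assumed: replaces the 1024-65535 default
$GenBrokerPort  = 38080                                     # GenBroker TCP default from the deck
$AllowedClients = @('10.10.20.11', '10.10.20.12')           # assumed HMI client addresses

function Set-DcomPortRange {
    param([Parameter(Mandatory)][string]$Range)
    # With UseInternetPorts = Y, RPC hands out dynamic endpoints only from "Ports",
    # so the firewall can allow TCP 135 plus this range instead of 1024-65535.
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcKey -Name 'Ports'                  -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y'       -Type String
    Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -Value 'Y'       -Type String
}

function Add-InboundTcpRule {
    param([string]$Name, [string]$Port)
    # Always scoped to the named clients; never a rule with -RemoteAddress Any.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $Name
    }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedClients -Profile Domain,Private | Out-Null
}

# DCOM: the endpoint mapper plus the whole dynamic range. Because of call-backs
# ("Client rights required for call-backs" in the deck) every client needs the
# equivalent inbound rules as well, which this server-side script does not cover.
function Add-DcomRules {
    Add-InboundTcpRule -Name 'OPC DCOM endpoint mapper' -Port '135'
    Add-InboundTcpRule -Name 'OPC DCOM dynamic range'   -Port $DcomRange
}

# GenBroker over TCP/IP: one listener, one rule, nothing to configure on the client OS.
function Add-GenBrokerRule {
    Add-InboundTcpRule -Name 'ICONICS GenBroker TCP' -Port "$GenBrokerPort"
}

function Show-OpcRules {
    # Print what is actually exposed, so the two transports can be compared side by side.
    $rules = Get-NetFirewallRule -DisplayName 'OPC DCOM *', 'ICONICS GenBroker *' -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
        $peers = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-26} TCP {1,-10} from {2}' -f $rule.DisplayName, $ports, $peers
    }
}

Set-DcomPortRange -Range $DcomRange
Add-DcomRules        # omit when OPC over DCOM is disabled for networking, as the deck advises
Add-GenBrokerRule
Show-OpcRules
Write-Warning 'Reboot required before the RPC port range restriction takes effect.'
```

On the Windows versions current when this deck was presented the same firewall rules would be entered with netsh rather than the NetSecurity cmdlets, but the registry key is the same. The point to take from the output is the size of the hole: DCOM needs 135 plus a range (and matching client-side rules), GenBroker needs one port.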
GenBroker – TCP/IP
• Only requires a single server-side port
  - Firewall friendly
  - Default port 38080, can be changed
• Integration with the ICONICS security model
Diagram: GraphWorX32 (client application) → GenClient → GenBroker → OPC Server, over TCP/IP

GenBroker – SOAP/XML
ICONICS communication infrastructure
• Uses native SOAP/XML communication to encapsulate OPC calls
• Communicates with all OPC Servers via IIS and the GenBroker service
• Only requires a single server-side port: the standard HTTP port
• Supports OPC DA, HDA, A&E
Diagram: GraphWorX32 (client application) → GenClient → IIS → GenBroker → OPC Server, over SOAP/XML

Comparison: COM/DCOM, TCP/IP and SOAP/XML GenBroker
Property                              DCOM    TCP/IP   SOAP/XML
Security                              ++      +++      +++
  - On users                          Yes     Yes      Yes
  - On nodes                          Yes     Yes      Yes
  - On client applications            No      Yes      Yes
Ease of configuration                 +       +++      ++
  - Requires client OS configuration  Yes     No       No
Firewall friendliness                 +       +++      ++++
Communication speed                   +++     +++      +

Administrative Servers
• GenBroker can be configured to use a (local)\remote Primary Server and a Secondary Server if available
• Administrative Servers can be set up as TRUE client/server

Communication Channels
• OPC Direct (default)
• Direct channel over DCOM
• Direct channel over TCP/IP
• Direct channel over SOAP/XML
• Indirect channel via a mediator node

Advanced Client: Security for Secure OPC Tunneling
• Remote OPC Server credential configuration dialogue
• User-defined credentials for automatic login to servers requiring credentials

Advanced Server Settings
• Turn off bindings to unnecessary network cards
• Disable OPC over SOAP/XML if not used
• Disable OPC over DCOM if not used for networking

Advanced Server Security
• Data Servers can be locked down to deny write access
• Functionality can be restricted
• All writes can require encrypted credentials

Advanced Server Client IDs
• Require Client IDs to limit access
• Restrict Client Node access
• Allowed Security Server nodes
• Allowed License Server nodes
• Require Client Versions

Advanced Server License Restrictions
• Preferred Node list grants mission-critical nodes preferential license access
• Can reserve Client Units for preferential license access

HMI-20 Demo: GenBroker, Limiting Network Node Access
Rob Stanton

HMI-20 Biometric Security
• Requires unique physical features
• Identification
• Unique login
• Integrated NT Security
• Keep it changing
• Unauthorized login attempts
• Audit trails
• Revision and change control

Traceability Reporting
Data stored securely in SQL, MSDE, Oracle:
• GenEvent Server
• AlarmWorX32, TrendWorX32, BridgeWorX
Reporting tools:
• AlarmWorX32 Reporting
• ReportWorX
• GraphWorX32
• PortalWorX

HMI-20 Demo: ICONICS Traceability and Reporting

HMI-20 Architecting Networks for Plant Security
Rob Stanton

Network Security
• Today's Process Control Networks are becoming more integrated with Enterprise Networks
• This requires a closer look at the security between the Enterprise Networks and Process Control
  - Ensure production and safety are not put at risk
• It is generally accepted that a firewall solution is the way to provide a connection between Enterprise Networks and Process Control
  - Maintain a secure network

Network Architecture Options
• Physical separation
• "Dual homed" computers, with and without firewalls
• Router with packet filtering
• Firewall
• Firewall with DMZ
• Firewall with DMZ and only outbound connections from the Process Control Network
• Use of VLANs

Physical Separation
Diagram: Enterprise Network and Process Control Network with no connection between them
• No direct attack risk
• Physical access to the Process Control Network is required
But…
× No direct data transfer between the Process Control Network and the Enterprise Network is possible
× Requires manual interaction to transfer data (sneaker net)

Dual homed computers
Diagram: Enterprise Network, dual-homed computer, Process Control Network
• Simple connection between two networks allows for easy data transfer
But…
× Widely seen as easy targets for attacks
× Significant security risk
× Direct Internet connection potentially possible from dual-homed computers

Dual homed + Personal Firewall
Diagram: Enterprise Network, dual-homed computer with personal firewall, Process Control Network
• Simple connection between two networks allows for easy data transfer
• Communication limited to servers only
But…
× Limited granularity, e.g. controller access is either blocked or allowed
× Difficult to maintain for multiple servers
× Direct Internet connection potentially possible from dual-homed computers

Router with packet filtering
Diagram: Enterprise Network, router with packet filters and rules, Process Control Network
• Enforces device-to-device rules, allowing only servers access to the Process Control Network
But…
× Requires a secure Enterprise Network
× Limited protection against sophisticated attacks, due to lack of stateful inspection

2 port Firewall
Diagram: Enterprise Network, firewall, Process Control Network
• Stateful packet inspection
• Open question: in which network will the shared server be?
But…
× Either requires a rule to allow the shared server access to the Process Control Network
  × Risk of a spoofed shared server
× Or requires a rule to allow Enterprise Network computers access to the shared server on the Process Control Network
  × Risk of flaws in application layer software on the shared server

Firewall with DMZ
Diagram: Enterprise Network, firewall with DMZ, Process Control Network
• Stateful packet inspection
• No direct path from the Enterprise Network to the Process Control Network
• Servers in the DMZ have access to the Process Control Network
• Enterprise Network computers access servers in the DMZ
But…
× Increased complexity may lead to configuration errors

Outbound Connections Only
Diagram: Enterprise Network, firewall with DMZ, Process Control Network
• Stateful packet inspection
• No inbound connections to the Process Control Network
• Servers in the Process Control Network store data in DMZ-based data stores
• Enterprise Network computers access servers in the DMZ
But…
× Increased complexity may lead to configuration errors

Separation into VLANs
Diagram: Enterprise Network; HMI VLAN containing a server that is in the HMI VLAN, PLC VLAN 1 and PLC VLAN 2; PLC VLAN 1; PLC VLAN 2; all within the Process Control Network
• Limits allowed communication between devices on the same physical LAN
• Prevents propagation of unwanted traffic across all devices
But…
× To be used to separate devices within the Process Control Network rather than for separation of the Enterprise Network/DMZ from the Process Control Network

Simple ways to harden your site
It's the simple things…
• Isolate networks: install firewalls between IT and plant networks
• Turn off unnecessary services: turn off IIS, Telnet, FTP, Remote Desktop where not required (reduce attack surface)
• Restrict access to important machines: lock them up
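The "Dual homed + Personal Firewall" option above limits communication to named servers, and the closing slide lists the services to switch off. The following PowerShell is that host-side lockdown for a dual-homed GenBroker node, written as an added example for this page rather than taken from ICONICS. The interface aliases, the plant subnet, the single allowed enterprise server and the Windows service names are assumptions; the script changes the local machine and must run elevated. It also turns IP forwarding off on both interfaces, a step the slide does not name: a dual-homed Windows host with forwarding enabled routes packets between the two networks, which defeats the separation the design is supposed to keep.

```powershell
# Added example for this page (not ICONICS's own code): lock down a dual-homed
# GenBroker/HMI node with the built-in Windows Firewall. Run elevated.
#Requires -RunAsAdministrator

$EnterpriseNic  = 'Enterprise'          # assumed alias of the NIC on the Enterprise Network
$PlantNic       = 'PCN'                 # assumed alias of the NIC on the Process Control Network
$PlantSubnet    = '192.168.50.0/24'     # assumed Process Control Network address range
$AllowedServers = @('10.10.20.11')      # assumed: the only enterprise host allowed to talk to this node
$GenBrokerPort  = 38080                 # GenBroker TCP default from the deck

# Services the closing slide lists: IIS (W3SVC), Telnet (TlntSvr), FTP (ftpsvc), Remote Desktop (TermService).
$UnneededServices = @('W3SVC', 'TlntSvr', 'ftpsvc', 'TermService')

function Disable-UnneededServices {
    foreach ($name in $UnneededServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }                      # not installed: nothing to remove
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $name -StartupType Disabled
    }
    # Remote Desktop is also governed by this value; disabling the service alone is not enough.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Set-DualHomedFirewall {
    # Default deny inbound on every profile, so only the rules below open anything.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    foreach ($name in 'GenBroker from enterprise servers', 'GenBroker from plant network') {
        Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    }
    # Enterprise side: only the named servers, only the GenBroker port, only on that NIC.
    New-NetFirewallRule -DisplayName 'GenBroker from enterprise servers' -Direction Inbound -Action Allow `
        -InterfaceAlias $EnterpriseNic -Protocol TCP -LocalPort $GenBrokerPort -RemoteAddress $AllowedServers | Out-Null
    # Plant side: the plant subnet may reach GenBroker; nothing else is opened there either.
    New-NetFirewallRule -DisplayName 'GenBroker from plant network' -Direction Inbound -Action Allow `
        -InterfaceAlias $PlantNic -Protocol TCP -LocalPort $GenBrokerPort -RemoteAddress $PlantSubnet | Out-Null

    # A dual-homed host with forwarding on is a router between the two networks; make sure it is off.
    Set-NetIPInterface -InterfaceAlias $EnterpriseNic, $PlantNic -Forwarding Disabled
}

function Get-UnexpectedListeners {
    # Audit step: anything still listening besides GenBroker is attack surface to explain or remove.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ne $GenBrokerPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort -Unique
}

Disable-UnneededServices
Set-DualHomedFirewall
Get-UnexpectedListeners | Format-Table -AutoSize
```

The listener audit at the end is the check worth keeping: rerun it after every software install, because the slide's cons for this design (coarse granularity, hard to maintain across several servers) show up first as ports nobody remembers opening. Where OPC over SOAP/XML is not used, the same reasoning removes IIS from the node entirely rather than just stopping it.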