Secure by Design
Devices and technologies developed to create secure, fortified environments.
Purchasing devices and technologies that have been developed “Secure by Design”, or which make it easy to create secure, fortified environments, is another good practice to consider when implementing defence-in-depth strategies. In industrial computing, three basic elements are defined: the field devices that enable process control (PLCs, RTUs, DCSs), the industrial protocols these devices use to communicate, and the industrial applications and real-time systems (SCADA, HMI, Historian) that those protocols connect the devices to.
Logitek Industrial Cyber Security provides “Secure by Design” solutions for each of these three elements:
Fortified remote solutions
A suite of LK Remote solutions that include PLC features permitting remote authorised access (password management) by means of secure protocols such as SSL or HTTPS.
They use the IEEE 802.1X standard for secure authentication at wireless access points.
They incorporate over 40 industrial protocols, including DNP3 Secure.
They include a built-in firewall, incorporate OpenVPN software so the remote device can be a client of any virtual private network, and have IP67 protection to guarantee availability at extreme temperatures (-40 ºC to 75 ºC).
Secure industrial protocols
Two solutions to fortify the OPC protocol: OPC UA software and a firewall with specific firmware.
Kepware OPC UA servers (Open Connectivity Unified Architecture) feature the integration of the remaining specifications (DA, HDA, A&E), operating system independence, development under SOA, accessibility by means of HTTP protocols and integration of native security.
They are “OPC UA Certified”, i.e. they provide the security functions specified by the standard: confidentiality, integrity, availability, application and user authentication, authorisation and auditability.
The configuration that enables secure OPC communications to be made is commonly known as an OPC tunnel (both the client and the server need to support OPC UA). In the case of Kepware, this is not a product, but the use and proper deployment of the following components:
- KEPServerEX v5
- OPC Connectivity Suite
All the OPC DA servers Kepware distributes include the option of parametrization as OPC UA.
The majority of protocols can use fixed ports to serve requests (e.g. Modbus uses 502). OPC, by contrast, dynamically assigns a TCP port to each client request, which makes it an “unfriendly” protocol when a firewall has been deployed between the field device and the SCADA system.
The Tofino OPC Enforcer LSM (Loadable Security Module), associated with the Eagle 20 Tofino firewall, inspects, traces and provides security for each of the connections made between a server and an OPC client. To do this, it only opens the TCP port required for each communication, and only between a certain client and a certain server.
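The per-connection port opening described above can be pictured with a small model. This is an added example, not Tofino code or its actual inspection logic: the class, the event names, the sample addresses and the rule that a pinhole is removed when the session closes are all assumptions, and the use of TCP 135 as the DCOM endpoint mapper is background knowledge about OPC Classic rather than something stated on this page.

```python
from dataclasses import dataclass, field

# Background fact, not from the page: OPC Classic rides on DCOM, whose
# endpoint mapper listens on TCP 135 and hands out a dynamic port per session.
ENDPOINT_MAPPER_PORT = 135


@dataclass
class OpcPinholeFilter:
    """Simplified model: allow a dynamic port only for the pair that negotiated it."""
    allowed_pairs: set                      # {(client_ip, server_ip)} permitted to use OPC
    pinholes: set = field(default_factory=set)

    def handle(self, event):
        kind, client, server, port = event
        if kind == "assign":                # server reply naming the dynamic port
            if (client, server) not in self.allowed_pairs:
                return "drop"
            self.pinholes.add((client, server, port))
            return "pinhole-opened"
        if kind == "close":                 # assumed: session end removes the pinhole
            self.pinholes.discard((client, server, port))
            return "pinhole-closed"
        # kind == "connect": an inbound TCP connection attempt
        if port == ENDPOINT_MAPPER_PORT:
            ok = (client, server) in self.allowed_pairs
        else:
            ok = (client, server, port) in self.pinholes
        return "allow" if ok else "drop"


def replay(events, allowed_pairs):
    """Run a list of events through a fresh filter and return each verdict."""
    fw = OpcPinholeFilter(allowed_pairs=set(allowed_pairs))
    return [fw.handle(e) for e in events]


# Constructed sample traffic (addresses and ports are made up for illustration).
SCADA, HISTORIAN, OPC_SERVER = "10.0.1.10", "10.0.1.20", "10.0.2.5"
SAMPLE_EVENTS = [
    ("connect", SCADA, OPC_SERVER, 135),        # allowed pair reaches the mapper
    ("assign", SCADA, OPC_SERVER, 49231),       # server assigns a dynamic port
    ("connect", SCADA, OPC_SERVER, 49231),      # negotiated port, same pair
    ("connect", HISTORIAN, OPC_SERVER, 49231),  # same port, different client
    ("connect", SCADA, OPC_SERVER, 49232),      # port nobody negotiated
    ("close", SCADA, OPC_SERVER, 49231),
    ("connect", SCADA, OPC_SERVER, 49231),      # pinhole is gone after close
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, [(SCADA, OPC_SERVER)])):
        print(ev, "->", verdict)
```

A static firewall rule would have to leave the whole dynamic port range open to reach the same server; here only the single negotiated port is reachable, and only from the client that negotiated it.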
Fortified SCADA solutions
The software solutions supplied by Wonderware have been developed with secure programming methodologies, can be deployed with various levels of redundancy (communication, application, logs, display) and can be virtualized to exploit the advantages this technology provides (reuse, high availability, disaster recovery).