1 / 77

Plant Security, Traceability, and Electronic Records

HMI-20. Plant Security, Traceability, and Electronic Records. Mark Hepburn. Securing HMI/SCADA Networks. Network Security Is Critical For Today’s HMI/SCADA Networks are Everywhere Managing Security is Difficult People want “everything connected from anywhere” But the Risks Must be Managed

Download Presentation

Plant Security, Traceability, and Electronic Records

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. HMI-20 Plant Security, Traceability, and Electronic Records Mark Hepburn

  2. Securing HMI/SCADA Networks Network Security Is Critical For Today’s HMI/SCADA Networks are Everywhere Managing Security is Difficult People want “everything connected from anywhere” But the Risks Must be Managed SIMPLY and SECURELY!

  3. Security Should be Central to Your System

  4. Secure Connectivity Is Key

  5. Limit Access To Any Client

  6. ICONICS Security Environment • ICONICS Components Providing Security • Security Server • Secure Desktop • GenBroker (Network Level Security) • Complement Windows Operating System And Network Security • Synchronizes User Profiles • Security at communication protocol level • Biometric Integration • Security via network segregation/separation

  7. Biometrics Increase Security

  8. Tools for FDA 21 CFR 11 Compliance

  9. Let’s Demonstrate

  10. HMI-20 Phil Koehler ICONICS Security Server

  11. The ICONICS Security Server provides restricted access to functions based on concept of a logged-in user. V9 Security Server is now under the “ICONICS Tools” program group Configuring TheICONICS Security Server

  12. Choose “Basic” or “Advanced” Modes Advanced Options Standard ICONICS Integrated NT Security or Active Directory Single Sign-on Choose Security Type

  13. Configuration is saved in protected file format Saved to local or network server locations May be accessed from any networked node Security Config File Features

  14. Security Administration An “Administrator” must be established. At least one user must be established with “Security System Administrator” privileges enabled. There may be multiple administrators

  15. Group and User Permissions Security May Be Established In “Groups” And/Or For Individual “Users” Users Have Rights Of All Associated Groups Plus His Own Personal Privileges

  16. Configurable Properties • Allows configuration of user details and general properties

  17. Configurable Properties • Allows shift patterns to be defined for users • Prevents access using the username and password at specified times

  18. Configurable Properties • Account policy can be defined with fine granularity • Similar functionality to Windows

  19. Default Group Restrict Privileges To Anyone Using The PC Regardless Of Login

  20. Lock-Down many GENESIS32 Application Functions: By User or Group By Function Tree By Module Dozens of Functions E.g. Prohibit Exit Runtime Restrictions Apply Immediately Upon Change RestrictingApplication Privileges

  21. Easy Administration Restrictions may be applied to sets of functions

  22. Editing Existing Configurations Enter a “Security Server Administrator” User Name and Password Emergency password may be obtained from ICONICS. Provide the “Challenge Code” to ICONICS Global Technical Support Personnel

  23. Establishing Global“Critical Points” Force Login to Change “Critical Points” Click on Graphic for a Demo Log Into ICONICS Security Server

  24. Establishing Global“Critical Alarms” Force Login before a “Critical Alarms” can be acknowledged

  25. Critical PointsLet’s Demonstrate

  26. HMI-20 Rob Stanton DemoCritical PointsNT Security Integration

  27. HMI-20 GENBROKER SECURITY Dave Hellyer

  28. Communication Protocol Security • ICONICS Products use a client-server architecture • Use the GenClient/GenBroker architecture to communicate with • OPC Servers, DA, HDA, A&E, XML-DA • ICONICS Administrative Servers • Security & License • SNMP • Can use a variety of transport methods • COM/DCOM, TCP/IP, SOAP/XML

  29. COM/DCOM • Original communication infrastructure used between OPC Clients & Servers • Can be used for single node and network based applications • Requires DCOM security rights on server and client to be configured • Client rights required for call-backs • Both server and client need to belong to same NT domain, or trust relation between domains must be established

  30. COM/DCOM • Not particularly firewall friendly • Requires ports restriction • Default range is 1024 – 65535 • Port configuration via registry

  31. COM/DCOM GraphWorX32 (Client Application) GenClient OPC Server

  32. GenBroker – TCP/IP • ICONICS Communication Architecture • Uses native TCP/IP communication to encapsulate OPC calls • Communicates to all OPC Servers via GenBroker service • Communicates at near DCOM speeds • Can be used over any IP based carrier • Internet, Intranet, PPP, GPRS, etc.

  33. GenBroker – TCP/IP • Only requires single server side port • Firewall friendly • Default port 38080, can be changed • Integration with ICONICS security model

  34. GenBroker – TCP/IP GraphWorX32 (Client Application) GenBroker GenClient OPC Server

  35. GenBroker – SOAP/XML • ICONICS Communication Infrastructure • Uses native SOAP/XML communication to encapsulate OPC calls • Communicates to all OPC Servers via IIS and GenBroker service • Only requires single server side port • Standard HTTP port • Supports OPC DA, HDA, A&E

  36. GenBroker – SOAP/XML GraphWorX32 (Client Application) IIS GenClient GenBroker OPC Server

  37. COM/DCOM - TCP/IP - SOAP/XML

  38. Administrative Servers Genbroker can be configured to use (local)\remote Primary Server and a Secondary Server if available Administrative Servers can be setup as TRUE client/server

  39. Communication Channels OPC Direct (default) Direct channel over DCOM Direct channel over TCP/IP Direct channel over SOAP/XML Indirect channel via a mediator node

  40. Advanced Client SecurityFor Secure OPC Tunneling Remote OPC Server Credential Configuration Dialogue User defined credentials for automatic login to Servers requiring credentials

  41. Advanced Server Settings Turn off bindings to unnecessary network cards Disable OPC over SOAP/XML if not used Disable OPC over DCOM is not used for networking

  42. Advanced Server Security Data Servers can be locked down to deny write access Functionality can be restricted All writes can require Encrypted Credentials

  43. Advanced Server Client IDs Require Client IDs to limit access Restrict Client Node access Allowed Security Server Nodes Allowed License Server Nodes Require Client Versions

  44. Advanced Server License Restrictions Preferred Node list will grant Mission-Critical nodes preferential license access Can reserve Client Units for preferential license access

  45. HMI-20 Rob Stanton DemoGenBrokerLimiting Network Node Access

  46. HMI-20 Biometric Security

  47. Requires Unique Physical Features

  48. Identification

  49. Unique Login

  50. Integrated NT Security

More Related