770 likes | 972 Views
HMI-20. Plant Security, Traceability, and Electronic Records. Mark Hepburn. Securing HMI/SCADA Networks. Network Security Is Critical For Today’s HMI/SCADA Networks are Everywhere Managing Security is Difficult People want “everything connected from anywhere” But the Risks Must be Managed
E N D
HMI-20 Plant Security, Traceability, and Electronic Records Mark Hepburn
Securing HMI/SCADA Networks Network Security Is Critical For Today’s HMI/SCADA Networks are Everywhere Managing Security is Difficult People want “everything connected from anywhere” But the Risks Must be Managed SIMPLY and SECURELY!
ICONICS Security Environment • ICONICS Components Providing Security • Security Server • Secure Desktop • GenBroker (Network Level Security) • Complement Windows Operating System And Network Security • Synchronizes User Profiles • Security at communication protocol level • Biometric Integration • Security via network segregation/separation
HMI-20 Phil Koehler ICONICS Security Server
The ICONICS Security Server provides restricted access to functions based on concept of a logged-in user. V9 Security Server is now under the “ICONICS Tools” program group Configuring TheICONICS Security Server
Choose “Basic” or “Advanced” Modes Advanced Options Standard ICONICS Integrated NT Security or Active Directory Single Sign-on Choose Security Type
Configuration is saved in protected file format Saved to local or network server locations May be accessed from any networked node Security Config File Features
Security Administration An “Administrator” must be established. At least one user must be established with “Security System Administrator” privileges enabled. There may be multiple administrators
Group and User Permissions Security May Be Established In “Groups” And/Or For Individual “Users” Users Have Rights Of All Associated Groups Plus His Own Personal Privileges
Configurable Properties • Allows configuration of user details and general properties
Configurable Properties • Allows shift patterns to be defined for users • Prevents access using the username and password at specified times
Configurable Properties • Account policy can be defined with fine granularity • Similar functionality to Windows
Default Group Restrict Privileges To Anyone Using The PC Regardless Of Login
Lock-Down many GENESIS32 Application Functions: By User or Group By Function Tree By Module Dozens of Functions E.g. Prohibit Exit Runtime Restrictions Apply Immediately Upon Change RestrictingApplication Privileges
Easy Administration Restrictions may be applied to sets of functions
Editing Existing Configurations Enter a “Security Server Administrator” User Name and Password Emergency password may be obtained from ICONICS. Provide the “Challenge Code” to ICONICS Global Technical Support Personnel
Establishing Global“Critical Points” Force Login to Change “Critical Points” Click on Graphic for a Demo Log Into ICONICS Security Server
Establishing Global“Critical Alarms” Force Login before a “Critical Alarms” can be acknowledged
HMI-20 Rob Stanton DemoCritical PointsNT Security Integration
HMI-20 GENBROKER SECURITY Dave Hellyer
Communication Protocol Security • ICONICS Products use a client-server architecture • Use the GenClient/GenBroker architecture to communicate with • OPC Servers, DA, HDA, A&E, XML-DA • ICONICS Administrative Servers • Security & License • SNMP • Can use a variety of transport methods • COM/DCOM, TCP/IP, SOAP/XML
COM/DCOM • Original communication infrastructure used between OPC Clients & Servers • Can be used for single node and network based applications • Requires DCOM security rights on server and client to be configured • Client rights required for call-backs • Both server and client need to belong to same NT domain, or trust relation between domains must be established
COM/DCOM • Not particularly firewall friendly • Requires ports restriction • Default range is 1024 – 65535 • Port configuration via registry
COM/DCOM GraphWorX32 (Client Application) GenClient OPC Server
GenBroker – TCP/IP • ICONICS Communication Architecture • Uses native TCP/IP communication to encapsulate OPC calls • Communicates to all OPC Servers via GenBroker service • Communicates at near DCOM speeds • Can be used over any IP based carrier • Internet, Intranet, PPP, GPRS, etc.
GenBroker – TCP/IP • Only requires single server side port • Firewall friendly • Default port 38080, can be changed • Integration with ICONICS security model
GenBroker – TCP/IP GraphWorX32 (Client Application) GenBroker GenClient OPC Server
GenBroker – SOAP/XML • ICONICS Communication Infrastructure • Uses native SOAP/XML communication to encapsulate OPC calls • Communicates to all OPC Servers via IIS and GenBroker service • Only requires single server side port • Standard HTTP port • Supports OPC DA, HDA, A&E
GenBroker – SOAP/XML GraphWorX32 (Client Application) IIS GenClient GenBroker OPC Server
Administrative Servers Genbroker can be configured to use (local)\remote Primary Server and a Secondary Server if available Administrative Servers can be setup as TRUE client/server
Communication Channels OPC Direct (default) Direct channel over DCOM Direct channel over TCP/IP Direct channel over SOAP/XML Indirect channel via a mediator node
Advanced Client SecurityFor Secure OPC Tunneling Remote OPC Server Credential Configuration Dialogue User defined credentials for automatic login to Servers requiring credentials
Advanced Server Settings Turn off bindings to unnecessary network cards Disable OPC over SOAP/XML if not used Disable OPC over DCOM is not used for networking
Advanced Server Security Data Servers can be locked down to deny write access Functionality can be restricted All writes can require Encrypted Credentials
Advanced Server Client IDs Require Client IDs to limit access Restrict Client Node access Allowed Security Server Nodes Allowed License Server Nodes Require Client Versions
Advanced Server License Restrictions Preferred Node list will grant Mission-Critical nodes preferential license access Can reserve Client Units for preferential license access
HMI-20 Rob Stanton DemoGenBrokerLimiting Network Node Access
HMI-20 Biometric Security