Moderator
Don Pearson
Chief Strategy Officer
Inductive Automation
Today’s Agenda
• Introduction to Ignition
• SCADA/ICS Security Basics
• Approaches to SCADA/ICS Security
• Tools for Protecting Your Network
• Security Hardening in Ignition
• Q&A
About Inductive Automation
• Founded in 2003
• HMI, SCADA, MES, and IIoT software
• Installed in 100+ countries
• Over 1,500 integrators
• Used by 48% of Fortune 100 companies
Learn more at: inductiveautomation.com/about
Used By Industries Worldwide
Ignition: Industrial Application Platform
One Universal Platform for SCADA, MES & IIoT:
• Unlimited licensing model
• Cross-platform compatibility
• Based on IT-standard technologies
• Scalable server-client architecture
• Web-managed
• Web-launched on desktop or mobile
• Modular configurability
• Rapid development and deployment
Presenter
Kevin McClusky
Co-Director of Sales Engineering,
Inductive Automation
Disclaimer
Cybersecurity is a deep and complex topic, and this webinar presents a general overview of the subject. It is not intended as comprehensive instruction or training on industrial control system security. It contains general, widely applicable guidelines about ICS security; however, because every organization is different, you should work with a security expert to make sure that your specific security needs are met.
Different Types of Security
SCADA/ICS Security Basics
Three laws of SCADA security:
• Nothing is 100% secure.
• All software can be hacked.
• Every piece of information can be an attack.
– From SCADA Security – What’s Broken and How to Fix It by Andrew Ginter
SCADA/ICS Security Basics
Who’s attacking our systems?
• Insiders (corporate insiders & SCADA insiders)
• Organized Crime
• Hackers
• Intelligence Agencies
• Military
SCADA/ICS Security Basics
How are they attacking us?
• Phishing
- #1 attack vector for ICS
- Spear phishing
- In 2016, 30% of phishing messages were opened, up from 23% in 2015
• Malware & ransomware
High-profile attacks:
- WannaCry & NotPetya (2017)
- Stuxnet (2010)
• Weak authentication
• SQL injection
• Network scanning
• Abuse of authority
• Brute force
• Rogue devices
• Removable media
Approaches to SCADA/ICS Security
What can we do about it?
• Keep it simple. Complexity doesn’t improve security.
• Know your environment (which machines & software versions you have, your normal traffic level, etc.).
• You can’t eliminate risk, but you can mitigate risk.
• Make it very difficult and expensive to pull off an attack.
Approaches to SCADA/ICS Security
IT Security
• Software-based
• Focus: detecting & responding to intrusion
• Stakes: compromised or stolen data, system crashes, interruption, financial losses, etc.
ICS Security
• Hardware-based
• Focus: preventing intrusion
• Stakes: loss of life, environmental damage, economic impact
Industrial organizations must focus on prevention while also implementing IT-class security measures in order to secure their control systems.
Approaches to SCADA/ICS Security
Tools for Protecting Your Network
Authentication
• Username/password (Don’t use default passwords!)
• User- and role-based security (based on the Principle of Least Privilege)
• Biometrics (fingerprints, retina scans)
• Public Key Infrastructure (PKI)
• Key cards
• USB tokens
• Application security: role-based settings/permissions can be used to secure applications (clients, design environment, tags)
• Database connection encryption
• OPC UA connections
Tools for Protecting Your Network
Encryption (TLS/SSL/https)
• Encrypts all data sent over HTTP (HTTPS)
• Protects against snooping & session hijacking
• Can be used to protect the SCADA Gateway
• Can be used with a VLAN to secure native device communication
• Can be used to encrypt OPC UA communication
• Can be used to help secure databases that support TLS/SSL
Tools for Protecting Your Network
Auditing
• Record details about specific events
• Track down who did what from where
• Helpful in deterring attacks by SCADA insiders
• Use audit logs, trails, profiles
Tools for Protecting Your Network
Ways to Protect Your Operating System:
• Remove any unnecessary programs.
• Keep OS patches & service packs up-to-date.
• Disable remote services on Windows.
• Set up firewalls to restrict network traffic; close all ports and only reopen ports that are necessary.
• Set up firewalls on redundant servers.
• If remote access is required, get a VPN device with good multi-factor authentication.
Tools for Protecting Your Network
Ways to Secure Your Device/PLC Connections:
• Native device communication options:
- Keep on a separate, private OT network
- Network segmentation
- VLAN with encryption
- Set up routing rules
- Use edge-of-network gateway as bridge between device & network
• OPC UA and MQTT communication offer built-in security, and communications can be encrypted over TLS
Tools for Protecting Your Network
[Diagram: SCADA Network → Unidirectional Gateway (TX interface → RX interface) → IT Network]
Unidirectional Gateways (data diodes) are an option for standalone networks with tight controls over what goes in and out.
Tools for Protecting Your Network
Physical Security:
• Because control devices like PLCs cannot be locked down, it is essential to implement physical security measures, such as the following:
- Badges & badge readers
- Physical media controls (including laptops, phones, USB keys)
- Video monitoring
- Policies and training
- Guards
Security Hardening in Ignition
• The following steps are intended to provide general guidance on how to set up and secure your Ignition installation
• General suggestions regarding the hardware and network where Ignition is installed
Security Hardening in Ignition
Secure the Gateway
• Change the Admin Password
• Configure Access for the Gateway
• Enable SSL
- Acquire and install an SSL Certificate for Ignition from a certificate authority (highly recommended)
Demo: Securing the Gateway
Security Hardening in Ignition
Device, MQTT, and OPC Security
• OPC UA Communication
• Native Device Communication
• MQTT
Demo: Device, MQTT, and OPC Security
Security Hardening in Ignition
Use Security Zones
• A Security Zone is a list of Gateways, Computers, or IP addresses that are defined and grouped together.
• When zones are defined, you can place additional policies & restrictions on them.
• Provides read-only and read/write access to specified locations.
• Helps keep different areas of the business separate while allowing them to interconnect.
Demo: Security Zones
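The zone model above, worked through as an added example (this is illustration code, not Ignition's own implementation): zones are named sets of IP networks with a read-only or read/write level per tag-path prefix, an address in no zone is denied, the longest matching prefix wins inside a zone, and an address that falls in several zones gets the most restrictive level. All addresses, zone names and tag paths are constructed.

```python
"""Zone-based access check in the spirit of Ignition Security Zones.

Added illustration, not Ignition's own code.  Assumptions: a zone is a named
set of IP networks plus a policy per tag-path prefix (read-only or
read/write); a source in no zone is denied; the longest matching prefix wins
inside a zone; a source that falls in several zones gets the most restrictive
of their levels.  All addresses and tag paths are made up.
"""
from dataclasses import dataclass, field
import ipaddress

DENY, READ_ONLY, READ_WRITE = "deny", "read-only", "read/write"
RANK = {DENY: 0, READ_ONLY: 1, READ_WRITE: 2}


@dataclass
class SecurityZone:
    name: str
    networks: list                                   # CIDR strings
    policies: dict = field(default_factory=dict)     # tag-path prefix -> level

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

    def level_for(self, tag_path):
        # Longest matching prefix decides; no matching prefix means deny.
        best = max((p for p in self.policies if tag_path.startswith(p)),
                   key=len, default=None)
        return self.policies[best] if best is not None else DENY


# Constructed zones: the control room may write, but safety tags stay
# read-only; corporate IT and contractors are read-only everywhere.
ZONES = [
    SecurityZone("ControlRoom", ["10.20.0.0/24"],
                 {"[default]Line1/": READ_WRITE,
                  "[default]Line1/Safety/": READ_ONLY}),
    SecurityZone("Contractors", ["10.20.0.128/25"],
                 {"[default]Line1/": READ_ONLY}),
    SecurityZone("CorporateIT", ["192.168.10.0/24"],
                 {"[default]Line1/": READ_ONLY}),
]


def effective_level(ip, tag_path, zones):
    """Most restrictive level across every zone the source address falls in."""
    levels = [z.level_for(tag_path) for z in zones if z.contains(ip)]
    if not levels:
        return DENY                        # unknown source: default deny
    return min(levels, key=RANK.get)


def check_access(ip, tag_path, action, zones=ZONES):
    """Return (allowed, reason) for a 'read' or 'write' of tag_path from ip."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    level = effective_level(ip, tag_path, zones)
    needed = READ_WRITE if action == "write" else READ_ONLY
    allowed = RANK[level] >= RANK[needed]
    reason = "%s from %s on %s: effective level %s" % (action, ip, tag_path, level)
    return allowed, reason


if __name__ == "__main__":
    for ip, path, action in [
        ("10.20.0.15", "[default]Line1/Pump1/Setpoint", "write"),
        ("10.20.0.15", "[default]Line1/Safety/Interlock", "write"),
        ("10.20.0.200", "[default]Line1/Pump1/Setpoint", "write"),
        ("192.168.10.7", "[default]Line1/Pump1/Setpoint", "read"),
        ("172.16.5.5", "[default]Line1/Pump1/Setpoint", "read"),
    ]:
        ok, why = check_access(ip, path, action)
        print("ALLOW" if ok else "DENY ", why)
```

Note that 10.20.0.200 sits in both the ControlRoom and Contractors networks, so its write is refused even though the control-room policy alone would allow it.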
Security Hardening in Ignition
Define Application Security
• Client Security
• Designer Security
• Tag Security
• Named Queries
Demo: Defining Application Security
Security Hardening in Ignition
Set Up Audit Logging
• Audit Profiles are simple to set up, and immediately start recording events.
• Only tag writes, SQL UPDATE, SQL INSERT, and SQL DELETE statements are recorded. A time-stamp is also recorded.
Demo: Setting Up Audit Logging
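What an audit trail buys you once it exists, as an added example (not Ignition code): a review pass over constructed audit records that flags writes from outside the control network, tag writes outside approved hours, SQL DELETEs, and a burst of writes by one actor. The pipe-separated record layout, the network range, the approved hours and the burst threshold are all assumptions built from the fields the deck says an audit profile records.

```python
"""Review of Ignition-style audit records (added example, not Ignition code).

The record layout (timestamp|actor|actor host|action|target|value) is an
assumption based on what the deck says an audit profile captures: tag writes
and SQL UPDATE/INSERT/DELETE, each with a time-stamp, so that you can see who
did what from where.  Networks, hours and thresholds are constructed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample audit records (not real data).
SAMPLE_AUDIT = """\
2017-06-12T09:14:02|operator1|10.20.0.15|tag write|[default]Line1/Pump1/Setpoint|42.0
2017-06-12T09:20:11|operator1|10.20.0.15|tag write|[default]Line1/Pump1/Setpoint|45.0
2017-06-12T23:41:55|maint_bob|192.168.10.7|tag write|[default]Line1/Safety/Interlock|0
2017-06-12T23:42:01|maint_bob|192.168.10.7|SQL DELETE|alarm_events|14 rows
2017-06-13T10:00:00|operator2|10.20.0.16|tag write|[default]Line2/Valve3/Cmd|1
2017-06-13T10:00:05|operator2|10.20.0.16|tag write|[default]Line2/Valve4/Cmd|1
2017-06-13T10:00:09|operator2|10.20.0.16|tag write|[default]Line2/Valve5/Cmd|1
2017-06-13T10:00:12|operator2|10.20.0.16|tag write|[default]Line2/Valve6/Cmd|1
2017-06-13T10:00:15|operator2|10.20.0.16|tag write|[default]Line2/Valve7/Cmd|1
2017-06-13T10:00:19|operator2|10.20.0.16|tag write|[default]Line2/Valve8/Cmd|1
"""

CONTROL_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # assumed OT network
APPROVED_HOURS = range(6, 20)             # tag writes expected 06:00-19:59
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=30)


def parse_audit(text):
    """Parse pipe-separated records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, host, action, target, value = line.split("|", 5)
        records.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                        "host": host, "action": action,
                        "target": target, "value": value})
    return records


def review(records):
    """Return (kind, actor, detail) findings that deserve a human look."""
    findings = []
    for r in records:
        when = r["ts"].isoformat()
        if ipaddress.ip_address(r["host"]) not in CONTROL_NETWORK:
            findings.append(("outside-network", r["actor"],
                             "%s from %s at %s" % (r["action"], r["host"], when)))
        if r["action"] == "tag write" and r["ts"].hour not in APPROVED_HOURS:
            findings.append(("off-hours-write", r["actor"],
                             "%s at %s" % (r["target"], when)))
        if r["action"] == "SQL DELETE":
            findings.append(("sql-delete", r["actor"],
                             "%s (%s) at %s" % (r["target"], r["value"], when)))

    # Burst check: BURST_COUNT or more tag writes by one actor inside
    # BURST_WINDOW, found with a sliding window over sorted timestamps.
    writes = defaultdict(list)
    for r in records:
        if r["action"] == "tag write":
            writes[r["actor"]].append(r["ts"])
    for actor, times in writes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                findings.append(("write-burst", actor,
                                 "%d writes in %ds ending %s"
                                 % (end - start + 1, (t - times[start]).seconds,
                                    t.isoformat())))
                break                      # one finding per actor is enough
    return findings


if __name__ == "__main__":
    for kind, actor, detail in review(parse_audit(SAMPLE_AUDIT)):
        print("%-16s %-10s %s" % (kind, actor, detail))
```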
Security Hardening in Ignition
Protect the Database
• Rather than using a database owner account such as root or sa, we recommend creating a separate user account with limited privileges for the database connection with the Ignition Gateway.
• If your database supports TLS encryption, use it for the Ignition-to-database connection.
• TLS can be enabled for databases running on different servers (follow the information for its JDBC driver and internal security settings).
Security Hardening in Ignition
Securing Java
• Change Java security settings
• Keep Java up-to-date
Security Hardening in Ignition
Securing Java
Disable Java Plug-In in Web Browsers
Security Hardening in Ignition
Turning on the Firewall
• Enable firewall for all traffic
• Allow needed ports through
Demo: Configuring Windows Firewall
Security Hardening in Ignition
Active Directory and Authentication Services
• Group Access and Disabling Auto Login
• User Accounts
• LDAP Protocol Security
Demo: Active Directory & Authentication Services
Security Hardening in Ignition
Keep Ignition Up-to-Date
• Software security requires constant effort and maintenance
• Security updates are released periodically to ensure continued protection
• Keeping up-to-date with updates is strongly recommended
Summary
Questions & Comments
Jim Meisler x227
Vannessa Garcia x231
Vivian Mudge x253
Account Executives
Myron Hoertling x224
Shane Miller x218
Ramin Rofagha x251
Maria Chinappi x264
Dan Domerofski x273
Lester Ares x214
Melanie Hottman
Director of Sales:
800-266-7798 x247
Jeff Osterback x207
Kevin McClusky
Co-Director of Sales Engineering:
x237
kmcclusky@inductiveautomation.com
Design Like a Pro: SCADA Security Guidelines

More Related Content

What's hot

What's hot (20)

Top 10 Design & Security Tips to Elevate Your SCADA System
Top 10 Design & Security Tips to Elevate Your SCADA SystemTop 10 Design & Security Tips to Elevate Your SCADA System
Top 10 Design & Security Tips to Elevate Your SCADA System
 
Design Like a Pro: Alarm Management
Design Like a Pro: Alarm ManagementDesign Like a Pro: Alarm Management
Design Like a Pro: Alarm Management
 
Integrator Evolution: Discussing Current Challenges & Future Trends in Indust...
Integrator Evolution: Discussing Current Challenges & Future Trends in Indust...Integrator Evolution: Discussing Current Challenges & Future Trends in Indust...
Integrator Evolution: Discussing Current Challenges & Future Trends in Indust...
 
Get More Data Into Your SCADA
Get More Data Into Your SCADAGet More Data Into Your SCADA
Get More Data Into Your SCADA
 
Leveraging Operational Data in the Cloud
Leveraging Operational Data in the CloudLeveraging Operational Data in the Cloud
Leveraging Operational Data in the Cloud
 
Integrator Roundtable Discussion: Facing the Future of Automation
Integrator Roundtable Discussion: Facing the Future of AutomationIntegrator Roundtable Discussion: Facing the Future of Automation
Integrator Roundtable Discussion: Facing the Future of Automation
 
IIOT on Variable Frequency Drives
IIOT on Variable Frequency DrivesIIOT on Variable Frequency Drives
IIOT on Variable Frequency Drives
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security Guidelines
 
Practical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingPractical IIoT Solutions for Manufacturing
Practical IIoT Solutions for Manufacturing
 
Industrial Internet
Industrial InternetIndustrial Internet
Industrial Internet
 
Et software brochure
Et software brochureEt software brochure
Et software brochure
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise Solutions
 
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With EaseThe New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
 
Smart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsSmart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of Things
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respond
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and Production
 
Bringing Digital Transformation Into Focus
Bringing Digital Transformation Into FocusBringing Digital Transformation Into Focus
Bringing Digital Transformation Into Focus
 
Integrator Roundtable Discussion: Facing the Future of Automation
Integrator Roundtable Discussion: Facing the Future of AutomationIntegrator Roundtable Discussion: Facing the Future of Automation
Integrator Roundtable Discussion: Facing the Future of Automation
 

Similar to Design Like a Pro: SCADA Security Guidelines

Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
Desmond Devendran
 
Network Security, Change Control, Outsourcing
Network Security, Change Control, OutsourcingNetwork Security, Change Control, Outsourcing
Network Security, Change Control, Outsourcing
Nicholas Davis
 
Network security, change control, outsourcing
Network security, change control, outsourcingNetwork security, change control, outsourcing
Network security, change control, outsourcing
Nicholas Davis
 

Similar to Design Like a Pro: SCADA Security Guidelines (20)

Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
 
Network Security, Change Control, Outsourcing
Network Security, Change Control, OutsourcingNetwork Security, Change Control, Outsourcing
Network Security, Change Control, Outsourcing
 
Chapter08
Chapter08Chapter08
Chapter08
 
Network security, change control, outsourcing
Network security, change control, outsourcingNetwork security, change control, outsourcing
Network security, change control, outsourcing
 
C days2015
C days2015C days2015
C days2015
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
Cloak your critical industrial control systems before they get hacked
Cloak your critical industrial control systems before they get hackedCloak your critical industrial control systems before they get hacked
Cloak your critical industrial control systems before they get hacked
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdf
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity Risk
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Network security
Network securityNetwork security
Network security
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
 

More from Inductive Automation

More from Inductive Automation (20)

De-Risk Your Digital Transformation — And Reduce Time, Cost & Complexity
De-Risk Your Digital Transformation — And Reduce Time, Cost & ComplexityDe-Risk Your Digital Transformation — And Reduce Time, Cost & Complexity
De-Risk Your Digital Transformation — And Reduce Time, Cost & Complexity
 
Overcoming Digital Transformation Pain Points
Overcoming Digital Transformation Pain PointsOvercoming Digital Transformation Pain Points
Overcoming Digital Transformation Pain Points
 
How Ignition Eases SCADA Pain Points
How Ignition Eases SCADA Pain PointsHow Ignition Eases SCADA Pain Points
How Ignition Eases SCADA Pain Points
 
New Ignition Features In Action
New Ignition Features In ActionNew Ignition Features In Action
New Ignition Features In Action
 
Solving Data Problems to Accelerate Digital Transformation.pptx
Solving Data Problems to Accelerate Digital Transformation.pptxSolving Data Problems to Accelerate Digital Transformation.pptx
Solving Data Problems to Accelerate Digital Transformation.pptx
 
Turn Any Panel PC Into an Ignition HMI
Turn Any Panel PC Into an Ignition HMITurn Any Panel PC Into an Ignition HMI
Turn Any Panel PC Into an Ignition HMI
 
5 Mobile-Responsive Layout Strategies
5 Mobile-Responsive Layout Strategies5 Mobile-Responsive Layout Strategies
5 Mobile-Responsive Layout Strategies
 
Integrators Explore the Road Ahead
Integrators Explore the Road AheadIntegrators Explore the Road Ahead
Integrators Explore the Road Ahead
 
The Art of Displaying Industrial Data
The Art of Displaying Industrial DataThe Art of Displaying Industrial Data
The Art of Displaying Industrial Data
 
Common Project Mistakes: Visualization, Alarms, and Security
Common Project Mistakes: Visualization, Alarms, and SecurityCommon Project Mistakes: Visualization, Alarms, and Security
Common Project Mistakes: Visualization, Alarms, and Security
 
Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)
 
First Steps to DevOps
First Steps to DevOpsFirst Steps to DevOps
First Steps to DevOps
 
Choosing a SCADA System for the IIoT Era
Choosing a SCADA System for the IIoT Era Choosing a SCADA System for the IIoT Era
Choosing a SCADA System for the IIoT Era
 
Design Like a Pro: How to Pick the Right System Architecture
Design Like a Pro: How to Pick the Right System ArchitectureDesign Like a Pro: How to Pick the Right System Architecture
Design Like a Pro: How to Pick the Right System Architecture
 
The Evolution of Industrial Visualization
The Evolution of Industrial VisualizationThe Evolution of Industrial Visualization
The Evolution of Industrial Visualization
 
Historic Opportunities: Discover the Power of Ignition's Historian
Historic Opportunities: Discover the Power of Ignition's HistorianHistoric Opportunities: Discover the Power of Ignition's Historian
Historic Opportunities: Discover the Power of Ignition's Historian
 
Unlocking Greater Efficiency: The Why and How of OEE Implementation
Unlocking Greater Efficiency: The Why and How of OEE ImplementationUnlocking Greater Efficiency: The Why and How of OEE Implementation
Unlocking Greater Efficiency: The Why and How of OEE Implementation
 
Leveraging Ignition Quick Start to Rapidly Build Real Projects
Leveraging Ignition Quick Start to Rapidly Build Real ProjectsLeveraging Ignition Quick Start to Rapidly Build Real Projects
Leveraging Ignition Quick Start to Rapidly Build Real Projects
 
Design Like a Pro: Developing & Deploying Perspective Applications as HMIs
Design Like a Pro: Developing & Deploying Perspective Applications as HMIsDesign Like a Pro: Developing & Deploying Perspective Applications as HMIs
Design Like a Pro: Developing & Deploying Perspective Applications as HMIs
 
Integrator Discussion: Leading Through Innovation During COVID-19 and Beyond
Integrator Discussion: Leading Through Innovation During COVID-19 and BeyondIntegrator Discussion: Leading Through Innovation During COVID-19 and Beyond
Integrator Discussion: Leading Through Innovation During COVID-19 and Beyond
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Design Like a Pro: SCADA Security Guidelines

  • 1.
  • 2. Moderator Don Pearson Chief Strategy Officer Inductive Automation
  • 3. Today’s Agenda • Introduction to Ignition • SCADA/ICS Security Basics • Approaches to SCADA/ICS Security • Tools for Protecting Your Network • Security Hardening in Ignition • Q&A
  • 4. About Inductive Automation • Founded in 2003 • HMI, SCADA, MES, and IIoT software • Installed in 100+ countries • Over 1,500 integrators • Used by 48% of Fortune 100 companies Learn more at: inductiveautomation.com/about
  • 5. Used By Industries Worldwide
  • 6. Ignition: Industrial Application Platform One Universal Platform for SCADA, MES & IIoT: • Unlimited licensing model • Cross-platform compatibility • Based on IT-standard technologies • Scalable server-client architecture • Web-managed • Web-launched on desktop or mobile • Modular configurability • Rapid development and deployment
  • 7. Presenter Kevin McClusky Co-Director of Sales Engineering, Inductive Automation
  • 8. Disclaimer Cybersecurity is a deep and complex topic, and this webinar presents a general overview of the subject. It is not intended as comprehensive instruction or training on industrial control system security. It contains general, widely applicable guidelines about ICS security; however, because every organization is different, you should work with a security expert to make sure that your specific security needs are met.
  • 10. SCADA/ICS Security Basics Three laws of SCADA security: • Nothing is 100% secure. • All software can be hacked. • Every piece of information can be an attack. – From SCADA Security – What’s Broken and How to Fix It by Andrew Ginter
  • 11. SCADA/ICS Security Basics Who’s attacking our systems? • Insiders (corporate insiders & SCADA insiders) • Organized Crime • Hackers • Intelligence Agencies • Military
  • 12. SCADA/ICS Security Basics How are they attacking us? • Phishing - #1 attack vector for ICS - Spear phishing - In 2016, 30% of phishing messages were opened, up from 23% in 2015 • Malware & ransomware High-profile attacks: - WannaCry & Not Petya (2017) - Stuxnet (2010) • Weak authentication • SQL injection • Network scanning • Abuse of authority • Brute force • Rogue devices • Removable media
  • 13. Approaches to SCADA/ICS Security What can we do about it? • Keep it simple. Complexity doesn’t improve security. • Know your environment (which machines & software versions you have, your normal traffic level, etc.). • You can’t eliminate risk but you can mitigate risk. • Make it very difficult and expensive to pull off an attack.
  • 14. Approaches to SCADA/ICS Security IT Security • Software-based • Focus: detecting & responding to intrusion • Stakes: compromised or stolen data, system crashes, interruption, financial losses, etc. ICS Security • Hardware-based • Focus: preventing intrusion • Stakes: loss of life, environmental damage, economic impact Industrial organizations must focus on prevention while also implementing IT-class security measures in order to secure their control systems.
  • 17. Tools for Protecting Your Network Authentication • Username/password (Don’t use default passwords!) • User- and role-based security (Based on Principle of Least Privilege) • Biometrics (fingerprints, retina scans) • Public Key Infrastructure (PKI) • Key cards • USB tokens • Application security: role-based settings/permissions can be used to secure applications (clients, design environment, tags) • Database connection encryption • OPC UA connections
  • 18. Tools for Protecting Your Network Encryption (TLS/SSL/https) • Encrypts all data sent over HTTP • Protects against snooping & session hijacking • Can be used to protect the SCADA Gateway • Can be used with a VLAN to secure native device communication • Can be used to encrypt OPC UA communication • Can be used to help secure databases that support TLS/SSL
  • 19. Tools for Protecting Your Network Auditing • Record details about specific events • Track down who did what from where • Helpful in deterring attacks by SCADA insiders • Use audit logs, trails, profiles
  • 20. Tools for Protecting Your Network Ways to Protect Your Operating System: • Remove any unnecessary programs. • Keep OS patches & service packs up-to-date. • Disable remote services on Windows. • Set up firewalls to restrict network traffic; close all ports and only reopen ports that are necessary. • Set up firewalls on redundant servers. • If remote access is required, get a VPN device with good multi-factor authentication.
• 21. Tools for Protecting Your Network
Ways to Secure Your Device/PLC Connections:
• Native device communication options (these protocols generally have no authentication or encryption of their own, so the network has to provide both):
- Keep on a separate, private OT network
- Network segmentation
- VLAN to isolate the traffic, with an encrypted tunnel (VPN) wherever it crosses an untrusted link
- Set up routing rules
- Use an edge-of-network gateway as a bridge between the device and the network
• OPC UA has built-in security (signed and encrypted messages, certificate-based authentication); MQTT relies on broker authentication, and both can be carried over TLS
• 22. Tools for Protecting Your Network
[Diagram: SCADA Network -> TX interface -> Unidirectional Gateway -> RX interface -> IT Network]
Unidirectional Gateways (data diodes) are an option for standalone networks with tight controls over what goes in and out. Data can flow from the SCADA network to the IT network, but nothing can flow back, which removes the return path an attacker on the IT side would need.
• 23. Tools for Protecting Your Network
Physical Security:
• Because control devices like PLCs typically cannot be locked down (many accept commands from anyone who can reach them on the network), it is essential to implement physical security measures, such as the following:
- Badges & badge readers
- Physical media controls (including laptops, phones, USB keys)
- Video monitoring
- Policies and training
- Guards
• 24. Security Hardening in Ignition
• The following steps are intended to provide general guidance on how to set up and secure your Ignition installation.
• They also include general suggestions regarding the hardware and network where Ignition is installed.
• 25. Security Hardening in Ignition
Secure the Gateway
• Change the admin password (the default credentials are documented and widely known; change them before the Gateway is reachable from anything other than the installing machine)
• Configure access for the Gateway
• Enable SSL/TLS
- Acquire and install an SSL/TLS certificate for Ignition from a certificate authority (highly recommended); with a self-signed certificate, clients have no way to tell the real Gateway from an impostor
• 27. Security Hardening in Ignition
Device, MQTT, and OPC Security
• OPC UA Communication
• Native Device Communication
• MQTT
  • 28. Demo: Device, MQTT, and OPC Security
• 29. Security Hardening in Ignition
Use Security Zones
• A Security Zone is a list of Gateways, computers, or IP addresses that are defined and grouped together.
• When zones are defined, you can place additional policies & restrictions on them.
• Provides read-only and read/write access to specified locations.
• Helps keep different areas of the business separate while allowing them to interconnect.
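To make the zone idea concrete, here is an added example (not Ignition's own code) of how zone policies resolve for a request. A zone is modelled as a named set of IP networks (Ignition zones can also match Gateway names and hostnames, which is left out here), each zone carries a policy per resource such as a tag provider, an address inside several overlapping zones gets the most restrictive matching policy, and an address in no zone gets the default. The zone names, networks, resource name and policies are constructed site values, not anyone's real configuration.

```python
"""Added example, not Ignition's own code: evaluating security zone policies.

Most restrictive wins when zones overlap; unmatched addresses get the default.
Zone names, networks and policies below are constructed for illustration.
"""
from enum import IntEnum
import ipaddress
from typing import Dict, List, Tuple


class Access(IntEnum):
    DENY = 0
    READ_ONLY = 1
    READ_WRITE = 2


class SecurityZone:
    def __init__(self, name: str, networks: List[str]) -> None:
        self.name = name
        # strict=False also accepts "10.10.1.5/24" style entries with host bits set
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


class ZonePolicy:
    def __init__(self, zones: List[SecurityZone],
                 policies: Dict[Tuple[str, str], Access],
                 default: Access = Access.DENY) -> None:
        self.zones = zones
        self.policies = policies  # (zone name, resource) -> Access
        self.default = default

    def matching_zones(self, ip: str) -> List[str]:
        return [z.name for z in self.zones if z.contains(ip)]

    def effective_access(self, ip: str, resource: str) -> Access:
        """Most restrictive policy among matching zones; the default applies when no
        zone matches or a matching zone has no explicit policy for the resource."""
        levels = [self.policies.get((name, resource), self.default)
                  for name in self.matching_zones(ip)]
        return min(levels) if levels else self.default

    def is_allowed(self, ip: str, resource: str, action: str) -> bool:
        if action not in ("read", "write"):
            raise ValueError(f"unknown action {action!r}")
        needed = Access.READ_WRITE if action == "write" else Access.READ_ONLY
        return self.effective_access(ip, resource) >= needed


# Constructed example configuration (assumed site values).
ZONES = [
    SecurityZone("control_room", ["10.10.1.0/24"]),
    SecurityZone("maintenance_laptops", ["10.10.1.128/25"]),  # overlaps control_room
    SecurityZone("corporate", ["10.20.0.0/16"]),
    SecurityZone("vendor_vpn", ["10.30.5.0/24"]),
]
POLICIES = {
    ("control_room", "Line1_PLC"): Access.READ_WRITE,
    ("maintenance_laptops", "Line1_PLC"): Access.READ_ONLY,
    ("corporate", "Line1_PLC"): Access.READ_ONLY,
    ("vendor_vpn", "Line1_PLC"): Access.DENY,
}
POLICY = ZonePolicy(ZONES, POLICIES)


if __name__ == "__main__":
    for ip, action in [("10.10.1.10", "write"), ("10.10.1.200", "write"),
                       ("10.20.3.4", "read"), ("192.168.99.9", "read")]:
        print(ip, action, POLICY.matching_zones(ip),
              POLICY.is_allowed(ip, "Line1_PLC", action))
```

The overlap case is the one worth checking in your own configuration: a laptop at 10.10.1.200 sits in both the control-room subnet and the maintenance range, and the read-only policy wins. A default of DENY for unmatched addresses means a new subnet gets nothing until someone deliberately adds it to a zone, which is the behaviour you want on an OT network.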
• 31. Security Hardening in Ignition
Define Application Security
• Client Security
• Designer Security
• Tag Security
• Named Queries
• 33. Security Hardening in Ignition
Set Up Audit Logging
• Audit Profiles are simple to set up and immediately start recording events.
• Tag writes and SQL UPDATE, INSERT, and DELETE statements are recorded, each with a timestamp; reads and SELECT queries are not, so the audit log answers who changed what, not who looked at what.
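An audit profile only deters insiders if someone reads it. The following is an added example (not code from the webinar or from Inductive Automation) that reviews an audit export for three things a SCADA insider investigation typically starts with: tag writes outside the normal operating window, tag writes from hosts that are not known operator stations, and bursts of writes by a single actor. The input is a constructed CSV, not a real log; its column names (EVENT_TIMESTAMP, ACTOR, ACTOR_HOST, ACTION, ACTION_TARGET, ACTION_VALUE) follow the layout of Ignition's audit events table as I know it and should be confirmed against your own profile's schema. The operating window, known-host list and burst threshold are site assumptions.

```python
"""Added example, not code from the webinar or from Inductive Automation:
review an audit log export for off-hours writes, writes from unknown hosts,
and bursts of writes by one actor.

The CSV below is constructed. Column names are assumed to match an Ignition
audit events table; the review window, host list and thresholds are site values.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not a real log).
SAMPLE_AUDIT_CSV = """\
EVENT_TIMESTAMP,ACTOR,ACTOR_HOST,ACTION,ACTION_TARGET,ACTION_VALUE
2017-03-14 09:12:05,operator1,HMI-01,tag write,[default]Line1/Pump1/Setpoint,55.0
2017-03-14 09:30:41,operator1,HMI-01,tag write,[default]Line1/Pump1/Mode,AUTO
2017-03-14 10:02:17,svc_reports,RPT-SRV,query,UPDATE shift_totals SET qty=? WHERE id=?,1
2017-03-14 14:05:00,operator2,HMI-02,tag write,[default]Line1/Pump2/Setpoint,60.0
2017-03-14 23:41:09,jdoe,ENG-LAPTOP-7,tag write,[default]Line1/Pump1/Setpoint,90.0
2017-03-14 23:41:12,jdoe,ENG-LAPTOP-7,tag write,[default]Line1/Pump2/Setpoint,90.0
2017-03-14 23:41:15,jdoe,ENG-LAPTOP-7,tag write,[default]Line1/Pump3/Setpoint,90.0
2017-03-14 23:41:20,jdoe,ENG-LAPTOP-7,tag write,[default]Line1/Pump4/Setpoint,90.0
2017-03-14 23:41:30,jdoe,ENG-LAPTOP-7,tag write,[default]Line1/Pump1/Mode,MANUAL
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    host: str
    action: str
    target: str
    value: str


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    host: str
    ts: datetime
    detail: str


@dataclass
class ReviewConfig:
    known_hosts: Set[str]          # operator stations writes are expected from
    day_start: int = 6             # writes expected between 06:00 and 18:00 local
    day_end: int = 18
    burst_count: int = 5           # this many writes by one actor ...
    burst_window: timedelta = timedelta(seconds=60)  # ... inside this window


def parse_audit_csv(text: str) -> List[AuditEvent]:
    return [AuditEvent(datetime.strptime(row["EVENT_TIMESTAMP"], TS_FORMAT), row["ACTOR"],
                       row["ACTOR_HOST"], row["ACTION"], row["ACTION_TARGET"], row["ACTION_VALUE"])
            for row in csv.DictReader(io.StringIO(text))]


def review_audit(events: List[AuditEvent], cfg: ReviewConfig) -> List[Finding]:
    findings: List[Finding] = []
    writes = [e for e in events if e.action == "tag write"]  # SQL statements are reviewed separately
    for e in writes:
        if not (cfg.day_start <= e.ts.hour < cfg.day_end):
            findings.append(Finding("off_hours_write", e.actor, e.host, e.ts, f"{e.target} = {e.value}"))
        if e.host not in cfg.known_hosts:
            findings.append(Finding("unknown_host_write", e.actor, e.host, e.ts, f"{e.target} = {e.value}"))
    by_actor: Dict[str, List[AuditEvent]] = defaultdict(list)
    for e in writes:
        by_actor[e.actor].append(e)
    for actor, evs in by_actor.items():  # sliding window over each actor's writes, one finding per actor
        evs.sort(key=lambda ev: ev.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > cfg.burst_window:
                start += 1
            if end - start + 1 >= cfg.burst_count:
                findings.append(Finding("write_burst", actor, evs[end].host, evs[start].ts,
                                        f"{end - start + 1} writes in {cfg.burst_window.total_seconds():.0f}s"))
                break
    return findings


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


DEFAULT_CONFIG = ReviewConfig(known_hosts={"HMI-01", "HMI-02"})

if __name__ == "__main__":
    for f in review_audit(parse_audit_csv(SAMPLE_AUDIT_CSV), DEFAULT_CONFIG):
        print(f"{f.ts} {f.rule:<20} {f.actor}@{f.host}: {f.detail}")
```

In the sample, the engineer's laptop writing setpoints to four pumps at 23:41 trips all three rules, while the daytime operator writes from the HMIs trip none. The value of the audit profile is exactly that this question can be answered from the log rather than from memory; the rules are a starting point, and the thresholds should come from the baseline you built when you learned your environment.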
  • 34. Demo: Setting Up Audit Logging
• 35. Security Hardening in Ignition
Protect the Database
• Rather than using a database owner account such as root or sa, create a separate user account with limited privileges for the connection between the Ignition Gateway and the database. Grant it only what Ignition needs on its own schema; note that features such as tag history create their own tables automatically, so those features need table-creation rights in that schema, which is a reason to give Ignition a schema of its own rather than rights on the whole server.
• If your database supports TLS encryption, use it for the Ignition-to-database connection.
• TLS can be enabled even when the database runs on a different server from the Gateway (follow the documentation for its JDBC driver and the database’s own security settings). Configure the driver to verify the server certificate; encryption without verification still leaves the connection open to an active attacker.
• 36. Security Hardening in Ignition
Securing Java
• Change Java security settings
• Keep Java up to date
• 37. Security Hardening in Ignition
Securing Java
• Disable the Java plug-in in web browsers
• 38. Security Hardening in Ignition
Turning on the Firewall
• Enable the firewall for all traffic
• Allow only the needed ports through
• 40. Security Hardening in Ignition
Active Directory and Authentication Services
• Group access and disabling auto login
• User accounts
• LDAP protocol security
  • 41. Demo: Active Directory & Authentication Services
• 42. Security Hardening in Ignition
Keep Ignition Up-to-Date
• Software security requires constant effort and maintenance.
• Security updates are released periodically to ensure continued protection.
• Applying them promptly is strongly recommended.
• 47. Questions & Comments
Account Executives:
Jim Meisler x227
Vannessa Garcia x231
Vivian Mudge x253
Myron Hoertling x224
Shane Miller x218
Ramin Rofagha x251
Maria Chinappi x264
Dan Domerofski x273
Lester Ares x214
Jeff Osterback x207
Director of Sales: Melanie Hottman, 800-266-7798 x247
Co-Director of Sales Engineering: Kevin McClusky, x237, kmcclusky@inductiveautomation.com