Remote SCADA Network Access Security

Ok, here’s the deal. I have a client that I (alone) VPN into to access the Ignition gateway and other SCADA stuff. The Ignition SCADA network is isolated except for my IPCop DSL interface, which is configured to block everything. No automatic Windows updates for the client PCs, no client PC virus protection updates.

Now the customer wants others to be able remotely benefit from Ignition. I have been looking for a way to “proxy” the Ignition gateway to my public website (hosted on GoDaddy) so they can launch a project applet on their browser, while keeping the gateway obscured and inaccessible from the user. A “keep them at arms-length” type of defense.

My attempts thus far have failed. The Java JNLP files point directly to the gateway IP address, and unless I enable IPCop’s port forwarding for the client’s IP, it won’t work. That is unacceptable from a security standpoint.

Do I just fold my tent and permit direct gateway access? Obviously I would have to open up the router to internet access so the gateway and client PCs can get automatic security and virus updates. That opens up another big can of worms, which I’d rather avoid.

Let the IT dept handle it you say? My experience is that the IT depts conveniently disown SCADA networks, leaving them in the hands of the SCADA integrator. That’s been fine up to now, but I realize that I need more advanced schooling in industrial network security to provide safe remote acccess to client’s SCADA systems. My own web research has been unsatisfying in regards to a Java-based system like Ignition.

Does anybody have experiences they’re willing to share, specific to safe remote Ignition Gateway access? Any good white papers or tutorials on the web dealing with this specific topic? Your help is greatly appreciated!

It isn’t pretty, but you can use something like HAproxy to rewrite all the urls in and out and just use one gateway.

Something I’ve been looking into is putting a second database provider on the actual gateway pointing to some database that is publicly accessible and then pointing a second Ignition install at that. It is a bit slow, but it seems like a more elegant way of doing things than opening up the production gateway to the world.

What about something Hamachi-ish? The connection’s encrypted (256-bit) and the client’s IP would be sufficiently obscured. Don’t know how this would help from an “arm’s length” point of view, but it may give you other ideas.

Are they doing control or just looking at status and historical data? If the latter is the case, you might remotely log/update data via Ignition directly or use some kind of database synchronization to achieve this.

Some tips for secure remote access:

The best remote access from a security perspective would be using IT to help support VPN connectivity for clients. If this isn’t feasible, the next best approach of the top of my head places the Ignition gateway in a DMZ, only port forwarding the (single) port that you need from the public IP address. Enabling SSL/TLS with a “real” certificate would be a good idea for a public hosted environment. You can achieve additional protection by separating the gateway from other nodes on your network, particularly file servers, and even the database (unless it’s running on the same machine). If the database is on the same machine, ensure that DB access is limited to the local IP address (localhost is best) and disable remote access over the DB port on the local firewall (even Windows Firewall or whatever will do here).