 Remote SCADA Network Access Security 
Sergeant
Joined: Fri Aug 08, 2008 10:00 am
Posts: 54

Remote SCADA Network Access Security
Ok, here's the deal. I have a client that I (alone) VPN into to access the Ignition gateway and other SCADA stuff. The Ignition SCADA network is isolated except for my IPCop DSL interface, which is configured to block everything. No automatic Windows updates for the client PCs, no client PC virus protection updates.

Now the customer wants others to be able to remotely benefit from Ignition. I have been looking for a way to "proxy" the Ignition gateway to my public website (hosted on GoDaddy) so they can launch a project applet in their browser, while keeping the gateway obscured and inaccessible from the user. A "keep them at arm's length" type of defense.

My attempts thus far have failed. The Java JNLP files point directly to the gateway IP address, and unless I enable IPCop's port forwarding for the client's IP, it won't work. That is unacceptable from a security standpoint.

Do I just fold my tent and permit direct gateway access? Obviously I would have to open up the router to internet access so the gateway and client PCs can get automatic security and virus updates. That opens up another big can of worms, which I'd rather avoid.

Let the IT dept handle it, you say? My experience is that the IT depts conveniently disown SCADA networks, leaving them in the hands of the SCADA integrator. That's been fine up to now, but I realize that I need more advanced schooling in industrial network security to provide safe remote access to clients' SCADA systems. My own web research has been unsatisfying in regard to a Java-based system like Ignition.

Does anybody have experiences they're willing to share, specific to safe remote Ignition Gateway access? Any good white papers or tutorials on the web dealing with this specific topic? Your help is greatly appreciated!


Posted: Mon Mar 26, 2012 8:27 am

General
Joined: Tue May 31, 2011 6:27 am
Posts: 313
Location: Minnesota

Re: Remote SCADA Network Access Security
It isn't pretty, but you can use something like HAProxy to rewrite all the URLs in and out and just use one gateway.

Something I've been looking into is putting a second database provider on the actual gateway pointing to some database that is publicly accessible and then pointing a second Ignition install at that. It is a bit slow, but it seems like a more elegant way of doing things than opening up the production gateway to the world.


Posted: Mon Mar 26, 2012 8:37 am

General
Joined: Tue Mar 24, 2009 9:14 am
Posts: 855
Location: Hudson, MI

Re: Remote SCADA Network Access Security
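The "rewrite all the URLs in and out" approach from the reply above, as an added worked example (this is not code from the post, from HAProxy or from Ignition). The problem described in the first post is that the JNLP the gateway serves points the Java launcher straight at the gateway's address, so whatever sits in front of the gateway has to rewrite the JNLP body, not just the HTTP headers. The JNLP below is a constructed sample in generic JNLP layout; the internal address `10.0.5.20:8088`, the public name `scada.example.com`, and the `gateway.addr=` argument are assumptions, not what a real Ignition gateway necessarily emits.

```python
"""Rewrite a JNLP so the Java launcher talks to the public reverse proxy
rather than to the internal gateway address embedded in the file.

Added example for this thread; not Ignition's or HAProxy's code.  The sample
JNLP, the addresses and the argument name are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Assumption: the gateway's private address as it appears in the JNLP.
INTERNAL = ("http", "10.0.5.20:8088")
# Assumption: the name and scheme the public proxy presents to users.
PUBLIC = ("https", "scada.example.com")

# Constructed sample; a real gateway's JNLP may differ in layout.
SAMPLE_JNLP = """\
<jnlp spec="1.0+" codebase="http://10.0.5.20:8088/main/system/launch/client/"
      href="MyProject.jnlp">
  <information><title>MyProject</title></information>
  <resources>
    <jar href="http://10.0.5.20:8088/main/system/launch/client/client.jar" main="true"/>
  </resources>
  <application-desc main-class="com.example.Launch">
    <argument>gateway.addr=10.0.5.20:8088</argument>
    <argument>project=MyProject</argument>
  </application-desc>
</jnlp>
"""


def rewrite_url(url):
    """Map an absolute URL on the internal gateway to the public proxy.

    URLs that do not point at the internal gateway (relative hrefs, third
    party hosts) are returned unchanged.
    """
    p = urlsplit(url)
    if (p.scheme, p.netloc) != INTERNAL:
        return url
    return urlunsplit((PUBLIC[0], PUBLIC[1], p.path, p.query, p.fragment))


def rewrite_jnlp(text):
    """Return the JNLP with codebase, jar hrefs and host:port arguments
    rewritten to the public proxy name."""
    root = ET.fromstring(text)
    for el in root.iter():
        for attr in ("codebase", "href"):
            value = el.get(attr)
            if value and "://" in value:          # only absolute URLs
                el.set(attr, rewrite_url(value))
    # Arguments carry a bare host:port rather than a URL, so replace that.
    for arg in root.iter("argument"):
        if arg.text and INTERNAL[1] in arg.text:
            arg.text = arg.text.replace(INTERNAL[1], PUBLIC[1])
    return ET.tostring(root, encoding="unicode")


def leaks_internal(text):
    """True if the internal gateway address is still present anywhere."""
    return INTERNAL[1] in text


if __name__ == "__main__":
    rewritten = rewrite_jnlp(SAMPLE_JNLP)
    print(rewritten)
    print("internal address leaked:", leaks_internal(rewritten))
```

The proxy still has to forward `https://scada.example.com/...` to the gateway on the inside and terminate TLS itself; the rewrite only stops the launcher from ever learning the gateway's address. Run `leaks_internal` over every response body you hand out, not just the JNLP, because any other file that embeds the gateway's host:port would undo the obscuring.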
What about something Hamachi-ish? The connection's encrypted (256-bit) and the client's IP would be sufficiently obscured. Don't know how this would help from an "arm's length" point of view, but it may give you other ideas.

_________________
Jordan

Duct tape is like The Force. It has a light side, a dark side, and it holds the universe together.


Posted: Mon Mar 26, 2012 8:55 am

Moderator
Joined: Thu Mar 30, 2006 10:08 pm
Posts: 1188

Re: Remote SCADA Network Access Security
Are they doing control or just looking at status and historical data? If the latter is the case, you might remotely log/update data via Ignition directly or use some kind of database synchronization to achieve this.

Some tips for secure remote access:

The best remote access from a security perspective would be using IT to help support VPN connectivity for clients. If this isn't feasible, the next best approach off the top of my head places the Ignition gateway in a DMZ, only port forwarding the (single) port that you need from the public IP address. Enabling SSL/TLS with a "real" certificate would be a good idea for a public hosted environment.

You can achieve additional protection by separating the gateway from other nodes on your network, particularly file servers, and even the database (unless it's running on the same machine). If the database is on the same machine, ensure that DB access is limited to the local IP address (localhost is best) and disable remote access over the DB port on the local firewall (even Windows Firewall or whatever will do here).

_________________
Nathan Boeger, CISSP-ISSAP, CCNP Voice, VCP
Not Another Industrial Blog - My SCADA software blog
"Design Simplicity Cures Engineered Complexity"


Posted: Mon Mar 26, 2012 9:27 am
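A check for the last two points in the reply above (single forwarded port, database bound to localhost only), as an added example that is not part of the post and not Ignition's code. It parses the local-address column of `ss -H -ltn` style output and flags database listeners that are reachable from off the host, plus any other non-loopback listener that is not the one gateway port. The socket listing below is constructed; the gateway port 8088, the set of database ports and the addresses are assumptions for the example.

```python
"""Audit listening sockets on a DMZ'd gateway host.

Expectation: the single forwarded gateway port is the only service bound to a
non-loopback address, and the database listens on loopback only.  Added
example for this thread; the `ss` output, ports and addresses are constructed
assumptions.
"""

# Constructed `ss -H -ltn` style output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8088 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:8060 [::]:*
"""

GATEWAY_PORTS = {8088}               # assumption: the one port forwarded from the public IP
DB_PORTS = {3306, 5432, 1433, 1521}  # common MySQL / PostgreSQL / MSSQL / Oracle listeners
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Yield (address, port) for every LISTEN line, unwrapping IPv6 brackets."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")   # rpartition keeps IPv6 colons in host
        yield host.strip("[]"), int(port)


def audit(text):
    """Return human-readable findings for listeners that break the DMZ model."""
    findings = []
    for host, port in parse_listeners(text):
        if host in LOOPBACK:
            continue                               # local-only listener: fine
        if port in DB_PORTS:
            findings.append(
                f"database port {port} bound to {host}: bind it to localhost "
                f"and block the port on the host firewall")
        elif port not in GATEWAY_PORTS:
            findings.append(
                f"port {port} bound to {host} is not the gateway port: "
                f"not expected to be reachable on a DMZ gateway host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

On a live host replace `SAMPLE_SS` with the output of `ss -H -ltn` (or `netstat -an` on Windows, adjusting the column parsing). A listener on `0.0.0.0` or `::` is only one half of the check: the border firewall's forwarding rule must also forward just the gateway port, and the host firewall should still drop inbound traffic to the database port even when it is already bound to loopback, so that a later configuration change cannot silently expose it.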