Integrated SCADA Application Security – More Control, Less Complexity
All the security features in the world are of no use if they are so burdensome that operators and developers avoid using them. Like all our core SCADA features, we strive to make SCADA application security management simple and scalable, while remaining infinitely configurable. Application security is managed within the standard operator interface, allowing authorized users to make changes without switching views; then instantly deploy those changes across the entire system without restarting.
Security By Design (IEC-62443-4-1 Certification)
VTScada’s Development Environment is certified to be in compliance with IEC 62443 Security For Industrial Automation And Control Systems – Part 4-1: Secure Product Development Lifecycle Requirements. This standard defines secure development life cycle (SDL) requirements for products used in industrial automation and control systems. This includes security requirement definitions, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end-of-life. These processes are applied to all development and maintenance phases of VTScada.
Note: VTScada does not utilize Java and is therefore unaffected by Java-based exploits.
Integrated tools to support your security strategy
- Centralized account management
- Industry-standard encryption (TLS)
- Read Only Server Options
- Windows active directory support
- Immediate application wide change deployment
- OpenID Connect® for single sign-in and Two-Factor Thin Client authentication
- Supports OAuth 2.0 for SMTP and POP3 authentication
- Configuration traceability
- Card-reader support
Implementations compliant with…
- NERC/CIP (North American Electric Reliability Corporation)
- DFARS 252 (Defense Federal Acquisition Regulations Supplement)
- NIST 800 (National Institute of Standards and Technology)
- Marine reliability standards ABS, Lloyds Bureau, DNV, BV
A Smarter Approach to Security Management
Each application includes its own security accounts and settings which control access to all parts of the application including workstations, thin clients, mobile clients, and alarm notifications. Deployed security changes are immediate and application wide. Accounts are easily copied, modified, and deleted. You can now even share accounts across multiple applications.
Rules and Roles simplify user management by replacing an ever-growing list of privileges.
- Rules combine tags, privileges, and locations to finely tune who can do what, where.
- Roles are sets of Rules corresponding to specific jobs (e.g., plant opera-tor). Quickly configure new users by adding one or more roles to an account.
The security database scheme employs the same level of encryption as online banking as does the security data exchanged between Internet Clients and Servers.
In addition to TLS (Transport Layer Security) VTScada supports SMTP email servers requiring TLS (e.g., Gmail) when sending alarm notifications. USB hardware keys (dongles) are also available.
Configure passwords to exceed a minimum length, contain alphabet-ic, numeric, or special characters, or expire after a configurable period. Accounts can be disabled following repeated failed log-in attempts and users can be logged-out after a configurable period of inactivity.
Options for Easy Login
- Windows® Security Integration – Log on to VTScada using your Windows account. No need to manage both Windows and VTScada accounts.
- Proximity Card Readers – Log on the same way you enter a secured building. Configure Operator Notes to require authentication.
- OpenID Connect® – Provides sign-in and Two-Factor Thin Client authentication.
Enhanced Security with OpenID Connect®
Support for OpenID Connect permits integration of VTScada Security with third-party authentication servers on VTScada Anywhere Clients. Depending on your chosen authentication server, this can allow single sign-in (one password to access to many systems) and two-factor authentication (e.g., Google Authenticator or Apple Touch sensor).
Define what information users can see in large applications. For example, if an application monitors two plants, operators from each plant can be grouped so that they see only the alarms and tags from their respective plants. A third group for managers can be set up to see information from both plants.
Share Security Accounts Across Applications
To reduce duplication and ensure consistency, accounts can now be shared across multiple applications. The security database scheme now employs military-grade encryption as does the security information exchanged between the VTScada Internet Client and Server.