Citect SCADA 2018 R2 - Security © 2019 AVEVA Group plc and its subsidiaries. All rights reserved. Brad Shaw – Global Product Manager Citect SCADA May 2019


  • Citect SCADA 2018 R2 - Security


  • Agenda


    Why focus on Security?

    Encrypted Communications

    User Groups for Access Control

  • Why focus on Security?

    Confidentiality

    Integrity

    Availability

  • Encrypted Communications


  • Encrypted Communications – Customer Problem

    • AVEVA systems are highly distributed and scalable

    • Different products communicate via different protocols

    • Encryption requires Certificate Management

    • Smaller customers don’t have I.T. departments capable of managing certificates; we handle it for you

    • Common encryption technology across AVEVA products

  • Encrypted Communications – Establish Trust

    Example Architecture (diagram): Primary Server, Standby Server, Display Client, Historian, Deployment Server, System Management Server

  • System Management Server

    • Creates unique certificates per system

    • Distributes certificates to other computers

    • Handles certificate renewal

    • Enables AVEVA products to encrypt communications

    • Only configure one System Management Server in your system

  • Encrypting Citect SCADA Communications

    • Configure the System Management Server (only one!)

    • Connect all other machines to the System Management Server

      • Including CtAPI Client Applications

      • Requires a user from the aaAdministrators group on the Management Server

    • Configure Encryption

      • Servers must be configured to “Run as a Service”

      • Configure DNS Name in computers.dbf

      • Status shown in Runtime Manager

  • Encrypting Citect SCADA Communications

    • Encrypted with TLS v1.2

      • All server-client and server-server communications

      • CtAPI communications using new binaries in 2018 R2 release

    • Kernel

      • New Page Table Platform.Session

      • Available via ‘Dump Kernel’ command on Server processes

  • Example – Configuring Encryption

    Configure Prerequisites – Run as a service (screenshots, steps 1 and 2)

  • Example – Configuring Encryption

    Configure Prerequisites – setup System Management Server (screenshots, steps 1 and 2)

  • Example – Configuring Encryption

    Enable Encryption (screenshots, steps 1 and 2)

  • Example – Configuring Encryption

    Connect other computers to System Management Server (screenshots, steps 1 and 2)

  • Certificate Management

    • System Management Server manages certificates

      • Creates a unique Root CA, Intermediate CA per system

      • Creates a unique binding certificate per machine

    • Automatic certificate renewal

      • Connection to Management Server required to renew certificates

      • Certificates have 15 month expiry, renewed every month

      • If renewal fails, it will retry daily until it succeeds
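The renewal policy above (15-month validity, renewal attempted monthly, daily retries while the Management Server is unreachable) decides how long a machine can stay disconnected before its binding certificate lapses. The following Python model is an added example, not AVEVA code: BindingCert, days_of_grace and renewal_outcome are hypothetical names, and all dates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Policy as stated on the slides: 15-month validity, renewal attempted monthly,
# and a failed attempt retried daily until it succeeds.
VALIDITY_MONTHS = 15
RENEWAL_INTERVAL_MONTHS = 1


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of short months."""
    q, m0 = divmod(d.month - 1 + n, 12)
    y, m = d.year + q, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass(frozen=True)
class BindingCert:
    """Per-machine binding certificate (hypothetical model); 'issued' is its last successful renewal."""
    issued: date

    @property
    def expires(self) -> date:
        return add_months(self.issued, VALIDITY_MONTHS)

    @property
    def next_renewal(self) -> date:
        return add_months(self.issued, RENEWAL_INTERVAL_MONTHS)


def days_of_grace(cert: BindingCert, today: date) -> int:
    """Days the machine can stay cut off from the Management Server before the cert lapses."""
    return (cert.expires - today).days


def renewal_outcome(cert: BindingCert, outage_start: date, outage_end: date) -> dict:
    """Walk the daily retry loop across an outage window (inclusive dates) and report the result."""
    attempt = cert.next_renewal
    while outage_start <= attempt <= outage_end and attempt < cert.expires:
        attempt += timedelta(days=1)  # attempt failed: retry tomorrow
    in_outage = outage_start <= attempt <= outage_end
    succeeded = attempt < cert.expires and not in_outage
    return {
        "expiry": cert.expires,
        "renewed_on": attempt if succeeded else None,
        "days_late": (attempt - cert.next_renewal).days if succeeded else None,
        "expired": not succeeded,
    }
```

The model shows the practical consequence of the "connection required to renew" rule: a short outage only delays renewal by its length, while an outage that outlasts the remaining validity leaves the machine with an expired certificate.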

  • Deployment Configuration

    • Deployment Server configuration is streamlined

      1. Connect Deployment Server / Clients to System Management Server

      2. Configure Deployment Server

        • Auth file no longer required

      3. Connect Deployment Clients to Deployment Server

        • Auto-detect deployment server name

    Diagram: Deployment Server, System Management Server, Deployment Client

  • Enhanced Security via User Groups


  • Security – User Groups: Prevent unauthorized user access to internal communications

    • Citect.Engineers

      • Has permission to set the read/write password

    • Citect.ServerUsers

      • Has permission to read the server password

    • Citect.LocalUsers

      • Not required if processes are running as the same user

      • Has permission to access communications channel to Runtime Manager

      • Has permission to use local CtAPI

  • User Groups – Recommended Configuration

    • Citect.Engineers

      • Permissions are only needed when configuring new machines

      • Only add experienced engineering users to this group

    • Citect.ServerUsers

      • If running as a service, make no changes

      • If running normally, add any Windows users that have permission to log onto this machine

    • Citect.LocalUsers

      • Add all valid users to this group

    • Changing group permissions requires the user to sign out of Windows
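An added Python check (not AVEVA code) for the recommended configuration above: it takes a constructed snapshot of one machine's local group membership and reports where it departs from the slide's rules, including users who must sign out of Windows before a change takes effect. Machine, audit and the field names are hypothetical; on a real host the membership sets would be read from the local groups rather than constructed inline.

```python
from dataclasses import dataclass

# Local Windows groups named on the slides.
ENGINEERS = "Citect.Engineers"
SERVER_USERS = "Citect.ServerUsers"
LOCAL_USERS = "Citect.LocalUsers"


@dataclass(frozen=True)
class Machine:
    """Snapshot of one Citect machine (hypothetical input; read from local groups on a real host)."""
    name: str
    runs_as_service: bool
    logon_users: frozenset            # Windows users permitted to log on to this machine
    engineering_users: frozenset      # users whose role justifies Citect.Engineers membership
    signed_in_now: frozenset          # users with an active Windows session
    baseline_server_users: frozenset  # Citect.ServerUsers membership recorded after install
    groups: dict                      # local group name -> frozenset of members


def audit(m: Machine) -> list:
    """Return findings where membership departs from the recommended configuration."""
    findings, touched = [], set()

    def note(group, user, msg):
        findings.append(f"{group}: {user} {msg}")
        touched.add(user)

    eng = m.groups.get(ENGINEERS, frozenset())
    srv = m.groups.get(SERVER_USERS, frozenset())
    loc = m.groups.get(LOCAL_USERS, frozenset())

    # Citect.Engineers: only experienced engineering users belong here.
    for u in sorted(eng - m.engineering_users):
        note(ENGINEERS, u, "is not an engineering user; remove")

    # Citect.ServerUsers: keep install defaults in service mode; otherwise every logon user needs it.
    if m.runs_as_service:
        for u in sorted(srv ^ m.baseline_server_users):
            note(SERVER_USERS, u, "differs from the install baseline; revert")
    else:
        for u in sorted(m.logon_users - srv):
            note(SERVER_USERS, u, "can log on but is not a member; add")

    # Citect.LocalUsers: every valid user needs the Runtime Manager / local CtAPI channel.
    for u in sorted(m.logon_users - loc):
        note(LOCAL_USERS, u, "is a valid user but not a member; add")

    # Group changes only take effect once the affected user signs out of Windows.
    for u in sorted(touched & m.signed_in_now):
        findings.append(f"{m.name}: {u} is signed in; change applies after sign-out")
    return findings
```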

  • Questions


  • linkedin.com/company/aveva

    @avevagroup

    ABOUT AVEVA

    AVEVA is a global leader in engineering and industrial software driving digital transformation across the entire asset and operational life cycle of capital-intensive industries.

    The company’s engineering, planning and operations, asset performance, and monitoring and control solutions deliver proven results to over 16,000 customers across the globe. Its customers are supported by the largest industrial software ecosystem, including 4,200 partners and 5,700 certified developers. AVEVA is headquartered in Cambridge, UK, with over 4,400 employees at 80 locations in over 40 countries.

    aveva.com
