InduSoft Application Design and SCADA Deployment Recommendations for Industrial Control System Security
About this ebook
InduSoft conducts ongoing product and informational SCADA security webinars, publishes Technical Notes and White Papers on application construction and security-related topics, and publishes corporate blogs on security and a number of other useful topics by a variety of different authors. Topics from various InduSoft publications and other media are presented in this eBook to help you with your SCADA design and security issues. There are links within the topics that will take you to more in-depth information that is not presented in this handbook. Feel free to explore any of the topics and subjects in more depth by simply clicking on the links provided within the sections and in the footnotes provided for you.
Richard Clark
RICHARD CLARK is a historian whose research into capital punishment has spanned decades. He lives in Staffordshire.
InduSoft Application Design and SCADA Deployment
Recommendations for Industrial Control System Security
Guidelines and Best Practices
By Richard H. Clark, Cybersecurity Engineer, InduSoft, Inc.
Revision A-01.20.2015
Abstract and Target Audience
Purpose: Provides guidance when building and implementing HMI and SCADA systems and describes best practices to secure them against cyber-attacks and known vulnerabilities.
The target audience of this book is as follows:
1) Customers and Users of InduSoft Web Studio of all experience levels.
2) System Integrators who are creating, implementing, or modifying InduSoft Web Studio applications and implementations.
3) Control Systems Managers and Engineers needing to understand how to implement and design procedures and features within control systems applications and networks that will be secure according to known best practices.
4) IT Managers and Engineers who need to understand the issues and implement cybersecurity within control system networks.
5) Anyone needing basic information on how to understand and implement SCADA cybersecurity and an introduction to cyber-based risk-management.
Smashwords Edition
License Notes:
This ebook is available free of charge or for a minimal cost, depending on the requirements of the local ebook distributor or publisher.
Portions or sections of this book may be copied, distributed, reposted, reprinted, or shared as required or needed, simply by including the acknowledgement of the origins of those used or redistributed materials.
eBook ISBN: 978-1311-49042-1
All profits from this ebook are to be directed and donated to the Eastern New Mexico University-Ruidoso Foundation, as noted below.
If you find this ebook useful in your business, tax deductible donations to the university 501 (c) (3) foundation are encouraged by contacting:
Copyright 2014 InduSoft, Inc., a Schneider Electric company. All rights reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.
This ebook contains original content and materials created by the authors, as well as some materials designated as public domain or freely distributable as described within the associated footnotes. The ebook does not contain any known copyrighted information. Copyright violations should be reported to:
InduSoft, Inc., 11044 Research Blvd., Suite A100, Austin, TX 78759 U.S.A, or by email at [email protected], and every effort will be made to make corrections in subsequent revisions and editions.
Further information about selected subjects within this ebook is available from the website at http://www.indusoft.com and the designated references in Appendix C.
Foreword
InduSoft is proud to be able to provide this Security Guide to our users, customers, and the general public, and we hope that you will find this eBook useful. InduSoft strives to maintain customer awareness and education regarding Industrial Control System and Critical Infrastructure Security and in the use of our products. To this end, we conduct ongoing product and informational security webinars, publish Technical Notes and White Papers on application construction and security-related topics, and publish corporate blogs on security and a number of other useful topics by a variety of different authors. Topics from various InduSoft publications and other media are presented here to help you with your security issues. There are links within the topics that will take you to more in-depth information that is not presented in this handbook. Feel free to explore any of the topics and subjects in more depth by simply clicking on the links provided within the sections and in the footnotes. We always welcome any new ideas and product suggestions that you may have by sending an email to [email protected].
InduSoft has also partnered with Eastern New Mexico University (ENMU) - Ruidoso to provide materials that assist students and faculty in the online Cybersecurity Coursework and Certificate Programs that the University offers. For more information on these online courses, please visit the ENMU Cybersecurity Center of Excellence webpage here:
http://www.ruidoso.enmu.edu/~enmu/index.php/using-joomla/extensions/components/content-component/article-categories/280-cybersecurity-center-of-excellence
And the ENMU Online Cybersecurity Certificate Program web page here:
http://academic.enmu.edu/millerst/Online%20Cyber%20Security%20Programs.htm
Table of Contents
Abstract and Target Audience
Foreword
Chapter 1: New Projects and Security as a Design Consideration
Section 1: Building your Project
Extract from the InduSoft Technical Note: Application Guidelines
Chapter 2: Existing Projects
Chapter 3: Cloud Based Applications
Section 1: Working with Cloud Based Applications
The following is an extract from the InduSoft White Paper: Cloud Computing for SCADA
Chapter 4: InduSoft Application Security
Section 1: SCADA System Security Best Practices
The following is a transcript extract from the InduSoft Webinar: SCADA System Security Webinar
Chapter 5: InduSoft Security Discussion for Web Based Applications
Section 1: Using Security with Distributed Web Applications
Extract 1 - From InduSoft White Paper: Security Issues with Distributed Web Applications
Section 2 – Using Security with Web-Based Applications
Extract 2 - From the InduSoft Tech Note: IWS Security System for Web Based Applications
Section 3 – Using Security with Web-Based Applications
Reprint - Control Engineering Magazine - August 2014: Cybersecurity for Smart Mobile Devices
Chapter 6: InduSoft Recommendations for IT Security
Section 1: Firewalls and other SCADA Security Considerations
Transcript extract from the InduSoft Webinar: SCADA and HMI Security in InduSoft Web Studio
Section 2: Control Systems Security Overview
Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Overview
Section 3: SCADA Security - Operational Considerations
Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Operational
Section 4: SCADA Security - Management Considerations
Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Management
Appendix A: NIST Cybersecurity Framework Core
Appendix B: Cyber Security Evaluation Tool (CSET) Information
Appendix C: References
Recommended Publications for Purchase
Further Reading and Links to Organizations
Appendix D: Glossary
Terms Used in this Publication
Acronyms Used in this Publication
Endnotes
About the Author and More Information
Chapter 1: New Projects and Security as a Design Consideration
New projects should be planned with Application Security as a primary goal. Application Safety should follow this primary goal, with Application Functionality filling in the third of these top three project design goals. These three primary design goals create an efficient, smooth operating, and ergonomic application that is operationally obvious; it is well thought out with appropriate