Best Practices for Security

SCADA Security Guidelines Manual

A best-practices guide is included with every copy of VTScada. This is a stand-alone document (not part of these help files), which can be found in the Documents sub-folder of your installation folder.
(C:\VTScada\Documents\VTScada_Security_Guidelines_Manual.html

The manual provides guidance for installing, commissioning, verifying and maintaining the cybersecurity-certified capability of VTScada in accordance with applicable IEC 62443 cybersecurity standards.

Do not assume that your site is too small to be worth hacking.

All SCADA systems are targeted by hackers. You are running a SCADA system. Your site is a target.

Design your pages and tag structures with security in mind.

You can save a large amount of work, and greatly reduce the number of custom privileges you will need by creating a well-organized set of roles and corresponding rule scopes.

Enforce strong passwords.

Use the available options to enforce strong passwords (minimum length, combination of letters, numbers and other characters). Advise operators against re-using passwords for multiple applications.

Whenever there is ever a security update for your version of VTScada, apply it as soon as possible.

Typically, vulnerabilities are published a short time after a security update is distributed. Hackers will immediately seek to exploit that vulnerability on sites that have failed to protect themselves by applying the update.

Protect your control objects with custom privileges so only designated operators may use them.

This will limit the number of operators who will have access to controls and pages.

Place operator controls on pop-up pages.

By placing controls on a pop-up page, you reduce the chances of an operator accidentally issuing a control action. Also, because access to a pop-up page can be restricted using a custom privilege, it is possible to restrict access to many output tags with one privilege on one page rather than many privileges on many tags.

Use care when granting the Thin Client Access privilege and configuring a VTScada Thin Client Server.

VTScada cannot secure the networks between the remote client and the server.
Thin clients transmit the user credentials (username and password) using Basic Authentication, which is a simple non-encrypted Base 64 encoding of "username:password", and which is easily decoded by capturing network traffic.
It is essential that you use an X.509 certificate (commonly referred to as an SSL certificate*) to secure the communications from packet sniffing software connected to a local machine or switch. Do not overlook the possibility that attacks might originate from within your trusted network.

The use of a VPN is a reasonable second choice.

*Transport Layer Security (TLS) replaced Secure Socket Layer (SSL) security years ago.

If allowing Thin Client access, test the TLS connection using 3rd party tools, looking for weak ciphers, etc.

Smaller sites that do not have a dedicated IT department may need to find a contractor to help with this.

Do not grant privileges to the Logged Off account. (Exceptions may apply in rare circumstances.)

Do not grant unnecessary privileges to any account or role.

Configure the VAM to be hidden while the application runs to prevent access to the various diagnostic utilities by unauthorized persons.

This action is recommended for all sites. Use the "Other" tab of the Edit Properties page of the Application Configuration dialog to hide the VAM from all who do not have the required privilege, while the application runs. (see Hide the VAM).

Secure the Source Debugger and other diagnostic applications

This step is urged for sites that may prefer not to hide the VAM.

Before running the Import File Changes tool in the VAM, review the list of changes that will be imported using the Import/Export files tool of the Application Configuration dialog.

Note that the Import/Export tool will not add new files to your application. For that, you must use the File Manifest.

Consider running VTScada as a Windows™ service and using only thin clients to access applications.

This option provides maximum control over the choice of account under which VTScada runs, its permissions, and user-access to applications.

Use Windows security techniques to prevent unauthorized persons from accessing the VTScada program directory. Keep the workstations that are running VTScada in a secure location.

All other security measures are in vain if someone can destroy your application by deleting files or taking a hammer to the server.