Security Suite

The VTScada Security category includes a comprehensive set of features designed to protect your SCADA system from various threats and ensure secure operations. Here are some key aspects:

  1. User Authentication and Authorization: VTScada supports robust user authentication mechanisms, including integration with Active Directory and multi-factor authentication (MFA). This ensures that only authorized personnel can access the system.
  2. Role-Based Access Control (RBAC): This feature allows administrators to define roles with specific permissions, ensuring that users have access only to the functions and data necessary for their job.
  3. Secure Communication: VTScada employs encryption protocols to secure data transmission between clients and servers, protecting sensitive information from interception and tampering.
  4. Audit Logging: Comprehensive logging of user actions and system events helps in monitoring and auditing activities within the SCADA system. This is crucial for detecting and responding to security incidents.
  5. Alarm Notification Security: Integrated security controls ensure that alarm notifications are sent only to authorized users, preventing unauthorized access to critical alerts.
  6. Security Guidelines Manual: VTScada includes a Security Guidelines Manual that provides detailed instructions on how to install, commission, verify, and maintain the cybersecurity capabilities of the system in accordance with IEC 62443 standards.

These features collectively help in creating a secure and resilient SCADA environment, protecting against unauthorized access, data breaches, and other security threats.

  Data Diode
A safe one-way street for critical data.
VTScada pairs with Data Diode to provide a one-way data connection to a VTScada Historian outside of a secure network. This is another way VTScada provides secure sharing.

  IANA-Registered Port
VTScada has its own private TCP/IP port for server synchronization.
The VTScada RPC Manager automatically syncs historical data, alarm/event history, change log, user accounts, and application settings in real time across redundant servers. 
For maximum security and efficiency, VTScada has its own registered TCP/IP port number assigned by the Internet Assigned Numbers Authority (IANA) exclusively for RPC traffic.
  • TCP/IP Port 5780

  OpenID Connect® Support
Single sign-in and two-factor authentication.
Permits integration with third-party authentication servers on VTScada Anywhere Clients.
  • SINGLE SIGN-IN: One password to access many systems.
  • TWO-FACTOR AUTHENTICATION: E.g., Google Authenticator or Apple Touch sensor.

  Security Realms
Easily divide system access between user groups in large organizations.
Easily divide application access using security realms. Realms must exist in a hierarchy under at least one layer of management that is not assigned to any realm. A manager in Realm A can see only the roles and accounts that belong to Realm A.
  • Accounts and roles created by a realm manager belong to the same realm. 
  • A manager who is a member of a realm cannot change or remove their realm membership.

  IEC 62443-4-1 ML3
Cybersecurity certification of our software development lifecycle.
VTScada’s Development Environment is certified compliant with the IEC 62443-4-1 Maturity Level 3 Security Standard for Automation and Control Systems. IEC standards help increase resilience of critical infrastructure around the world by improving security best practices when developing products that comprise them. 
  • Certification by international authority www.exida.com.
  • Maturity Level 3 recognizes that Trihedral is following and improving their procedures.

  Read-Only DMZ Server
A safe way to share process history and protect Thin Client connections.
For many, remote access to their SCADA system and its data is essential. A read-only server in a DMZ vastly reduces the associated risks. 
A Thin Client Server in a DMZ allows remote users to make read-only connections without jeopardizing servers behind the firewall. 
DMZ servers can also be backups should the OT network be compromised.
  • Read-Only Workstation setting prevents any user from performing control actions.
  • Use HTTPS or a VPN to secure links between thin clients and the server.
  • Securely share data with third-party business systems.

  Application-Wide Security Accounts
Easily manage or revoke user privileges system-wide.
Application security accounts and settings control access to all parts of the application including workstations, thin clients, mobile clients, and alarm notifications. 
  • Deployed security changes are immediate and application wide. 
  • Accounts are easily copied, modified, and deleted.

  Windows® Security Integration
No need to manage both Windows and VTScada accounts.
Windows® Security Integration (WSI) can be used in place of, or in addition to, VTScada user accounts. VTScada Security has three elements: Accounts, Roles and Privileges.
When using WSI, accounts (users) are managed in Windows. VTScada privileges are managed in VTScada via assignment to roles. Windows accounts are linked to VTScada roles using Active Directory Groups named for VTScada roles.
  • Fewer passwords for users to remember.
  • External account control.

  Proximity Card Reader Support
Log on to VTScada as easily as entering a secured building.
Proximity card readers use RFID technology to provide secure, contactless entry to industrial sites. 
  • VTScada allows you to use the same card to also log into your SCADA application. 
  • Improve workflow by requiring users to tap in to create Operator Notes.