The preponderance of ICS security professionals recoil at the concept of smart phones having any role in SCADA or DCS. As covered in an earlier blog entry, there is a big difference between using smart phones for control and using them to view data that has been pushed out to the corporate or other external network. Security people who just say no to a legitimate business need are of limited value to an organization and often are ignored. If the business insists that some process information is required on smart phones or iPads, and they understand and accept the risk of the potential information confidentiality compromise, then let’s find the best way to do this.
Transpara Visual KPI is a good example of how data can be provided to smartphone users without increasing the risk of an impact to the integrity or availability of the SCADA and DCS.
The first step is to get the SCADA or DCS data out to the corporate network. OSIsoft’s PI server or another historian can do this, and in fact most organizations are pushing data out to a DMZ or corporate network. The best practice is to push the data from the control center to the ICS DMZ and then from the ICS DMZ to the corporate network, but many owner/operators either allow corporate access to the PI server on the ICS DMZ or push it out directly to the corporate network. Of these two sub-optimal options, we prefer allowing corporate access to the ICS DMZ because the firewall can significantly limit the attacks on a PI server that then communicates with a PI server in the control center.
The Transpara application server is installed on the corporate network, and the connection between the Transpara server and the PI server is tied to a PI user account. Access control measures are applied to the Transpara PI user. So now we already have two restrictions on what data can be viewed on smart phones. First, you can control what data is pushed to the external PI server. And second, you can control what data the Transpara application server can access by its associated PI user.
Displays/web pages are then generated in the Transpara application server for smartphone users. This is where owner/operators need a good data classification system and a judgement of the true business need and impact of the loss of confidentiality of this information. We push our clients here to confirm that this isn’t just a nice-to-have toy. Will the information be used to provide some significant value to the company that warrants whatever the impact is that this data might no longer remain private?
Once the displays are created, Transpara Visual KPI leverages Active Directory authorization. You can provide rights to view various displays or sets of displays by Active Directory users or groups, with role-based groups being the recommendation. This is now the third area where you can restrict what data is presented to smart phones.
Since Transpara leverages Active Directory, you can use any type of authentication that Active Directory supports for process data viewing on smart phones. This includes a variety of two-factor authentication options.
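The three restrictions described above compose as set operations, which makes them easy to audit together. The following is an added example, not Transpara or OSIsoft code: every tag, display, group and user name is constructed, and it assumes the three inventories have already been exported from the PI servers and Active Directory.

```python
# Added example: constructed inventory, not Transpara or OSIsoft code.
# Tag, display, group and user names are hypothetical.
REPLICATED_TO_EXTERNAL_PI = {"FLOW_01", "PRESS_01", "TEMP_01", "VALVE_POS_07", "LEVEL_02"}
PI_USER_READABLE = {"FLOW_01", "PRESS_01", "TEMP_01", "SETPOINT_03", "LEVEL_02"}
CLASSIFICATION = {"FLOW_01": "internal", "PRESS_01": "internal",
                  "TEMP_01": "restricted", "LEVEL_02": "internal"}
APPROVED_FOR_MOBILE = {"internal"}  # levels the business accepted for phones
DISPLAYS = {
    "plant_overview": {"tags": {"FLOW_01", "PRESS_01"}, "groups": {"ROLE_Ops_Mgmt"}},
    "unit3_detail": {"tags": {"TEMP_01", "SETPOINT_03", "VALVE_POS_07"},
                     "groups": {"ROLE_Process_Eng"}},
}
USER_GROUPS = {"alice": {"ROLE_Ops_Mgmt"},
               "bob": {"ROLE_Ops_Mgmt", "ROLE_Process_Eng"},
               "carol": {"ROLE_Finance"}}

def reachable_tags():
    """Restrictions 1 and 2: replicated out AND readable by the Transpara PI user."""
    return REPLICATED_TO_EXTERNAL_PI & PI_USER_READABLE

def visible_tags(user):
    """Restriction 3: tags on displays granted to one of the user's AD groups."""
    groups = USER_GROUPS.get(user, set())  # unknown user: no groups, sees nothing
    tags = set()
    for display in DISPLAYS.values():
        if display["groups"] & groups:
            tags |= display["tags"]
    return tags & reachable_tags()

def audit_displays():
    """Flag display tags that cannot resolve or exceed the approved classification."""
    findings, reach = [], reachable_tags()
    for name, display in sorted(DISPLAYS.items()):
        for tag in sorted(display["tags"]):
            if tag not in reach:
                findings.append((name, tag, "blocked by restriction 1 or 2"))
            elif CLASSIFICATION.get(tag, "unclassified") not in APPROVED_FOR_MOBILE:
                findings.append((name, tag, "classification not approved for mobile"))
    return findings

def unused_exposure():
    """Tags exposed through restrictions 1 and 2 that no display needs."""
    used = set().union(*(d["tags"] for d in DISPLAYS.values()))
    return reachable_tags() - used

if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(visible_tags(user)))
    print(audit_displays())
    print("candidates to stop replicating:", sorted(unused_exposure()))
```

Tags returned by `unused_exposure()` are data that has left the control network without a display that needs it, so they are the first candidates for tightening the first two restrictions.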
Connections to the Transpara application server are based on the smartphone the company supports. If you are a pure Blackberry shop, the BES server connects to the Transpara application server. Other smartphones or mixed environments typically go through a proxy server. All this communication is encrypted via SSL as you would expect.
The Transpara Visual KPI solution is a good example of how information can be provided to smart phones while adding little risk to the integrity or availability of the SCADA or DCS process. Any additional risk would be a new attack path from the smartphone to proxy/BES to Transpara App Server to External PI Server to Internal PI Server. Considering there are already multiple attack paths to any corporate network, this additional risk is minuscule. You have to assume the corporate network is compromised, and this should not prevent providing information required by the business. That risk is addressed or bolstered by air gapping, one-way, IPS or some other SCADA security perimeter solution.
Image by judy_breck