"The only HMI you have today on small stations"
Not exactly informative
Let's get you to this - it costs nothing extra
Print out a QR code and stick it on the cabinet. Link to QR code generator site here. Paste the IP address of the RTU into the QR code generator. Now you have a digital cockpit. See the video, it comprehensively shows how to make your cabinet smart. All that knowledge for no effort – what’s there not to love about that!
Is it safe? Yes!! And here’s the why and the how:
There are two ways to get to the QR code HMI: 1) connect to corporate wi-fi or 2) connect to the RTU wi-fi. Let’s start with RTU wi-fi; after all, not many outstations are covered by corporate wi-fi.
Only turn on wi-fi when you are on site, by having a button on the cabinet door that can be pressed to enable wi-fi for 10 minutes
Use LDAP for access control. This ensures that users have the correct privileges and dismissed employees can’t get access with a stored password
Use syslog on top-end to monitor login attempts, both successful & unsuccessful. Generate proper alarms on top-end. Then you know if a hacker is trying to hack into the RTU
Sign your code. Let your System Integrators generate the code and hand it over to you. You download the code from top-end via SFTP, DNP3 File transfer, etc. or a corporate PC connected to the RTU. The WorkSuite logic application includes an Application Code Signing Tool that manages the generation and storage of public and private keys and enables the signing of logic applications (with an encrypted signature). The public key and private key are used by WorkSuite to encrypt authorisation
Use the firewall inside the RTU to whitelist an IP range for the service crew
Use the RTU dual VPN to secure connection to top-end
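The syslog item above, sketched as an added example (not Brodersen or WorkSuite code): a top-end script that turns RTU login events into alarms for repeated failures, a success that follows repeated failures, and a source address outside the service-crew range. The log line format, the names `alarms_for` and `SERVICE_RANGE`, the threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line format (not taken from RTU documentation); adapt the regex.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=10)               # same length as the wi-fi window
MAX_FAILURES = 3                             # assumed alarm threshold
SERVICE_RANGE = ip_network("192.0.2.0/28")   # constructed whitelist range

# Constructed sample lines, as a top-end syslog collector might store them.
SAMPLE = """\
2024-05-01T09:00:05 rtu-07 webhmi: login success user=tech1 src=192.0.2.4
2024-05-01T09:02:10 rtu-07 webhmi: login failure user=admin src=192.0.2.9
2024-05-01T09:02:40 rtu-07 webhmi: login failure user=admin src=192.0.2.9
2024-05-01T09:03:15 rtu-07 webhmi: login failure user=root src=192.0.2.9
2024-05-01T09:04:00 rtu-07 webhmi: login success user=tech2 src=192.0.2.9
2024-05-01T09:30:00 rtu-07 webhmi: login failure user=tech1 src=198.51.100.20
""".splitlines()

def alarms_for(lines):
    """Return (timestamp, host, alarm, detail) tuples for the given log lines."""
    failures = defaultdict(deque)    # (host, src) -> recent failure timestamps
    alarms = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue                 # not a login event
        ts = datetime.fromisoformat(m["ts"])
        host, src = m["host"], m["src"]
        if ip_address(src) not in SERVICE_RANGE:
            # The RTU firewall should have dropped this source: check its rules.
            alarms.append((ts, host, "SRC_NOT_WHITELISTED", src))
        recent = failures[(host, src)]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()         # forget failures older than the window
        if m["result"] == "failure":
            recent.append(ts)
            if len(recent) == MAX_FAILURES:
                alarms.append((ts, host, "REPEATED_FAILURES", src))
        else:
            if len(recent) >= MAX_FAILURES:
                alarms.append((ts, host, "SUCCESS_AFTER_FAILURES", f"{m['user']}@{src}"))
            recent.clear()
    return alarms

if __name__ == "__main__":
    for alarm in alarms_for(SAMPLE):
        print(*alarm)
```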
Program from video, ready-to-use in WorkSuite. No file unzip, just import – right here:
No fun being a hacker when we are around. Let’s find out why
The wi-fi is not on, so he can’t sit outside the building; he needs to break in and hope there’s no alarm on the building. Then he needs to identify how to turn on wi-fi. He needs to know there’s a wi-fi in the first place, because he can’t see anything at all from the outside. But now he is inside and must find a way in to get access to the wi-fi. However, there’s only a small range of IP addresses whitelisted in the firewall, and with more than 4 billion combinations, this might take more than 10 minutes. On top of that, there’s SSL and HTTPS. And after 10 minutes it all starts over again… except the breaking into the building.
Let’s assume he knows a friend on the inside, so he gets access to the wi-fi. Not so easy. Now he needs to get the LDAP user rights, and just maybe he has stolen a computer with the correct credentials. Now he wants to change the program. But then he also needs the corporate certificate (public/private key), and naturally the correct software for doing it all. And – remember – after 10 minutes it starts all over.
Now it really sucks to be a hacker. He is now facing MISSION IMPOSSIBLE. He wants to finalize the job at home. He steals the RTU and runs home to dig out VPN credentials and gets access to the corporate net in another way… BUT HE DIDN’T KNOW IT WAS BRODERSEN. All data is encrypted and the key for that is stored in a crypto-chip. Not even Brodersen can help him now. Better luck next time, slick, you won’t get in here!