SECURITY
Introduction
Security must NEVER be an afterthought…
As Vikings we no longer chase enemies in long boats, but our impressive hardware and software is used to terrify our competitors and keep our products safe!
Brodersen have been manufacturing products for use in remote monitoring and control solutions for more than 50 years. Our customer base is global and our products are used in a diverse range of applications that include energy management systems, water and waste water SCADA, infrastructure monitoring, building automation and airport management systems.
This application note provides an overview of the RTU32M/N Series security functionality. RTU security is a hot topic amongst large utility companies who need to ensure their SCADA systems comply with both their own corporate security requirements and regulatory authority security standards.
Traditionally, corporate IT security system standards are based around information security, with a focus on Confidentiality, Integrity and Availability. These focal points are typically reversed when defining SCADA system security requirements, i.e. Availability is most important! Most RTU vendors have struggled to adapt their products to evolving security standards that are easily implemented in devices like PCs and smartphones that are obsolete in 2-3 years, but hard to deploy in RTUs designed to operate for 10-15 years.
A fresh start allows security to be included - not as an 'add-on'
The RTU32M/N Series are the latest generation of Brodersen RTUs – with a new architecture that allows a ‘fresh start’ to developing product and security functionality. Instead of trying to add on security, the RTU32M/N products have it included at multiple levels. Adding a hard shell to a soft core seems good until an entry point is found; a better solution is to have multiple layers of hard shells around a hard core (our Viking ancestors knew that!).
The essential components for the new RTU platform include ‘future proof’ hardware with guaranteed availability of the core CPU board components past 2035 and an embedded Linux operating system.
RTU Security Features Overview
The RTU32M/N Series have numerous security features that include:
- Management of User Access and User Authentication – limiting use of default passwords, user group passwords and user privileges managed from a central location via LDAP
- Firewall Implementation – a user interface to manage which IP ports are open and whitelisting and blacklisting of ranges of IP addresses (uses iptables)
- Management of System Services – controls access to HTTP, HTTPS, SSH and Event Viewer services. An important requirement of any secure system is that non-essential services are disabled
- Secure Applications and Firmware Updates – use of ‘signed’ application logic and firmware using RSA public-key cryptosystem techniques
- Encryption of Sensitive Data – any files that include user or password type information can be stored in an encrypted ‘container’ area of the SD card to protect against theft or incorrect transfer of SD cards
- Secure Network Connections and Protocols – protecting data ‘in flight’ using dual VPNs and secure SCADA protocols such as DNP3 Secure
Managing user access - discouraging use of default passwords
The RTU32M/N Series products use a web server interface to view system information and manage the setup of the RTU. The System Overview page below shows a ‘Security alert’ and warns that the RTU is configured to use default passwords.
Administration of default passwords and creating additional users
The admin user password can be changed from the default
The root user password is not set by default to ensure root level access is only available if enabled/set
A user with Administrators group level access can add additional users and set their user group
Web server User group access levels include:
- Guests (read only)
- Superusers (read and some config)
- Administrators (full access)
User authentication from a central LDAP service
Management of user authentication from a centrally managed server is critical for large corporations and utility companies that need to respond rapidly to changes of personnel. The RTU can be configured to authenticate a user when a login event occurs.
The example setup here shows how user groups are mapped from the RTU to the LDAP server groups.
Secure / Dual VPN Connection
The RTU supports dual VPN server connections using PPTP and L2TP/IPsec to provide secure connections to other networks. L2TP with IPsec adds security to the establishment of the connection using pre-shared keys and encapsulation of the data packets using encryption.
The RTU logic block ‘CONNECTVPNEX’ allows management and logging of the VPN connection process.
PPP over serial link
Some corporate users have restrictions imposed on their field technicians that do not allow LAN ports on laptops to be used for anything other than connection to their corporate system. Use of PPP (Point to Point Protocol) allows IP connectivity with the RTU using a serial port.
Syslog reporting services
Management of system services
Various system services can be enabled/disabled to restrict access to only the required services.
Encrypted storage – with optional SD cards
The RTU is able to store any files that include user and password type information in an encrypted container area of the SD card.
Firewall setup – managing IP ports and IP addresses
The RTU Firewall allows management of the IP ports that connect services and networks to the RTU. In addition, Blacklists and Whitelists allow management of excluded/included lists of IP addresses.
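The port and address-list policy described above, written out as a plain iptables ruleset. This is an added example, not output from the RTU web interface or Brodersen code; the addresses, the port choice and the rule order (blacklist evaluated before whitelist) are assumptions.

```shell
#!/bin/sh
# Added illustration: emit an iptables-restore ruleset from a blacklist,
# a whitelist and a list of open TCP ports. All values are constructed.
BLACKLIST="192.0.2.66"                   # one host inside a whitelisted range
WHITELIST="192.0.2.0/24 198.51.100.10"   # documentation address ranges
OPEN_TCP_PORTS="443 20000"               # HTTPS and DNP3; 80 and 22 stay closed

valid_net() {   # shape check: four 1-3 digit groups, optional /0-32 prefix
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

valid_port() {  # decimal integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_ruleset() {   # $1 = blacklist, $2 = whitelist, $3 = open TCP ports
    for net in $1 $2; do
        valid_net "$net" || { echo "bad address: $net" >&2; return 1; }
    done
    for port in $3; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"         # default deny: unlisted ports stay closed
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $1; do                # blacklist first, so it beats the whitelist
        echo "-A INPUT -s $net -j DROP"
    done
    for net in $2; do
        for port in $3; do
            echo "-A INPUT -s $net -p tcp --dport $port -j ACCEPT"
        done
    done
    echo "COMMIT"
}

# Print the ruleset; on a Linux host it can be syntax-checked without being
# applied by piping it to "iptables-restore --test" as root.
build_ruleset "$BLACKLIST" "$WHITELIST" "$OPEN_TCP_PORTS"
```

Because the INPUT policy is DROP, a service such as HTTP on port 80 is unreachable simply by being left out of the port list, and entries that do not look like an address or port are rejected before any rule is written.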
Applications and firmware updates are ‘signed’ to keep your RTUs safe
The WorkSuite logic application includes an Application Code Signing Tool that manages the generation and storage of public and private keys and enables the signing of logic applications (with an encrypted signature). The public key and private key are used by WorkSuite to encrypt authorisation. The public key is loaded in the RTU and used to decrypt authorisation. Firmware update utilities for loading of RTU base firmware and IO module firmware also ensure that only ‘signed’ code/updates authorised by Brodersen will load.
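The sign-then-verify flow behind ‘signed’ applications, shown with the openssl command line as an added example. It is not WorkSuite's tool or the RTU's file format; the file names, the 2048-bit key size and the SHA-256 digest are assumptions, since the page does not state them.

```shell
#!/bin/sh
# Added illustration: generic RSA sign-then-verify with the openssl CLI.
# File names are hypothetical; this is not WorkSuite's or the RTU's format.

make_keys() {      # $1 = directory; the private key never leaves the signer
    openssl genrsa -out "$1/signing_priv.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/signing_priv.pem" -pubout \
        -out "$1/signing_pub.pem" 2>/dev/null
}

sign_app() {       # $1 = private key, $2 = application file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_app() {     # $1 = public key, $2 = application file, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

load_app() {       # device side: refuse anything that does not verify
    if verify_app "$1" "$2" "$3"; then
        echo "LOAD"
    else
        echo "REJECT"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_keys "$d" || { rm -rf "$d"; return 1; }
    printf 'constructed logic application v1\n' > "$d/app.bin"
    sign_app "$d/signing_priv.pem" "$d/app.bin" "$d/app.sig"
    echo "original: $(load_app "$d/signing_pub.pem" "$d/app.bin" "$d/app.sig")"
    printf 'x' >> "$d/app.bin"     # modify one byte after signing
    echo "modified: $(load_app "$d/signing_pub.pem" "$d/app.bin" "$d/app.sig")"
    rm -rf "$d"
}

demo || echo "demo failed (is openssl installed?)" >&2
```

Only the public key needs to be present on the verifying side, so a device that is lost or copied does not give anyone the ability to produce a signature it will accept.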