SCADA Security

SCADA security is receiving ever-increasing media attention due to cyber attacks on infrastructure assets such as water and energy. So how can the SCADA platform help make a system difficult to penetrate? Let us assume for the moment that the physical aspects of the system are secure; what about user login and remote access? When a user logs on to ClearSCADA, they only get access to the level within the database hierarchy that has been pre-determined for them. If there are other areas of the configuration that they are not allowed to view or control, these will be locked out. The security model in ClearSCADA is object based and is therefore granular down to a single point or object level. It does not matter which client application or interface is used to gain access: any request for data complies with the data security model.

If you need to provide remote access to users, you may wish to deploy a ClearSCADA Performance Server in the DMZ, synchronised to the primary server using uni-directional communications. This Performance Server (with the DMZ option enabled) then provides 'read-only' access, irrespective of whether the user has higher-level security on their permission profile (see diagram below on right).

Naturally, any and all access attempts are recorded in the ClearSCADA event journal, as are configuration edits, control actions, and alarm acknowledgements, so you can run periodic reports to monitor and report this activity. As an extra precaution, perhaps for critical control actions, you can force the operator to re-enter their password and add a comment to ensure proper warning before action is taken.

Example of security configuration

[Figures: Security, DMZ]

Users are generally associated with a Group (up to 4 groups), and the Group is then assigned security permissions on the database hierarchy at any level. Objects below the parent (such as a site) automatically inherit the permissions from the parent, which ensures correct settings and reduces maintenance. The ClearSCADA security model is granular down to an individual object such as a tag or point.
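
A small model of the group and inheritance rules described above, added here as an illustration; it is not ClearSCADA code or its API. The permission names, the "nearest explicit entry wins" rule, the union across groups, and the `dmz_read_only` flag (standing in for the read-only DMZ server) are assumptions, and the sample hierarchy is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical permission names, used only for this illustration.
READ, CONTROL, CONFIGURE = "read", "control", "configure"
MAX_GROUPS = 4  # the page states a user is associated with up to 4 groups


@dataclass
class Node:
    """One object in the database hierarchy (a site, a point, a tag)."""
    name: str
    parent: "Node | None" = None
    # group name -> permissions assigned explicitly at this level
    acl: dict = field(default_factory=dict)


def effective_permissions(node, groups, dmz_read_only=False):
    """Resolve what a user belonging to `groups` may do on `node`."""
    if len(groups) > MAX_GROUPS:
        raise ValueError("a user can belong to at most 4 groups")
    granted = set()
    for group in groups:
        # Walk up to the nearest level that names this group; objects below
        # that level inherit the entry (assumption: nearest entry wins).
        cur = node
        while cur is not None and group not in cur.acl:
            cur = cur.parent
        if cur is not None:
            # Assumption: permissions from several groups are combined.
            granted |= cur.acl[group]
    # A DMZ server answers read-only whatever the user's profile allows.
    return granted & {READ} if dmz_read_only else granted


# Constructed sample hierarchy.
root = Node("Root")
north = Node("NorthSite", root, {"Operators": {READ, CONTROL}})
pump = Node("Pump1", north)                               # inherits from NorthSite
setpoint = Node("Setpoint", pump, {"Operators": {READ}})  # tightened on one point
south = Node("SouthSite", root, {"Engineers": {READ, CONTROL, CONFIGURE}})

if __name__ == "__main__":
    for target in (pump, setpoint, south):
        print(target.name, sorted(effective_permissions(target, ["Operators"])))
    print("DMZ", sorted(effective_permissions(south, ["Engineers"], dmz_read_only=True)))
```

An empty result means the object is locked out for that user, which is the default for any branch where none of the user's groups has an entry.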


Video Surveillance

Using video cameras to monitor critical infrastructure provides added security but it can be a challenge to get this to work when you want to monitor remote sites over wide area networks (WAN). Therefore, ClearSCADA has partnered with Longwatch, a leading supplier of video surveillance software that is designed to transmit video images over SCADA communications networks. Integrating ClearSCADA with the Longwatch Video Surveillance Platform and Video Historian Platform, along with IP surveillance cameras, provides a solution to capture and convey important security information for critical infrastructure. The video surveillance uses the Modbus protocol and is event-driven to conserve bandwidth. The Longwatch system continuously takes and stores video locally. When motion is detected, an alarm is raised and a video “snippet” is attached to the alarm message and sent to the central control site, showing what happened before and after the event. Through a graphic display in ClearSCADA, operators are able to view what is occurring on site, preventing the need for sending someone to investigate the alarm.

This integration of ClearSCADA with Longwatch allows for video monitoring of locations where high-bandwidth connectivity is impractical or impossible. Communications between the Longwatch Video Control Center and the Remote Video Engines, deployed in the field and host locations, can be either Ethernet IP or Modbus over serial. The Longwatch video platform interfaces to ClearSCADA primarily via OPC, with Longwatch acting as the OPC server and ClearSCADA the OPC client. Video alarms, camera status, and camera control can then be achieved from ClearSCADA via the OPC interface.