Cybersecurity concerns? Secure remote access with your operator interface
White Paper WP048001EN
Effective September 2016
New information
Kerry Sparks
Product Manager
Automation product solutions
Eaton
This white paper reviews the benefits of remote access and the necessary
steps to take to ensure secure connectivity in an environment where the
threat from Internet cyber-attack is real and pervasive.
Products and revisions
Vendor   Product                                                     Applicable revision                Tested revision
Eaton    XV and XP operator interface systems with Visual Designer   V7.1 and 8.0 of Visual Designer    V7.1 and 8.0 of Visual Designer
Supporting documentation
Manual name                  Reference number
XP-503 OS User Guide         MN04801006E
XP-503 Manual                MN04802003Z-EN
XV-1X2 Quick Start Guide     MN0480001E
XV OS Manual V2.25x          M000174-22
XV-102 Manual                MN04802004Z-EN
XV-152 Manual                MN04802006Z-EN
XV-303 Manual                MN048017_EN
Application details
When a customer has a problem with a machine or control system that is not
functioning properly, for whatever reason, it is important to be able to
quickly diagnose the cause of the problem and take corrective action.
Without remote connectivity to the machine, it is difficult to do this in a
timely and cost-effective manner: someone has to travel to another physical
location to determine the source of the problem or to provide other technical
support. It has been reported that “Having access to information and being
able to take corrective action remotely decreases field service costs by $1K
to $5K per trip.”
At the same time, remote connectivity also adds risks for the customer. We
continue to hear daily news stories about cyber criminals, hacktivists,
cyber terrorism, and even state-sponsored cyber-attacks. The Stuxnet worm
was a wake-up call for automation suppliers who assumed that their systems
couldn’t be targeted for attack. And, as the use of BYODs (Bring Your Own
Devices) such as smart phones, tablets, and other mobile devices continues
to grow in the manufacturing sector, we are starting to see them become
targets for cyber-attacks as well. Although Android is experiencing more
security issues today due to its more open platform, we can’t assume that
iOS devices are not vulnerable, too; the recent decision by Apple® to pay
hackers for discovering and reporting security bugs is indicative of the
current realities.
Amidst this backdrop, it’s easy to see why
cybersecurity is a core focus of all IT departments.
This means it is crucial that you understand the
means necessary to be able to create a secure
environment in which you can provide remote
access services. Understanding how to mitigate
such risks to provide secure remote access can
prevent production disruption while reducing
support costs.
Key remote capabilities
While remote access can mean different things to
different people, each of these varying facets can
be needed in any given situation. For that reason,
it is helpful to begin with some basic remote
access terms and the capabilities they describe:
The general ability for technical experts to manage
a machine or process from afar as if they were
standing right in front of the operator interface
themselves provides the most basic definition
of a remote desktop environment. The remote
desktop generally makes it possible to fix
problems and get everything up and running again
quickly from almost any location at any time.
White Paper WP048001EN
Cybersecurity concerns? Secure remote
access with your operator interface
Effective September 2016
Traditionally, remote environments are enabled by Thin Client Connectivity
over the Web and File Transfer Protocol (FTP). Thin Client Connectivity
leverages standard Internet technology and browsers, such as Internet
Explorer®, to log into a machine’s control and information system from
another location in order to view the same screens to which the machine’s
operator has direct access. Once connected, FTP makes it possible to send
and receive files such as historical logs, archived data files and
databases, or event-triggered alarm records that help the remote experts
troubleshoot machine issues more quickly. Keep in mind that FTP, as
traditionally used, sends the login password and the transferred files in
cleartext; the VPN and network segmentation measures described under
Security technologies are what keep that traffic off untrusted networks.
HMI/SCADA application software includes the capability to automatically
generate Web screens from the same screens generated for local use, which
saves significant development time and cost. A Development Software
Interface provides the ability for the HMI/SCADA developer to connect to the
remote system, upload and download files, and make changes to the
application on-the-fly over the Web to facilitate enhancements and bug fixes
to the application. These abilities help prevent problems in the future and
improve the user interface without disrupting production by forcing a
shutdown of the running application.
The ability to configure alarms and events to automatically generate text
messages and emails to both plant and remote personnel can prevent
production disruption and minimize machine downtime. Remote Annunciation
capabilities are typically included in software applications and mobile apps
as email or text messaging alert features.
Beyond the standard remote access environment, evolving mobile technologies
now provide additional remote access and machine support. Smartphone apps
for iOS and Android extend remote capabilities both to and through a growing
suite of ubiquitous computing tools. Apps created for mobile non-Windows®
devices use both text and graphical formats to provide real-time alarm
notification and information, or to simplify and enhance the remote control
of key processes.
Yet, despite all these capabilities, it is extremely important to remember
that remote access should never disrupt the operator’s own immediate ability
to change screens and control the machine independently. Machine control and
interaction through direct physical presence is often required as the most
failsafe means of ensuring optimal human safety or responding to an
emergency.
Security technologies
Once any type of remote access is enabled, security risks are inevitably
introduced; however, a wide array of technologies has emerged to help guard
against vulnerability. Technologies that support secure remote access
include the following:
• Firewalls—Firewalls help keep a network secure by controlling the incoming
and outgoing network traffic. The firewall can be either software- or
hardware-based, but its primary objective is to analyze data packets against
a rule set to determine whether or not each packet should be allowed to pass
onto the network. Many routers that pass data between networks contain
firewalls and/or firewall components.
• SSL (Secure Sockets Layer)—Found in outgoing email and incoming (HTTPS)
network access, SSL encryption (today provided by its successor, TLS; the
original SSL protocol versions are deprecated) is important to help prevent
unwanted access to information about the machine.
• VPN (Virtual Private Network)—VPN is a technology for using the Internet
or another intermediate network to connect computers to isolated remote
computer networks that would otherwise be inaccessible. A VPN provides
security so that traffic sent through the VPN connection stays isolated from
other computers on the intermediate network. Some routers can create one or
more VPNs that allow secure connections from the Internet to computers
within a plant network. Most VPN products encrypt the tunnel with either
SSL/TLS (so-called SSL VPNs) or IPsec.
• Deep packet inspection—This is a form of network packet filtering that
examines the data portion (and possibly also the header) of a packet as it
passes an inspection point, searching for protocol non-compliance, viruses,
spam, intrusions, or other defined criteria. It can then decide whether the
packet may pass, be blocked, or be routed to a different destination.
Certain routers and passive network devices are commercially available that
incorporate this technology to filter messages at the application protocol
layer (such as Modbus® TCP or EtherNet/IP), for example allowing a remote
user to read process values while blocking requests that would write them.
• Network segmentation—Segmenting the network into functional areas using
intelligent routers provides additional layers of security. The more layers
of security that exist, the more difficult it is for cyber criminals to
compromise the security of the manufacturing line and its control system.
Network segmentation provides a mechanism to create what is loosely called
an “air gap” that isolates the control system from a plant or office network
in the event other segments of the network are under attack. Strictly
speaking this is logical isolation enforced by the router rather than a true
air gap (no connection at all): the “air gap” essentially unplugs the
router’s uplink to the rest of the network, remote connectivity is
disrupted, and the manufacturing line is still allowed to continue to run in
this “worst case scenario.”
• Non-corruptible operating systems—Despite all the network security
measures taken, sometimes an engineer or operator can introduce a virus into
the network by just plugging an infected USB memory stick into a PC behind
the firewall and routers. For this reason, some Windows-based HMI/SCADA
systems offer a protected mode operating system. In the event that the
machines do contract a virus or other malware, the problem can be cleared
with a simple reboot that will get the machine running much more quickly
than a restore from a backup or restore point (assuming a good restore point
is even available). Note that the reboot removes the malware’s changes, not
the infected USB stick or the weakness it exploited; the XV and XP OS
corruption protection sections later in this paper describe what each
platform does and does not protect.
• Web conferencing—Web conferencing tools such as WebEx from Cisco provide
on-demand collaboration, online meeting, Web conferencing, and
videoconferencing applications. Because these on-demand tools and their
security mechanisms are familiar to company IT groups, and because it
typically requires both ends of the conference to initiate a connection, Web
conferencing is another way of granting remote access to OEMs and other
non-VPN users without the risk of exposing the network to unwanted users.
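Application-layer filtering of the kind the deep packet inspection bullet describes, as an added example that is not part of the white paper and not code from any Eaton or third-party product: a minimal Modbus/TCP request filter in Python that parses the MBAP header, drops malformed frames, lets read functions through, and blocks write and diagnostic functions unless the policy permits them. The Policy fields, the function groupings and the sample frames are assumptions constructed for this example; the function code meanings and the per-request quantity limits come from the public Modbus specification.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by what they can do to the process.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20, 24}       # read coils/inputs/registers, status, ids
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}       # change coils or registers
DIAGNOSTIC_FUNCTIONS = {8, 11, 12, 43}             # diagnostics, comm counters, device id
MAX_READ_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}  # per-request limits from the spec


@dataclass(frozen=True)
class Policy:
    """Assumed policy for one filtering point (e.g. the uplink from the office network)."""
    allow_writes: bool = False                 # remote side may change process state
    allow_diagnostics: bool = False            # function 8 can reset a slave's comms
    allowed_units: frozenset = frozenset()     # empty = any unit id


def parse_mbap(frame: bytes):
    """Return (transaction id, unit id, function code, data) from a Modbus/TCP
    request, or raise ValueError if the frame is not well formed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes on the wire")
    if length > 254:
        raise ValueError("PDU longer than the Modbus maximum of 253 bytes")
    return tid, unit, frame[7], frame[8:]


def decide(frame: bytes, policy: Policy):
    """Filter verdict ('allow' or 'drop') plus a reason, for one request frame."""
    try:
        _, unit, func, data = parse_mbap(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if policy.allowed_units and unit not in policy.allowed_units:
        return "drop", f"unit id {unit} not permitted"
    if func in READ_FUNCTIONS:
        if func in MAX_READ_QUANTITY:
            if len(data) != 4:
                return "drop", f"function {func} needs a 2-byte address and 2-byte quantity"
            _, qty = struct.unpack(">HH", data)
            if not 1 <= qty <= MAX_READ_QUANTITY[func]:
                return "drop", f"quantity {qty} out of range for function {func}"
        return "allow", f"read function {func}"
    if func in WRITE_FUNCTIONS:
        if policy.allow_writes:
            return "allow", f"write function {func} permitted by policy"
        return "drop", f"write function {func} blocked by read-only policy"
    if func in DIAGNOSTIC_FUNCTIONS:
        verdict = "allow" if policy.allow_diagnostics else "drop"
        return verdict, f"diagnostic function {func}"
    return "drop", f"function {func} not on any allow list"


def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Constructed Modbus/TCP request, used here only to exercise the filter offline."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    read_10_regs = build_request(1, 1, 3, struct.pack(">HH", 0, 10))   # FC3, start 0, 10 regs
    write_reg = build_request(2, 1, 6, struct.pack(">HH", 0x10, 1))    # FC6, reg 0x10 := 1
    for frame in (read_10_regs, write_reg):
        print(frame.hex(), decide(frame, Policy()))
```

The point of checking the length field and the quantity bound is that a filter that only looks at the function code will pass frames that a slave's parser may mishandle; a read-only policy for the remote support path still lets the technician see every register while a write or a function 8 diagnostic reset must come from the local network.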
Security threat vectors
Figure 1 below represents what a typical mid- to large-size plant information and control network
may look like to the engineer who is designing methods to enable remote access and support.
However, the corporate IT manager may see the network more like that shown in Figure 2.
Figure 1.
Figure 2.
The IT department may seem like the “Preventers of Information
Services” as Dilbert might say, but recent history shows that they
are not paranoid. They are just keenly aware of the dangers lurking
in cyberspace, which can make your life and their life miserable.
As they say, you are not paranoid if everybody really is plotting
against you.
Security threat vectors are those paths that malware may use to infect the
plant network. In Figure 2, those paths include:
• External users accessing the network through the Internet
• Misconfigured firewalls
• Unsecured wireless routers and wired modems
• Laptops infected elsewhere that are later plugged into the network behind
the firewall
• Infected USB keys and PLC logic programs
• Unsecured RS-232 serial links
In the next section, you will see how Eaton’s operator interface solutions
provide the necessary tools to mitigate the risks associated with each of
these threats, any of which could bring down the manufacturing environment.
Eaton operator interface products
Eaton offers several families of operator interface products and software
to meet a wide range of user requirements. The families discussed here are
the XV hardware platforms (XV-100 and XV-300) running Visual Designer SCADA
software, and the XP hardware platform running Visual Designer.
XV hardware platform
There are three XV hardware families—XV-102, XV-152, and XV-303. The XV-102
and XV-152 models together make up the XV-100 family and are functionally
identical; the only difference is that the XV-102 models (available in
3.5-, 5.7-, and 7-inch widescreen touchscreens) have a plastic composite
frame while the XV-152 models (available in 5.7-, 8.4-, and 10.4-inch
touchscreens) have an aluminum metal frame. Both run on the Windows CE 5
operating system. The XV-300 family has higher performance and higher
capacity than the XV-100 family and comes in either a 7- or 10.1-inch
widescreen display with a multi-touch, projected capacitive touchscreen
(PCT). The XV-300 runs on the Windows Embedded Compact 7 Professional OS.
While the OS components vary somewhat between the models
that run Visual Designer, the functionality of the hardware is
fundamentally the same. They all share a number of remote network
access capabilities that include:
• Remote desktop server (VNC Gateway)—Allows remote users to take control of
the XV unit from either their PC or from any device that supports a VNC
Client (Virtual Network Computing), such as an iPad® or Android. The Remote
Desktop Client is an executable that is available for free download from the
Eaton website. To run the client from your PC, you simply select the IP
address of the device, provide a valid password, and take control remotely.
The VNC Gateway links a VNC Client from a PC, iPhone®/iPad, or Android to
the Remote Desktop server, where the VNC Client takes the place of the
Remote Desktop Client. You can either download and install a VNC Viewer for
a PC for free or purchase the app from the iTunes® Store or Google Play®
(~$10). The Remote Desktop server uses port 51738, whereas the VNC Gateway
uses port 5900. Standard VNC (RFB) sessions are not encrypted, so the VNC
Gateway port should be reachable only through a VPN and never forwarded
directly from the Internet.
• FTP server—Allows remote users to view and upload/download files to and
from the XV’s file system over a network. This can be used to remotely
update the XV’s operating system, modify its startup through the
Autoexec.bat file, or make changes to the running application through the
file transfer interface of FTP (File Transfer Protocol). From your PC, you
can open Windows Explorer/My Computer and enter the following in the address
bar: ftp://ipaddress. For example, if the XV is at IP address 192.168.1.23,
you would type ftp://192.168.1.23 and then provide a valid password for the
FTP server. You can then browse and manage the file system of the XV from
your PC. The FTP server uses ports 20 and 21 (data, command). Because FTP
sends the password and every transferred file in cleartext, and because a
writable FTP login can change Autoexec.bat and the OS folder, treat the FTP
password as an administrative credential and expose the service only through
a VPN.
• Web server—Allows remote users to use either a standard browser (Internet
Explorer, Google Chrome, Firefox, etc.) or the Visual Designer Secure Viewer
service to view and/or control the Visual Designer application as standard
HTML files in an independent user interface. This means that the local
client (operator) and the remote client (Web viewer) have independent access
to the project screens based on the login user credentials provided. So,
depending on what user and password are provided when logging on remotely,
the remote user may have access to screens that are not available to the
local operator and vice versa. The remote client can be limited to
“view-only” access or “view and control.” If the project allows remote
control, then the control access is based on the remote user’s login account
settings. For mobile devices like iPad/iPhone or Android, plus any PC-based
browser other than Microsoft Internet Explorer, such as Google Chrome,
Safari, Firefox, etc., the Mobile Access interface is HTML5 compatible and
provides independent graphical, alarm, and trend controls. The Web server
interfaces all use ports 80 (HTML server) and 1234 (TCP/IP data server). In
addition, CoDeSys software, which also runs on XV units, offers a Web server
using the same ports. Port 80 is plain HTTP, so remote logins to the Web
server should likewise travel inside a VPN.
• Remote program download agent (server)—Allows upload, download, and
licensing services to the Visual Designer editor for easy-to-use application
project management. The Remote Agent (CEServer) running on Visual Designer
XV units uses a password for remote access authentication. The Visual
Designer remote program agent uses port 4322.
Each of these remote services has an independent password so you can choose
which users are able to perform which remote functions. Knowing which ports
are used by each remote access service allows you to set up your
router/firewall/VPN server for either blocking or forwarding requests for
that port to the appropriate device. The Web servers for Visual Designer and
CoDeSys use the built-in security setup that each program offers. More
details on those features are available in the software security
descriptions addressed later in this paper.
XV OS corruption protection
There are two design features in the XV’s implementation of the WinCE 5 and
WinCE 7 operating systems that protect its integrity in the event of a
breach in security where malware attempts to attack any vulnerabilities in
the operating system or application software.
• Registry Save function—The WinCE Registry Save function is disabled in the
XV’s OS implementation and cannot be enabled. Modifications to the Windows
registry are a common target for malware and can be very difficult to find,
much less correct. With the XV, recovery from such an attack on the Windows
registry is accomplished with a simple power cycle of the unit. Instead of
incorporating a Registry Save function, all desired registry changes are
accomplished through batch files like the Autoexec.bat file and Registry
(.Reg) files.
• Core OS components—The XV’s core operating system components are located
in a read-only flash resource that is not accessible to the runtime OS. This
means that any security breach that attempts to either install or remove key
OS components can easily be corrected by completely deleting the OS folder
from the InternalStorage or StorageCard (SD) drive and copying the OS folder
back using an SD card, USB memory device, or FTP connection. The accessible
OS folder only contains add-on components to the core OS components,
allowing for fast recovery from any type of malware attack, while also
supporting simple OS revision changes. This also ensures that users cannot
accidentally corrupt the OS to an unrecoverable state.
Note that the power cycle restores the registry and the core OS image only.
Files on InternalStorage or the StorageCard, including Autoexec.bat, .Reg
files and the add-on OS folder, persist across a power cycle, so the FTP
password and physical access to the SD card slot deserve the same care as
the network controls.
XP hardware platform
The XP-503 platform is essentially a Panel PC with a 1.65 GHz dual-core AMD
processor with a Radeon graphics co-processor, 4 GBytes of DDR3 memory
(DRAM), a 32-GByte internal mSATA solid-state “C” drive, and a 4-GByte
external, removable CFast “D” drive with a 4000 tag Visual Designer software
license. The XP-503 models have three screen size options—10.1-, 15.6-, and
21.5-inch TFT displays with multi-touch PCT touchscreens and
scratch-resistant safety glass. All XP models run on a Windows Embedded
Standard 7 operating system and all are licensed to run Visual Designer
software that comes preloaded and includes a pre-activated runtime software
license for 4000 tags and one Web server license for each of the three types
of Web servers: thin client, secure viewer, and mobile access. All share the
following remote access capabilities:
• Remote desktop server—While the standard Windows remote desktop server is
included with every XP model, it is recommended that the user install one of
the various VNC servers available for free download on the Web. Eaton has
tested and supports UltraVNC as well as RealVNC on the XP hardware
platforms. Each will allow remote users to take control of the XP unit from
either their PC or from any device that supports a VNC Client (Virtual
Network Computing), such as an iPad or Android. For your PC, all you need to
install are the VNC client components. Running the client from your PC, you
select the IP address of the device, provide a valid password, and take
control remotely. The VNC server also supports the VNC client from an
iPhone/iPad or Android. You can purchase the VNC Client app from the iTunes
Store or Google Play (~$10). The VNC server uses port 5900.
• FTP server—Allows remote users to view and upload/download files to and
from the XP’s file system over a network. This works a little differently
from the XV unit in that specific locations—called Virtual Directories—need
to be added to the default FTP server under Internet Information Services
(Control Panel > Administrative Tools). By default, there are two FTP
Virtual Directories configured. The first is called CFG and it points to the
root directory of the D drive with Read/Write privileges. The second is
called CDrive and it points to the root directory of the C drive, but has
Read-Only privileges. From your PC, you can open Windows Explorer/My
Computer and enter the following in the address bar:
ftp://ipaddress/VirtualDirectoryName. For example, if the XP is at IP
address 192.168.1.100, you would type ftp://192.168.1.100/Cfg to view and
change files on the D drive. The Windows Firewall on the XP unit blocks the
FTP ports by default; the procedure given here is to disable it (Control
Panel > Windows Firewall), but an inbound rule that allows only TCP ports 20
and 21 from the addresses of your support hosts achieves the same result
without removing protection from the unit’s other services. If going through
a router, it is recommended that you use port forwarding and MAC address
filtering to secure the FTP service for the XP unit; keep in mind that MAC
filtering only deters casual access, because MAC addresses are easily
spoofed, so the VPN remains the real control. The FTP server uses ports 20
and 21 (data, command).
• Web server—Allows remote users to utilize a standard Microsoft Internet
Explorer browser or the Visual Designer Secure Viewer service to view and/or
control the Visual Designer application as standard HTML files in an
independent user interface. This means that the local client (operator) and
the remote client (Web viewer) have independent access to the project
screens based on the login user credentials provided. So, depending on what
user and password are provided when logging on remotely, the remote user may
have access to screens that are not available to the local operator and vice
versa. The remote client can be limited to “view-only” access or “view and
control.” If the project allows remote control, then the control access is
based on the remote user’s login account settings. For mobile devices like
iPad/iPhone or Android, plus any PC-based browser other than Microsoft
Internet Explorer, such as Google Chrome, Safari, Firefox, etc., the Mobile
Access interface is HTML5 compatible and provides independent graphical,
alarm, and trend controls. The Web Server interfaces all use ports 80 (HTML
server) and 1234 (TCP/IP data server).
• Remote program download agent (server)—Allows upload, download, and
licensing services to the Visual Designer editor for easy-to-use application
project management. The Remote Agent (also called CEServer on XP units)
running on XP units uses a password for remote access authentication. The
Visual Designer remote program agent uses port 4322.
Each of these remote services has an independent password so you can choose
which users are able to perform which remote functions. Knowing which ports
are used by each remote access service allows you to set up your
router/firewall/VPN server for either blocking or forwarding requests for
that port to the appropriate device. The Web server for Visual Designer uses
the same built-in security setup that is utilized for local access on the XP
unit. More details on those features are available in the software security
descriptions addressed later in this paper.
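Knowing the ports is only half of the job; the other half is verifying, from outside the VPN, that none of them answer. The script below is an added example (not from the white paper and not an Eaton tool) that probes the service ports the paper lists for the XV and XP units from whatever network position it is run on and reports which services are reachable. The port-to-service table is taken from the paper; the fake local listener is constructed so the script can be exercised offline and stands in for one HMI service.

```python
import socket
import threading

# Ports the white paper documents for the XV/XP remote services. Confirm against
# your own unit's configuration; an added VNC server or CoDeSys web server may differ.
HMI_SERVICE_PORTS = {
    20: "FTP data",
    21: "FTP command",
    80: "Visual Designer / CoDeSys web server (HTTP)",
    1234: "Visual Designer TCP/IP data server",
    4322: "Visual Designer remote agent (CEServer)",
    5900: "VNC gateway / VNC server",
    51738: "XV remote desktop server",
}


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout, else False.
    A refused or timed-out connection both count as 'not reachable from here'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def audit_ports(host, ports, timeout=1.0):
    """Map each port to whether it accepted a connection from this vantage point."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def reachable(result, names):
    """Names of the services whose ports answered, sorted for a stable report."""
    return sorted(names[port] for port, is_open in result.items() if is_open)


def exposed_services(host, timeout=1.0):
    """Run the paper's port table against one HMI address."""
    return reachable(audit_ports(host, HMI_SERVICE_PORTS, timeout), HMI_SERVICE_PORTS)


def start_fake_service(host="127.0.0.1"):
    """Constructed stand-in for an HMI listener so the audit can run offline.
    Returns (server socket, port); accepted connections are closed immediately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # server socket closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Pick an ephemeral port that nothing is listening on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against the fake listener; in practice call
    # exposed_services("<HMI address>") from a host outside the VPN and expect [].
    srv, port = start_fake_service()
    print("fake service on port", port, "->", audit_ports("127.0.0.1", [port, find_closed_port()]))
    srv.close()
```

Run it twice: from a host inside the VPN, where the services you intend to use should answer, and from a host on the office or Internet side, where the expected result is an empty list. Any service that answers from the outside is reachable by whoever else can reach that network, password or not.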
One key difference in Visual Designer’s security capabilities when running
on an XP platform is that the Visual Designer security system can be
administered by a Windows Active Directory domain, through what Visual
Designer calls LDAP (Lightweight Directory Access Protocol) mode. This is a
powerful feature that allows one or more XP units to have their security
administered by the Windows domain in which they participate.
Another key difference between the XP and XV hardware platforms is that the
XP platform supports SSL/TLS encryption when connecting to email servers.
The email capabilities are another remote feature supported by Visual
Designer for alarm or event annunciation or for sending file attachments;
however, most email servers now prefer or require an encrypted (SSL/TLS)
connection for mail submission, and many will not accept unencrypted
submissions at all.
XP OS corruption protection
There is one key design feature in the XP’s implementation of the
Windows Embedded Standard 7 operating system that protects its
integrity in the event of a security breach where malware attempts
to attack vulnerabilities in the operating system or application
software.
• Protect Mode®—Microsoft Windows Embedded operating systems offer a feature
called the Enhanced Write Filter (EWF). Eaton has incorporated this feature
into a set of tools called Protect Mode. The EWF is enabled by default for
the entire operating system partition (C drive), which prevents writing
directly to the drive. Instead, any changes are temporarily held in volatile
DRAM until the unit goes through a power cycle, at which time the changes are
all discarded. Modifications to the Windows registry and to Windows
components are a common target for malware and can be very difficult to
find, much less correct. With the XP’s Protect Mode, recovery from such an
attack on any Windows or Visual Designer component or service is
accomplished with a simple power cycle of the unit. What the Protect Mode
utilities offer is a mechanism for the user to install or update software
and drivers and to make changes in OS components or settings while the EWF
is enabled, and then select Commit to make those changes permanent on the C
drive (the internal solid-state drive described above). During the Commit
process, also termed Protect Mode Save, the system takes all the temporary
changes since power-up and makes them permanent through a reboot. When
rebooted, the EWF is still enabled and the unit is still protected. Another
feature of Protect Mode is the ability to disable the EWF so that large or
complex installations can be done more easily, after which Protect Mode can
be re-enabled. Two caveats follow from this design. The write filter covers
the C drive only: the removable CFast D drive, which the CFG FTP virtual
directory exposes with Read/Write access, is not filtered, so anything
written there survives a power cycle. And because Commit persists every
change held in DRAM since power-up, a Commit performed while the unit is
compromised would make the compromise permanent; commit only after a clean
reboot and a deliberate, attended change.
Not only does this Protect Mode feature protect the unit from malware, it
also minimizes the overall preventive maintenance required by normal Windows
PCs in a factory environment. On a typical factory floor PC, you need to
install anti-virus software and apply weekly—if not daily—virus definition
updates as well as monthly Windows security patches. For obvious reasons,
these activities are not performed while the unit is being used in the
manufacturing process and must be done during scheduled downtime periods.
Furthermore, to prevent a lengthy restore process in the event of either a
hardware failure or a security breach where, despite all security efforts,
the PC becomes infected in some way, periodic backups of the PC’s Windows
drive (hard drive or solid-state drive) need to be performed. This is to
avoid the time-consuming process of applying numerous cumulative patches
after a Windows reload. Most of this preventive maintenance by skilled PC
technicians is unnecessary with an Eaton XP unit because, with Protect Mode,
the operating system drive doesn’t change. Keep in mind what Protect Mode
does and does not do: it makes an infection of the C drive non-persistent,
but it does not remove the weakness that let the malware in, so a
network-exposed, unpatched service can be exploited again after every
reboot. The network controls described earlier (VPN, segmentation, and
firewall rules limited to the listed ports) therefore remain the first line
of defense, and Protect Mode is the safety net behind them. The fact that
the XP has all solid-state drives and no fans or other moving components
also means that you have fewer hardware failures from rotating media or
cooling devices.
Visual Designer software security features
The security system built into Visual Designer projects is very flexible and
covers both runtime and development security. Here we will focus only on the
runtime security features that address network security. The goal of Visual
Designer security is to complement network and physical security for a
complete defense-in-depth approach, with multiple strong security features
throughout.
Security groups
Visual Designer security is modeled after Windows security in that you have
Security Groups (e.g., power users, administrators, guests, etc.) in which
access privileges are defined, and then users with user names and passwords
who are assigned membership in one or more security groups. The group
settings are shown in Figure 3.
• The Security Level—Runtime setting for each group is what dictates screen
access and command access (pushbutton and value entry). Each screen and each
object that can affect a tag value through user input has a security level
property value assigned (default value 0). Leaving the value at zero ensures
that every user has access to the screen or command. Assigning any number
between 1 and 255 ensures that only users who are members of a group whose
Security Level—Runtime range includes that level will have access. If the
logged-on user lacks access and attempts to go to an inaccessible screen or
clicks/touches a control object, nothing happens; the action is silently
ignored.
If the developer wishes to hide controls or change their appearance based on
the current access level, there are system tags maintained by the security
system that can be used to do so. These system tags include UserName and
GroupName (text) plus GroupLoLevel and GroupHiLevel (integer). All groups
automatically have access to level 0 screens/objects, so it is easy to
create security groups that are hierarchical or functional. If a group’s
level range is set to 10–20, for instance, then members of that group have
access to screens/objects in that range as well as to those set to zero.
Figure 3.
Under the button labeled Advanced… are additional properties for
groups, as shown in Figure 4.
Figure 4.
In the Password Options tab, you can set rules to ensure strong passwords
and, with password aging, ensure that passwords are changed periodically. In
the Auto LogOff/LockUp tab, you can make sure that members of a group are
automatically logged off after a fixed time period or a period of
inactivity, and that an account is locked out after repeated failed login
attempts, so that someone cannot keep guessing another user’s password.
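The access model described above (security levels 0 to 255, one inclusive level range per group, level 0 open to everyone, a user in several groups inheriting all of their ranges) together with the failed-login lockout from the Auto LogOff/LockUp tab, as an added example in Python. This is an assumed, simplified model written for this paper and not Visual Designer’s code: the class and field names, the password rule (minimum length plus a digit), the lockout threshold of three attempts, the PBKDF2 password storage and the demo groups and users are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    lo_level: int                   # "Security Level - Runtime" range, inclusive
    hi_level: int
    min_password_length: int = 8    # Password Options tab (assumed rule)
    max_failed_logins: int = 3      # Auto LogOff/LockUp tab (assumed threshold)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: list
    failed_logins: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the security export never holds a cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RuntimeSecurity:
    """Screen/object access decisions for the currently logged-on user."""

    def __init__(self, groups, users=()):
        self.groups = {g.name: g for g in groups}
        self.users = {}
        self.current = None             # None = nobody logged on (level 0 only)
        for name, password, members in users:
            self.create_user(name, password, members)

    def password_ok(self, password, group_names):
        # The strictest rule among the user's groups applies.
        need = max(self.groups[g].min_password_length for g in group_names)
        return len(password) >= need and any(c.isdigit() for c in password)

    def create_user(self, name, password, group_names):
        if not self.password_ok(password, group_names):
            raise ValueError(f"password for {name} violates group password rules")
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt), list(group_names))

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or user.locked:
            return False
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failed_logins += 1
            limit = min(self.groups[g].max_failed_logins for g in user.groups)
            if user.failed_logins >= limit:
                user.locked = True      # stays locked until an administrator unlocks
            return False
        user.failed_logins = 0
        self.current = user
        return True

    def logoff(self):
        self.current = None

    def unlock(self, name):
        self.users[name].locked = False
        self.users[name].failed_logins = 0

    def can_access(self, level):
        """True if the current session may open a screen or operate a control whose
        security level property is `level`; a user in several groups gets the union
        of their ranges, and level 0 is open even with nobody logged on."""
        if not 0 <= level <= 255:
            raise ValueError("security level must be 0..255")
        if level == 0:
            return True
        if self.current is None:
            return False
        return any(self.groups[g].lo_level <= level <= self.groups[g].hi_level
                   for g in self.current.groups)


def build_demo():
    """Constructed groups and users for exercising the model."""
    groups = [Group("Operators", 1, 9), Group("Maintenance", 10, 20),
              Group("Supervisors", 30, 50)]
    users = [("oper", "Oper-2016", ["Operators"]),
             ("maint", "Maint-2016", ["Maintenance"]),
             ("lead", "Lead-2016", ["Maintenance", "Supervisors"])]
    return RuntimeSecurity(groups, users)


if __name__ == "__main__":
    sec = build_demo()
    sec.login("lead", "Lead-2016")
    for lvl in (0, 5, 15, 25, 40, 100):
        print(f"level {lvl:3d}: {'allowed' if sec.can_access(lvl) else 'denied'}")
```

Note that a denied action is simply ignored, exactly as the paper describes for the real system, so a remote viewer who does not see a button react has no hint whether the level was too high or the object is merely disabled; logging denied attempts on the runtime side is the only way to spot someone probing for accessible controls.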
Security modes
Visual Designer supports three different mechanisms for administering
security.
• Local only—The security system is administered within the local project
for a single runtime instance of Visual Designer. This is the simplest and
most common mode.
• Distributed client/server—This mode is designed for applications where
there are multiple runtime units networked together locally; one
project/unit is deemed the Security Administration server, and all other
projects are clients of that one server. This central administration
approach makes sense in an environment where there are common users among
multiple systems with a common set of privileges to administer. It
simplifies the task of defining, maintaining, and modifying security for
such multi-unit applications.
• Domain (LDAP)—This mode is designed for users who want the Visual Designer
security system to be administered by the Windows domain’s Active Directory
services. The Lightweight Directory Access Protocol (LDAP) is a recognized
standard for managing users and groups across many different applications on
a network. When this mode is selected, the project gets its users and groups
from an LDAP-compliant directory server, such as Microsoft Active Directory
for Windows or OpenLDAP for Linux. In this mode, the user names, passwords,
and group memberships are taken from the domain and the specific rights are
configured within the project. For customers with domains, this feature
greatly simplifies security administration in Visual Designer projects
because they can use the Windows security tools with which they are already
familiar. This feature may be used with XP models, but this mode is not
supported on XV models. Plain LDAP (port 389) sends the bind password in
cleartext unless LDAPS or StartTLS is used, so the traffic between the XP
units and the domain controller should be encrypted or at least kept inside
the segmented control network.
You can create as many security groups as you like in the
development environment, but cannot add or modify group settings
during runtime. There are a number of runtime functions you can
do for users, such as changing passwords, creating and deleting
users, locking and unlocking users, and exporting and importing
the security system to an encrypted file, etc.
Security users
You can create as many users as you like in the development
environment, and add, delete and modify user settings at runtime.
User settings include the User Name and Password plus group
membership assignment. Password rules apply based on the
settings for the group to which the user is assigned and a user may
be a member of more than one Security Group, in which case, the
user inherits all privileges from all assigned groups.
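The group and user model described above (groups fixed at development time, users editable at runtime, a user in several groups inheriting all of their privileges), worked through as an added example that is not Eaton's code. It also models the runtime user functions the paper lists later (create user, set password, block/unblock, user state, password aging); the assumption that password length and aging rules come from the user's groups, with the strictest applying when a user is in several, is mine, not the paper's.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not Eaton's code: a model of the group/user security system
# described above and of the runtime user functions the paper lists (create user,
# set password, block/unblock, user state, password aging). Assumption: password
# rules are per group and, for a user in several groups, the strictest one applies.

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    privileges: frozenset
    min_password_len: int = 8
    password_age_days: int = 90      # 0 means the password never expires

@dataclass
class User:
    name: str
    password: str
    groups: list
    password_set: date
    blocked: bool = False

class SecuritySystem:
    def __init__(self, groups):
        # Groups are fixed at development time; only users change at runtime.
        self.groups = {g.name: g for g in groups}
        self.users = {}

    def _groups_of(self, user):
        return [self.groups[g] for g in user.groups]   # KeyError on unknown group
    def _check_password(self, user, password):
        required = max(g.min_password_len for g in self._groups_of(user))
        if len(password) < required:
            raise ValueError(f"password must be at least {required} characters")

    def create_user(self, name, password, groups, today):
        if name in self.users:
            raise ValueError(f"user {name} already exists")
        user = User(name, "", list(groups), today)
        self._check_password(user, password)    # reject before adding the user
        user.password = password
        self.users[name] = user

    def set_password(self, name, password, today):
        user = self.users[name]
        self._check_password(user, password)
        user.password, user.password_set = password, today

    def block_user(self, name, blocked=True):
        self.users[name].blocked = blocked
    def get_user_state(self, name):
        return "blocked" if self.users[name].blocked else "active"

    def get_password_aging(self, name, today):
        """Days until the password expires, or None if it never does."""
        user = self.users[name]
        ages = [g.password_age_days for g in self._groups_of(user) if g.password_age_days]
        return None if not ages else (user.password_set + timedelta(days=min(ages)) - today).days

    def has_privilege(self, name, privilege):
        user = self.users[name]
        # A user in several groups inherits the union of their privileges.
        return not user.blocked and any(privilege in g.privileges for g in self._groups_of(user))
```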
Managing security
In the security configuration dialog, you may assign a Master Password for the entire project that must be used when importing an exported security file. This provides an extra layer of protection so that an encrypted security file cannot be decrypted without the Master Password. Once the security system has been configured, it may be exported and imported into other Visual Designer projects from within the development environment. The runtime environment also allows importing and exporting the security system, so that when making runtime changes to the security system you can make sure those changes are automatically exported and can be imported at the next project startup. The following are some of the runtime functions for security:
• Create/Remove User—Add new users and delete existing user accounts
• Set Password—Specify a new user password
• Block/Unblock User—Temporarily block a user from access and unblock users who have been blocked
• Get User State—Determine the block/unblock status of a user
• Get User Names—Get a list of users and optionally their groups
• Get User Password Aging—Returns the time remaining before the password for a specific user expires
• Import/Export Security System—Restore/backup the security system to an encrypted file
How to secure the network
The level of remote access and the nature of the network infrastructure will have a major effect on the task of securing your network hardware. For instance, if you work in a large distributed corporation with offices all over the world and VPN access available to all your remote support individuals, then much of the work is already done at the Internet access level. The IT department will have secure firewalls in place and VPNs set up to access the plant network remotely. In this case, you will need to provide a list of ports that you need to have open to certain individuals and have them forwarded to the appropriate equipment on the network. If instead you have a small site with a single Internet connection and you want to allow remote access, then you will need to completely configure your security from the Internet connection through to the piece of equipment you need to access.
To enable remote access, there will be one or more routers, firewalls, and VPN devices that need to be configured. In large corporations, the IT department will have the necessary expertise and in most cases they will be responsible for securing all networks in the company. Typically, factory floor networks are isolated from the plant network through a local router/firewall, and you or your IT department will need to configure that local router to protect against the other potential threat vectors shown back in Figure 2.
The following is a list of recommended steps to take to configure your network and application to promote secure remote access to your plant floor devices.
Router/firewall setup
Most routers have similar mechanisms for setting up security
features. You should refer to your router’s documentation for user
interface details.
1. Internet port routing/forwarding—Figure 5 shows a typical table
for setting up routing and port forwarding for the Internet or upstream
WAN port. You can set up incoming traffic on the WAN port to be
directed to a specific computer name or IP address. You can
also set up which protocols (TCP, UDP, Both, or other) you pass,
when to forward them (Always, Never, or Specific Schedule), and
whether to filter inbound sources (Allow All, Deny All, or Specific
Filters) based on host name or IP address.
Figure 5.
It is recommended that you use this table to allow only those
specific ports needed by the application and only to those
specific host PCs to which you trust access; then, close all other
ports with Deny All.
2. MAC address filtering—In Figure 6 we see a typical table for
filtering which specific MAC (Media Access Control) addresses
are either allowed or denied access to this local network. There
are two ways to do this: a “White List” of only those you wish
to allow; or, a “Black List” of those PCs that are not allowed. In
most cases, a white list approach is the best choice because it
requires the least amount of maintenance.
Figure 6.
It is recommended that you use this to allow only specific users’
PCs, PLCs, and HMIs to be connected to this local network.
This gives you the ability to admit only trusted PCs to the
network. This is especially important if the router also allows
wireless connections, because many wireless devices, cell phones,
tablets, etc. are not necessarily secure.
Depending on the router, there will be many other ways of locking
out specific Internet websites and hosts, creating inbound filters and
rules, and for creating custom routing tables. By taking the first two
steps, you can generally achieve a secure network. The following
are some additional recommendations from the U.S. Department of
Homeland Security on Small Office/Home Office Router Security:
• Change the default login user name and password—Manufacturers set default user names and passwords for these devices at the factory to provide users access to configure the device. These default user names and passwords are readily available in different publications and are well known to attackers; therefore, they should be immediately changed during the initial router installation. A strong password that uses a combination of letters and numbers with 14 characters or more is recommended. Furthermore, change passwords every 30 to 90 days.
• Disconnect the network when not in use—Disconnecting the network uplink/WAN port, creating what is called an air gap, will most certainly prevent outside attackers from breaking in. While it may be impractical to connect and disconnect the uplink frequently, consider this approach when someone will be in the plant to turn on or connect the router when remote diagnostics are necessary.
• Disable or monitor wireless access—If wireless access to the router is not required, disable this feature. If it is required, then regularly monitor the wireless traffic to identify any unauthorized use of the network. If an unknown device is identified, then a firewall or MAC filtering rule can be applied to the router.
• Logging—Enable router logging and periodically review the logs for important information regarding intrusions, probes, attacks, etc.
• Disable UPnP—Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in; therefore, disable UPnP when not needed.
• Upgrade firmware—Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network.
• Use static IP addresses or limit DHCP reserved addresses—Most routers are configured as Dynamic Host Configuration Protocol (DHCP) servers. DHCP makes configuration of client devices easy by automatically configuring their network settings (IP address, gateway address, DNS info, etc.). However, this also allows unauthorized users to obtain an IP address on your network. Disabling DHCP and configuring clients manually is the most secure option, but it may be impractical depending on the size of your network and support staff. If using DHCP, limit the number of IP addresses in the DHCP pool. This limits the number of users, potentially including unauthorized users, that can connect to your network.
• Disable remote management—Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface. For applications where plant or corporate IT is managing your plant floor router, this does not apply.
• Disable remote upgrade—This feature, if available, allows the router to listen on the WAN interface for TFTP traffic that could potentially compromise the router firmware. Therefore, it should be disabled. For applications where plant or corporate IT is managing your plant floor router, this does not apply.
• Disable DMZ—The router’s demilitarized zone (DMZ) creates a segregated network exposed to the Internet, used for hosts that require Internet access (Web servers, etc.). Disable this feature if not needed. Users or administrators sometimes enable it for troubleshooting reasons and then forget to deactivate it, exposing any system inadvertently placed there.
• Disable ping response—The ping response setting is usually disabled by default. With this feature enabled, reconnaissance on the router becomes easier than when it is disabled. It allows your router to respond to ping commands issued from the Internet, and it potentially exposes your network to intruders. Although disabling this feature will not shield you from discovery, it will at least increase the difficulty of discovery. Verify that the service is disabled.
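The inbound filtering of step 1 (forward only the ports the application needs, each only from trusted hosts, and Deny All for everything else) and the periodic log review recommended under Logging, combined in an added example that is not from the paper or Eaton. The forwarding table, the port numbers and the router log lines are constructed placeholders; the paper gives no specific ports or addresses, and the log format only imitates a common netfilter-style router syslog line.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Added example, not from the paper or Eaton: an inbound filter table in the
# spirit of Figure 5 (forward only specific ports, each only from trusted hosts,
# deny everything else) applied to router log lines for periodic log review.
# Ports and addresses are constructed placeholders, not values from the paper.
FORWARDING_TABLE = [
    {"port": 3389, "proto": "TCP",  "allow": ["203.0.113.10"]},     # one support PC
    {"port": 5900, "proto": "TCP",  "allow": ["203.0.113.0/28"]},   # a small trusted range
    {"port": 80,   "proto": "Both", "allow": ["203.0.113.10"]},
]

# Constructed netfilter-style log lines from a WAN interface (not real data).
SAMPLE_LOG = """\
router kernel: IN=wan SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=50123 DPT=3389
router kernel: IN=wan SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=3389
router kernel: IN=wan SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=5900
router kernel: IN=wan SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=23
router kernel: IN=wan SRC=203.0.113.12 DST=192.0.2.5 PROTO=TCP SPT=50200 DPT=5900
router kernel: IN=wan SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=50300 DPT=3389
""".splitlines()

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>TCP|UDP).*?DPT=(?P<dpt>\d+)")

def decide(src, proto, dport):
    """ALLOW only if a table row matches port, protocol and source; else DENY."""
    addr = ip_address(src)
    for rule in FORWARDING_TABLE:
        if rule["port"] != dport or rule["proto"] not in (proto, "Both"):
            continue
        if any(addr in ip_network(a, strict=False) for a in rule["allow"]):
            return "ALLOW"
    return "DENY"    # deny-all default: every port not in the table stays closed

def review_log(lines=SAMPLE_LOG, probe_threshold=3):
    """Classify each line with the table and list sources denied repeatedly."""
    denied = Counter()
    decisions = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dpt"])
        verdict = decide(m["src"], m["proto"], dport)
        decisions.append((m["src"], m["proto"], dport, verdict))
        if verdict == "DENY":
            denied[m["src"]] += 1
    probes = sorted(s for s, n in denied.items() if n >= probe_threshold)
    return decisions, probes

if __name__ == "__main__":
    decisions, probes = review_log()
    for d in decisions:
        print(*d)
    print("repeatedly denied sources (review these):", probes)
```

A source that is denied several times across different ports is the kind of probe the Logging recommendation asks you to look for; an unexpected ALLOW is a sign the table is wider than the application needs.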
How to secure the device
There are a number of steps to be taken to secure the XP and XV
units from malware. These can be broken down into four sections:
physical security, password management, firewall setting, and
system backups.
Physical security setup
While this paper focuses on network threat vectors, it is always
good to first ensure physical security. Locked cabinets and
well-communicated security policies will keep users from plugging in
USB devices that could pose a security threat. You should also
disable the USB and CD/DVD auto-play feature if you have such
ports/drives in a network HMI system.
It is also recommended that the local control network have its own
secure router/firewall with an uplink to the plant network. That uplink
could then be physically disconnected when the corporate firewall
has been breached and the corporate network compromised. This
will create a temporary air gap that will disable remote functions
while allowing the local control network and process to stay running.
On an XP-503, you can take the extra step of utilizing the two
available Ethernet ports to separate the control and plant network
from an external network for remote assistance from outside the
corporate VPN and firewall. This other network can be kept
disconnected normally and connected only when you want accessibility
for OEMs, SIs (system integrators), or other support personnel outside
the corporation. You can also keep this second network locked from
remote user access and use tools like Cisco’s WebEx or AT&T’s
Web Meeting services to initiate a secure Web meeting and invite
support personnel to the meeting to view or take remote control for
troubleshooting purposes.
Password management
Designated individuals should administer all application password
accounts, and passwords should be guarded against sharing or theft.
Sticky-notes stuck to computer screens are not a good place to keep
passwords, but it’s also not necessarily a good idea to password
protect every screen or input unless for regulatory purposes. Be
judicious about where you use passwords and make sure there are
good reasons for protecting certain operator interface functions.
Furthermore, it is recommended that strong passwords be required
and that password aging, auto log off, and account lockout are
enabled so as to ensure a secure operator interface application.
Visual Designer applications automatically support these features.
Remote Access features like Remote Desktop Server, FTP Server,
and Remote Agent all have passwords disabled by default. You
should enable passwords and use strong passwords to prevent
unwanted access to these services. Because these services do not
support password aging, you should schedule changing them every
several months.
Firewall setting
As shipped, the XP-503 has the Windows Firewall enabled but with
exceptions configured, which allow certain remote functions through
the firewall. Also, if you install third-party software such as RealVNC
or UltraVNC, they will create additional firewall exceptions to allow
them to function. Figure 7 shows a complete exception list for an
XP-503 running Visual Designer with UltraVNC installed.
Figure 7.
If you wish to remove some of these exceptions because you don’t
plan to use some remote features, they can be unchecked from the
Exceptions list to close the port or service; or, if you want to block all
exceptions, you can go to the General tab and check the checkbox
labeled “Don’t Allow Exceptions.” You should be aware that blocking
services such as IIS will disable any Web serving; and, blocking
Remote Agent will disable remote changes to the project. You can
also choose to open and close these features as needed, which will
prevent malware from having full access to these vulnerabilities all
the time.
If you want to see which ports and services are open, you can
download an open source tool such as Nmap that will scan the
remote device and report on all open and closed ports. Figure 8
shows sample Nmap output for an XP-503 with all firewall
exceptions checked.
Figure 8.
In Figure 9, we see the results from disabling all selections in the
firewall, which closes all ports to completely secure the unit from
remote access.
Figure 9.
An XV-102 or 152 unit runs a Windows CE 5.0 Professional operating
system and does not have a built-in firewall. As shipped from the
factory, when the XV unit starts up, the Autoexec.bat file starts the
FTP Server, Remote Desktop server, VNC Gateway server, Web
server and the Visual Designer Remote Agent. All these remote
features have separate passwords that are blank from the factory,
but can be configured easily on the unit. It is recommended that
these services are either prevented from starting by editing the
Autoexec.bat file, or that strong passwords be created for each
service. If these services are disabled in the Autoexec.bat file, then
all their associated ports are unavailable remotely and the unit is
secure from remote access.
System backups
You should assume that every HMI/SCADA system and PLC will
fail at some point in time. Assume that either a hardware failure or,
despite all your best efforts, a security breach will bring the system
down and halt production. Not all applications will warrant a hot
standby or even a spare for each critical piece of equipment. For
these cases it is recommended that your PC-based systems have
a protected operating system, like the Eaton XP and XV operator
interface models, so that you can recover from all but catastrophic
hardware failures with a simple reboot. If you don’t have an
HMI/SCADA with a protected OS, then you should make sure you
minimize the most common hardware failure by insisting on all
solid-state memory; keeping antivirus definitions and Windows security
patches up to date; and performing periodic backups using Ghost,
Power Quest, or another backup utility.
Conclusion
Remote access is now a necessary and largely beneficial feature of the IT environment. Although cybersecurity risks continue to evolve and persist, careful attention to the proper selection, use, and configuration of security capabilities within the operator interface and control environment can effectively help guard against potential losses from attack, interruption, or downtime. Remember, the most reliable and readily available defenses against any security attack are always awareness, forethought, and due diligence. Eaton’s XP and XV Operator Interface Stations with Visual Designer come ready and equipped with a thoughtful range of flexible and easy-to-configure options capable of meeting both the ordinary and extraordinary requirements of any automation scenario. By breaking the remote access security needs down into smaller, more manageable zones and simply addressing both the recommendations and exceptions of each area—platform, software, network, and device—the vast majority of threats from common security vectors can be significantly minimized and avoided.
About the author
Kerry Sparks
Kerry Sparks has worked in the process control and automation industry for over 40 years and has focused on PLC, HMI, and SCADA. He is currently Product Manager for Eaton’s automation product solutions.
Additional Help
In the event additional help is needed:
In the United States or Canada, please contact the Technical Resource Center at 1-877-ETN-CARE or 1-877-326-2273.
Location: United States and Canada
Contact: Technical Resource Center at 1-877-ETN-CARE or 1-877-326-2273 or email at: [email protected]
Location: Europe
Contact: European Technical Support at +49/228/602-1001 or email at: [email protected]
About Eaton
Eaton’s electrical business is a global leader with expertise in
power distribution and circuit protection; backup power protection;
control and automation; lighting and security; structural solutions
and wiring devices; solutions for harsh and hazardous environments;
and engineering services. Eaton is positioned through its global
solutions to answer today’s most critical electrical power
management challenges.
Eaton is a power management company with 2015 sales of
$20.9 billion. Eaton provides energy-efficient solutions that
help our customers effectively manage electrical, hydraulic
and mechanical power more efficiently, safely and sustainably.
Eaton has approximately 96,000 employees and sells products
to customers in more than 175 countries. For more information,
visit www.eaton.com.
Eaton
1000 Eaton Boulevard
Cleveland, OH 44122
United States
Eaton.com
© 2016 Eaton
All Rights Reserved
Printed in USA
Publication No. WP048001EN / Z18627
September 2016
Eaton is a registered trademark.
All other trademarks are property
of their respective owners.