Daryl Posted May 2, 2012

Folks,

I'm trying to come up with a company guidance document for managing plant computers, not including designing interfaces, just managing the system itself, so I'm looking for advice on how you manage the base Operating System that your SCADA/HMI sits on.

For example, if you use Windows, do you apply the security patches?
Do you use anti-virus software?
Do you lock down access to the OS outwith the SCADA project?
Do users all have unique login IDs or just generic for each level (Op, Sup, Eng, etc)?
Do you differentiate between linked and stand-alone systems?

Obviously some answers will depend on the system requirements, but it'd be nice to know if some people have set rules that they can apply wherever possible.

Your time and advice, as always, is appreciated.

thanks... Daryl

drforsythe Posted May 2, 2012

Daryl:

We run RSView32 on WinXP systems here. We DO apply the security patches. However, they can be quite a pain because they install upon a system boot. If a machine is not powered down or the PC rebooted for a time, the patches can be many. We have tried to get maintenance to reboot the systems weekly. Rebooting also helps clean out the buffers and closes out unused apps that may have been started and shut down.

We use OfficeScan antivirus software because the machines are connected to a network with outside access. We also do remote monitoring and modifications, so the AV software helps.

We do not lock down the OS, but operators do not mess with the PCs except for the HMI application running.

Our systems automatically log in to a generic user. If another level of access is needed, another generic account is used. We do not have individual logins.

The process is the same for standalone systems as the ones that are linked to the outside or on our main network.

Daryl (Author) Posted May 2, 2012

Thanks drforsythe.

The patch updates are of most concern to me, in case of an issue arising whereby the OS becomes unusable, followed by an AV application hampering system performance. Although in all the years I've done IT work (I come from an IT background, tech support, networking, and then software development, as opposed to electrical/electronic engineering), I've never had an issue applying patches, either manually via disc, or manually via internet, or via a patch management server, it's best to check with other people's experiences as I'm not yet overly familiar with SCADA/HMI systems.

DCS_GURU Posted May 25, 2012

When we advise customers on this sort of thing, the question has to be whose SCADA are you using and, second, how security-concerned is the site?

For example, if you use Windows, do you apply the security patches? - This depends on the software. A product like Zenon fully supports all updates and patches from Microsoft; however, things like WinCC have very specific patch lists that must be checked before they are installed.

Do you use anti-virus software? - Again, depends on the product. Most SCADA manufacturers have one or two that are certified for use with their product.

Do you lock down access to the OS outwith the SCADA project? - This is a definite yes; however, you may need to think about using ADAM or Active Directory to avoid lots of duplication.

Do users all have unique login IDs or just generic for each level (Op, Sup, Eng, etc)? - This depends on your site, but most sites are moving towards dedicated logins.

Do you differentiate between linked and stand-alone systems? - No. Just because it is stand-alone now, it may not be in the future. The same security policy should be used on all HMIs and SCADAs across site.

For more very useful comments on this topic, have a look at Tofino and especially their SCADA security blog. You should find this most helpful.

Edited May 25, 2012 by DCS_GURU