Centralised Security for stand alone SCADAs


Thread Starter

Mike Quilty

Is it possible to centralise security for a number of SCADA systems Fix32, WinCC so that they can be administered centrally and each user will only have to remember one user ID and password?

The systems are due to be networked shortly. Can Windows NT or other security be put on the SCADA systems?

Thanks in advance,

Cristian Gliga

First of all, the question you want to ask is “Can SCADA systems be put on WindowsNT or other OS with built-in security?”. The answer is Yes, provided that the particular SCADA package you chose was designed to work on WindowsNT. In the case Windows NT is the OS of your choice, you can setup the SCADA stations to auto log in, so one has to remember only one password. As a conclusion, it can be done but what if an unwanted person finds the password? He/she will have access to all the stations… .

Cristian Gliga - Systems Integrator

Jake Brodsky

If these systems use the Windows NT login IDs then the answer is a definite Yes. The question is whether it's a good idea. The tool is what Micro$oft calls a "Domain Controller." The problem is that you will need the domain controller to stay up at all times or you will not be able to log in with those accounts. Domain Controllers can be made reliable by having another on-line in case the primary one fails.

Unfortunately, many times the source of the failure is not related to Windows NT at all. It's not easy finding people who really know much about the physical network installation business. I've seen bulding LAN installations so shoddy that I would hesitate to put an office application on it, let alone a SCADA system. And the problem gets worse if there is a WAN between you and one of the SCADA systems.

Thus, for most control systems I tend to recommend against using a domain controller unless you have a very strong motive (such as a huge number of accounts or a mandate from your security administrator).

>The systems are due to be networked shortly. Can Windows NT or other security be put on the SCADA systems?

Ugh. Again, the answer is a qualified YES, <B> BUT </B> many applications were not developed with an eye to trying to coexist on a large network with other Office Applications. Typically we have used gateway computers with two LAN cards. This mitigates the traffic load on our LAN and it mitigates our IT folks security fears (because they don't control our system, they're naturally scared of what we could do).

If you feel comfortable with the IT side of the office and you are happy with getting them in to your SCADA systems, then by all means ignore the issue I just exposed. Just remember that there are many legitimate reasons why your needs and the Information Systems folks needs will not coincide. You may be better off building your own network as we have.

Jake Brodsky
mailto:[email protected]