
Cybersecurity Deployment Guide - Security Concepts

Recommended Actions to Secure the Host

  • Last Updated: Feb 18, 2025

Host Component | Recommended Action | Notes

Operating System (Windows)

Recommended Action: Check that the Windows operating system on the host is a version that is under what Microsoft calls "mainstream support", which means Microsoft actively maintains it and releases updates for it. Automate Microsoft product updates using Microsoft Windows Server Update Services (WSUS), which enables you to manage and distribute updates to computers on your network.

Notes: Older versions of Windows are under Microsoft "extended support", which means they are not actively maintained and therefore might become vulnerable without notice. Before installing Microsoft product updates, ensure they have been tested and are officially supported by your ICS software.

Recommended Action: Scan the host. Use both anti-virus and anti-malware software and file integrity checking software to scan the host regularly.

Notes: Windows includes Windows Defender by default, but you may choose to install and use additional security software from a reputable company that scans for more types of malware or performs other functions.

AVEVA ICS Software

Recommended Action: Check that the AVEVA ICS software on the host has all the recommended patches and hot fixes installed.

Notes: See the Technology Matrix for AVEVA software products, published by AVEVA's Global Customer Support (GCS) group.

Content on the host

Recommended Action: Protect applications and content on the host.

Notes:

  • Enable Windows Firewall and configure it to close all ports that are not used by the AVEVA ICS software. For more information about port usage, see "Network Services and Ports" in Recommended actions to secure the network.

  • Disable Windows features such as Remote Desktop and file sharing, and remove unnecessary programs such as games and social media applications.

  • Restrict access to the files, databases, registry, and other resources on the host.

  • Use Windows BitLocker to encrypt the hard drive of computers that are either mobile or not located in a secure facility. Note that BitLocker may affect the performance of the computer.

  • Use server-class storage (SAN) infrastructure to avoid storing sensitive data on mobile devices.

  • Use Windows authentication for SQL Server data.
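The checks in the list above can be audited from the host itself. The following PowerShell script is an added example, not part of the AVEVA guide; it is read-only, runs in an elevated session, and assumes a placeholder $AllowedPorts list that you fill from the AVEVA "Network Services and Ports" documentation for the products installed on the host.

```powershell
# Added example, not part of the AVEVA guide: a read-only audit of the
# "Content on the host" recommendations. Run in an elevated PowerShell session
# on the ICS host. $AllowedPorts is a placeholder; fill it from the AVEVA
# "Network Services and Ports" list for the products installed on this host.
$AllowedPorts = @(443)          # placeholder, replace with the documented ICS ports
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{
        Check = $Name; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

# Firewall: every profile enabled and blocking inbound traffic by default
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Check "Firewall profile $($p.Name)" $ok "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# Only the documented ICS ports may be listening
$listening  = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$unexpected = @($listening | Where-Object { $_ -notin $AllowedPorts } | Sort-Object)
Add-Check 'No undocumented listening TCP ports' ($unexpected.Count -eq 0) ("Unexpected: " + ($unexpected -join ', '))

# Remote Desktop disabled (fDenyTSConnections = 1)
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
Add-Check 'Remote Desktop disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

# File sharing: no shares beyond the built-in administrative ones
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })
Add-Check 'No user-created SMB shares' ($shares.Count -eq 0) ("Shares: " + ($shares.Name -join ', '))

# Anti-malware: Defender real-time protection on and signatures recent
$mp     = Get-MpComputerStatus
$sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled "Enabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'Defender signatures under 7 days old' ($sigAge -lt 7) "Signature age: $sigAge days"

# BitLocker on the system drive (the guide requires it for mobile or unsecured hosts)
$bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
Add-Check 'BitLocker protecting system drive' ($bl -and $bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"

$results | Format-Table -AutoSize
```

A FAIL for the BitLocker row is acceptable on a fixed host inside a secure facility, since the guide only requires it for mobile or unsecured computers.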

Recommended Action: Protect data at rest. In the context of SCADA and other ICS systems, data at rest includes stored configuration data, historical data, backups, and other static data.

Notes:

  • Data at rest is data that is not currently being used or accessed, such as data stored on a hard drive, laptop, flash drive, RAID array, network attached storage (NAS), or storage area network (SAN), or data that is archived or stored in some other way.

  • Encrypt sensitive files or drives. Windows BitLocker Drive Encryption is available through the Windows Control Panel and can be used for whole-drive encryption.

  • Set authorization rights to view data.

  • Store data at rest in offline or off-site locations.

Recommended Action: Protect data in transit. In the context of SCADA and ICS systems, this encompasses deploying a project to a run-time node, transmitting process variables, VTQ data, and other data sent between nodes in a running production system, including alerts and alarms.

Notes:

  • As a best security practice, ensure the latest TLS version is used for all communications over the HTTPS protocol.

  • Data protection in transit is the protection of this data while it is traveling, including the following cases:

    • From node to node within a network

    • From network to network

    • When accessed via the internet

    • When transferred from a local storage device to a cloud storage device

Recommended Action: Protect data in use. In the context of SCADA and ICS systems, data in use can apply to databases, such as those used actively by a historian or deployed to a run-time node. Such data needs to be safeguarded by a secure transfer channel.

Notes:

  • Data in use is typically being processed or accessed, either locally or remotely.

  • Use encryption, user authentication, and identity management to protect data in use.

  • Data in use is loaded into RAM for access and processing by applications and users, potentially multiple users across different computers, mobile devices, remote terminals, or other devices, and is therefore especially vulnerable.

Recommended Action: Configure encryption in SQL Server. Enable encrypted connections for an instance of the SQL Server Database Engine and use SQL Server Configuration Manager to specify a certificate. The server computer must have a certificate provisioned; to provision it, import the certificate into Windows. The client machine must be set up to trust the certificate's root authority.

Notes: SQL Server can use Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. The TLS encryption is performed within the protocol layer and is available to all supported SQL Server clients. Enabling it adds the following overhead:

  • An extra network round trip is required at connect time.

  • Packets sent from the application to the instance of SQL Server must be encrypted by the client TLS stack and decrypted by the server TLS stack.

  • Packets sent from the instance of SQL Server to the application must be encrypted by the server TLS stack and decrypted by the client TLS stack.
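To confirm that the server-side certificate and client-side trust described above actually take effect, the following PowerShell script is an added example (not from the AVEVA guide). It assumes Windows authentication, as the guide recommends, and a placeholder server name HISTORIAN01; the encrypt_option column of sys.dm_exec_connections reports whether the current session is TLS-encrypted.

```powershell
# Added example, not part of the AVEVA guide: verify from a client machine that
# a SQL Server instance is really using TLS, without trusting an unvalidated
# certificate. 'HISTORIAN01' is a placeholder server name.
function Test-SqlTlsSession {
    param([string]$Server, [bool]$ClientRequestsEncryption)
    # Encrypt=True asks for TLS; TrustServerCertificate=False makes the client
    # validate the server certificate against its trusted root authorities.
    $cs = "Server=$Server;Database=master;Integrated Security=True;" +
          "Encrypt=$ClientRequestsEncryption;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Ask the server what it negotiated for this very session
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()   # 'TRUE' or 'FALSE'
    } catch [System.Data.SqlClient.SqlException] {
        # A certificate chain error here means this client does not trust the
        # certificate's root authority: fix the trust store rather than
        # setting TrustServerCertificate=True.
        Write-Warning "$Server : $($_.Exception.Message)"
        return 'ERROR'
    } finally { $conn.Dispose() }
}

$server      = 'HISTORIAN01'   # placeholder
$requested   = Test-SqlTlsSession -Server $server -ClientRequestsEncryption $true
$unrequested = Test-SqlTlsSession -Server $server -ClientRequestsEncryption $false
"Client requested TLS:   encrypt_option=$requested (expected TRUE)"
"Client did not request: encrypt_option=$unrequested (TRUE means the server forces encryption, so no client can connect in the clear)"
```

A FALSE in the second line means Force Encryption is not set on the instance, so older or misconfigured clients can still send ICS data unencrypted.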
