Encrypt Plant SCADA Folders using SMB3
- Last Updated Jul 18, 2023
You can use the SMB3 network protocol to protect your Plant SCADA data from eavesdropping occurrences on untrusted networks. This can be achieved by enabling SMB encryption on the Microsoft™ Windows Server that hosts your Plant SCADA data. Encryption can be enabled on Windows Server on a per-share basis, or for the entire file server.
If you are using any features that require you to specify a directory path, you should consider using SMB3. This could include the use of the following parameters:
To use SMB3 encryption with Plant SCADA you need to follow procedures in both Windows Server (2016 or 2019), and Plant SCADA.
Enable File Server on Microsoft Windows Server
File Server is used to manage shared folders on a Windows Server. You can access it via the Add Roles and Features Wizard.
Confirm that File Server is selected on the Select server roles page of the Wizard, then work your way through the wizard to install the required components.
Refer to the Windows Server documentation provided by Microsoft for more information.
Enable SMB Encryption
You can enable SMB encryption for the entire file server, or only for specific file shares.
To enable encryption for the entire file server:
You can run a cmdlet in Windows PowerShell. For example, you could use:
Set-SmbServerConfiguration -EncryptData $true
You could also confirm the status of the server with the following:
Get-SmbServerConfiguration | Select EncryptData
Note: You should confirm the correct usage for PowerShell procedures in the documentation provided by Microsoft.
To enable encryption for a specific file share:
You can configure file shares in Windows Server using Server Manager. Locate File and Storage Services in Server Manager to access the Shares page.
The Shares page provides access to a New Share Wizard. This can be used to configure the following:
- A Share Profile for the file share (for example, "SMB Share - Quick").
- The Share Location (for example, "C:\ProgramData\AVEVA\Plant SCADA <VersionNumber>\User").
- A Share Name (for example, "Plant SCADA Users").
- Share Settings including a required option to Encrypt Data Access.
- Permissions that allow access to the shared files.
When the share is successfully created, it will appear on the Shares page in Server Manager. From here, you can access the properties for the share and make any required adjustments.
You should confirm the correct procedures for configuring shares in the documentation provided by Microsoft.
Note: You can also use PowerShell to add a new file share and enable SMB encryption. For example, you could use "New-SmbShare -Name User -Path C:\ProgramData\AVEVA -EncryptData $true".
Connect Plant SCADA to a File Share
When you have finished configuring a file share in Windows Server you can access it across an encrypted connection from Plant SCADA.
Note: The file share you use needs to be high-performance and resilient as any delays (such as network latency) will affect the performance of Plant SCADA's configuration and runtime tools.
For example, you can add a new project link in Plant SCADA Studio that connects to the file share (see Link to an Existing Project). You can then run the Plant SCADA project directly from the shared folder.
Note: You need to confirm that you are using the correct version of SMB (SMB3) on the server and client machines. A PowerShell cmdlet is available that can tell you which version of SMB a client has negotiated with the File Server. You can access a remote file server (or create a new mapping to it) and use "Get-SmbConnection" to determine the SMB version that is currently being used. Refer to the PowerShell documentation provided by Microsoft for more information.
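The following script is an added example (not part of the AVEVA documentation) that pulls the share-encryption steps above and the SMB version check together: it enforces encryption server-wide and on the Plant SCADA share, lists any share still left unencrypted, and, on a client that has mapped the share, flags connections that negotiated a dialect older than SMB 3.0. The share name, path and the `Enable-PlantScadaShareEncryption` / `Test-PlantScadaSmbDialect` function names are assumptions for illustration; the cmdlets and parameters are standard Windows Server ones.

```powershell
# Added example, not from the AVEVA page. Run the first function as Administrator on
# the Windows Server that hosts the share; run the second on a client machine that has
# already mapped the share. Share name and path below are hypothetical.

function Enable-PlantScadaShareEncryption {
    param(
        [string]$ShareName = 'Plant SCADA Users',
        [string]$SharePath = 'C:\ProgramData\AVEVA\Plant SCADA\User'
    )

    # 1. Server-wide: encrypt every share and keep rejecting clients that cannot encrypt.
    #    RejectUnencryptedAccess is $true by default; leaving it on prevents a silent
    #    fallback to clear-text SMB for SMB1/SMB2-only clients.
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
    Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

    # 2. Create the share with encryption if it does not exist, otherwise switch
    #    EncryptData on for the existing share without recreating it.
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) {
        New-SmbShare -Name $ShareName -Path $SharePath -EncryptData $true `
            -FullAccess 'BUILTIN\Administrators'
    } elseif (-not $share.EncryptData) {
        Set-SmbShare -Name $ShareName -EncryptData $true -Force
    }

    # 3. Audit: any non-administrative share still unencrypted is reported here.
    Get-SmbShare |
        Where-Object { -not $_.Special -and -not $_.EncryptData } |
        Select-Object Name, Path, EncryptData
}

function Test-PlantScadaSmbDialect {
    # Encryption needs SMB 3.0 or later. Each mapped connection reports the dialect it
    # negotiated (e.g. "3.1.1"); anything older means that client is not using SMB3
    # and must be upgraded before it is allowed to reach the Plant SCADA share.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' }
}

Enable-PlantScadaShareEncryption
```

Run `Test-PlantScadaSmbDialect` on the client after mapping the share; an empty result means every current connection negotiated SMB 3.0 or newer.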