Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ System Platform

TABLE OF CONTENTS

Common security evaluation topics

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedAug 12, 2024
  • 3 minute read

The following security topics are critical parts of an effective security strategy.

Policies and procedures

Security policies and procedures are the foundation of a solid security strategy. Many automation, control, and access areas must have well-defined security policies and procedures. The security policies and procedures (and their enforcement) will have a profound effect on enhancing automation and control system security.

Accounts

Types and uses of security accounts need to be defined by strong security policies and must comprise useful account creation and maintenance procedures. The policies that govern system accounts should be fully developed, documented and communicated by IT, automation engineering, and management in a collaborative environment.

The following items must be considered when developing or reviewing account policies:

  • Only validated users have accounts.

  • User IDs must have unique names with strong passwords.

  • Individuals are accountable for the use of their User ID.

  • User access should be restricted as much as possible.

  • Make sure that account lockout duration is well defined.

  • Groups should be defined by user access needs and roles.

  • Guest accounts and default vendor accounts should be removed or reset as applicable.

  • Process operator station accounts should be limited and defined by operational area.

  • Service accounts should exist on the local domain or local machine and should not be used to logon to a server.

Passwords

Passwords are one of the most vulnerable security components. Define a solid password policy and configure your system to enforce the policy.

Using complex passwords and changing them regularly lessens the likelihood of unauthorized access to the control system.

The following list provides guidelines for effective password management:

  • Enforce password history to limit the reuse of old passwords.

  • Enforce password aging to force periodic changing of passwords.

  • Enforce minimum password length and complexity requirements to reduce the chances of successful password guessing.

  • Ensure passwords are not stored using reversible encryption.

Remote access

The need for access to process information, configuration information and system information from outside of the systems domain is common. Well-defined policies and procedures to manage remote access to the system by other company business units and or suppliers and venders greatly reduces the possibility of security threats penetrating the system.

The following list contains guidelines for remote access:

  • Limit access as much as possible by defining different access levels based on need (job function).

  • Enforce mandatory PC checkups of any equipment that is brought onsite.

  • Configure a separate role-based user group for temporary accounts and review this user list often.

  • Define and document all outside system access routes and accounts.

Physical access

Most production facilities have physical security plans in place. These plans should be an integral part of an overall security program. By not allowing unchecked computers and unauthorized users to have access to critical infrastructure components, many security threats can be eliminated.

Critical process control components such as servers, routers, switches, PLCs, and controllers should be protected under lock and key and have personnel assigned who are directly responsible for the components.

Backup and recovery plan

The backup and recovery plan is a critical security component. Recovery from any level of failure due to either a security or natural interruption of the system must be included in the security policy.

The following items must be considered when defining a backup and recovery plan:

  • Define and document how each part of the system will or can be backed up.

  • Ensure backups are included in routine system maintenance plan and when improvements or other changes to the system occur.

  • Document backup procedures for all system configurations and assign administrative responsibility to appropriate personnel.

  • Document and keep current all versioning of system software and hardware.

  • Provide a protected off-site repository for copies of all system backups

  • Provide a documented escalation plan for recovery and documented processes assigned to qualified personnel for implementing a recovery.

Virus protection

Add an additional security level at each access point of the system by defining where and what virus protection is to be implemented. Document the proper configurations for the virus protection software.

Mandatory virus definition file updates are essential.

Note: For more information about configuring anti-virus software, see Tech Note TN10567, "AVEVA System Platform 2020 AntiVirus exclusions."

Security patch implementation

Security patch management is a critical evaluation topic that has the largest impact on Microsoft operating system-based supervisory and control systems.

Careful planning and attention to detail is required when developing and documenting your procedures and policies for implementing security patches. Request a detailed support plan from each automation vendor and security software vendor, and review them with the goal of inclusion as part of any security patch management procedure or policy.

In This Topic
TitleResults for “How to create a CRG?”Also Available in