Application Encryption

📖 Home  Back  

Encryption Overview

Encryption is one of many possible solutions to assist to protect your system against attackers. In the case of ClearSCADA encryption is used specifically to improve the confidentiality and integrity of the system by encrypting the connection between servers, and between server and client, as well as in WebX using certificates helping to ensure the https server you are connecting with is who they say they are.

Encryption Methods

Encryption is used in a number of places for connecting components of ClearSCADA in a more secure way, the following lists the specific areas:

ViewX to Server

Since ClearSCADA 2015 R1 client connections to the server using the ClearSCADA client components, for example ViewX and ODBC, have the option to encrypt all data. Since ClearSCADA 2015 R2 the server has the additional configuration option to only accept encrypted clients.

WebX

WebX has the option of using http or https for its connection and is configured differently depending on how WebX is hosted. Schneider Electric does not recommend the use of http for WebX use over untrusted networks. For information on the industry standard protocols used, i.e. SSL or TLS, refer to third party reference websites, e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security

Original WebX (DBServer Hosted)

For original WebX the minimum supported protocol can be define on each server using the ClearSCADA Server Config tool at 'System Configuration' -> 'WebX'.

The hashes used for the cipher are controlled in the ClearSCADA Registry settings on each ClearSCADA server using HKEY_LOCAL_MACHINE\SOFTWARE\Schneider Electric\ClearSCADA\Server\ and the values starting with SSL_. Schneider Electric recommend disabling any hash based on NULL, MD5 and RC4, which are also disabled by default on new installations from ClearSCADA 2015 R2 onwards.

New WebX and Virtual ViewX (IIS Hosted)

New WebX uses Microsoft Windows' standard IIS feature for the hosting and so any configuration options defined within the Windows environment, for example the schannel (Microsoft Secure Channel) configuration, will also be applied to WebX. Schneider Electric recommends you follow your standard corporate hardening guidelines, however should you not have any there are third party websites on the Internet that can provide assistance, for example https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12. Note this script has not been specifically tested to work with ClearSCADA.

The use of self-signed certificates should also be avoided in production environments, any https certificate used should be larger than 1024 bits and be using a more secure certificate hash than provided by SHA1. As weaknesses with either protocols or ciphers are found, or your clients' operating environment is updated, the configuration of the web server should be reviewed and updated.

Server to Server

Since ClearSCADA 2015 R1, there has been an encryption option between ClearSCADA servers. This setting can be enabled via Server Config under System Configuration -> Partners and can be enabled and disabled per server connecting using the 'Encrypted' tick box. It does not change the ports used for server-to-server communications.

Server to Driver

Since ClearSCADA 2015 R1, encryption is used between drivers and servers. There is no option to disable this.

Driver Specific Encryption

Some drivers support encryption as part of their native protocol, and these are listed below. For additional protocol information refer to Supported Interface and Protocol Versions.

SNMP

Since ClearSCADA 2014 R1 the SNMP driver has supported SNMPv3 which includes encryption for authentication (MD5 and SHA1) and privacy (AES-128 and DES).

DNP3

ClearSCADA currently supports DNP3 Secure Authentication version 2 to authenticate write actions, however encryption of the data content during read or write is not covered by this. If true encryption is required then solutions such as IPSec or AGA-12 should be used.

Additional Information

Schneider Electric takes the security of our products seriously and should you need to report a vulnerability refer to http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabi... or contact support.

Schneider Electric recommends a defence-in-depth approach to securing your ClearSCADA installation from deliberate or accidental attackers. Risk assessments should be performed periodically to ensure that suitable countermeasures are used to ensure an adequate managed protection of your whole system, and not just for the ClearSCADA component.

Go: Home Back