Geo SCADA Expert Security

Anonymous user · ‎2021-06-09

Security is vital for SCADA systems and associated infrastructure.

Recommendations for Good Practice

Whether on-premises or in-cloud, you need to secure Geo SCADA Expert implementations using current and best practice guidelines for security.

The Technical Guides section of this Knowledgebase contains various documents and links
A Schneider Electric Security Hardening Guide for Geo SCADA Expert
The Schneider Electric document Recommended Cybersecurity Best Practices, which covers the use of all Schneider Electric products

We recommend a whole-system approach to cybersecurity. This includes the setup of infrastructure for networking, remote access, anti-virus, firewalls, Windows, Azure, and Internet Information Server (IIS), as well as the Schneider Electric and AVEVA products such as Geo SCADA Expert.

You should secure any remote access for administration, engineering and operations (such as Windows Remote Desktop, Geo SCADA Expert Virtual ViewX, Geo SCADA Expert Mobile, Reporting) using technologies such as a VPN, TOTP and Bastion host access.

Best practice guides for securing Windows, Azure and IIS are available from Microsoft. We suggest that you start with: https://docs.microsoft.com/en-us/security/compass/compass

We also recommend that you install the latest versions of all software that you require, including the security patches. Schneider Electric has made the process of upgrading Geo SCADA Expert a simple activity. The latest version of Geo SCADA Expert includes the most recent security fixes and features and is available at this page. New releases of supported versions are produced approximately monthly. If you have a valid support contract, then you can upgrade to a new release with new features. If you do not have a valid support contract, then you can only upgrade to a new monthly release of the same version.

Consult the Schneider Electric Security Notifications web page for the latest notifications of vulnerabilities for all Schneider Electric products including Geo SCADA Expert. The documents provide mitigations and software upgrade information.

Security Warnings

Windows Updates

⚠️ CAUTION

DO NOT SET LIVE SYSTEMS TO AUTO-UPDATE AS THIS CAN RESULT IN A LOSS OF SERVICE AT UNEXPECTED TIMES
System Administrators should first check whether Geo SCADA Expert is compatible with operating system updates at this page on the Knowledgebase:
https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120
If compatible then upgrades can be actioned, otherwise wait for a new release of Geo SCADA Expert.
Failure to follow these instructions can result in equipment damage and injury.

Files

⚠️ CAUTION

CHECK ALL FILES FOR INTEGRITY BEFORE COPYING THEM TO THE SERVER AS THEY MAY CONTAIN MALWARE
Check the checksum/hash of installation kits before transferring them to the production system. You can verify Geo SCADA Expert downloads against the hash codes in the following index: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/File-Hashes/ba-p/278415
Failure to follow these instructions can result in death or serious injury.

Isolation

⚠️ CAUTION

KEEP THE PRODUCTION SYSTEM ISOLATED FROM TEST AND DEVELOPMENT COMPUTERS WHICH ARE MORE SUSCEPTIBLE TO MALWARE
It is good practice to test upgrades of operating systems and software on a separate server, isolated from the production system.
Failure to follow these instructions can result in death or serious injury.

Support Links

Get support by country: https://www.se.com/ww/en/work/support/country-selector/contact-us.jsp
Report a vulnerability: https://www.se.com/ww/en/work/support/cybersecurity/report-a-vulnerability.jsp

Security Features

Geo SCADA Expert provides security features designed to:

Encrypt and authorize communications with servers and clients using certificates
Restrict user access to items and features so that users only make use of those features for which they have been suitably trained
Allocate security permissions quickly and with minimal effort.

Setting Up Geo SCADA

Please refer to the Security Hardening Guide in the Technical Guides page. This document takes you through the hardening steps for the Operating System and many aspects of Geo SCADA. Also refer to the Virtual ViewX page.

Setting Up Security Certificates

The guide and associated scripts attached below to this page are intended to help you set up certificates with a Geo SCADA system. This configuration will help servers to connect to each other with assurance of identity, and clients to connect to servers with that assurance too.

See below for the attachments.

Users and User Groups

You can allocate permissions to each User account and User Group. Every item in the database can have its own set of permissions, or can be set to inherit the permissions that have been set for a parent Group or a Group Instance. The default setting for every new database item is for that item to inherit the security permissions of its parent Group (the Group that contains the item, which is the System group if the item is not within a Group folder).

The permissions determine whether a user can access the features for an item, including configuration features, alarms, and controls. By allocating different permissions to different users and User Groups, you can restrict system activities. For example, you can restrict the configuration of security settings so that only users with system administration knowledge or training can access the Security window.

The permissions that you allocate on the Security window for a database item define which of the item's features are available to the defined users and User Groups.

Please refer to the F1 Help pages and also the links below for details.
Home

More Links:

Security Hardening in Technical Guides

Microsoft Update Testing

Unknown Error When Changing a User's Password
Geo SCADA Service User Account
User Logon Events after Server Restart
Differences Between English Locales
Defining Security Permissions
Why Home Pages may not Display When User Logs On
Configuring User Displays to Format Time Appropriately
Integrating Users with Windows Security
Releasing Exclusive Control
Disabling the SSL server Null cipher

Geo SCADA Expert Security