Why On Earth Would You Put SCADA On The Internet?
By Chris Little
It pits SCADA teams, seeking to maximize system uptime, against IT departments, working to keep their systems secure. The divide has become especially acute as municipal monitoring and control infrastructure rapidly expands towards an Industrial Internet of Things (IIoT).
What follows is a very brief overview of why water and wastewater utilities choose to allow remote access and what steps should be taken to minimize the risk.
SCADA Through “Thick” and “Thin”
To understand how SCADA systems provide remote access, we should define the difference between thick and thin clients.
- Thick Clients are the computers on which SCADA software is installed. SCADA/HMI applications all require at least one Thick Client. These servers communicate with PLCs and RTUs and log process values to a database. Depending on your software license, thick clients can serve as operator workstations and development nodes. Typically, two or more thick clients can be configured to automatically synchronize historical data and take over for one another should one fail or go offline. Some products, such as VTScada software by Trihedral, go as far as to support bi-directional synchronization of historical data, alarms, and configuration history.
- Thin Clients allow authorized users to monitor and control their systems from devices that do not have the SCADA software installed on them. These can be networked computers, smartphones, or tablets. Many SCADA platforms, including VTScada, allow thin client access from any device with an HTML5 compliant web browser. In addition to remote access, many utilities also use thin clients within their firewalls as a flexible approach to operator workstations. Note, thin clients cannot act as redundant SCADA servers.
So Why Take the Risk?
With record numbers of utilities being targeted for some form of cyber-attack, why open another potential vulnerability?
Increased Response Time – This is one of the most common arguments made for allowing remote access. The ability to remotely view alarms and live process data and immediately take appropriate control actions can make all the difference to an emerging situation. In many jurisdictions, the consequences of a major spill or loss of service can be stiff fines for the utility and in some cases serious legal consequences for managers and superintendents.
Changing Operator Roles – It is becoming less common for operators to spend their days sitting in front of SCADA screens waiting to be told when something goes wrong. They are more likely to be out in the field adding new sites, dealing with current issues, or performing preventative maintenance. On-site access to real-time and historical data can drastically reduce maintenance time and improve operator safety.
Weathering Storms – Thin clients can also play an important role during dangerous weather events like those recently experienced in the southern United States. Remote access allows operators to manage their systems in real-time in situations where traveling to site is unsafe or impossible. Bryan Sinkler provides technical sales support to VTScada software users across the southeast US from our office in Orlando, Florida. Following Hurricane Irma, Bryan made a point of following up with his affected customers. Many reported the important role that remote access played before, during, and after that weather event. “The City of Ocala, where I came from, uses that extensively. During the storm, that was one of the key benefits of VTScada for them. They called and told me that it was a life saver.” For some, the storm was a wake-up call that they needed to expand their remote access. “Several utilities ran out of mobile client connections. They use them quite a bit for going out to the sites and checking on their phones, their tablets, their laptops; so that they don’t have to rely on the dispatchers to give them information.”
“SCADA in the Cloud” or “Head in the Clouds”?
Hosted or “cloud-based” SCADA systems take the idea of Thin Client access even further. In this approach, an integrator hosts a single application that serves multiple end users who access their private data using Thin Clients. This subscription model makes it possible for utilities with limited means to quickly adopt an enterprise-level SCADA solution without dipping into their capital budgets.
Ben Manlongat is a controls engineer with Kennedy Industries Inc. in Michigan. They have been operating their own cloud-based SCADA system for over nine years using VTScada software. “Hosted solutions eliminate the upfront hardware costs and software licensing fees required to install a traditional SCADA system,” explains Manlongat. “In addition, there is no need to maintain licensing support contracts, server computers, or an IT department. These are replaced with simple monthly fees for each online site.”
Though some worry about the security of hosted systems, Manlongat maintains that security is one of their most important selling points. “I often come across utilities with an existing SCADA system running on an unloved Windows XP computer collecting dust on somebody’s desk,” relates Manlongat. “Sure, there may be no Internet connection but there’s also no Windows updates, no anti-virus, no redundancy, and no backups. That is an insecure SCADA system.” Kennedy runs their hosted application at a local server farm, with automatic local and off-site failover plus guaranteed 24/7 power and Internet connection. “Customers have peace of mind knowing that their system is supported by a team of dedicated experts.”
Best Practices for Online SCADA Applications
If you do decide to connect your application to the Internet, here are some best practices that you should keep in mind.
- Have a Firewall – If you have a network, you need a mechanical or software firewall to control access to and from the Internet, SCADA or no SCADA. We have met a surprising number of utilities who have neglected this seemingly obvious precaution. Though many SCADA platforms include security features, this does not eliminate the need for firewalls.
- Use Encryption – To protect security information exchanged between the server and Thin Clients, make sure that your SCADA software supports encryption protocols like Transport Layer Security (TLS) and Virtual Private Networks (VPNs). Login credentials should not be held in any way that can be decrypted and recovered. Note: TLS has replaced SSL which is no longer secure.
Doug Spurrell, a familiar voice at the end of the VTScada support line for decades, has the following advice for configuring Thin Clients.
- Use a Static IP or a Good Dynamic DNS Forwarder – “This is more for convenience,” says Spurrell. If you don’t have a static IP or Dynamic DNS, then every time your ISP changes your IP, all your end users will need to be notified so their Thin Client connections will function again. For example, some ISP’s, especially on DSL, force a renew of the IP every 24-48 hours. Others get a new one every time the computer is re-booted.”
- Designing Screens for Multiple Devices – Doug says, “Design for the smallest screen size that you are using. In most cases, this will be a phone or a tablet. This avoids overcrowding and forces you to make decisions about what is most important on each screen.” VTScada’s Idea Studio is a familiar drag-and-drop development interface with built-in libraries of images and widgets that allows you to create customized screens according to your preferred design methodology such as High Performance HMI.
But My SCADA is Offline, So I’m Safe, Right?
No. Keeping your system secure is a process that must be taught to all users and regularly re-examined even if your servers are not connected to the Internet. This includes physically securing server locations, applying Windows® security updates, running anti-virus scans, creating individual SCADA user accounts with strong passwords, deleting accounts when employees leave, and taking care with USB drives or other external media, and maintaining the latest version of the SCADA software. VTScada customers with valid support can move to the latest version anytime. Never assume that a single technical decision will protect your application.
Risk vs. Benefit.
Simply put, if there is no benefit to connecting your SCADA system to the Internet then don’t. Online risks are real. However, remote access can allow you to respond to developing issues in time to prevent costly spills or service interruptions. This assumes that you have done your due diligence in protection for your system, which you should be doing even if your system is isolated. Talk to your systems integrator about what best practices they recommend. To learn more about the unique ways that VTScada helps you protect remote connectivity contact Trihedral at info@trihedral.com.
About VTScada Software
VTScada is award winning software that represents over 32 years of dedication to SCADA and HMI excellence. Over 50 million North Americans currently rely on VTScada for their water and wastewater needs. This instantly intuitive platform removes frustration from every stage of the SCADA software lifecycle; from pricing and licensing, to development and support. Its unique architecture integrates all core SCADA components into one easy-to-use package. Finely crafted tools and training options combined with the most reliable support in the industry allow you to confidently start creating fully-featured applications immediately.