ClearSCADA

Encryption Overview

Encryption is one of many possible solutions to protect your system against attackers, in the case of ClearSCADA it is specifically in an attempt to protect the confidentiality and integrity of the system by encrypting the connection between servers and between server and client, and for WebX using certificates ensuring the server you are connecting with is who they say they are.

Encryption Methods

Encryption is used in a number of places for connecting components of ClearSCADA securely, the following lists the specific areas:

Server to ViewX

Since ClearSCADA 2015 R1 client connections to the server, for example ViewX and ODBC, have the option to encrypt all data using TLS_RSA_WITH_AES_256_CBC_SHA. Since ClearSCADA 2015 R2 the server has the addtionally configuration option to only accept encrypted clients.

WebX

WebX has the option of using http or https for its connection and is configured differently depending on how WebX is hosted. Schneider Electric does not recommend using http for WebX use. For information on SSL or TLS refer to third party reference websites, e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security

Original WebX (DBServer Hosted)

For original WebX the minimum support protocol can be define on each server using the ClearSCADA Server Config tool at 'System Configuration' -> 'WebX'. Schneider Electric recommends TLS1.1 or newer, however this setting will affect the operating systems and browsers that can connect to ClearSCADA so check with the browser provider on supported protocols prior to implementing any change.

The hashes used in the encryption process are controlled in the ClearSCADA Registry settings per server at HKEY_LOCAL_MACHINE\SOFTWARE\Schneider Electric\ClearSCADA\Server\ using the values starting with SSL_. Schneider Electric recommend disabling any hash based on NULL, MD5 and RC4, which are also disabled by default on installations from ClearSCADA 2015 R2 onwards.

New WebX (IIS Hosted)

New WebX uses Microsoft Window's standard IIS feature for the hosting and so any configuration options defined within the Windows environment, for example the SChannel configuration, will also be applied to WebX. Schneider Electric recommends you follow your standard corporate hardening guidelines, however should you not have any there are third party websites on the Internet that can provide assistance, for example https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12, however this script has not been specifically tested to work with ClearSCADA.

The use of self-signed certificates should also be avoided in production environment, any https certificate used should be larger than 1024 bytes and be using a more secure certificate hash than provided by SHA1. As weaknesses with either protocols or ciphers are found, or your clients' operating environment is updated, the configuration of the web server should be reviewed and updated.

Server to Server

Since ClearSCADA 2015 R1 TLS_RSA_WITH_AES_256_CBC_SHA has been an encryption option between ClearSCADA servers. This setting can be enabled via Server Config under System Configuration -> Partners and can be enabled and disabled per server connecting using the 'Encrypted' tick box. It does not change the ports used for server-to-server communications.

Server to Driver

Since ClearSCADA 2015 R1 TLS_RSA_WITH_AES_256_CBC_SHA is used between drivers and servers. There is no option to disable this.

Driver Specific Encryption

Some drivers support encryption as part of their native protocol, and these are listed below. For additional protocol information refer to Supported Interface and Protocol Versions.

SNMP

Since ClearSCADA 2014 R1 the SNMP driver has supported SNMPv3 which includes encryption for authentication (MD5 and SHA1) and privacy (AES128 and DES).

DNP3

ClearSCADA currently supports DNP3Secure version 2 to authenticate write actions.

Additional Information

Schneider Electric takes the security of our products seriously and should you need to report a vulnerability refer to http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page or contact support.

The encryption algorithms used between ClearSCADA components are industry standard and are not bespoke written algorithms. As weaknesses are identified in these standard algorithms additional, more secure, algorithms will be added.

Schneider Electric also recommends a defence-in-depth approach to securing your ClearSCADA installation from deliberate or accidental attackers. Risk assessments should periodically be performed to ensure that the right countermeasures are used to ensure the ongoing protection on your whole system, not just for the ClearSCADA component.