ClearSCADA

Encryption Overview

Encryption is one of many possible solutions to assist to protect your system against attackers. In the case of ClearSCADA encryption is used specifically to improve the confidentiality and integrity of the system by encrypting the connection between servers, and between server and client, as well as in WebX using certificates helping to ensure the https server you are connecting with is who they say they are.

Encryption Methods

Encryption is used in a number of places for connecting components of ClearSCADA in a more secure way, the following lists the specific areas:

ViewX to Server

Since ClearSCADA 2015 R1 client connections to the server using the ClearSCADA client components, for example ViewX and ODBC, have the option to encrypt all data using TLS_RSA_WITH_AES_256_CBC_SHA. Since ClearSCADA 2015 R2 the server has the additional configuration option to only accept encrypted clients.

WebX

WebX has the option of using http or https for its connection and is configured differently depending on how WebX is hosted. Schneider Electric does not recommend the use of http for WebX use over untrusted networks. For information on the industry standard protocols used, i.e. SSL or TLS, refer to third party reference websites, e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security

Original WebX (DBServer Hosted)

For original WebX the minimum supported protocol can be define on each server using the ClearSCADA Server Config tool at 'System Configuration' -> 'WebX'. Schneider Electric recommends TLS1.1 or newer, however this setting will limited the supported operating systems and browsers that can connect to ClearSCADA. Ensure browser compliance with any minimum protocol and cipher prior to implementing any change.

The hashes used for the cipher are controlled in the ClearSCADA Registry settings on each ClearSCADA server using HKEY_LOCAL_MACHINE\SOFTWARE\Schneider Electric\ClearSCADA\Server\ and the values starting with SSL_. Schneider Electric recommend disabling any hash based on NULL, MD5 and RC4, which are also disabled by default on new installations from ClearSCADA 2015 R2 onwards.

New WebX (IIS Hosted)

New WebX uses Microsoft Windows' standard IIS feature for the hosting and so any configuration options defined within the Windows environment, for example the schannel (Microsoft Secure Channel) configuration, will also be applied to WebX. Schneider Electric recommends you follow your standard corporate hardening guidelines, however should you not have any there are third party websites on the Internet that can provide assistance, for example https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12. Note this script has not been specifically tested to work with ClearSCADA.

The use of self-signed certificates should also be avoided in production environments, any https certificate used should be larger than 1024 bits and be using a more secure certificate hash than provided by SHA1. As weaknesses with either protocols or ciphers are found, or your clients' operating environment is updated, the configuration of the web server should be reviewed and updated.

Server to Server

Since ClearSCADA 2015 R1, TLS_RSA_WITH_AES_256_CBC_SHA has been an encryption option between ClearSCADA servers. This setting can be enabled via Server Config under System Configuration -> Partners and can be enabled and disabled per server connecting using the 'Encrypted' tick box. It does not change the ports used for server-to-server communications.

Server to Driver

Since ClearSCADA 2015 R1, TLS_RSA_WITH_AES_256_CBC_SHA is used between drivers and servers. There is no option to disable this.

Driver Specific Encryption

Some drivers support encryption as part of their native protocol, and these are listed below. For additional protocol information refer to Supported Interface and Protocol Versions.

SNMP

Since ClearSCADA 2014 R1 the SNMP driver has supported SNMPv3 which includes encryption for authentication (MD5 and SHA1) and privacy (AES-128 and DES).

DNP3

ClearSCADA currently supports DNP3Secure version 2 to authenticate write actions, however encryption of the data content during read or write is not covered by DNP3Secure. If true encryption is required then solutions such as IPSec or AGA-12 should be used.

Additional Information

Schneider Electric takes the security of our products seriously and should you need to report a vulnerability refer to http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page or contact support.

The encryption algorithms used by ClearSCADA components are industry standard and are not bespoke written algorithms. As weaknesses are identified in these standard algorithms additional, more secure, algorithms will be added.

Schneider Electric recommends a defence-in-depth approach to securing your ClearSCADA installation from deliberate or accidental attackers. Risk assessments should be performed periodically to ensure that suitable countermeasures are used to ensure an adequate managed protection of your whole system, and not just for the ClearSCADA component.