With cybersecurity threat vectors increasing and attacks on industrial control systems on the rise, it’s more important than ever to take proper safety precautions when developing HMI or SCADA applications. In this webinar, we’ll go over how your application can be integrated with LDAP, and some best practices for developing more secure SCADA/HMI systems.
3. Agenda
• Brief InduSoft Overview
• InduSoft Security Overview
• LDAP and Active Directory
– What are they? And why do you need them?
– How do I use them?
– Configuration Options
4. Security is important
• This presentation is not meant to supersede your corporate policies.
• Informational only.
• Please make sure you refer to documentation and work with your IT group.
• Changing all of the time.
6. www.InduSoft.com | info@InduSoft.com
Value Proposition
InduSoft Web Studio is an easy-to-use, powerful, and affordable HMI/SCADA software for PCs, industrial panels, embedded & mobile devices.
Design the applications in an integrated development environment and deploy/run them on multiple platforms, including any current Microsoft Operating System - Windows CE/Mobile, Embedded, Desktop and Server Editions - as well as Linux, VxWorks, among others.
11. Security Overview
Local Only
This is the standard mode for most projects: users and groups are created in the project development environment, and they apply only to the project for which they are created.
Distributed – Server
This is similar to Local Only, except that the project's security system configuration is also made available to other projects (that are set to Distributed – Client) on the same network. Furthermore, if the project loses its security system configuration for some reason, it can reimport the configuration from one of its client projects.
Distributed – Client
When this mode is selected, the project gets its entire security system configuration from another project (that is set to Distributed – Server) on the same network. The project caches this configuration and can continue to run even if it loses communication with the server project.
Domain (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a recognized standard for managing users and groups across many different applications on a network. When this mode is selected, the project gets its users and groups from an LDAP-compliant domain server, such as Microsoft Active Directory for Windows or OpenLDAP for Linux. However, only the user names, passwords, and group memberships are taken from the domain; specific rights for each group must still be configured within the project.
12. Difference between LDAP and AD
• LDAP (Lightweight Directory Access Protocol) is a protocol
• AD (Active Directory) is a directory services database
• LDAP is one of the protocols you can use to talk to AD
13. Why?
• Centrally managed
– Usually at the corporate level
– By IT department (not Controls Engineers)
• No need to duplicate users and management
14. Active Directory Levels
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.
– Forest
– Trees: a set of Trees makes up a Forest
– Domains: a set of Domains makes up a Tree
Source: Wikipedia
15. Active Directory Levels
Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.
A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
(Ref.: https://en.wikipedia.org/wiki/Active_Directory)
16. Authentication vs. Rights
Authentication is the process of verifying someone or something is who/what they say they are.
Rights (within IWS): The specific rights that a member of the group has when they use a project thin client to access your project during run time.
18. User and Group Configurations
• Users handle Authentication (who you are)
• Groups configure Rights (Authorization: what you may do)
20. LDAP Server Settings
LDAP Server Credentials
• Must have admin rights
• Can be {stringTag}
• Status tag
  Value  Description
  0      Connection timeout
  1      Bind timeout
  2      Query timeout
  3      Disconnected
  4      Connected
  5      No users or groups returned by query
  6      Invalid user or group
21. LDAP Server Settings
LDAP Advanced
• If for some reason the LDAP server cannot be accessed using its domain name, then you can manually configure the server's IP address
• Simple Bind (ADAM)
– Credentials are sent in clear text, so you should secure the connection by other means such as VPN, TLS/SSL, or proxies.
• Save Rights to server
– Usually local, but you can configure the server to save those rights back to the LDAP server. You need to create Custom Attributes for the group security settings to accept these parameters.
22. LDAP Server Settings
LDAP Query
• By default, the LDAP server provides a list of all registered users and groups
– Could be huge: thousands or millions of entries
– Provide a way to filter or isolate users
– Could take a long time, longer than a practical timeout
• Query syntax
Queries ARE case sensitive
• = (EQUAL TO) Example: (givenName=John)
• & (logical AND) Example: (&(givenName=John)(l=Dallas))
Resources/References:
https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
http://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices
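As an added example (not InduSoft's own code), the filter syntax above in Python: it builds the slide's (&(givenName=John)(l=Dallas)) filter, then goes beyond it by narrowing the query to one enabled member of an operators group, as the slide recommends for isolating users instead of pulling the whole directory. Values are escaped per RFC 4515 so that a name typed at the HMI cannot change the filter's meaning; the group DN and the choice of sAMAccountName/memberOf attributes are assumptions.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally instead of altering the filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def equals(attribute: str, value: str) -> str:
    """Build (attribute=value); attribute names come from code, never from the HMI."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"unexpected attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def logical_and(*filters: str) -> str:
    """Combine filters with the & operator from the slide: (&(f1)(f2)...)."""
    return "(&" + "".join(filters) + ")"


def logical_not(filt: str) -> str:
    """Negate a filter: (!(f))."""
    return "(!" + filt + ")"


# Active Directory's bitwise-AND matching rule; bit 0x2 of userAccountControl is ACCOUNTDISABLE.
DISABLED_ACCOUNT = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def operator_login_filter(sam_account_name: str, group_dn: str) -> str:
    """Narrow the query to one enabled user who belongs to the HMI operators group.

    group_dn is a hypothetical distinguished name chosen by the integrator.
    """
    return logical_and(
        equals("objectClass", "user"),
        equals("sAMAccountName", sam_account_name),
        equals("memberOf", group_dn),
        logical_not(DISABLED_ACCOUNT),
    )


if __name__ == "__main__":
    # Constructed sample inputs: the slide's example and an operator lookup.
    group = "CN=SCADA Operators,OU=Groups,DC=plant,DC=example"  # assumed DN
    print(logical_and(equals("givenName", "John"), equals("l", "Dallas")))
    print(operator_login_filter("jsmith", group))
    # A name containing filter metacharacters stays a literal string after escaping.
    print(operator_login_filter("*)(objectClass=*", group))
```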
25. Additional New InduSoft Numbers
Licensing
US and Canada Toll-Free: 855-274-8381
Direct dial from anywhere: 512-910-8044
Support
US and Canada Toll-Free: 855-269-4489
Direct dial from anywhere: 512-879-4107
26. Contact InduSoft Today
Email
(US) info@indusoft.com
(Brazil) info@indusoft.com.br
(Germany) info@indusoft.com.de
Support: support@indusoft.com
Web site
(English) www.indusoft.com
(Portuguese) www.indusoft.com.br
(German) www.indusoft.com.de
Phone
+1 (512) 349-0334 (US)
+55 (11) 3293-9139 (Brazil)
+49 (0) 6227-732510 (Germany)
Toll-Free: 877-INDUSOFT (877-463-8763)
Fax: +1 (512) 349-0375