Piotr Golonka (1), Hannu Kamarainen (2)
Poster: WEPGF010, Track: “Control System Infrastructure”
(1) CERN, Geneva, Switzerland, [email protected]
(2) Jyväskylä University of Applied Sciences, Institute of Information Technology, Jyväskylä, Finland
Securing Access To Controls Applications With Apache Httpd Proxy
Motivation
● The access to Controls Applications needs to be protected by an authorization enforcement mechanism, such as filesystem-access rights for panels, libraries, etc. The configuration of NFS and Samba file-shares becomes complex with the growing number of applications. The WinCC OA http file access mechanism is an interesting alternative, yet scalability and security for large setups need to be addressed.
● Embedded web-servers are routinely found in controls hardware nowadays, providing a convenient way to configure, maintain and also operate them. Securing access to the services as well as keeping the firmware up to date is often neglected, as availability and reliable operation is of priority for production systems.

[Figure: file-share based UI access (left) versus HTTP based UI access (right). Left: the WinCC OA Application on the Control Server exposes its UI files over NFS to a Linux console and over SMB to the UIs, each path carrying its own authentication (NFS, SMB, Active Directory); process data flows separately. Right: the same application serves its UI files from its built-in HTTP server to the Linux console and the other UIs over http.]

Solution: HTTP Reverse Proxy

[Figure: architecture of the reverse-proxy solution. Operator consoles in the Control Room, Remote Access clients and a Terminal Server reach the applications through per-application HTTPS virtual hosts (https://App2.SCADA.CERN.CH, https://App3.SCADA.CERN.CH, https://App4.SCADA.CERN.CH) on the HTTP Proxy for *.scada.cern.ch. The proxy holds the TLS/SSL certificate and performs HTTP authentication and authorization against CERN User Accounts (LDAP, E-groups). Behind it, the Control Servers run the WinCC OA applications: the WinCC OA Redundant System PSEN (#1, #2) and App1 to App4, whose HTTP servers listen on http://cs-ccr-psen1:8081, http://cs-ccr-srv2:8082, http://cs-ccr-srv2:8081 and http://cs-ccr-srv3:8080. A Configure.py script and the SCADA Application Service (System Configuration, Database) are shown next to the proxy configuration.]

Conclusions
A standard WWW proxy technology was successfully applied in an atypical context as an alternative to the file-sharing-based access control. The important case of redundancy is properly addressed and performance for large applications is significantly better than with file-sharing. The system is in the pilot deployment phase.
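The per-application HTTPS virtual hosts, TLS termination at the proxy, and LDAP-based authentication and authorization sketched in the Solution figure, expressed as an Apache httpd configuration. This is an added example and not the configuration from the poster or from CERN: the certificate paths, the LDAP server and search URL, the group DN and the hot-standby treatment of the redundant PSEN pair are assumptions; the back-end host names and ports are the ones shown on the poster's diagram.

```apache
# Added example, not the poster's own configuration.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_ldap, mod_authnz_ldap and mod_headers are loaded.
# Paths, the LDAP URL and the group DN are placeholders.

# Never act as an open forward proxy; only the explicit ProxyPass rules below.
ProxyRequests Off

# One virtual host per application: App2 -> WinCC OA HTTP server on cs-ccr-srv2:8082
<VirtualHost *:443>
    ServerName app2.scada.cern.ch

    # TLS terminates here; the WinCC OA HTTP server behind the proxy stays plain http.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/scada.cern.ch.crt
    SSLCertificateKeyFile /etc/httpd/ssl/scada.cern.ch.key

    <Location />
        # Authentication against the central user directory (URL is a placeholder).
        AuthType Basic
        AuthName "App2 SCADA"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.org/OU=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"
        # Authorization: only members of the application's group may fetch panels.
        # The group DN stands in for an e-group; it is an assumption.
        Require ldap-group CN=app2-operators,OU=groups,DC=example,DC=org
    </Location>

    # The operator's credentials are consumed at the proxy and not forwarded.
    RequestHeader unset Authorization

    ProxyPreserveHost Off
    ProxyPass        / http://cs-ccr-srv2:8082/
    ProxyPassReverse / http://cs-ccr-srv2:8082/
</VirtualHost>

# Redundant PSEN pair: one way to express primary/standby in httpd terms
# (hot standby via mod_proxy_balancer); whether the poster's system does it
# this way is not stated there, so treat it as an assumption.
<VirtualHost *:443>
    ServerName psen.scada.cern.ch

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/scada.cern.ch.crt
    SSLCertificateKeyFile /etc/httpd/ssl/scada.cern.ch.key

    <Location />
        AuthType Basic
        AuthName "PSEN SCADA"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.org/OU=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"
        Require ldap-group CN=psen-operators,OU=groups,DC=example,DC=org
    </Location>

    RequestHeader unset Authorization

    <Proxy balancer://psen>
        BalancerMember http://cs-ccr-psen1:8081
        # status=+H marks psen2 as hot standby: used only if psen1 is unreachable.
        BalancerMember http://cs-ccr-psen2:8081 status=+H
    </Proxy>

    ProxyPreserveHost Off
    ProxyPass        / balancer://psen/
    ProxyPassReverse / balancer://psen/
</VirtualHost>
```

Two points worth checking on a deployment like this: `RequestHeader unset Authorization` keeps the directory password from leaking to the back-end, and the `Require ldap-group` line is where per-application access control lives, replacing the per-share filesystem rights the poster's Motivation describes. A wildcard certificate for *.scada.cern.ch, as the diagram implies, lets every application virtual host share the same `SSLCertificateFile`.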
Performance
Time in seconds to start the User Interface for a large SCADA (CERN electrical network supervision) on a Windows Terminal Server (values read from the bar chart, in the order of its labels):
  SAMBA          34 s
  Local files    21 s
  HTTP no cache  23 s
  HTTP cached    16 s
[Figure: starting the user interface through the proxy.]
> WCCOAui -noTunnel -server https://PSEN.SCADA.CERN.CH
The request is proxied to http://cs-ccr-psen2:8081, the WinCC OA HTTP server that serves the .pnl panel files.