Securing Access To Controls Applications With Apache Httpd Proxy

Piotr Golonka (1), Hannu Kamarainen (2)
Poster: WEPGF010. Track: "Control System Infrastructure"
(1) CERN, Geneva, Switzerland, [email protected]
(2) Jyväskylä University of Applied Sciences, Institute of Information Technology, Jyväskylä, Finland

Motivation

● The access to Controls Applications needs to be protected by an authorization enforcement mechanism, such as filesystem-access rights for panels, libraries, etc. The configuration of NFS and Samba file-shares becomes complex with the growing number of applications. The WinCC OA http file access mechanism is an interesting alternative, yet scalability and security for large setups need to be addressed.

● Embedded web-servers are routinely found in controls hardware nowadays, providing a convenient way to configure, maintain and also operate them. Securing access to the services as well as keeping the firmware up to date is often neglected, as availability and reliable operation is of priority for production systems.

[Diagram, file-share based access. Labels: Control Server, WinCC OA Application, Process data, UIs, UI on Linux console, NFS, SMB, Active Directory, auth.]
[Diagram, http file access. Labels: Control Server, WinCC OA Application, HTTP server, Process data, UIs, UI on Linux console, http.]

Solution: HTTP Reverse Proxy

[Diagram. Clients: Operator consoles in Control Room, Remote Access, Terminal Server. Front end: HTTP Proxy, *.scada.cern.ch, TLS/SSL Certificate, Authentication and Authorization against CERN User Accounts (LDAP, Egroups), application names https://App2.SCADA.CERN.CH, https://App3.SCADA.CERN.CH, https://App4.SCADA.CERN.CH. Back end (HTTP authentication): Control Servers PSEN (#1) and PSEN (#2) forming a WinCC OA Redundant System, App1, App2, App3, App4, reached at http://cs-ccr-psen1:8081, http://cs-ccr-psen2:8081, http://cs-ccr-srv2:8081, http://cs-ccr-srv2:8082, http://cs-ccr-srv3:8080, serving .pnl files. Configuration: SCADA Application Service, System Configuration Database, Configure.py.]

> WCCOAui -noTunnel -server https://PSEN.SCADA.CERN.CH

Performance

Time in seconds to start the User Interface for a large SCADA (CERN electrical network supervision) on a Windows Terminal Server (bar chart, axis 0 to 40 [s], values in the order shown on the poster):
SAMBA: 34
Local files: 21
HTTP no cache: 23
HTTP cached: 16

Conclusions

A standard WWW proxy technology was successfully applied in an atypical context as an alternative to the filesharing-based access control. The important case of redundancy is properly addressed and performance for large applications is significantly better than with file-sharing. The system is in the pilot deployment phase.
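The authentication, authorization and redundant-backend parts of the reverse-proxy design above, as an added example in the spirit of the poster's Configure.py (not CERN's code): from a stand-in for the System Configuration Database it emits one TLS VirtualHost per application, using mod_authnz_ldap for the CERN accounts and e-groups and mod_proxy_balancer for the PSEN redundant pair. The LDAP URL, e-group names, certificate paths and the App2 backend assignment are assumptions.

```python
"""Generate Apache httpd reverse-proxy vhosts for SCADA apps, in the spirit of
the poster's Configure.py (added example, not CERN's code). APPS stands in for
the System Configuration Database; LDAP URL, e-groups and cert paths are placeholders."""

DOMAIN = "scada.cern.ch"
LDAP_URL = "ldap://ldap.example.invalid/OU=Users,DC=example?sAMAccountName?sub?(objectClass=*)"
APPS = {
    # PSEN is a WinCC OA redundant system, so both control servers are backends.
    "psen": {"backends": ["http://cs-ccr-psen1:8081", "http://cs-ccr-psen2:8081"],
             "egroup": "scada-psen-operators"},
    "app2": {"backends": ["http://cs-ccr-srv2:8082"], "egroup": "scada-app2-users"},
}

def vhost(name, app):
    """One TLS vhost that authenticates and authorizes, then proxies to the app."""
    lines = []
    if len(app["backends"]) > 1:
        # Redundant system: mod_proxy_balancer fails over between the control servers.
        lines.append(f'<Proxy "balancer://{name}">')
        lines += [f"    BalancerMember {b} retry=5" for b in app["backends"]]
        lines.append("</Proxy>")
        target = f"balancer://{name}/"
    else:
        target = app["backends"][0] + "/"
    lines += [
        "<VirtualHost *:443>",
        f"    ServerName {name}.{DOMAIN}",
        "    SSLEngine on",
        f"    SSLCertificateFile /etc/pki/tls/certs/wildcard.{DOMAIN}.crt",
        f"    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.{DOMAIN}.key",
        "    ProxyRequests Off",  # reverse proxy only, never an open forward proxy
        "    <Location />",
        "        AuthType Basic",  # acceptable here only because the client leg is TLS
        '        AuthName "CERN SCADA"',
        "        AuthBasicProvider ldap",
        f'        AuthLDAPURL "{LDAP_URL}"',
        f"        Require ldap-group cn={app['egroup']},OU=e-groups,DC=example",
        f"        ProxyPass {target}",
        f"        ProxyPassReverse {target}",
        "    </Location>",
        "</VirtualHost>",
    ]
    return "\n".join(lines)

def build_config(apps=APPS):
    """Concatenate vhosts for every application in the configuration database."""
    return "\n\n".join(vhost(n, a) for n, a in sorted(apps.items()))

if __name__ == "__main__":
    print(build_config())
```

Write the output to a file included by httpd.conf and run `apachectl configtest` before reloading.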


Source PDF: icalepcs.synchrotron.org.au/posters/wepgf010_poster.pdf
