Security Enhancements

CitectSCADA 7.10r0

 

The CitectSCADA 7.10 release includes changes that are designed to reduce the security exposure of the product to external threats via the network. The product features that have been affected are detailed below. Please review the list to understand what effect they may have on your system with regard to the upgrade and design process.

Managing surface area

A set of new configuration parameters has been added to provide control over the CitectSCADA network interfaces. These parameters help you protect your system by allowing control over unused features of the product. The following services can be enabled or disabled: DDE, Remote CTAPI, LAN, ODBC, OLEDB and FTP. These services are disabled by default.

User login required for control actions

A user is now required to be configured and logged in to CitectSCADA to allow the display process to perform a tag write (control) action. CitectSCADA projects should be designed to avoid Cicode tasks that perform tag writes that are not issued by a user.

Note: Due to improvements in security, CitectSCADA no longer supports projects that have multiple users with the same name and different passwords.

We recommend projects be configured to take advantage of the change to provide increased system security protection. If your system has existing network security protection in place and does not require the additional security protection, it can be turned off using the following parameters to avoid the impact of the changes:

 

Parameter for the client/display node:

[LAN] SecureLogin

Parameter for the server node:

[LAN] AllowLegacyConnections

These parameters may be required during an upgrade process when there is a mix of old and new version CitectSCADA nodes in a running system.

The System Parameters that have been introduced or modified as part of the security enhancements are as follows. See below for more details.

After upgrade, it is strongly recommended that these parameters be set to their default values, which enhance security.

Citect.INI Parameters

Client Parameters

[Client] AutoLoginMode - Set to enable auto login. Users can select one of seven modes.

Mode 0 - Auto login is disabled. Control Client starts in view-only mode.

Mode 1 - System logs in with the current Windows user at startup.

Mode 2 - System logs in with the current Windows user at startup and on logout. If the startup login fails, the user will be prompted to log in at startup and on logout, so the system will not switch to view-only mode.

Note: Modes 1 and 2 act the same as modes 3 and 4 if the startup login of the current Windows user fails.

Mode 3 - User will be prompted with an empty login form at startup.

Mode 4 - User will be prompted with an empty login form at startup and on logout. If the user selects cancel, the process will shut down.

Note: This mode should not be used on a server process (where the Server Login is disabled).

Mode 5 - Automatically log in with saved user credentials at startup. If login fails or there are no saved user credentials, the user will be prompted to log in.

Mode 6 - Attempt to automatically log in with saved credentials at startup and on logout. If saved credentials are not available (or fail to log in), the user is prompted at startup to log in. The re-login of the initial user on logout does not validate the user and therefore does not need to prompt, even if the password has been changed (e.g. in the case of a Windows user).

To remove or change the credentials saved during modes 5 or 6, the user needs to set the mode to 3 or 4 and restart to be prompted for login. When the user successfully logs in, the saved credential will be removed, and the user can set the mode back to 5 or 6 and restart to be prompted again.

Note: In modes 1, 3 and 5, when the user logs out, the system reverts to view-only mode and no further action is taken.

Allowable Values:

0 - (Auto login disabled. Control client starts in view-only mode, until valid user logs on)

1 - (Login current Windows user at system startup)

2 - (Login current Windows user as system default user at startup)

3 - (Prompt user for login at startup)

4 - (Prompt user for login at startup and logout)

5 - (Try login with saved credential at startup)

6 - (Try login with saved credential at startup and on logout)

Default Value:

0

LAN Parameters

[LAN] AnonymousLoginName - The name of the default identifier to allow 'view-only' data access for a client process to the SCADA server(s). This is used when no user is logged in on the client. This can be changed to provide a site-specific identifier for increased security.

Allowable Values:

Default Value:

"Anonymous"

[LAN] AllowLegacyConnections - Disables access restrictions. When set to 1, previous versions of the client can connect to the server. This can be used when [LAN] SecureLogin is enabled.

Allowable Values:

0 or 1

Default Value:

0

[LAN] SecureLogin - Security measures are active.

When set to 0, security measures are disabled and the system acts as it did in versions prior to 7.10. When disabled, the [LAN] AllowLegacyConnections setting is not used, as legacy connections are allowed.

Note: This option should be used with caution and only if the network is not accessible to outsiders.

Allowable Values:

0 or 1

Default Value:

1

 

[LAN] ServerLoginEnabled - When CitectSCADA is configured to run in multi-process mode, the IO, Alarm, Trend and Report servers run as separate processes, and need to connect to other servers.

Server login uses the specified identifier (similar to anonymous login) to establish this initial communication between servers. Users can configure the name of the identifier or disable it. If disabled, the server process will act similarly to a control client, depending on the value set for [Client] AutoLoginMode.

Allowable Values:

0 or 1

Default Value:

1 (default server login enabled)

 

[LAN] ServerLoginName - The name of the default identifier to allow data access for a server process to other SCADA server process(es). This can be changed to provide a site-specific identifier for increased security.

Allowable Values:

Default Value:

"SuperUser"

CtAPI Parameters

[CtAPI] AllowLegacyConnections - By default, the CTAPI server only accepts connections from the current version of the CTAPI client. When [CtAPI] AllowLegacyConnections is set to 1, the CTAPI server will also accept connections from previous versions of the CTAPI client.

Allowable Values:

0 - (Do not allow connection)

 

1 - (Allow connection)

Default Value:

0

 

[CtAPI] AllowLegacyServices - When set, the Citect Web Service and the Citect OLEDB Provider can connect to the CTAPI server.

Allowable Values:

0 - (Disable connection)

 

1 - (Allow connection)

Default Value:

0

 

[CtAPI] Remote - Determines whether remote computers using the CTAPI interface can call in to this computer.

Note: To use the CTAPI on a remote computer without installing CitectSCADA, you will need to copy the following files from the \CitectSCADA\BIN directory to your remote computer: CTAPI.DLL, CT_IPC.DLL, CTENG32.DLL, CTRES32.DLL, and CTUTIL32.DLL.

Allowable Values:

0 - (Do not allow remote access)

 

1 - (Allow remote access)

Default Value:

0

 

DDE Parameters

[DDE] AllowCicode - Allows Cicode to be run on the Citect server via the DDE Execute command.

Allowable Values:

0 or 1

Default Value:

0

 

 

[DDE] AllowWrites - Allows tag writes to the Citect server via the DDE Poke command.

Allowable Values:

0 or 1

Default Value:

0

 

ODBC Parameters

[ODBC] Server - When set, ODBC connections are accepted.

Allowable Values:

0 - (Not listening to ODBC connections)

 

1 - (Listening for ODBC connections)

Default Value:

0
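
The audit below is an added example, not part of the original release notes or of CitectSCADA itself: it reads the text of a Citect.INI and reports every parameter from the list above that enables or relaxes a network interface and whose value differs from the documented default. The sample file contents and the function name audit_citect_ini are constructed for illustration, and the script assumes that section and parameter names are matched case-insensitively.

```python
import configparser

# Defaults documented on this page for the parameters that enable or
# relax a network-facing interface: (section, parameter) -> default.
SECURE_DEFAULTS = {
    ("lan", "securelogin"): "1",
    ("lan", "allowlegacyconnections"): "0",
    ("ctapi", "allowlegacyconnections"): "0",
    ("ctapi", "allowlegacyservices"): "0",
    ("ctapi", "remote"): "0",
    ("dde", "allowcicode"): "0",
    ("dde", "allowwrites"): "0",
    ("odbc", "server"): "0",
}

# Constructed sample, not taken from a real system.
SAMPLE_INI = """\
[LAN]
SecureLogin=0
AllowLegacyConnections=1
AnonymousLoginName=PlantView
[CtAPI]
Remote=1
[DDE]
AllowWrites=0
[ODBC]
Server=1
"""

def audit_citect_ini(text):
    """Return sorted (section, parameter, found, default) tuples for each deviation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    found = {}
    for section in parser.sections():
        for key, value in parser.items(section):  # keys arrive lower-cased
            if value is not None:
                found[(section.strip().lower(), key)] = value.strip()
    findings = []
    for (section, key), default in SECURE_DEFAULTS.items():
        # A parameter absent from the file keeps its documented default.
        if found.get((section, key), default) != default:
            findings.append((section, key, found[(section, key)], default))
    return sorted(findings)

if __name__ == "__main__":
    for section, key, value, default in audit_citect_ini(SAMPLE_INI):
        print(f"[{section}] {key} = {value} (documented default: {default})")
```

[LAN] AnonymousLoginName and [LAN] ServerLoginName are deliberately not checked, since the notes above recommend changing them to site-specific identifiers.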