Ignition 8.3 Pro Tips: Supercharge System Security

Protecting your systems against modern-day cyber villains requires stronger control system cybersecurity than ever. That’s why security was such a big focus when we developed Ignition 8.3. We wanted to make it easy to integrate powerful, modern security into your systems, so you could build a force field of protection for your data and thwart the attacks that are, unfortunately, so rampant these days.
In honor of Cybersecurity Awareness Month, this blog will delve into some of the Ignition 8.3 features that help you better secure your systems. This blog is the second in our four-part blog series that explores how to get the most out of Ignition 8.3. Read on to get pro tips, use-case ideas, and pearls of Ignition 8.3 wisdom straight from Inductive Automation’s Sales Engineers, so you can achieve cutting-edge security in your systems in true superhero style.

Secrets Management Tips
The new industrial Secrets Management feature in Ignition 8.3 enables you to store secrets securely and protect them from unauthorized parties — a game-changer if you’re looking to boost SCADA password security. And coming soon in Ignition, you’ll also be able to integrate with third-party secrets management platforms such as HashiCorp Vault. Inductive Automation Sales Engineer Chase Dorsey says, “Your IT team will be overjoyed with Ignition’s built-in Secrets Management system. Easily protect sensitive information such as passwords, certificates, and encryption keys by removing them from gateway configuration, allowing for worry-free sharing of gateway backups with external parties.”
Another IA Sales Engineer, Tom Goetz, sheds a little light on why this is such a helpful new addition to your cybersecurity armory: “Now, when you are asked to share a gateway backup or project with integrators, IA support, or a sales engineer, you won't have to worry about exposing passwords to individuals outside your organization or stripping private information from the project. Furthermore, with forthcoming integrations for external secrets management, you can change common passwords for things like databases or API tokens in a single location rather than making the same modifications in multiple gateways.”
For some additional context on the Secrets Management feature, IA Sales Engineer Brad Fischer explains that since Ignition is a unified industrial integration platform, it needs to communicate with a litany of external tooling, and in doing so, passwords, credentials, and access tokens must be accessible yet protected. “The new Secrets Management system provides a way to embed secrets within Ignition, facilitating easy connectivity to databases without the need to expose or disseminate secrets to unprivileged parties. Integrators can now create database connections without ever needing to know the credentials used to create the connection.” He goes on to dive deeper into one of the security tools that is now at your disposal: “By leveraging the new Secrets Key Management Command-Line Tool, administrators can generate new root and encryption keys, and even rotate them, providing a robust way to protect vital secrets stored and used by Ignition.”

Enhanced System Security Tips
With Ignition 8.3, you get multiple layers of control system threat protection that align with the latest industrial cybersecurity standards to keep your data and assets safe. To highlight some of the new features: we’ve expanded LDAP authentication security by allowing extra LDAP attributes to be defined for the Active Directory, AD/Database Hybrid, and AD/Internal Hybrid user sources. We’ve also added two properties to the Active Directory user source, one for nested group membership lookup and one for the group role attribute. Three new properties are now available for Ignition Internal Authentication: “Prohibit Password,” “Prohibit Username,” and “Maximum Consecutive Repeated Characters.” And the Administrator role is now automatically listed under the Authenticated/Roles security level when installing a fresh gateway.
Goetz explains that the problem of failing a security audit due to weak internal passwords now has a quick fix that requires no scripting: the Password Policies properties. He goes on to describe how you can satisfy strict compliance standards and secure your system in just a few clicks: “You can instantly harden your system by configuring the built-in password policies right from the gateway. Enforce critical security rules by setting a maximum password age for regular updates, requiring greater length and complexity, and enabling a password history to prevent users from reusing old credentials.”
When it comes to development/testing, IA Sales Engineer Maggie Rosenkrans offers some insight on how one of the new features in 8.3 can come in handy: “The new properties in the Internal User Source (prohibit username and passwords) can help you more closely simulate your externally managed users and roles in development/test environments.”
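To make the rules above concrete, here is an added illustration, not Ignition’s own code, of a validator shaped like the Internal Authentication properties named in this section (Prohibit Username, Prohibit Password, Maximum Consecutive Repeated Characters) plus the length and history rules Goetz mentions; the exact semantics of each property, and the use of PBKDF2 for the history store, are assumptions made for the example.

```python
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Property names follow the post; their meaning here is an assumption.
    min_length: int = 12
    prohibit_username: bool = True     # password may not contain the username
    prohibit_password: bool = True     # password may not contain the word "password"
    max_consecutive_repeats: int = 2   # "aab" passes, "aaab" fails when set to 2
    history_size: int = 5              # number of previous passwords remembered


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ("aabbbc" -> 3)."""
    return max((len(list(g)) for _, g in itertools.groupby(s)), default=0)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Stores only salted digests of earlier passwords, never the plaintext."""
    def __init__(self, size: int):
        self.size = size
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest) pairs

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), d)
                   for salt, d in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.size]   # keep only the newest `size` entries


def check_password(policy, username, password, history=None) -> list[str]:
    """Return every rule the candidate violates; an empty list means accepted."""
    violations = []
    lower = password.lower()
    if len(password) < policy.min_length:
        violations.append("too short")
    if policy.prohibit_username and username.lower() in lower:
        violations.append("contains username")
    if policy.prohibit_password and "password" in lower:
        violations.append("contains the word 'password'")
    if longest_run(password) > policy.max_consecutive_repeats:
        violations.append("too many consecutive repeated characters")
    if history is not None and history.contains(password):
        violations.append("reused from history")
    return violations
```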
The new security features also give integrators visibility into a system’s configuration while still maintaining good security for the system. “Instead of securing top-level pages of the gateway webpage, 8.3 introduces gateway-wide write, read, and access permissions that all leverage security levels,” Fischer explains. “Rather than locking an integrator out of the configuration page, this lets administrators allow users to view the gateway’s existing configuration without the ability to make any changes.” He goes on to paint a broader picture of how things ultimately work together: “Coupled with LDAP nested group membership support and enhanced password policies for Ignition’s Internal Authentication User Source, 8.3 provides more ways to implement cybersecurity best practices in your industrial deployment.”

Improved Serialization Tips
You can majorly step up your SCADA communication security thanks to one important new 8.3 feature: more secure data serialization, with Remote Procedure Call (RPC) technology that uses Google Protobuf instead of Java serialization. “Technology continues to move forward,” Fischer explains, “and Ignition’s adoption of Google Protobuf for serialization reflects Inductive Automation’s commitment to security.” This new RPC technology improves data throughput for reliable, secure communication between clients and gateways, and has far fewer vulnerabilities than Java serialization. The reason is structural: Java serialization reconstructs arbitrary objects from the incoming byte stream, which is what makes deserialization attacks possible, whereas Protobuf only fills in the fields of message types declared ahead of time.
Rosenkrans breaks down exactly how this improvement helps boost efficiency: “Replacing the store-and-forward engine’s use of Java serialization with Google Protobuf improves its efficiency by making the serialization and de-serialization process, as data moves through the engine, quicker.”
The benefits of the improved serialization are far greater than just faster performance, though. “This is a key security enhancement, not just a performance boost,” Goetz emphasizes. “We've proactively upgraded the communication protocol from traditional Java Serialization to the more modern Google Protobuf. This aligns with today's IT security standards and significantly hardens the platform against a class of potential threats, making it easier to pass security reviews and build confidence with your cybersecurity team.”

OPC UA Roles Tips
The new OPC UA Roles feature in 8.3 enables you to pick and choose which users have access to which tags. And with the latest OPC UA 1.05 specification, you can allow third-party access to specific devices, tag providers, or folders, and can control the read and write permissions granted with that access. Thanks to this new functionality, you can build Industry 4.0 systems that are more secure and connected than ever.
“Ignition’s famous OPC UA server got a major upgrade,” Dorsey says. “No longer are security controls only on the server itself. In 8.3, OPC UA tag permissions allow for granular access control to individual tags for individual users. This allows for more modern, industry-standard, hardened SCADA systems.”
Rosenkrans adds, “The latest implementation of Roles and Permissions in devices and exposed tags takes the Ignition OPC UA server to the next level by allowing for better control over access to data when clients are connected to it.”
The ability to create Industry 4.0 security roles is exceptionally useful for those wanting to bridge the OT/IT gap. As Goetz explains, “The OPC UA Roles feature transforms Ignition from a self-contained SCADA system into a secure, multi-tenant data broker for your entire enterprise. You can now confidently serve live OT data to any number of IT applications (like MES, ERP, or cloud analytics platforms). You have fine-grained, cryptographic control over exactly which application can see which specific data. This is a foundational piece for building a secure and scalable Industry 4.0 architecture, enabling true IT/OT convergence.”

Start Building Next-Gen Security Solutions
It’s easier than ever for you to secure industrial control systems with Ignition 8.3. Download an unlimited free trial to see just how simple it is to optimize SCADA security and build a fortress for your data.
And keep an eye out for the next blog in this series, coming out in about a month — it’ll focus on improving visualization and reporting. In the meantime, if you missed the first blog in this series, “Ignition 8.3 Pro Tips: Achieve Better Industrial Data Management,” be sure to give it a read so that you’re all caught up!