It is 3:00 AM on a Sunday morning and your cell phone goes off. There is a high-level alarm in the reservoir in the next town. Your water plant feed pumps are running and will fill the reservoir faster than it can drain in the off-peak hours. You stumble to the coffee maker and the computer, log in to the remote access link, and look at the SCADA graphics. Yep, there is a major operational malfunction — the pump control valves are open and the recirculation line is closed. You contact the on-call engineer at Industrial Systems, we log in to our remote access and take a look. Together you determine the second-shift operator left the pump controls in manual mode when leaving and no one caught it. You switch the pumps back to auto and wait for the reservoir to return to normal level.
How did that happen? Well, it takes the right network architecture and security settings to make it possible. If the water plant has a SCADA system — which of course it does if it is sending you alarm notifications via text or email — and the system connects to the internet for some or any service, there is a definite possibility that remote access connections can be established.
The question becomes: how do you provide remote access connections and maintain security on the plant SCADA system? Obviously a VPN is the first step in protecting network traffic from being compromised. But how about on the inside? If your corporate network connects to the internet and there is also a connection to the plant SCADA network, a VPN into the corporate network could allow access to the plant network and computers. Most of the common firewalls available have VPN server features to establish a secure connection to the corporate network for remote access, but that doesn’t mean they offer any security between the corporate network and the SCADA network.
The answer lies in network architecture using a DMZ (Demilitarized Zone). Today’s multi-port firewalls provide a solution with three or more ports of access. One port for the internet link, one for the corporate network, and one for the SCADA network. The firewall has the ability to configure security settings between each of the zones as well as an individual VPN for each zone.
Using this technology, it is possible to remotely connect to your SCADA system for monitoring and troubleshooting in those late-night situations directly via a VPN connection through the SCADA zone rather than exposing the corporate network first. Additionally, the firewall can be configured to block any traffic to the SCADA network from the corporate side and to block any traffic to the corporate network from the SCADA side. They both can talk to the internet.
The only thing missing from this solution is a dial-out-only cellular connection from within the SCADA network so that SCADA system alarm notifications can be received.