The preponderance of ICS security professionals recoil at the concept of smart phones having any role in SCADA or DCS. As covered in an earlier blog entry, there is a big difference between using smart phones for control and using them to view data that has been pushed out to the corporate or other external network. Security people who just say no to a legitimate business need are of limited value to an organization and often are ignored. If the business insists that some process information is required on smart phones or iPads, and they understand and accept the risk of the potential information confidentiality compromise, then let’s find the best way to do this.
Transpara Visual KPI is a good example of how data can be provided to smartphone users without increasing the risk of an impact to the integrity or availability of the SCADA and DCS.
The first step is to get the SCADA or DCS data out to the corporate network. OSIsoft’s PI server or another historian can do this, and in fact most organizations are already pushing data out to a DMZ or corporate network. The best practice is to push the data from the control center to the ICS DMZ and then from the ICS DMZ to the corporate network, but many owner/operators either allow corporate access to the PI server on the ICS DMZ or push it out directly to the corporate network. Of these two sub-optimal options, we prefer allowing corporate access to the ICS DMZ, because the firewall can significantly limit the attacks on a PI server that then communicates with a PI server in the control center.
The Transpara application server is installed on the corporate network, and the connection between the Transpara server and the PI server is tied to a PI user account. Access control measures are applied to the Transpara PI user. So now we already have two restrictions on what data can be viewed on smart phones. First, you can control what data is pushed to the external PI server. And second, you can control what data the Transpara application server can access by its associated PI user.
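To make the two restrictions concrete, here is an added illustrative model (not PI or Transpara code) of the read-only data path: a push allow-list on the control-center historian, then a per-identity read ACL on the external PI server that the Transpara service account is subject to. Tag names, the `transpara_svc` identity, the ACL format and the sample values are all constructed for the example.

```python
from dataclasses import dataclass

# Restriction 1 (constructed): only allow-listed tags are replicated from the
# control-center historian to the external PI server. Nothing flows back in.
PUSHED_TAGS = {"unit1.flow_kpi", "unit1.temp_avg", "plant.production_rate"}

# Restriction 2 (constructed format): on the external PI server, each tag maps to
# the identities permitted to read it. The Transpara server authenticates as
# "transpara_svc" (assumed name), so its view is bounded by this ACL.
PI_READ_ACL = {
    "unit1.flow_kpi": {"transpara_svc", "pi_admin"},
    "unit1.temp_avg": {"pi_admin"},            # pushed, but hidden from Transpara
    "plant.production_rate": {"transpara_svc"},
}


@dataclass
class ControlCenterHistorian:
    """Full process data set living inside the control center (constructed)."""
    tags: dict

    def replicate(self) -> dict:
        """Gate 1: push only allow-listed tags outward to the external PI server."""
        return {t: v for t, v in self.tags.items() if t in PUSHED_TAGS}


def visible_to(external_pi: dict, identity: str) -> dict:
    """Gate 2: what a given PI identity may read from the external server.
    Tags absent from the ACL are denied (default deny)."""
    return {t: v for t, v in external_pi.items()
            if identity in PI_READ_ACL.get(t, set())}


def smartphone_view(cc: ControlCenterHistorian) -> dict:
    """Data that can reach a phone: it must pass BOTH gates in sequence."""
    return visible_to(cc.replicate(), "transpara_svc")


# Constructed sample data, including control-relevant tags that never leave the ICS.
SAMPLE = ControlCenterHistorian({
    "unit1.flow_kpi": 412.0,
    "unit1.temp_avg": 88.3,
    "plant.production_rate": 0.97,
    "unit1.valve_setpoint": 55.0,   # not in PUSHED_TAGS, never exported
    "unit2.alarm_limit": 120.0,     # not in PUSHED_TAGS, never exported
})

if __name__ == "__main__":
    print(smartphone_view(SAMPLE))
```

Removing a tag from either gate is enough to keep it off the phones, and a compromise of the Transpara account still exposes only the intersection of the two.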