Visual Presentation on Federal State and Gateway User Sources

How to Use

Ignition’s Security Features

Kent Melville

Sales Engineer / Inductive Automation

What We’ve Already Said

•

Steps for Protecting Your Ignition System 

– ICC 2017 (Carl Gould)

•

Open and Secure SCADA: Efficient and Economical Control, Without

the Risk 

– Webinar (Travis Cox and Chris Harlow - Bedrock Automation)

•

Ignition Hardening Guide 

(Website)

•

Java Security and Ignition 

(White Paper)

Introduction

•

Today’s Focus:

–

The Application: Ignition’s Security Features

Table of Contents

1.

Existing Features

2.

Upcoming Features

3.

Q/A Security Panel

Existing Features

1.

Roles

2.

Zones

3.

TLS Encryption

4.

User Sources

5.

Active Directory

6.

7.9.4

Roles

Operator

Which is the username and which is the role?

JSMITH

Roles

Operator

Not a username

Which is the username and which is the role?

JSMITH

Zones

•

Roles care about 

WHO.

•

Zones care about 

WHERE.

TLS Encryption

•

Enable SSL – Get a Cert

–

Certificate Authority

–

Self-signed Cert

–

Third Party services (Let’s Encrypt)

•

OPC UA

•

Client

•

Gateway Network

User Sources

•

Where to manage your users and roles:

–

Option #1 - Internal Authentication - Users and roles are stored

internally to Ignition.

–

Option #2 - Database Authentication - Users and roles are stored in

a SQL database. Managing users is done via direct interaction with

the database.

Active Directory Integration

–

Option #3 - Active Directory Authentication - Users are managed

by Active Directory. Users are authenticated through the LDAP

protocol.

•

Where are the roles managed?

–

Active Directory Groups

–

Internal Ignition

–

Database

7.9.4 Changes

•

Client Permissions

–

For upgrades from

previous versions

all are disabled

–

For fresh installs all

are Enabled

7.9.4 Changes

•

Named Queries are

defined and run at the

gateway but can be

referenced from the

project.

•

They accept parameters to

be dynamic but prevent

the client from running

arbitrary queries.

Upcoming Features

1.

System Commissioning

2.

Federated Identities

3.

Multi-Factor Authentication

4.

Security Levels

System Commissioning

Terminology

•

Authentication

 - the process of verifying a user’s identity.

•

Authorization

 - the process of determining who should have access

to what, or who should be able to undertake what actions.

•

7.9

–

Authentication: Internal Ignition User Source or AD

–

Authorization: Roles and Zones

•

8.0

–

Authentication: ?

–

Authorization: ?

Federated Identities

•

Authentication

 in Ignition 8 is done through Federated Identity

Providers (often shortened to IdP).

•

What is a Federated Identity?

Federal

State

State

State

Federated Identities

Ignition 8 will include three different IdP types out of the box:

•

Ignition IdP

–

Legacy User Sources

•

OpenID-Connect IdP

•

SAML IdP

Federated Identites

•

Benefits

–

Web Single Sign On (SSO) - Better UX and more Secure

–

Single Source of Record for Identity Data

–

Simplified Provisioning and De-Provisioning

Multi-Factor Authentication

•

Passwords (or any one factor of authentication) alone are generally

insufficient in protecting modern digital identity systems

•

Multi-factor authentication (MFA)

•

Two-factor authentication (2FA) is a subset of MFA where exactly 2

mechanisms are used to prove one’s identity

Multi-Factor Authentication

•

The three most common types of identity proofing mechanisms are:

–

What you know

•

Typically a password or passphrase

–

What you have

•

Badge which you can scan

•

A software or hardware based one-time-password (OTP) generator

•

A device such as a smartphone which is capable of receiving

authentication requests

–

What you are (biometrics)

•

Fingerprint

•

Facial or Voice Recognition

•

Retina scan

Security Levels

Next up - 

Authorization

.

Introducing 

Security Levels

…

•

A

 platform-level construct aimed to make the permission modeling

inside Ignition more convenient, portable

•

Introduce a stand-alone permission modeling system for use within

Ignition, regardless of how identity was established

Put another way: security levels allow Ignition to have its own authorization

system, independent of the authentication system being used.

Security Levels

•

Security Levels will look a lot like roles:

–

User

–

Operator

•

LineA

•

LineB

–

Supervisor

Security Levels

•

There are two “special” security levels defined by the platform

–

Public

•

All users are always granted the Public security level, 

even if they are not

authenticated

•

Demo Project is almost entirely using the Public security level.

–

Authenticated

•

If a session has authenticated against the configured IdP successfully,

they will have the “Authenticated” security level

Security Levels

•

If the IdP used 

did

 provide “role” information, the roles provided will be

added as child security levels underneath “Authenticated”

–

Public

–

Authenticated

•

A

•

B

•

The legacy role information underneath Authenticated provides a way to

bridge this new method of permission modeling with the role-based

permission modeling from Ignition 7

Security Architecture

Perspective:

Federated Identities

and Security Levels

Gateway:

User Sources

Vision Client:

User Sources

Designer:

User Sources

Demo

Kent Melville

Sales Engineer

Software Developer

Joel Specht

Cyber Security Risk Officer

Jason Waits