Encryption, locking USB ports, and hardening servers

Encryption

Configure the system to use the latest version of Transport Layer Security (TLS), at least version 1.2.

Power Operation (PO) can encrypt communication between its components using the latest Transport Layer Security (TLS) version. Communication is encrypted between:

  • Server(s) and client(s)
  • Server to server

Locking-down USB ports on server computers

Power Operation supports electronic software keys to allow IT departments to lock down USB ports on server computers.

The configuration setup steps are:

  1. Create a project.
  2. Add all the devices on the network.
  3. Configure the rules for the network that define the traffic that can pass through which firewall.

We recommend that you begin with the firewalls in test mode so you can see what would be blocked and then adjust accordingly. The firewall configurations should then be loaded onto a USB flash drive that is used to upload the configuration to each firewall.

The following is an example architecture that can serve as reference for how one of the networks might be constructed. It is a small network that can be scaled out to fit a much larger system.

Configuring a System Management Server

Power Operation needs post-installation configuration to use encrypted communications. Only one of the machines in the network can be identified and configured as the System Management Server.

Use the Configurator to establish a trust relationship between one or more machines running Power Operation. This configuration allows for encrypted communication between these machines, which is achieved through a common System Management Server on which a certificate is created and used to encrypt communications. Certificates may be generated automatically on the System Management Server or provided by the IT department.

To connect to the System Management Server, you need to be a member of either the “aaAdministrators” or the “Administrators” group on the machine where the System Management Server is installed.

To configure a system management server:

  1. Start the Configurator.
  2. In the left pane, select Common Platform > System Management Server. The following is displayed:
    Configurator window for AVEVA software. The left navigation pane includes sections labeled "Citect SCADA" with options like "Computer Setup," "Encryption," and "Deployment Client," and "Common Platform" with "System Management Server." The main panel presents three setup options: connect to an existing server, designate the current machine as the server, or proceed without configuration. An "Advanced" button is available for further settings. At the bottom are buttons labeled "Refresh," "All Messages," "Configure," and "Close." Instructional text explains setup choices and mentions certificate and port configuration.
  3. Select This machine is the System Management Server. Review the notes on the screen before you start the configuration.
  4. Select Configure. If an existing binding is found for the specified ports, the following message is displayed:
    Dialog box titled "Warning". The message states that a TLS certificate is currently bound to HTTPS port 443. It includes the friendly name "Citect Deployment server port binding" and issuer "Citect Deployment CA." The dialog asks whether to continue and replace the existing certificate binding. Two buttons labeled "Yes" and "No" appear below the message.
  5. Select Yes if you wish to replace the binding. The Configurator starts configuring the System Management Server.
    If you select No, the following message is displayed in the Configuration Messages area:
    Configuration Messages window. The message reads: "User decided not to replace existing port binding. Failed to configure the device. Please check ArchestrA Logger for more information."
  6. On successful configuration, the message “Device configuration completed” is displayed. The security code is displayed in the Configurator as shown below. To view more information about the certificate, select Details.
    Configurator window for the System Management Server in AVEVA software. The interface presents three options: connect to an existing server, designate the current machine as the server, or proceed without configuration. A security code is displayed for validation during setup on other machines. Configuration messages below indicate certificate setup, server connection, device registration, and completion. The layout includes instructional text and status updates related to system setup.
  7. If the configuration is unsuccessful, check the ArchestrA Logger. You can access this by typing \Program files (x86)\common files\archestra\aaLogviewer.exe at the Windows command prompt. Alternatively, view details of the errors in the System Management Console. For more details, refer to the ArchestrA documentation.
  8. Select Close to exit the Configurator.
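
After the configuration completes, the TLS requirement from the Encryption section can be checked against the HTTPS port named in the warning dialog. The following PowerShell is an added example, not part of the Power Operation or AVEVA tooling; the function name `Test-TlsVersions` and the host name in the usage comment are assumptions.

```powershell
# Added example, not vendor code. Offers one TLS version at a time to the
# HTTPS port and records whether the server accepts it and which certificate
# it presents. Port 443 is the port from the warning dialog in step 4.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [int] $Port = 443
    )
    # Accept any certificate: the goal is to inspect what is bound to the port,
    # not to trust it. Trust is still established through the Configurator.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors) $true
    }
    foreach ($name in 'Tls', 'Tls11', 'Tls12') {
        $row = [ordered]@{ Protocol = $name; Accepted = $false; Issuer = $null
                           Thumbprint = $null; NotAfter = $null; Error = $null }
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
            # Offer exactly one protocol version so the server must accept or refuse it.
            $ssl.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]$name, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $row.Accepted   = $true
            $row.Issuer     = $cert.Issuer
            $row.Thumbprint = $cert.Thumbprint
            $row.NotAfter   = $cert.NotAfter
        }
        catch {
            # Handshake refused, connection failed, or the protocol is disabled
            # on this client; the message tells the cases apart.
            $row.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]$row
    }
}

# Usage (placeholder host name):
#   Test-TlsVersions -ComputerName 'sms-server.example.local' | Format-Table -AutoSize
```

A server that meets the "at least version 1.2" requirement shows `Accepted = False` for `Tls` and `Tls11` and `True` for `Tls12`. Run it from a client that still has the older protocols enabled, otherwise those rows fail locally and say nothing about the server.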