General Information on Configuring Microsoft SQL Server Connections

Overview

This chapter provides information on how to configure a connection to a Microsoft SQL Server database.

Microsoft SQL Server Software Components

The following SQL components are required to establish a connection to a database:

SQL server (not supplied by Schneider Electric):
- Microsoft SQL Server 2014 Standard or
- Microsoft SQL Server 2014 Express
SQL client (not supplied by Schneider Electric)
- Microsoft SQL Server 2014 Management Studio
Microsoft SQL Server database created with the SQL client

Supported Data Types

The following data types are supported for Microsoft SQL Server:

Category	Data types
Integer	BIGINT SMALLINT TINYINT INT BIT
Real	FLOAT REAL DECIMAL MONEY NUMERIC SMALLMONEY
Text	CHAR NCHAR NTEXT NVARCHAR TEXT VARCHAR
Temporal	SMALLDATETIME DATE DATETIME DATETIME2 DATETIMEOFFSET TIME
Other	SQLVARIANT UNIQUEIDENTIFIER

Considerations Concerning Cybersecurity for Microsoft SQL Server Connections

For database connections, consider the following:

Secured connections over TLS (Transport Layer Security) / SSL (Secure Socket Layer) are supported between the SQL Gateway and the Microsoft SQL Server database. The database may be located outside your industrial network; make sure to protect the TCP port of the SQL Gateway PC that is connected to the Internet by a firewall.
Communication must only be performed inside your industrial network, isolated from other networks inside your company and from the Internet.

NOTE: Schneider Electric adheres to industry best practices in the development and implementation of control systems. This includes a "Defense-in-Depth" approach to secure an Industrial Control System. This approach places the controllers behind one or more firewalls to restrict access to authorized personnel and protocols only.

WARNING
	UNAUTHENTICATED ACCESS AND SUBSEQUENT UNAUTHORIZED MACHINE OPERATION Evaluate whether your environment or your machines are connected to your critical infrastructure and, if so, take appropriate steps in terms of prevention, based on Defense-in-Depth, before connecting the automation system to any network. Limit the number of devices connected to a network to the minimum necessary. Isolate your industrial network from other networks inside your company. Protect any network against unintended access by using firewalls, VPN, or other, proven security measures. Monitor activities within your systems. Prevent subject devices from direct access or direct link by unauthorized parties or unauthenticated actions. Prepare a recovery plan including backup of your system and process information. Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING

UNAUTHENTICATED ACCESS AND SUBSEQUENT UNAUTHORIZED MACHINE OPERATION

Evaluate whether your environment or your machines are connected to your critical infrastructure and, if so, take appropriate steps in terms of prevention, based on Defense-in-Depth, before connecting the automation system to any network.
Limit the number of devices connected to a network to the minimum necessary.
Isolate your industrial network from other networks inside your company.
Protect any network against unintended access by using firewalls, VPN, or other, proven security measures.
Monitor activities within your systems.
Prevent subject devices from direct access or direct link by unauthorized parties or unauthenticated actions.
Prepare a recovery plan including backup of your system and process information.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

For more information on organizational measures and rules covering access to infrastructures, refer to ISO/IEC 27000 series, Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408, IEC 62351, ISA/IEC 62443, NIST Cybersecurity Framework, Information Security Forum - Standard of Good Practice for Information Security.

Authentication

SQL Server supports two types of authentication:

Windows authentication
SQL Server authentication

Select the suitable Authentication Mode in the Configuration tab of the SQL Gateway.

Authentication Mode > Windows uses the Windows user account of the SQL Gateway.

NOTE: If you use the Windows authentication, make sure that the SQL Gateway service is running under the correct Windows user account. Adapt the settings of the SQL Gateway (service name: SchneiderElectric SqlGateway Service) in the Windows Service Control Manager, if necessary.

Authentication Mode > SQL Server uses User Name and Password that are defined for the SQL Server login in the Configuration tab of the SQL Gateway.

NOTE: If you use the SQL Server authentication, make sure that your SQL Server installation allows this mode. To achieve this, select the option Mixed Mode in the SQL Server setup Database Engine Configuration > Server Configuration > Authentication Mode.