Cybersecurity

Overview

The SQL Gateway functions support secured connections over TLS (Transport Layer Security) / SSL (Secure Sockets Layer) between the SQL Gateway and MySQL databases or Microsoft SQL Server databases. If you configure these connections properly, the databases may be located outside your industrial network.

The SQL Gateway functions also support secured connections between the controllers and the SQL Gateway. If your controller does not support secured communication, you can configure unsecured communication between the controller and the SQL Gateway. In this case, communication must only be performed inside your industrial network, isolated from other networks inside your company and from the Internet.

NOTE: Schneider Electric adheres to industry best practices in the development and implementation of control systems. This includes a "Defense-in-Depth" approach to secure an Industrial Control System. This approach places the controllers behind one or more firewalls to restrict access to authorized personnel and protocols only.
 WARNING
UNAUTHENTICATED ACCESS AND SUBSEQUENT UNAUTHORIZED MACHINE OPERATION
  • Evaluate whether your environment or your machines are connected to your critical infrastructure and, if so, take appropriate steps in terms of prevention, based on Defense-in-Depth, before connecting the automation system to any network.
  • Limit the number of devices connected to a network to the minimum necessary.
  • Isolate your industrial network from other networks inside your company.
  • Protect any network against unintended access by using firewalls, VPN, or other, proven security measures.
  • Monitor activities within your systems.
  • Prevent subject devices from direct access or direct link by unauthorized parties or unauthenticated actions.
  • Prepare a recovery plan including backup of your system and process information.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

For more information on organizational measures and rules covering access to infrastructures, refer to ISO/IEC 27000 series, Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408, IEC 62351, ISA/IEC 62443, NIST Cybersecurity Framework, Information Security Forum - Standard of Good Practice for Information Security.

Firewall Settings

The SQL Gateway uses a specific TCP port for secured and another TCP port for unsecured communication through which the controllers send their SQL queries. Set up your network structure and configure your firewall so that the ports you are using are accessible to the controllers.

Password Protection

When the SQL Gateway is started for the first time, you are asked whether you want to assign a password to help protect the software from unauthorized access.

 WARNING
UNAUTHENTICATED ACCESS
Use password protection if your SQL Gateway PC is in any way accessible to unauthorized personnel.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

If password protection is active, you must enter the password each time you open the SQL Gateway Console.

After you have started the SQL Gateway, you can activate / deactivate password protection in the Settings tab by selecting the Password Protection node:

  • Select the Password Protection Active option to activate / deactivate the password for the SQL Gateway Console.

  • Click the Change Password button to modify the password for the SQL Gateway Console.

SSL Certificates

With each SSL encrypted connection, SSL certificates are verified. This helps to ensure that the SSL client is connected to the intended SSL server and vice versa.

For SSL encryption, two different types of certificates are available:

  • Server certificates:

    Certificates for the SSL servers. They serve two purposes:

    • Providing public and private keys to be used for encrypting data that is sent from the SSL client to the SSL server.

    • Providing information that allows the client to verify that it is connected to the correct SSL server.

  • Client certificates:

    Certificates for the SSL clients. They are not needed for encrypting data but only for client authentication. The usage of client certificates is optional, but may be required by the server to verify whether the SSL client is allowed to connect to the SSL server.

You can create self-signed certificates or you can use certificates signed by a certificate authority (CA). A short description on how to create self-signed certificates is provided in the Configuring SSL Encrypted Connections chapter for each SQL database type.

Validation of the Server Certificates

It is good practice for the SSL client to validate the server certificate when a connection is established, in order to make sure that it is connected to the intended server.

There are two different validation procedures that can be executed by the client:

  • Validate Certificate: This procedure verifies whether the server certificate or one of its root certificates is a trusted certificate. This means that it is available in the Trusted Root Certification Authorities folder of the certificate store.

  • Verify Name: This procedure verifies whether the subject name in the server certificate matches the name of the server in the TCP connection.
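The two procedures above, modelled in Python's ssl module as an added example (not code from the SQL Gateway or its documentation): the SSLContext settings that enforce "Validate Certificate" against a trusted root bundle standing in for the Windows certificate store, and our own implementation of "Verify Name" applied to the dict layout that ssl.SSLSocket.getpeercert() returns. The certificate contents and host names are constructed sample data.

```python
"""Added example: the two server-certificate checks described above, in
Python's ssl module. 'Validate Certificate' is the chain check the SSLContext
runs against its trusted roots (a CA bundle standing in for the Windows
certificate store); 'Verify Name' is our own matcher for getpeercert() dicts."""
import ipaddress
import ssl


def make_client_context(trusted_root_pem=None):
    """Client context that enforces both checks. Leaving verify_mode at
    CERT_NONE or check_hostname at False would accept any server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trusted_root_pem:                      # e.g. the self-signed server cert
        ctx.load_verify_locations(cafile=trusted_root_pem)
    else:
        ctx.load_default_certs()
    ctx.verify_mode = ssl.CERT_REQUIRED       # Validate Certificate
    ctx.check_hostname = True                 # Verify Name
    return ctx


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; '*' may replace exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def verify_name(peercert, hostname):
    """Verify Name: the dialled name must be in the cert (SAN first, CN only without SAN)."""
    san = peercert.get("subjectAltName", ())
    try:                                      # connected by IP address?
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_dns_match(n, hostname) for n in dns_names)
    cn = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cn) and _dns_match(cn[0], hostname)


# Constructed sample in the layout of getpeercert() for a database server cert.
SAMPLE_PEERCERT = {"subject": ((("commonName", "db01.plant.example"),),),
                   "subjectAltName": (("DNS", "db01.plant.example"),
                                      ("DNS", "*.plant.example"), ("IP Address", "192.0.2.10"))}
```

In a real connection the context performs the chain check during the handshake, and verify_name(sock.getpeercert(), host) reproduces the name check the ssl module applies when check_hostname is True.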

Managing Certificates in the Certificate Store

The certificate store is a Windows component for managing certificates.

To open the certificate store, proceed as follows:

1. On a Windows PC, execute the command mmc.

   Result: The Microsoft Management Console opens.

2. Execute the command File > Add/Remove Snap-In....

3. In the Add or Remove Snap-ins dialog box, select Certificates, and click the Add > button.

4. In the Certificates snap-in dialog box, select the option Computer account and click Next, then click Finish.

5. Close the Add or Remove Snap-ins dialog box by clicking OK.

   Result: The Microsoft Management Console contains two relevant Certificates folders:

     • Personal: Contains the server and client certificates.

     • Trusted Root Certification Authorities: Contains the trusted root certificates.

To import a certificate, right-click the Personal or Trusted Root Certification Authorities folder, and execute the command All Tasks > Import.... Follow the instructions provided by the Certificate Import Wizard. Select the option Automatically select the certificate store based on the type of certificate.

To assign access rights for a server account to a certificate, proceed as follows:

1. Right-click the certificate in the certificate store, and execute the command All Tasks > Manage Private Keys....

2. In the next dialog box, click the Add button.

3. Select the option Object Types > Service Accounts.

4. Click the button Locations, select the entry of your local PC, and click OK.

5. Copy the name of the service account to the text box.

To copy the thumbprint information of a certificate, proceed as follows:

1. Double-click a certificate.

2. In the Details tab, select the Thumbprint entry, and copy its Value.