Use SSL Certificates for Driver Communications
With some advanced drivers in Geo SCADA Expert, to enable those drivers to communicate securely with another device or application, you can use TLS. This uses certificates during the communications establishment phase to initiate a secure connection between Geo SCADA Expert and the other device or application. TLS provides integrity and encryption. Additionally, if you use authentication (which is strongly recommended for SCADA), the identity of the other party is validated before communications commence between Geo SCADA Expert and the other device or application.
If you choose to use TLS to provide a secure connection, you will need a set of certificates and private keys for Geo SCADA Expert and for the device or application at the other end of the connection (see What Certificates do I Require?). (When Geo SCADA Expert is a TLS client, this is the device or application to which Geo SCADA Expert is to connect. When Geo SCADA Expert is the TLS server, this applies to each device or application that is to connect to the relevant driver in Geo SCADA Expert.)
You should use your organization's private certificate authority (CA) to issue certificates. (This is the recommended approach.)
Alternatively, you can create self-signed certificates and private keys.
In each case, you can only use a certificate and private key file type that is supported by the driver that you intend to use in Geo SCADA Expert (see Which SSL Certificate File Types does my Driver Support?).
In order for Geo SCADA Expert to use the certificates, you have to store the certificates in the Geo SCADA Expert database. With the procedures below, you will find the SSL Certificate and Key and SSL Certificate database items in the Security branch of the Create New menu. The configuration Forms of both database items merely contain tabs of properties that are common to many database items (see SSL Certificate Database Items).
To use certificates issued by your organization's certificate authority:
1. Obtain the required certificates and matching private key. You do this via one of the following (whichever is applicable):
   - Create a certificate signing request (CSR) and the private key. Send the certificate signing request to your organization's certificate authority. The certificate authority will use this to issue you with an end-entity certificate, along with any intermediate certificates and the certificate authority's root certificate.
   - Ask the certificate authority to issue you with an end-entity certificate and matching private key, along with any intermediate certificates and the certificate authority's root certificate.
2. Ensure that the certificates and keys are of the appropriate file type. Convert them to the required file type if need be (see Which SSL Certificate File Types does my Driver Support?).
3. Merge the end-entity certificate and any intermediate certificates into a single file (see What Certificates do I Require?).
4. Create an SSL Certificate and Key database item.
   Use this database item to import and store in the database the end-entity certificate that the certificate authority has issued for Geo SCADA Expert, along with the matching private key and any intermediate certificates (see Import an SSL Certificate into the Database). Each SSL Certificate and Key database item can only contain one end-entity certificate along with any intermediate certificates that are required to verify that certificate (the root is not required).
   When Geo SCADA Expert is a TLS server, this certificate is used in the creation of the secure connection. Additionally, if the TLS client authenticates the TLS server (which is recommended), this certificate is also used for that authentication.
   When Geo SCADA Expert is a TLS client, this type of database item is only required if the TLS server is configured to authenticate the TLS client (this is recommended). In that case, the server to which Geo SCADA Expert is connecting uses this certificate to verify Geo SCADA Expert's identity.
5. Reference the SSL Certificate and Key database item from the relevant driver-specific item. This type of database item varies per driver; however, for many advanced drivers, it is one of the following:
   - An Outstation database item that represents a network connection and is a TLS client (see Configure the Security Properties of a Network Connected Outstation).
   - A Channel database item that represents a TCP/IP connection and is a TLS client (see Configure the Security Properties of a TCP/IP Connection).
   - A Channel database item that represents a network connection with a Listen Port enabled and is a TLS server (see Configure the Security Properties of a Network Connection).
   (For database items not mentioned here, see the relevant driver-specific guide for details.)
6. Create an SSL Certificate database item.
   Use this database item to import and store in the database the certificate authority's root certificate, so that all certificates issued by that certificate authority are trusted (see Import an SSL Certificate into the Database).
7. Reference the SSL Certificate database item from the same driver-specific database item that you used in step 5. This type of database item varies per driver; however, for many advanced drivers, it is one of the following:
   - An Outstation database item that represents a network connection and is a TLS client (see Configure the Security Properties of a Network Connected Outstation).
   - A Channel database item that represents a TCP/IP connection and is a TLS client (see Configure the Security Properties of a TCP/IP Connection).
   - A Channel database item that represents a network connection with a Listen Port enabled and is a TLS server (see Configure the Security Properties of a Network Connection).
   (For database items not mentioned here, see the relevant driver-specific guide for details.)
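The following is an added example, not part of the Geo SCADA Expert documentation or product: it walks through steps 1 and 3 of the certificate-authority procedure with OpenSSL, using a throwaway private root CA and one intermediate CA so that the merged chain file (end-entity certificate first, then the intermediate, root left out) can be verified against the root before it is imported. All names, CN values and file names are placeholders chosen for the example; the file type required by your driver may still need a conversion afterwards.

```sh
#!/bin/sh
# Constructed example: private root CA -> intermediate CA -> end-entity cert from a CSR,
# merged into one chain file for the SSL Certificate and Key item, then checked.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Run a command silently but keep its exit status (set -e aborts on any failure).
q() { "$@" >/dev/null 2>&1; }

build_chain() {
  # Extensions that mark the intermediate as a CA that may sign certificates.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # Self-signed root, standing in for the organization's private CA (placeholder CN).
  q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"
  # Intermediate CA: its CSR is signed by the root with the CA extensions above.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr"
  q openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem"
  # Step 1: CSR plus private key for Geo SCADA Expert; only the CSR goes to the CA.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=geoscada.example.local" \
    -keyout "$WORK/geoscada.key" -out "$WORK/geoscada.csr"
  # The (intermediate) CA issues the end-entity certificate from that CSR.
  q openssl x509 -req -in "$WORK/geoscada.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -out "$WORK/geoscada.pem"
  # Step 3: end-entity certificate first, then intermediates; the root is NOT in this file.
  cat "$WORK/geoscada.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# Number of certificates in a PEM file (end-entity + one intermediate gives 2 here).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The check a peer performs: only the root is trusted, and the chain file must supply
# whatever intermediates are needed to link the end-entity certificate to that root.
verify_chain() {
  q openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/chain.pem"
}

# Before importing, confirm the private key matches the end-entity certificate.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$WORK/geoscada.pem")" = \
    "$(openssl pkey -pubout -in "$WORK/geoscada.key")" ]
}
```

Running verify_chain without -untrusted would fail for any certificate issued via an intermediate, which is exactly why the intermediates belong in the merged file alongside the end-entity certificate.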
To use self-signed certificates:
1. Create the self-signed certificate and private key for Geo SCADA Expert.
2. Ensure that the certificate and key are of the appropriate file type. Convert them to the required file type if need be (see Which SSL Certificate File Types does my Driver Support?).
3. Create an SSL Certificate and Key database item.
   Use this database item to import and store in the database the self-signed certificate for Geo SCADA Expert, along with the matching private key (see Import an SSL Certificate into the Database).
4. Reference the SSL Certificate and Key database item from the relevant driver-specific item. This type of database item varies per driver; however, for many advanced drivers, it is one of the following:
   - An Outstation database item that represents a network connection and is a TLS client (see Configure the Security Properties of a Network Connected Outstation).
   - A Channel database item that represents a TCP/IP connection and is a TLS client (see Configure the Security Properties of a TCP/IP Connection).
   - A Channel database item that represents a network connection with a Listen Port enabled and is a TLS server (see Configure the Security Properties of a Network Connection).
   (For database items not mentioned here, see the relevant driver-specific guide for details.)
5. If you are configuring Geo SCADA Expert as a TLS client:
   i. Obtain a copy of the device's or application's certificate.
   ii. Create an SSL Certificate database item to import and store in the database the device's or application's self-signed certificate, so that it is trusted (see Import an SSL Certificate into the Database).
   iii. Reference the SSL Certificate database item from the relevant driver-specific item (the database item that represents the device or application to which Geo SCADA Expert is to make a secure outbound connection). This is the same database item that you used in step 4. The type of database item varies per driver; however, for many advanced drivers, it is one of the following:
      - An Outstation database item that represents a network connection and is a TLS client (see Configure the Security Properties of a Network Connected Outstation).
      - A Channel database item that represents a TCP/IP connection and is a TLS client (see Configure the Security Properties of a TCP/IP Connection).
      (For database items not mentioned here, see the relevant driver-specific guide for details.)
6. If you are configuring Geo SCADA Expert as a TLS server:
   i. Obtain copies of the certificates of all of the devices and applications that are to connect to this TLS server.
   ii. Either merge all of the certificates into a single file, provide separate certificate files for each device or application, or provide a combination of merged and individual certificate files (see What Certificates do I Require?). You store each certificate file in an SSL Certificate database item.
   iii. For each certificate file that you produced in step ii, create a separate SSL Certificate database item. Use each database item to import and store in the database the certificate file that contains the self-signed certificates of those particular devices or applications that are to connect to the server, so that those certificates are trusted (see Import an SSL Certificate into the Database).
   iv. Repeat step iii for any other certificate files that you produced in step ii.
   v. Reference each SSL Certificate database item from the relevant driver-specific items (the database items that represent each device or application that is to make a secure inbound connection to Geo SCADA Expert). This is the same database item that you used in step 4. The type of database item varies per driver; however, for many advanced drivers, it is the following:
      - A Channel database item that represents a network connection with a Listen Port enabled and is a TLS server (see Configure the Security Properties of a Network Connection).
      (For database items not mentioned here, see the relevant driver-specific guide for details.)
SSL certificates are referred to as 'digital certificates' in some third-party documentation.
Further Information
For more information about Geo SCADA Expert security, see the Geo SCADA Expert Knowledge Base.