Ignition SCADA Migration: Regional Deployment to Replace Cygnet (Texas, USA)

The South Texas operating region was selected as a full scale migration pilot prior to rollout to the entire midstream organization. Cygnet had become too expensive to maintain, did not have the desired features requested by Operations and was not secure enough for modern OT environments. The midstream operating company elected to migrate to Ignition, and to re-architect their SCADA network to facilitate a secure deployment, harden their control room endpoints, and build-in fault tolerance and rapid data recovery.

Security for a SCADA system must be robust and effective but transparent to the end user, and should not be security for security’s sake. Security measures should be built in, should work in the background, be intuitive, and not require additional time or effort from operating personnel who are already busy with their control system duties.

Work Stream A: Protocol and Communication Traffic Analysis
During this workstream all Cygnet system to system traffic patterns were collected and analyzed. Connected systems were identified and documented, Cygnet users were rationalized using a least-privileged methodology and an Operating Philosophy was developed for how SCADA would be run and maintained going forward.

Work Stream B: Secure Architecture and Design
Based on the data from Workstream A and supported by the previously developed Reference Architecture, a secure design that optimized the Ignition SCADA system was created and implemented. Using IEC62443-3 Zones and Conduits, an architecture was established and new security groups were implemented to allow Operations personnel to manage the SCADA system with less overhead than Cygnet previously required.

Work Stream C: Endpoint Hardening
Endpoints were hardened by closing unnecessary ports, restricting user rights, limiting admin accounts, renaming and disabling unneeded accounts, and by disabling services and applications not required for Ignition to be used. As expected, a robust patch and update cycle was implemented for the new Ignition servers and workstation endpoints.

Work Stream A: Protocol and Communication Traffic Analysis
• Cause: Lack of documentation on what system to system traffic and what protocols and ports were being used across the various operating assets.
• Effect: Continued use of insecure legacy protocols like OPC-DA and others exposed the organization to significant risk from network exploitation, as well as firewall rules that were overly generalized, allowing too broad a range of network traffic to and from the IT and OT networks.
• Solution: Implementing Ignition using its built-in secure protocols and architecture, plus rationalizing all network traffic to determine how essential each systems communication patterns were.
• Outcome: By taking the time to identify Cygnet traffic patterns and user account status, the new Ignition SCADA system was streamlined and more efficient, with tighter control over network protocols and user access. A resilient and secure network was implemented allowing for growth and future changes.

Work Stream B: Secure Architecture and Design
• Cause: Cygnet had been organically grown and expanded over the years without a formal operating philosophy.
• Effect: There were limited controls on user access, and no oversight to what systems were allowed to communicate, effectively allowing most insecure protocols to connect to anywhere in the organization.
• Solution: A secure design was implemented that rationalized exactly what systems were allowed to communicate, and eliminated insecure protocols, or limited their use to internal network zones only, for example.
• Outcome: The organization had a strong baseline and a robust operating philosophy that allowed for secure operation and secure growth as the organization expanded, including mergers, acquisitions and divestitures.

Work Stream C: Endpoint Hardening
• Cause: Cygnet had previously not been using a patch or security update cycle, or a hardware lifecycle management plan.
• Effect: Legacy systems were not monitored for health status, anomalous traffic, unauthorized user access or excessive use of privilege, and were not patched with any frequency, leaving them vulnerable to Ransomware or Malware attack.
• Solution: An operating philosophy was developed which included patch frequency, criticality matrix, rationalized user account access and endpoints were deployed already hardened to Ignition specifications as well as appropriate industry recommendations. USB control was implemented along with only using secure protocols, eliminating unnecessary ports, Windows level personal firewalls and not installing any software not strictly necessary for operating the asset.
• Outcome: Ignition was deployed from the ground up in a secure manner, with appropriate asset management, patch cycles, least privileged user access and fault tolerance with rapid disaster recovery capabilities.