Avoid Risk: Why Cybersecurity is important now more than ever | GE Vernova


Hey guys, I'm gonna be on audio only, so you'll have to move the slides. Behind every great result, there's a story of innovation and collaboration. There's a lot more collaboration between our customer and us, and it's because we can share data. Our Proficy software customers aren't just clients. They're partners in progress.

For more than 20 years, we've worked with you to accelerate the digital revolution and drive real results within your industrial operations. The software takes production data and the use to make sure that some machine operators and, uh, managers are able to make the right decisions at the right time. Proficy isn't just a tool. It's the engine driving your success forward and the solution enabling your enterprise to decrease costs, increase profits, reduce waste, improve efficiency and much more. The data's in the Proficy system, but it's not just about the numbers, it's about the people.

Together, we empower teams, accelerate innovation and drive toward a future that's brighter, more sustainable, and more profitable than ever before. We invite you to experience the power of smart and sustainable operations with Proficy from GE Vernova.

Hey, good morning.

Uh, my name is Paul Adams. I'm the Director of the Solution Provider Program, uh, based in the Americas. I'd like to welcome everyone to our second webinar of the Tech Talk series, avoiding Risk, avoiding Risk, why Cybersecurity is important Now more than ever, manufacturer. For cyber attacks that can disrupt operations data and impact their, about Horton, uh, for preventing cybersecurity threats.

And it's crucial. So just if we can move, let me see if I can move there. Uh, housekeeping items before we get started, I'd like to, uh, go over. Slide yet. There we go.

Um, so if you look at this, uh, we have the orange chat button. Uh, we can submit your questions, uh, throughout the session. Uh, we'll, we'll try to get to all of them if we can. If we can't, um, contact myself for more information on our.

Solution provider program, so that please reach out to me with, uh, your feedback. Would love to be out with more of the sis. Um, that, um, the blue paper clip icon, you can, uh. Um, the orange, uh, you can access by, um, refreshing your browser, which is something I had to do already this morning.

So I, and finally, um, and we will send. The recording and the slides as well. Your audio preeminent expert.

Uh, can you switch to your phone or I can take over? Yeah, take it away, Chad. Okay. Take it away, Chad. Yeah, we're okay. Hey everyone. Sorry about the audio issues.

Um. Hopefully you caught enough of that or you can see on the slide here that you know what the different parts of the webinar will do. So, uh, let us know if you have any questions in the chat, but, uh, yeah, so I'll get just to do a quick introduction of myself. I'm Chad Smith. I am the, uh, Product Manager for our, um, CIMPLICITY product, but I work closely together with our product management team and cover the Proficy portfolio.

Um, I'm happy to kind of talk to you today about our, about cybersecurity, so I'll just get started on that. Hit the next button here. Okay, so yeah, here's our agenda today. We're gonna go over some of the, over some of the challenges that, you know, we face in manufacturing and in in our work. Uh, when it comes to cybersecurity.

We'll talk about how to secure, you know, your, your systems, your, your, um, manufacturing systems, how we can help you with that. And then we'll have time for Q&A and, and as we, I think you can see on the overview slide, you can go ahead and put, um, you can go ahead and put, uh, um, questions in the chat at any time.

And at the end we'll go through those. So I'll just go to the next slide here. So. Um, you know, you're probably aware that, you know, cyber attacks are prevalent in the world today. Uh, this slide just kind of gives a bit, you know, some surveys that have shown where we see the percentage of cyber attacks in, you know, in different industries.

Uh, this was done in 2023, so you can see manufacturing is the top attacks, um, area from a cyber attack. Um, landscape. Even just this morning, you know, I opened up my email and the very first, uh, newsletter, you know, listed, suspected 4chan hack could expose longtime, um, anonymous admins.

So it's, it's very prevalent. We see it more and more, it's settling. That definitely has to be top of mind as we design our systems to be, um, protect them. Um, especially in the manufacturing environment where we run critical infrastructure and it has. You know, important consequences when things don't, when things are attacked.

So, you know, from that perspective, this is some of the top kind of challenges that, that your customers, our customers are facing when it comes to cybersecurity and, and attacks, you know, all the way from, uh, you know, malicious, you know, direct attacks to, um, just things that can happen through human error. Um, I. You know, our customers are having to think about it, not just from an attack perspective, but also just from reacting to regulatory pressure to implement standards, uh, and, and spend time and money, um, to comply. Um, so, you know, the whole spectrum of, of, um, areas that need to be thought of and taken into consideration as you secure systems, uh, out there. So, um. Just pause, I'll just kind of let you scan through that.

There's, you know, a number of, like I say, a number of different challenges that are being faced today and that's why we're talking about it. And that's why we wanna, um, walk through some of these, um, things that we can do or we can, and that we can help you with in securing our, your, your implementations and, um, implementations of our software in our customer environments. So the, uh. You know, I've mentioned critical infrastructure, you know, water wastewater is one an example of that, that, you know, this is a, it's a critical infrastructure and various, you know, to the point that various government, uh, government and organizations have put together standards to help secure that critical infrastructure from CISA in the United States to, to NIST and then other you European initiatives, um, that are being implemented and, and discussed and, and actually enforced, in some cases, to make sure that we protect our critical infrastructure.

Let's talk a bit about, you know, securing the systems that we imp that, uh, we deploy our software into. So, you know, security is always a balancing act. Uh, the more secure something is, often it is harder to set up and use.

On the other hand, the less secure it is, you know, or the more easy it is to use and, and make available the less secure it can be. So, you know, there's this, uh, model called the CIA model, which is confidentiality, integrity, and availability of the systems and data. And typically from an IT perspective, the most focused on areas, typically confidentiality, making sure that only those people that need to see information can see information and then, you know, to the lower priority of, you know, you know, um, making sure anybody that wants or needs to get information can get to it. So the, the, the focus in IT is generally on confidentiality, followed by integrity and availability. Whereas often in OT systems, it's, it's almost a reverse where it's really important that the availability of the system is, you know, um.

That, that the right people can get to the right data at the right time to make sure that they, you know, the system is, is running well. That, that there's visibility into, you know, what's going on. You know, you know, not to say that, you know, these other pieces aren't important, but there's just a balancing act that has to be considered as you implement, um, the IT and OT systems, you know, as part of, um. In, you know, implementing solutions for our customers.

And so there's no one right answer. It really is one of those things where you have to kind of take a look at the situation, take a look at what we're trying, you know, what you're trying to, um, manufacture or monitor, and make sure that the right balance is being struck between availability, you know, confidentiality, confidentiality, integrity, and availability. So these are some of the things that you can do and you're, as you, uh, to kind of bolster the defense against cyber attacks. So it really comes down to, um, you know, mo, you know, being aware really and being intentional about it. So you can do this by starting, you know, to just be on watch for alerts or advisories of.

You know, um, vulnerabilities or, or, or updates that may be available and maybe needed to be applied to the system. As you know, um, vulnerabilities are encountered or attacks happen. You know, typically when an attack happens, there's a response and, and, you know, fixes offered. And, you know, often in the form of patches to software or to common components or to open source, um, components. And if you're not aware of those and watching for those, you may be vulnerable without even realizing it.

So, you know, there's lots of resources like we mentioned with the CISA, um, you know, websites and, and publications to kind of explore. So the next recommendation is really to explore those resources and understand kind of the, the recommendations and the standards being, being, uh, implemented so that you can apply them to the situations that you're helping to solve with our, with your customers. So, you know, as you become aware and or stay aware of what's happening on the cybersecurity landscape, it allows you to then organize yourselves, um, or, or help your customers organize themselves to be, you know, to be, um, monitoring for these things, which, you know, may involve designating representatives or cross-team, um, representatives to make sure that there's awareness and training happening, um, and implementations happening in your systems to, to be aware of and secure, um, your data, your, your software, et cetera, which then, you know, requires you to think about, you know, how do we plan for that? How do we, do we need to create an incident response plan if something happens? How do we react to that? Are we regularly, you know, are you regularly monitoring the network and the system that's that's implemented this to, and using tools to, um, to watch for, you know, who's accessing the system and where, you know, how.

What is the state of your devices across the network? Are they online? Are they, are they being flooded? Are they, are there any attacks happening? So there's tools out there I showed on monitoring tools and, and, um, and just, so it really just requires, you know, intentionality and planning, um, in this, in the current landscape to, to be aware of these things and to, to put um, uh, influence, put things in place, plans in place to, to be aware of and to respond to. Any threats that may happen. And then as you know, as part of that, you know, it would, if you don't, like, if you were, I remember growing up, you would, in your, in school, you would have your fire drills, right? And that's so that when something does happen, it's not the first time you've run through and tried to figure out what to do. So simulating, um, running drills, um, simulating what could happen and, and measuring how you're responding to it and, and making adjustments so that you are ready when a real time.

Event may happen, and then, you know, out of all of that work, you can then start to plan and minimize the attack surface that is available, whether that's through consolidating and having, um, consolidating your system, working together with your IT team, um, and just, you know, looking to secure, you know, firm up the parts of your system that's not, that are not, um, strong enough based on those simulations and on that planning and those investigations. All of these steps can help you to kind of help, you know, in your, in the systems that you implement and the customers you work with to help to, to create a strong defense against cyber attacks. So, um, so there's this concept of zero trust, which it's an interesting concept where, you know, zero trust doesn't sound very great, but when it comes to.

Um, protecting critical infrastructure or critical systems, you need to really start at a place of zero trust and then only move towards trust in, in, in, when it makes sense and in the right way. So one of the interesting ways to maybe think about this, uh, uh, uh, um, a system is in terms of like a medieval castle if, and, and protecting against attacks. So, for example, on the right hand side there, you know, when you think about identity. Those that are accessing the system, you know, if they approach the castle, are they are, are they who they say they are? Are they a citizen of the realm or someone trying to sneak in? Right? Um, how have you make sure that, that, that they haven't stolen somebody's credentials and are, are, are, you know, are coming in under false pretenses? So identity and who, who's accessing the system and if they're allowed to, um, come in is important. Which kind of leads to the next, uh, type, um, part of the equation, which is what can someone entering the castle do? You know, what someone who is logging into the system, what, what are they allowed to do? Are they only allowed to do the things that, that they have permission to do? You know, have, do they have a room? Do they have a key to their, their room in the inn, or do have you inadvertently given them, you know, keys to the armory or the vault? So, you know, just.

Different ways to think about it. So, and then session management, this is, you know, have they stayed longer than they should have stayed? Are they, you know, you know, when I go and, you know, I live in Canada, when I go to the US and I cross the border, they ask, how long are you gonna stay? And if I stay longer than that, that could be flagged. Right.

So, you know, in terms of session management, so they, you know, are we, are we, um, making sure that sessions are, are being, um. Aren't staying up longer than they need to, especially if they can be accessed by anyone. Um, walking down the hall, uh, the administrator, you know, is that need to be sparing and careful about who has administrative access and has that, you know, and, and does that need to be, you know, changed or updated in terms of passwords, you know, does that, you wanna make sure that some trusted guard at the castle hasn't been bribed and, and, and, you know, is now. Uh, a bad actor, uh, client connections. You know, are people only entering by the drawbridge or is somebody tunneling underneath the wall? Right? Being aware of and restricting who can access the system and monitoring who's accessing the system can be a key part of, of the zero trust equation.

Service to service connections. You know, even once inside is something going on that shouldn't, shouldn't be happening, is the, is the knight flirting with the queen behind the king's back, so to speak. Right. Like there's still, you know, even within this, the system and the software that you implement in the system, are you ensuring that the, the, the right levels of trust are being set up? Delivery of ins of an, of the installer. You know, this is kind of like the Trojan horse, like as we deliver software and install software, as we download software, are we making sure that it's, you know, software, you know, it's, it's the software we think it is, and it's not something that's been snuck in. Either through, you know, human delivery or through the network.

Um, and speaking of the network, you know, that's a critical kind of gateway that needs to be, um, um, monitored and controlled of who, you know, what, you know, many systems are air-gapped, right? They don't have access to the internet. There's a reason for that. You know, are we making sure that we're, um, securing that? And finally, the software itself, like the brick and mortar, are they, you know, are they. Kinda like the castle.

There's make sure that there's not, it's not crumbling on the inside or the lumber isn't rotting, like keeping the software up to date. Um, having, you know, really old versions of software means they probably are missing some critical patches and critical security, um, capabilities that have been added to the software in response to vulnerabilities that have been found if we're not running software that is up to date and, and, um, able to handle these kind of attacks. Then you're at risk, right? So that's kind of the zero, the zero trust concept. And, you know, our SCADA solutions have a lot of features that allow you to kind of guard against these and make sure that, that you're following that, um, those patterns that keep things safe. So, for example, like I mentioned, you know, on a regular basis, we, we update our software with the latest, not only with new features and not only with bug fixes, but also. Patches for, um, open source software that our software may use, or even patches for any vulnerabilities found, um, you know, with our software.

So keeping up to date is a key part of that. Uh, you know, the authentication provider that you use has, you know, is it up to date? Is it, does it allow for modern, uh, implementations of authentication? So, for example, our Proficy Authentication software or component of our, of our portfolio allows you to do multifactor authentication and, and, and, and manage, um, those identities and those per user permissions and the access, who has access and, and passwords and all those kinds of things are, are, you know, the latest, the Proficy Authentication software is where we're updating the latest technologies and, um, capabilities when it comes to authentication. So incorporating that into your solutions can be a great way to keep things secure.

Um, you know, just monitoring and making sure the user permissions that are granted to different users. Um, the, you know, the software allows you to do that, whether in Proficy Authentication or in the products themselves. You have the ability to, to designate which users can do which, um, uh, functions in our software as they run the systems.

Our software also allows you to, you know. Have allowed lists for what clients can connect to the SCADA server, for example, or which projects are allowed to run, or which screens, um, you know, checking to make sure that screens haven't been tampered with. All of, you know, these are features that, that our SCADA solutions offer that you can set up, um, to make sure that your system stays secure. Um, enabling session timeouts and being able to, um, have fallback to. To lower, um, lower, uh, accessible users, you know, for permanent displays or, or, or, or displays that may be, you know, unmonitored for a while and anybody can access. It's important to kind of keep those in a session state where that, that makes sense for, for who's using it and when, um, you know, back to the, the delivery of the installer, like as you bring software into the system and install it.

Or you can, you know, we. We digitally sign our software, which allows you to check to make sure that it's, you know, it's delivered by who says that we're delivering it so you can check and make sure that it's signed by GE. Right.

And then of course, just in, in the communication protocols, you know, more and more that the protocols are, that are being developed in a modern way, like OPC UA are based on, uh, or have built in, um, security. Using, uh, certificate based protocols. And so we'll talk more about some of these things, but these are some of the areas that, that we, uh, we, we provide features and capabilities for in our SCADA solutions to help you maintain that zero trust environment and to keep things safe. So this is just a little bit, this is a slide a little bit, kind of going over a bit more of what our Proficy Authentication formerly called.

You know, it was called UAA originally. We've, uh, changed that name to Proficy Authentication, but this is really around centralizing and simplifying the authentication management and providing improved security. So what Proficy Authentication allows you to do is essentially have a single sign-on across all of our Proficy portfolio, allowing you to manage your users and groups, uh, from a single location and enable things like multifactor authentication.

Um, it's, you know, it supports, um, uh, Active Directory and LDAP, um, connections, allowing you to have a nested Active Directory group support, uh, you know, support more than one LDAP server or, and having multi domain support as well as SAML support, um, which allows you to do that, that, uh, um, multifactor authentication. So this is something that, if you haven't already considered it, is something we would encourage you to look at as you implement systems for our customers. I talked, we talked a little bit about OPC UA, um, you know, OPC UA is, you know, our, our SCADA solutions leverage OPC UA heavily in terms both of bringing data into this data for management, but as well as exposing data from our data servers through OPC UA servers and OPC UA is inherently built to be securable, through different levels of encryption, um, and through certificate, um, trust requirements so that only those who are trusted can actually retrieve the data from a SCADA system, for example. And we provide, you know, um, some tooling and capabilities to allow you to manage that.

You know, one of the, like I mentioned, you know, security is one of the things where the more secure you are sometimes the harder it is to set up and use. And so, um. Over the years, we've developed tooling to help manage certificates.

One of those, one of those capabilities is our Global Discovery Server, which is part of the OPC UA specification for being able to manage and sign certificates, um, and keep them up to date and manage trust lists and things like that, as well as, as we are, you know, in our, in our Proficy portfolio. As we going forward, we have, you know, we continually on our roadmap look for ways to, um, make it easier to, uh, manage and, and, um, centrally, uh, manage your certificates and be able to keep them up to date when they expire. Um, be able to make sure that we can, uh, have proper trust as we, as the communications, um, are built between our products and our services.

So where can we help? Um, let's, so, you know, in our, as we build the Proficy portfolio and the, and the, and the products and the capabilities within that portfolio, we follow a rigorous software development lifecycle. And I just wanted to highlight some of the things that we do as we do that. So.

You know, that starts with, you know, as we, as we start to, um, plan for the features that, you know, based on the feedback from yourself and from customers, as we, as we lay out the requirements and the design, you know, through proper, you know, through training of our development, um, organization. And, and we, you know, we have regular trainings on, you know, building secure software. As we do the design, we're always thinking about, you know. How is this going to, you know, affect, you know, the security of the system? And that comes down to doing things like threat modeling.

As we review the design, thinking about the attack vectors that may be, um, being exposed, for example, as, as we make it easier to use our software by exposing, you know, REST interfaces into configuration or runtime data. You know, that becomes a threat vector and. And we have to think about how are we protecting that, those REST interfaces, making sure that only those who have the right permissions in the system can actually come in through an API and make changes or retrieve data. So that's all part of the planning and the modeling that we do. Um, you know, and then of course, you know, we take advantage of the latest tools for, for scanning our software. Either, you know, at rest or in dynamic, um, runtime kind of.

Uh, data transfers where we have not, you know, we run this on a regular basis with it as we do development, as well as at the time of, you know, release. We, we work closely with a red, we call 'em our red team or our security team that essentially, you know, does a rigorous pass on our release ready software to make sure that, and, and tests of attack vectors and simulates it, you know, attacks to, to call out and find those areas where it may be. Vulnerable so that we can, we can address those before we actually deploy them out to, um, to be used by our customers. So those, all of these steps allow us to kind of, you know, start from the beginning and build in, um, secure software and secure access to our software as we go forward. So. Uh, you know, kind of going on that same theme, you know, it, it is a high priority for, uh, GE Vernova to, to be, um, able to, to have this secure process.

And so as we, we do this, we are, you know, certified in a number of certifications that, that really kind of, uh, a kind of a check to see that we're following processes that are, that, that, that will create secure, um, products. So those, um. Those certificates. You, if you want to go kind of see some of what we have in place there, you can go to our, um, our, our, our website at gevernova.com/software/cybersecurity, and we kind of go through some of what I just talked about in terms of our process as well as our certifications and also what we, what's available, um, both on this site and on in our online help. For all of our products, we, we, we, um, we have developed and we keep up to date on a regular basis. Our, um, secure deployment guides or SDGs as we call them. So if you go to our, you know, for example, if you're to go to the CIMPLICITY online help, you'll, or iFIX or any of our products, you'll see a link that will allow you to see our secure deployment guide.

And this is a guide that walks through, you know, how to harden a system and how to set up our software in a way that's secure and working together, you know, both with the features and capabilities that are built into the software, as well as, you know, just the system, um, tools that are out there, whether it's securing Windows or IP security, um, setups that allow you to secure your system and, and gives you guidance on, you know, what ports you should or shouldn't, maybe consider opening how to, you know, architecture diagrams to be able to see how to, you know, where, where trust should be and, and, um, kind of garden and, and firewalls should be put in place and, and, um, you know, DMZ zones and things like that. All of those are outlined in our SDG or our secure deployment guides and are really good resources to allow you to, um, make sure that you're helping your cust our customers to, uh, and your customers to, to build secure systems.

So here's some facts to consider, um, that, you know, kind of go along with this whole, um, attack, you know, concept of being, of, of making sure that you're running systems that are, that are secure. So one of the things to consider is that Microsoft will stop supporting Windows 10 by October 2025. Um, and you know this, you know, when you continue to run software that it, that goes out of support. You know, you run the risk that you're not getting the latest updates and security patches that will, you know, potentially make those systems a target, um, for hackers.

So here's some things, you know, as you think about that and as you think about the systems that you may be, um, involved in, in, um. Taken care of or implementing. You know, as you know, sometimes those, uh, moments when, uh, you know, operating systems go out of, out of date and you need to think about upgrading. That upgrade process is a great time to think about a number of other factors that you know, since you're already going to be having to update to newer operating systems or newer hardware.

These are some things to think about as you, as you do, you know, go through that process. So that's a great time to think about enhancing the security of your systems. You know, are you following the secure deployment guide that we outlined? And, and making sure that as you kind of refactor the system that you're avoiding obsolescence through updating to the latest software, um, and patches as well as, you know, doing some of those steps to make sure your system is, is set up securely.

Um, it's also a good chance to think about, you know, how are, is there an opportunity to mod, modernize your user experience? Um, you know, as we, you know, if you've been running older versions of, of your, so of our software, now's a good time to take a look at what we offer, um, with our latest versions from things like Operations Hub that lets you modernize your user experience and make it available, um, anytime, anywhere in browser form or being able to start to, uh, use some of those capabilities to mobilize your application so it can be accessible, um, you know, from mobile devices. You know, also thinking about taking a, you know, as we, in our modern age, you know, AI and, and the analytics are a, you know, a hot topic and it's, it could be a real enabler for, um, how you either implement systems or how you help your, your operators or your users to, um, take advantage of, of the data that they have, they're collecting from their system. So, um, one of the things that to be aware of is that in the last release, we are now going forward, we offer, um, a free runtime license to our CSense analytic package that allows you to try out and start using, um, the analytics built in and, and created in our portfolio. So be aware that, you know, we're trying to make it easier and easier for you to be able to use the tooling and the capabilities, um, to do analytics, um, within the Proficy portfolio.

Great. And with that, I'll, I'll hand it over to Paul to kind of close this out here and, um, it's been a pleasure speaking with you.

Fantastic. Thank you, Chad.

I hope you can hear me better now. Yeah, we definitely can. Oh, okay. Fantastic.

That was excellent. Thank you so much. I apologize, uh, for the audio, uh, before, such as the peril of being in a hotel room. Um, so while we wait, uh, please take a look at the orange question mark icon and uh, post your questions. Um, while we wait for questions to come in, I just wanted to.

Make sure that everyone is aware of the resources that are available, um, to the system integrators. So, uh, there's a wealth of information available to the SIs. Um, so this slide shows where you can go to for one, to roll in the edge, um, to get all the training that is available.

There's a lot of free on-demand training, uh, available. Also, there are badges, um, for CIMPLICITY, iFIX, Operations Hub, Plant Applications, a lot of great stuff there. Always new stuff being added as well as certifications, um, and automation as well as manufacturing. Um, number two is the, the seismic portal.

Uh, for support materials you can take for, uh, information to, to help with, uh, sales and marketing. Uh, there's a lot of customer stories up there, um, as well that you may find, uh, helpful. Uh, number three is the customer center, so ensuring that, uh, you have access to the customer center so you can, uh, enter cases against products you can have access to, to knowledge base, et cetera. Uh, and then finally, um, the solution provider LinkedIn page is available. So, you know, we, we put out information there on upcoming events, et cetera.

So a great way to stay connected. So, so try to, uh, grab that, um, as well. Um.

So there is a, a take action button where you can kind of reach out, um, to us and give us feedback more about the program, et cetera. So please take advantage of that. I also wanted to, uh, direct your attention to the pink survey icon.

So take some time to fill that out around today's session as well as, uh, what you're hearing, um, from our customers. Um, one other item of note, we are sending out our annual, uh, VOC survey to, um, SIs at the end of the month. So look for that in the mail and it helps us, uh, improve the program.

So please take a look at that and, uh, we go from there. Okay. So, uh, with that, uh, we'll start going through some of the questions and there's a few here, um, Chad, so I'll read them out to you and you can, uh, answer. Um, the first one is, if you keep the OT network isolated or air gap, is there still a need for the same level of security? Yeah, I'll, I'll, I'll take a crack.

You know, kind of like that slide I showed about the top security challenges facing customers, right? There's multiple ways for an attack to happen, not just through a network, right? So whether that's like doing one of the people that are working on the plant, walking in and inserting their USB feed in and pushing something in, or clicking on a malicious email or it gap. Actually comment if you have any thoughts there. Yeah, I mean the strongest security systems are always multi-layered. Um, you know, as Chad mentioned, there are other levels of, of security risk other than those coming in from the network. And you know, nowadays a lot of modern networks, you know, they do have, you know, DMZs and air gaps, but there's always, you know, for need of being able to apply updates and allow remote access, there's always some way through in many systems.

And, you know, it's very important to have multiple layers of security that can help prevent, um, you know, the spread of any kind of security, um, infiltration that has occurred through some hole in your air gap or some other, you know, mechanism, you know, like bring somebody, bringing a laptop into the corporate network, I mean, into the OT network and, um, you know, introducing something that way. Um, so multi-layer security is the best approach.

Okay. Very good. Okay, great. Uh, another question I noticed when we started working with Configuration Hub that we require certificates, which are difficult to configure. Are these required? Yeah. Again, I'll take the first crack and then hand it over to Doug, but I, um, you know, ultimately when you're talking from machine to machine, there is that need to have that level of trust and, and, and the, you know, the modern TLS, you know, way of.

Or, um, communicating between machines and across networks, um, you know, does use certificates. I think I, I would agree that often they are, can be difficult to use. Um, our documentation has, you know, detailed instructions on how to do that. And more and more we're looking to provide, um, you know, tooling, like I mentioned before in our, in our, um. Um, to be able to manage those certificates and be able to have a visibility into when they're going to expire, to be able to, to update them easily. So definitely a a valid point.

Um, I'll let Doug, uh, make any comments there. Yeah, I mean, some of the difficulty with managing certificates is, um, you know, a lot of times when we're deploying our software, um, we're using self-signed certificates a lot, so they all have, you know, it's a lot of point-to-point, um, trust configuration that is needed to do with a system like that.

Um, so some of the better approaches would be to have a central signing certificate and then all of the clients connecting to that certificate would only need to trust that root signing certificate. And that's some functionality that our Global Discovery Server provides.

So you can use the Global Discovery, you know, the OPC UA Global Discovery Server to manage that root certificate and apply signatures to all of the certificate signing requests to help complete the certificate generation. Um, and you know, that same, um, methodology can be applied to, you know, the web server certificates that are used in various places.

Um, you know, if, and that way you're just managing distribution of your root signing certificate, um, you know, the public key of the root signing certificate to all the clients for them to trust. So there, there are ways to make it less cumbersome. Um, and, you know, so it's very important to stay abreast of like, what are the lifetimes of certificates so you can manage to, um, regenerate them and re-trust them or re-update your central signing certificate if it's expiring. So, so yeah, there are challenges, but there are ways to make it less challenging also.

Great. Okay. There's one more question. Uh, so while I ask this, you know, go to the orange icon if there's any questions, you got a couple more minutes, if you have a few left that we want to ask our presenters. Um, here is the last question in here. Uh, you mentioned Proficy authentication.

Can I use this to leverage my business SSO and can I set permissions for the SCADA? Yeah, good question. Um, you know, I'll take again first crack and let Doug comment, but, um, but, you know, Proficy Authentication is set up to be able to have, you know, providers behind the, the authentication service. You know, so you can leverage your, your business's LDAP, um, um, permissions and, and, um, and users and groups and, and tie those into the Proficy Authentication setup.

And then, you know, there is, you know, our SCADAs, for example, CIMPLICITY and iFIX, are set up to be able to, um, kind of tie together or, or map the groups from the Proficy Authentication and the LDAP groups, uh, together and tie them to, to, uh, groups at the SCADA level. So that when a user logs in, we know what groups they have permission for and we can tie those to permissions in the SCADA. So you can set up, you know, SCADA, um, permissions for different parts of accessing the database or changing data. Those permissions get kind of passed through the group mappings that go back all the way to your LDAP, um, setups.

But Doug, if there's anything you wanna add there. Um, I think you've covered it pretty well. You know, just, you know, as you're configuring the, you know, the SCADA system, it publishes what groups it has available and, you know, to Proficy Authentication, and then you can take your Proficy Authentication, you know, either your LDAP groups or other groups you configure in Proficy Authentication to, um, those groups that the SCADA systems, um, configured into Proficy Authentication, and you can do the mapping there inside of Proficy Authentication.

Um, particularly in the case of CIMPLICITY, where, you know, if you're the roles and resources that you configure in CIMPLICITY end up being published as, uh, a group of resources in the role together and you just map the roles and resources in, and, uh, I mean the groups in Proficy Authentication to those so you can tailor it to each project specifically. Um, great.

That's all I have to add. That's it. Okay, great.

Okay. Alright. I'm looking here and there are no, there are currently no other questions. Um, so we'll wrap up.

Um, look for next month's webinar. You know, tell your friends, uh, to come, like I said, uh, that take action there. You can send, uh, feedback on the program. If there's anything you want to do, set up a call with me, that'd be fantastic.

Um, looking forward to, uh, talking in the future. So thank you everybody. Thank you to our presenters and uh, have a great day.

2025-04-30 13:50
