Secure Your Application

After the application is secured, configuration is no longer available without signing in.

You can manage user accounts with VTScada or Windows or both.

• If using VTScada authentication and authorization, all accounts and security privileges are managed within VTScada. The SCADA manager has full control over all aspects of each account.
• If using Windows authentication, VTScada privileges are assigned only to roles, which are then associated with Windows groups. The Domain Administrator has control over creating and managing accounts, including which accounts are associated with which VTScada roles. The VTScada manager controls roles and the privilege set associated with each role.

Multifactor Authentication (MFA) / Two-factor authentication.
There are two options for this:
1) For those using the Anywhere thin client, you can configure OpenID Connect Authentication. Choose an OpenID provider that supports multifactor authentication. This option applies only to those will Connect Using the Anywhere Client.
2) For those using the VIC thin client or a workstation with VTScada installed, enable Windows Security Integration with Smart Card Support.

If you enable outside connections to your SCADA system then you must also take steps to secure the communication between the remote site and your server. This is done by implementing a Virtual Private Network (VPN) or by purchasing and installing a TLS/SSL Certificate. Refer to Internet Security (TLS, X.509, SSL).

The VTScada Internet Client (VIC), Anywhere Client, and the Mobile Browser Client (MIC) cannot access any application that is running in an unsecured state. Only a secured application will allow remote access and alarm acknowledgment via phone, email or text message, and then only to authorized accounts.
Similarly, you must secure your application before you can make use of the ODBC interface to query the VTScada database, or use the VTScada Excel Add-in. Note that the Excel Add-in cannot connect to a VTScada server that is not protected by a certificate.

"SSL" is the acronym for the Secure Sockets Layer security protocol. SSL is an older technology, but the term has become the de facto name for Internet security. VTScada uses the more modern Transport Layer Security (TLS) protocol (although, for the sake of compatibility with older Windows operating systems, it can use SSL.)
While the term "SSL Certificate" is in common use, "X.509 Certificate" is the correct term.

Privileges built into VTScada restrict access to VTScada features such as access to the built-in pages. To control access to your own pages and to operator controls that you build, you must create new privileges and apply them to the features that are to have restricted access. By default, all operator controls are protected from use when no-one is signed in, but most sites prefer to create a set of privileges so that they can control the access that each operator has.

Roles should be used to simplify account management, whether you are using VTScada or Windows authentication. A role is a named set of privileges and can be thought of as a job description. Changes made to a role's privilege set are automatically applied to the operators who have been assigned to that role. You can assign several roles to any account and one role can include another.

A set of functions and properties within the security manager are available to programmers, allowing them to check who is signed in or what privileges are in effect for the signed in user. With this information they can design their custom modules to enable or disable features for that user.

Terms:

General Privilege

A permission to access or use one of the VTScada system tools. Access to the Idea Studio, the ability to acknowledge alarms, etc., are controlled by general privileges.

Custom Privilege

A permission created by a VTScada developer. You can apply custom privileges to pages and to output tags to restrict access to these user-created items.

Alternate ID

A numeric identification associated with an account. Used to verify an account when signing in via the Alarm Notification System, or a proximity card reader. There can be only one alternate ID associated with any account.

Security Role

A named set of permissions. You can assign one or more security roles a user account to grant common privileges to people with similar job descriptions.

Security Rule

Refers to conditionally-granted privileges. You can limit the scope of a custom privilege so that it applies only to certain tags, or of any privilege be in effect only when a user is signed in at a named workstation.

Security Menu

Where you will find tools to open the various security-related dialogs. Available in the Application Configuration dialog in the Edit Security tab, and (after signing in) from the button at the top-right of the VTScada application window, labeled with your account name.

Account Locking / Multiple Sign-in Attempts

If a user fails to type their password correctly several times while attempting to sign in, their account will be locked for a period of time. This helps to protect your system from automated password-cracking programs. From the user's point of view, there is no difference between a sign-in that is denied due to an incorrect password and a sign-in attempt while the account is locked.

The number of incorrect attempts and the duration of the lock-out period are controlled by application properties. Refer to the Security Property List. The locking time will increase gradually if an account is locked multiple times within a short period.

A trip alarm (an alarm that is current but does not appear on the "Active" list) will be generated when an account is locked. Further sign-in attempts do not create new alarm events.

A security manager can use the Accounts dialog to view the time remaining before an account is unlocked and also to unlock that account immediately.

Disable Windows Controls (Kiosk Installations)

VTScada cannot disable access to Windows controls (file menu, close, minimize...) or keyboard commands (Ctrl-Esc, Alt-Tab, and Ctrl-Alt-Delete). This could be accomplished with a Windows logon script. Refer to:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app