Using SCADA rules, administrators can control the traffic flow of the supervisory control and data acquisition systems (SCADA) through UserGate. UserGate supports the inspection of the following SCADA protocols:
- GOST R IEC 60870-5-104
- Modbus
- DNP3
- MMS
The administrator is able to specify SCADA profiles of their own choosing, in which they can indicate the required set of protocols and commands and use them in rules.
To get started with SCADA, perform the following:
Name | Description |
---|---|
Step 1. Allow the SCADA service in the required zones. | Go to Network-->Zones, edit the access control parameters for the zone to which SCADA clients will be connecting and allow the SCADA service in this zone. |
Step 2. Create the necessary SCADA profiles. | A SCADA profile is a set of elements, each containing a SCADA command and an address. |
Step 3. Create the required SCADA rules. | The SCADA rules define SCADA actions depending on the traffic type checked by the SCADA module according to the assigned profiles. |
To set up SCADA profiles, create a new profile in Libraries-->SCADA profiles and then add the necessary commands to it. Each record contains the following fields:
Name | Description |
---|---|
Name | Name of the profile. |
Description | Description of the profile. |
Protocol | Select the required SCADA protocol. |
SCADA command | Select the necessary SCADA command. |
SCADA address | Provide the SCADA address. You can specify an integer 4-byte number. |
SCADA rules define the traffic to which a SCADA profile will be applied and the action that UserGate must perform when the rule matches.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its conditions are met will be applied. Therefore, make sure to place more specific rules above the more general ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new SCADA rule, click Add in Security policies-->SCADA rules and fill out the fields in the rule.
Name | Description |
---|---|
Enabled | Enable or disable the rule. |
Name | Name of the rule. |
Description | Description of the rule. |
Action | The following options are supported: It is also possible to select the option Log. If this option is enabled, the fact that a rule has been applied to traffic will be recorded in the corresponding log. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A list of destination IP addresses for the traffic. |
Service | The L4 service to which the rule applies. |
SCADA profiles | The list of SCADA profiles that have been created in the previous step. |