Emerson’s Nick Janouskovec shared his practical tips for attaining and managing Ovation system security at the 2018 Ovation Users’ Group Conference. With so many different standards, regulations, technologies and approaches to cybersecurity, it can be challenging to figure out what you really need.
Developing a security program that truly secures your control system, meets your compliance obligations and doesn’t add tremendous burden to your operations team can be quite a task. Nick’s objective for this session is to provide system owners and users with practical approaches for truly securing systems through simple yet effective techniques – many already a part of the Ovation system.
Nick opened by explaining that, for a function to be allowed in the Ovation system, the point security group, the computer security settings and the user security settings must all permit it.
From an Ovation point security standpoint, in Developer Studio there are 16 point groups. They are assigned to the point at the time of the build. Control Builder is the master of the point security for algorithms. If an operator is not assigned to a particular point through point security, they cannot operate that point.
Ovation Security Manager (OSM) manages users, computers, point security groups, Ovation roles, group policies, domain policies, administrators and database users. Some options are only available in OSM and not the underlying Active Directory security.
OSM can create new users, reset passwords and change roles & security levels. It can apply group policies for both users and computers.
Windows group policies are collections of Windows operating system rules that can be assigned to user or computer accounts to configure a custom desktop environment. They are typically assigned to user accounts. A default policy is applied when new users are created. All other group policies inherit the global policies unless a setting is specifically overridden, and some global policies can be neither overridden nor deleted from the list of group policies.
Security group policies are applied in order: global user policy, assigned user policy, global computer policy, assigned computer policy.
The point security group is checked first, before the computer and user roles.
A domain policy consists of one or more policy rules that can only be set globally; they apply to all computers in the domain and do not require computer account assignments. There are two classes: default domain policies and default domain controller policies.
The default domain controller policies are group policies that apply only to the computers in the security domain that are domain controllers. Examples in OSM include account lockout policies and password rules.
Managing administrators is a critical function. Nick stressed the importance of limiting domain administrator access, since not everyone needs this level of access to perform Ovation system tasks. Also, do not use the built-in Administrator account for day-to-day work. Instead, create separate administrator accounts, preferably one per individual, and enforce strong password rules.
Microsoft Active Directory can be browsed from within OSM. It is very important to make changes in OSM rather than with the native Active Directory management tools, so that OSM's records and Active Directory do not become decoupled.
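The administrator and password-policy points above can be checked without touching OSM's records, because reading Active Directory is fine; only changes need to go through OSM. The following is an added example, not code from the presentation, OSM or Emerson: a read-only PowerShell audit that lists who effectively holds Domain Admins rights, checks whether the built-in Administrator account (RID 500, looked up by SID so a rename does not hide it) is still enabled, and prints the password and lockout rules in effect for the domain. It assumes a domain-joined Windows node with the ActiveDirectory RSAT module; the thresholds used to raise findings are assumptions for illustration, not values from the talk.

```powershell
# Added example (not from the presentation, OSM or Emerson): read-only audit of
# administrator accounts and the domain password/lockout policy. Nothing here
# writes to Active Directory; make changes in OSM, not with these tools.
Import-Module ActiveDirectory

# Thresholds are assumptions for illustration, not values from the talk.
$maxDomainAdmins = 3
$minPasswordLen  = 12
$findings = New-Object System.Collections.Generic.List[string]

# 1. Who effectively holds Domain Admins rights? -Recursive expands nested groups;
#    keep only user objects so Get-ADUser does not choke on computer members.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate)
$domainAdmins | Format-Table -AutoSize
if ($domainAdmins.Count -gt $maxDomainAdmins) {
    $findings.Add("Domain Admins has $($domainAdmins.Count) members; review whether each needs domain-level rights.")
}

# 2. Is the built-in Administrator account (RID 500) enabled and still in use?
#    Looking it up by SID works even if the account has been renamed.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
if ($builtinAdmin.Enabled) {
    $findings.Add("Built-in Administrator ($($builtinAdmin.SamAccountName)) is enabled; last logon: $($builtinAdmin.LastLogonDate).")
}

# 3. Password and lockout rules in effect for the whole domain (the domain
#    controller policy settings the talk mentions).
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                        ComplexityEnabled, LockoutThreshold, LockoutDuration,
                        LockoutObservationWindow | Format-List
if (-not $policy.ComplexityEnabled)                 { $findings.Add('Password complexity is not enforced.') }
if ($policy.MinPasswordLength -lt $minPasswordLen)  { $findings.Add("Minimum password length is $($policy.MinPasswordLength), below $minPasswordLen.") }
if ($policy.LockoutThreshold -eq 0)                 { $findings.Add('Account lockout is disabled (threshold 0).') }

# 4. Summary of anything worth raising with the system owner.
if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an account that can read the domain; it needs no write permissions. If a finding should be fixed, apply the change in OSM so that its records stay in step with Active Directory, then re-run the audit to confirm.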
One other tip Nick shared was to define a maximum log size for application, security and system logs and set a retention period—90 days for example.
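As an added example of that tip (not from the presentation, Ovation documentation or Emerson), the following Windows PowerShell 5.1 script sets an explicit maximum size and a 90-day minimum retention on the Application, Security and System logs of the local node, after checking that the system drive has room for them. It uses the built-in Limit-EventLog and Get-EventLog cmdlets, which exist in Windows PowerShell 5.1 but were removed from PowerShell 6 and later, and must be run elevated. The 512 MB size is an assumption; size it for your node's event rate.

```powershell
# Added example, not from the presentation, Ovation documentation or Emerson:
# apply a maximum size and a 90-day minimum retention to the three classic
# event logs on the local node. Windows PowerShell 5.1, run as administrator.
$retentionDays = 90
$maxSize       = 512MB                           # assumption; must be a multiple of 64KB
$logs          = 'Application', 'Security', 'System'

# The logs live under %SystemRoot%\System32\winevt\Logs, so make sure the
# system drive can hold all three at full size with headroom to spare.
$needed = $maxSize * $logs.Count
$free   = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free
if ($free -lt 2 * $needed) {
    throw "Only $free bytes free on $env:SystemDrive; the logs could grow to $needed bytes."
}

# Current settings, for the change record.
Get-EventLog -List | Where-Object { $_.Log -in $logs } |
    Select-Object Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction, Entries |
    Format-Table -AutoSize

foreach ($log in $logs) {
    # OverwriteOlder honours RetentionDays: entries younger than 90 days are
    # never overwritten. Caveat: if a log fills up with entries all younger
    # than 90 days, Windows stops writing new events to it, so MaximumSize
    # must comfortably hold 90 days of activity on a busy node.
    Limit-EventLog -LogName $log -MaximumSize $maxSize `
                   -RetentionDays $retentionDays -OverflowAction OverwriteOlder
}

# Verify that each log now carries the intended settings.
foreach ($entry in Get-EventLog -List | Where-Object { $_.Log -in $logs }) {
    if ($entry.MinimumRetentionDays -ne $retentionDays -or $entry.OverflowAction -ne 'OverwriteOlder') {
        Write-Warning "$($entry.Log): expected $retentionDays-day OverwriteOlder, got $($entry.MinimumRetentionDays) days / $($entry.OverflowAction)"
    } else {
        "$($entry.Log): $($entry.MaximumKilobytes) KB, keep $($entry.MinimumRetentionDays) days ($($entry.OverflowAction))"
    }
}
```

If a node cannot afford logs large enough to hold the full retention window, the safer choice is OverwriteAsNeeded with the logs forwarded to a collector, because OverwriteOlder will silently drop new events once the log is full of entries younger than the retention period.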
For Ovation users, a copy of the presentation is available on the Ovation Users’ Group website; it includes Nick’s extensive tips for troubleshooting these policies when the results applied at the different user and computer levels are not what you expect.