Ok, here’s the deal. I have a client that I (alone) VPN into to access the Ignition gateway and other SCADA stuff. The Ignition SCADA network is isolated except for my IPCop DSL interface, which is configured to block everything. No automatic Windows updates for the client PCs, no client PC virus protection updates.
Now the customer wants others to be able to remotely benefit from Ignition. I have been looking for a way to “proxy” the Ignition gateway to my public website (hosted on GoDaddy) so they can launch a project applet on their browser, while keeping the gateway obscured and inaccessible from the user. A “keep them at arms-length” type of defense.
My attempts thus far have failed. The Java JNLP files point directly to the gateway IP address, and unless I enable IPCop’s port forwarding for the client’s IP, it won’t work. That is unacceptable from a security standpoint.
Do I just fold my tent and permit direct gateway access? Obviously I would have to open up the router to internet access so the gateway and client PCs can get automatic security and virus updates. That opens up another big can of worms, which I’d rather avoid.
Let the IT dept handle it you say? My experience is that the IT depts conveniently disown SCADA networks, leaving them in the hands of the SCADA integrator. That’s been fine up to now, but I realize that I need more advanced schooling in industrial network security to provide safe remote access to clients’ SCADA systems. My own web research has been unsatisfying in regards to a Java-based system like Ignition.
Does anybody have experiences they’re willing to share, specific to safe remote Ignition Gateway access? Any good white papers or tutorials on the web dealing with this specific topic? Your help is greatly appreciated!