LTS communicates with TDS on port 799

LTS being the one issuing requests, the previous permission took
also care of this communication issue.
S. Security of SCADA Protocols
system Communication protocols use various ports depending on their
own implementation. The most typical ones, such as ModBusIP,
Sofrel, Perax, uses port 502….
No specific configuration is required for Windows firewall as
Topkapi generates only an outgoing flow which is not blocked.
However, if you setup your controllers to initiate the
communication (for instance spontaneous emission often used for
GPRS network), then you need to change the configuration of the
firewall to let the request come in. The UDP or TCP port depends
Rzvisions Author on the protocol and can usually be changed in TOPKAPI.
01/02/2013 OU Initial document V5.0a
Webserv
Webserv rely on the Windows Web component called IIS
Until now, SCADA system security was not well developed as
(Internet Information Service). After installing this component,
most of SCADA softwares are running on a totally independent
port 80 (http port by default) has to be opened in order to let
network. But nowadays, the need to be connected to Internet is
remote browser have access to the hosted Web pages.
growing and threats found on the Web require powerful software
to protect against. This chapter lists our advices and constraints in In the Control Panel, go to System and Security, Windows
order to let you manage at best your security issues. Firewall menu and click on Allow a program or feature though
Windows Firewall.
1.1. Firewall Then click on Change Settings, and check the box World Wide
Web Services (HTTP), which will only displayed after installing
All versions of Windows include a built-in firewall that is IIS.
activated by default. Some anti-virus solutions also provide one
which comes in substitution of Windows’.
In all cases, we highly recommend to keep it active as its job is to
filter incoming data flows.
However, when it is on, some features are blocked and won’t
work as they could be threat to the operating system. Flows are
separated in two groups: Outgoing flow, for instance data requests
sent by Topkapi to controllers, and incoming flows, which can be
anything from the network or the Internet which try to
communicate, access or damage the computer. In general, the
latter do not need any specific configuration as the firewall is
meant to protect from outside threats. Below are the most common
ports you might need to open in your firewall settings in order to
be able to use Topkapi.

LTS communicates on port 700.

If your Windows firewall is enabled, the first time you start LTS,
you should get a warning asking you if LTS should be allowed to
communicate on the network. This warning is displayed because
LTS opens a port for listening. Of course, you need to answer
Allow access for Topkapi to run correctly.
Now if you type the IP address of your Web server in a browser
from another computer, you should be able to see the IIS welcome
page.

TOPKAPI Vision 32 V5.0a  Security of SCADA system  01/02/2013 Page S-1


1.2. Anti-virus
Installing an anti-virus program is essential today even without
any local or Internet connection. Viruses spread also very easily
though USB mass storage devices which can be connected for file
transfer following a request of AREAL support for instance.
We do not have any specific recommendation or any particular
concern with a particular brand of anti-virus. But, for all of them,
you should create a scan exclusion on the operating file
directory, and also directories where TOPKAPI writes log files,
that is your application directory and the sub directory
TDS_EXPLOIT (in the TOPKAPI installation directory).
Especially when using real-time controllers, log files are modified
very often and the anti-virus will scan each file each time Topkapi
adds a line. This mechanism leads to a high uses of your hard
drive which is the slowest part of your machine. The straight
consequence is a global slowdown of your computer.
Below is an example of how to do it with Avast.
Click on the Avast icon in the taskbar and then click on Option.
Go to the Exclusions menu and specify the path of the directory.
1.3. Windows user accounts
A user account with administrator privileges is only needed for the
installation of Topkapi, as well as setting permission on the
firewall, and creating a new application. Once all of this is set, it is
Page S-2
better to start Topkapi from a user environment for the following
reasons:
 Against Malwares, a user account will not be able to modify
the operating system.
 It prevents the installation of other softwares which could lead
to system instability.
 It prevents modification or removal of system files.
 It prevents modification of sensitive system parameters.
We also advise to disable the guest account, and use a strong
password (at least 6 characters with capital letters, numbers and
special characters) for all Windows Accounts (especially those
belonging to the Administrators group).
1.4. Windows network shares
Except for redundancy initiation, Topkapi does not need any
network share, even in client – server mode.
Therefore it is recommended to disable all network shares as soon
as the configuration is done.
At the most, you can keep open an empty network share meant to
transfer file from one computer to another.
In the redundancy implementation, it is necessary to create
network share with modify permission to allow the configuration
computer to write files on other computers. Theses network shares
are only used when modifying the configuration of redundancy
setup, in the Parameters, Network Parameters menu, Shared
proc button (for adding, removing or modifying a computer part
of the redundancy). Spreadsheet, mimics and other modifications
are sent to the other computers through LTS communications.
Even if Windows security is getting better with time, network
shares are potentially still an additional risk to the machine
integrity. Therefore, once the redundancy setup is done, you
should remove the network shares.
1.5. Locking the user interface
Along with Topkapi is provided a tool called Lockwindows
providing easy locking of the user interface.
We recommend using this tool to prevent any modification on the
workstation while Topkapi is running.
If some other programs are to be used at the same time as
Topkapi, create some appropriate shortcuts in order to start them
without having to go through the start menu.
1.6. Autorun
LockWindows can also disable autorun for CD, DVD and USB
mass storage devices connected to the computer.
This is recommended as USB mass storage devices are a typical
means of virus propagation.
For CD/DVD, it prevents automatic installation of unwanted
software.
01/02/2013 Security of SCADA system  TOPKAPI Vision 32 V5.0a