Securing Your Geo SCADA Deployment: VPN Tunnels, Firewall Rules, and Remote Access Best Practices

By NFM Consulting

Key Takeaway

Securing a Geo SCADA deployment requires network segmentation between IT and OT zones, encrypted VPN tunnels for remote access, properly configured firewall rules for Geo SCADA ports, hardened ViewX and web client access, role-based authentication, and continuous audit logging. Defense in depth protects against both external threats and insider risk.

Threat Landscape for Geo SCADA Deployments

SCADA systems in the water, oil and gas, and power sectors face a growing threat environment. CISA advisories have highlighted multiple vulnerabilities in industrial control system software, including SCADA platforms. The convergence of IT and OT networks — once physically separated — creates attack paths that didn't exist a decade ago. Remote access capabilities added for operational efficiency also create potential entry points for adversaries.

The threat isn't theoretical. Ransomware attacks on water utilities, pipeline operators, and power producers have resulted in operational disruptions. The 2021 Oldsmar, Florida water treatment incident demonstrated that SCADA systems can be targeted for process manipulation, not just data theft. Geo SCADA deployments require the same security attention given to any internet-connected critical infrastructure system.

Network Segmentation: IT/OT Boundary

The foundational security control is network segmentation between the corporate IT network and the OT/SCADA network. The Geo SCADA server, ViewX client workstations, and communication infrastructure should reside in a dedicated OT network zone separated from the corporate network by a firewall or security gateway.

The recommended architecture includes a DMZ (demilitarized zone) between the IT and OT networks. Services that need to span both zones — such as the Geo SCADA web client or data feeds to enterprise systems — are hosted in the DMZ. Direct connections from the IT network to the OT network should be prohibited except through the DMZ.

VPN Options for Remote Access

WireGuard

WireGuard provides modern, high-performance encrypted tunneling with a minimal attack surface. Its cryptographic design uses state-of-the-art primitives (Curve25519, ChaCha20-Poly1305) and its small codebase (~4,000 lines) has been formally verified. WireGuard is well-suited for SCADA remote access where simplicity and reliability are priorities. However, it requires UDP connectivity and may not work through some corporate firewalls.

IPsec

IPsec is the traditional standard for site-to-site VPN tunnels. It's widely supported by enterprise firewalls and routers, making it the default choice when the VPN must integrate with existing corporate network infrastructure. IPsec configuration is more complex than WireGuard and requires careful key management, but it's well-understood by network engineering teams.

Vendor VPN Solutions

Some organizations use vendor-specific VPN solutions (Cisco AnyConnect, Palo Alto GlobalProtect, etc.) for SCADA remote access. These integrate with enterprise identity management and provide centralized policy enforcement. The tradeoff is complexity and dependency on the vendor's infrastructure and licensing.

Firewall Rules for Geo SCADA

Geo SCADA uses specific ports that must be permitted through firewalls while all other traffic is denied:

  • TCP 5481: ClearSCADA Server to ViewX client communication (default). Configure firewall rules to allow only from authorized client subnets.
  • TCP 443: WebX/Virtual ViewX HTTPS access. Restrict to authorized source IP ranges.
  • TCP 1433: SQL Server (if external SQL access is required). Restrict to specific management hosts only.
  • TCP/UDP for DNP3 and Modbus: Communication driver ports vary by configuration. Document and restrict to specific remote site IP addresses.

Apply the principle of least privilege: permit only the specific ports, protocols, and source/destination addresses required for each communication path. Deny all other traffic by default.
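The allow-list above, modelled as a default-deny policy and checked against sample flows. This is an added example, not vendor code: the ports 5481, 443 and 1433 are the page's defaults, while the client subnets, remote-site addresses and the DNP3/Modbus ports are assumed sample values to be replaced with your documented configuration.

```python
from ipaddress import ip_address, ip_network

# Allow-list for the Geo SCADA paths listed above: (name, protocol, dst port, allowed sources).
# Anything that matches no rule is denied (default deny). Ports 5481/443/1433 are the
# page's defaults; the source subnets and the DNP3/Modbus ports are assumed sample values,
# to be replaced with the documented remote-site addresses and driver port configuration.
RULES = [
    ("viewx",  "tcp", 5481,  ["10.20.0.0/24"]),                   # authorized ViewX client subnet (assumed)
    ("webx",   "tcp", 443,   ["10.20.1.0/24"]),                   # authorized WebX source range (assumed)
    ("sql",    "tcp", 1433,  ["10.20.0.10/32"]),                  # one management host (assumed)
    ("dnp3",   "tcp", 20000, ["192.0.2.10/32", "192.0.2.11/32"]), # remote RTU sites, port assumed
    ("modbus", "tcp", 502,   ["192.0.2.20/32"]),                  # remote Modbus site, port assumed
]

def evaluate(src_ip, proto, dst_port):
    """Return the name of the first matching allow rule, or 'deny' when none matches."""
    src = ip_address(src_ip)
    for name, rproto, rport, nets in RULES:
        if proto == rproto and dst_port == rport and any(src in ip_network(n) for n in nets):
            return name
    return "deny"

def overly_broad(rules=RULES, max_hosts=256):
    """Flag rules whose source scope is wider than a /24: the usual sign of an 'allow any' rule."""
    return [name for name, _, _, nets in rules
            if any(ip_network(n).num_addresses > max_hosts for n in nets)]

# Constructed sample flows: (source, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15",  "tcp", 5481),   # ViewX from the authorized subnet      -> viewx
    ("10.50.0.15",  "tcp", 5481),   # ViewX port from the corporate IT side -> deny
    ("10.20.0.10",  "tcp", 1433),   # SQL from the management host          -> sql
    ("10.20.0.11",  "tcp", 1433),   # SQL from a neighbouring host          -> deny
    ("192.0.2.10",  "tcp", 20000),  # DNP3 from a documented remote site    -> dnp3
    ("203.0.113.7", "tcp", 443),    # WebX from an unlisted external range  -> deny
    ("10.20.0.15",  "udp", 5481),   # right subnet, wrong protocol          -> deny
]

def audit(flows=SAMPLE_FLOWS):
    """Decision for every sample flow, in input order."""
    return [evaluate(src, proto, port) for src, proto, port in flows]

if __name__ == "__main__":
    for (src, proto, port), decision in zip(SAMPLE_FLOWS, audit()):
        print(f"{src:>13} {proto}/{port:<5} -> {decision}")
    print("overly broad rules:", overly_broad() or "none")
```

Run `overly_broad()` against a rule set exported from the real firewall before each change window; a rule with a `0.0.0.0/0` or `/16` source is the one most likely to quietly undo the segmentation.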

Remote Access: ViewX and Web Client Hardening

ViewX Client Over VPN

ViewX thick-client access should only be permitted over an encrypted VPN tunnel. Direct exposure of the ViewX port (TCP 5481) to the internet is never acceptable. VPN access should require multi-factor authentication before the tunnel is established.

Web Client Hardening

If WebX/Virtual ViewX is deployed for browser-based access, harden the web server configuration: enforce TLS 1.2 or higher, disable weak cipher suites, implement HTTP security headers (HSTS, Content-Security-Policy, X-Frame-Options), and restrict access to authorized users with strong authentication.
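A check for the hardening settings just listed: a TLS client context that refuses anything below TLS 1.2, and a header audit run over a weak and a hardened sample response. This is an added example, not product code; the sample header sets and the one-year HSTS minimum are constructed assumptions.

```python
import ssl

# Minimum HSTS lifetime of one year (assumed policy; the value commonly required for preload listing).
MIN_HSTS_MAX_AGE = 31536000

def hsts_ok(value):
    """True when the header carries a max-age of at least MIN_HSTS_MAX_AGE seconds."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num) >= MIN_HSTS_MAX_AGE
    return False

# Required headers from the hardening list above and the test each value must pass.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": hsts_ok,
    "Content-Security-Policy": lambda v: "default-src" in v,
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

def header_findings(headers):
    """Return a finding per required header that is missing or too weak; [] means the set passes."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, passes in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif not passes(value):
            findings.append(f"{name}: weak value '{value}'")
    return findings

def hardened_client_context():
    """TLS client context that refuses anything below TLS 1.2, for checking the web server from outside."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def min_tls_version_name():
    """Name of the floor enforced by hardened_client_context()."""
    return hardened_client_context().minimum_version.name

# Constructed sample header sets: a default-looking server and a hardened one.
WEAK = {"Server": "example", "X-Frame-Options": "ALLOW-FROM https://intranet.example"}
HARDENED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}
```

A server that only passes `header_findings` while still offering TLS 1.0 is half hardened; wrap the real HTTPS probe in `hardened_client_context()` so a handshake failure surfaces the weak protocol floor too.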

Authentication and Role-Based Access

Geo SCADA supports user accounts with role-based access controls. Security best practices include:

  • Unique individual accounts for every user (no shared accounts)
  • Role-based permissions aligned with job function (operators, engineers, administrators)
  • Strong password policies with minimum complexity requirements
  • Account lockout after failed authentication attempts
  • Integration with Active Directory for centralized identity management where possible

Audit Logging and Monitoring

Enable comprehensive audit logging in Geo SCADA to record user logins, configuration changes, alarm acknowledgements, and system events. Forward logs to a centralized log management system (SIEM) outside the SCADA network for tamper-resistant storage and correlation with security events from other systems.

Monitor audit logs for anomalies: logins outside normal hours, failed authentication attempts, configuration changes during non-maintenance windows, and access from unexpected source IP addresses. Automated alerting on these anomalies provides early warning of potential security incidents.
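The four anomaly checks above run over a small batch of constructed audit events. This is an added example, not part of the article or the product: the line format is a simplified stand-in for whatever the SIEM normalises the Geo SCADA audit log into, and the business hours, maintenance window, failure threshold and expected source ranges are assumed values.

```python
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Thresholds and expected source ranges are assumed for the example.
EXPECTED_SOURCES = [ip_network("10.20.0.0/24"), ip_network("10.20.1.0/24")]  # ViewX/WebX ranges
BUSINESS_HOURS = (time(6, 0), time(18, 0))      # normal operating hours
MAINTENANCE_WINDOW = (time(9, 0), time(12, 0))  # approved change window
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample events (a simplified line format, not the product's native one):
# "<ISO timestamp> <event> user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-04T08:15:02 LOGIN user=operator1 src=10.20.0.15 result=ok
2024-03-04T02:41:10 LOGIN user=engineer2 src=10.20.0.22 result=ok
2024-03-04T10:05:00 CONFIG_CHANGE user=engineer2 src=10.20.0.22 result=ok
2024-03-04T15:30:00 CONFIG_CHANGE user=engineer2 src=10.20.0.22 result=ok
2024-03-04T11:00:01 LOGIN user=admin src=203.0.113.9 result=fail
2024-03-04T11:00:07 LOGIN user=admin src=203.0.113.9 result=fail
2024-03-04T11:00:15 LOGIN user=admin src=203.0.113.9 result=fail
"""

def parse(line):
    """Split one log line into a dict with a datetime, the event name and the key=value fields."""
    ts, event, *kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event, **dict(f.split("=", 1) for f in kv)}

def detect(log=SAMPLE_LOG):
    """Return the sorted, de-duplicated list of (rule, user, src) alerts for the anomalies above."""
    alerts, failures = set(), Counter()
    for e in (parse(l) for l in log.splitlines() if l.strip()):
        t, src, who = e["ts"].time(), ip_address(e["src"]), (e["user"], e["src"])
        if e["event"] == "LOGIN" and e["result"] == "ok" and not BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]:
            alerts.add(("after_hours_login",) + who)
        if e["event"] == "CONFIG_CHANGE" and not MAINTENANCE_WINDOW[0] <= t <= MAINTENANCE_WINDOW[1]:
            alerts.add(("change_outside_window",) + who)
        if not any(src in net for net in EXPECTED_SOURCES):
            alerts.add(("unexpected_source",) + who)
        if e["event"] == "LOGIN" and e["result"] == "fail":
            failures[who] += 1
    # Repeated failures from one user/source pair, counted over the whole batch.
    alerts.update(("repeated_failed_logins",) + who for who, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user, src in detect():
        print(f"{rule:<24} user={user} src={src}")
```

The failed-login count is per batch here; in a SIEM the same rule would be expressed over a sliding time window so that a slow, spread-out attempt is not missed.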

For a security assessment of your Geo SCADA deployment, contact NFM Consulting. Our team evaluates network architecture, access controls, and monitoring capabilities against industry best practices and CISA guidelines for industrial control system security.