By Michael Brost

For system integrators (SIs) working in the water and wastewater sector, cybersecurity has evolved from a technical concern to a commercial imperative.
In the evolving landscape of industrial control systems, traditional supervisory security architectures are being tested against increasingly sophisticated cyber threats.
While many SCADA platforms rely on client- or network-level defenses, these models struggle to prevent unauthorized internal actions once a session or protocol is compromised.
AVEVA System Platform introduces a fundamentally different approach: destination-level security, an architecture that enforces authentication and authorization directly at the data object rather than at the human-machine interface (HMI) or client layer.
This shift represents a quiet but significant transformation in industrial cybersecurity — particularly for operators seeking compliance with frameworks such as ISA/IEC 62443, 21 CFR Part 11, and the upcoming Cybersecurity Resilience Act (CRA).
Moreover, customers now expect solutions that combine operational efficiency, regulatory compliance, and defensible cybersecurity — without adding engineering complexity or cost.
The Limitation of Origination-Level Security
In conventional SCADA systems, security is typically applied at the “origination” point — the graphic interface, client application, or gateway that initiates a command. A user logs into an HMI, issues a write (for example, a pump start), and the client forwards that instruction to the controller or data server. If the workstation, protocol, or network path is exploited, the attacker can often inject unauthorized writes that bypass authentication.
This architecture assumes that the client environment remains trustworthy — a risky assumption in modern OT networks that now interact with cloud services, historians, and IIoT gateways. Even well-known commercial SCADA systems enforce access primarily through configuration at the user interface level.
Once an OPC UA or MQTT client connects with valid write credentials, writes can occur without further verification at the destination and cannot be differentiated by target.
The AVEVA Paradigm: Security at the Destination
AVEVA System Platform reverses this logic. Instead of trusting the point of origin, every command must be authenticated and authorized by the target object attribute — the “destination.” This model is natively built into the Galaxy repository, the core data and logic engine of the platform.
When any write request is issued — whether from an HMI button, an OPC UA client, or an external application — the target object evaluates the request against its own embedded security rules before execution. If the user or client is not explicitly authorized for that operation, the command is rejected.
This principle extends across all communication pathways. The destination-level model is protocol-independent, applying uniformly to OPC UA, SuiteLink, or MQTT data exchanges.
Instead of trusting any authenticated connection or client, every write operation must be validated at the object attribute level in the Galaxy before the PLC receives it. This process ensures that even if an attacker connects via an external OPC UA client or a script, their command will be rejected unless it meets the destination’s access criteria.
While the PLC itself is not modified by AVEVA, System Platform acts as a trusted gatekeeper. The PLC can be configured to only accept commands that originate from the validated Galaxy namespace. Even if an attacker gains access to the network, direct writes to the PLC memory space are denied without the proper handshake and authentication sequence managed by the System Platform.
For SIs, this key security functionality dramatically simplifies secure deployment. Security configurations can be templated and inherited across multiple assets, meaning a ‘Secured’ or ‘Verified Write’ policy applied to a chlorine dosing pump template is automatically enforced at every instance across the system. No per-tag scripting required.
Granular Object-Attribute Control
The Galaxy repository supports six hierarchical security classifications assignable at the object or attribute level. Every tag, object, or attribute within the System Platform is assigned a specific security classification. Each classification defines the degree of authentication required for reads and writes:
| Security Classification | Access Level | Authentication Required | Use Case |
|---|---|---|---|
| View Only | Read only | None | Display-only values (trends, historical data). No write access to this target. |
| Free Access | Write after login | Any valid user | Non-critical values (display zoom, chart ranges) |
| Operate | Standard write | Security group role | Routine operator commands (valve open/close, pump start/stop) |
| Tune | Parameter adjustment | Security group role | Process tuning (PID setpoints, alarm limits) |
| Secured Write | Re-authentication required | Password or 2FA on every write | Safety-critical commands (chemical feed rate changes, emergency shutdowns) |
| Verified Write | Dual signature required | Two separate users authenticate | Ultra-critical operations (disabling safety interlocks, master pump station shutdown, chemical tank drains) |
| Configure | Engineering changes | Engineering role + password | Multiple related values, scaling parameters, input sources |
This granularity allows control system engineers to balance operational efficiency and protection. Routine operator tasks proceed seamlessly under “Operate,” while safety-critical actions — such as changing chemical dosing setpoints or disabling an alarm — invoke additional authentication challenges.
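As an added illustration (not AVEVA's code; the attribute names, roles, user names and pump instances are invented), the following Python model evaluates a write request at the target attribute against the seven classifications above, the way the destination-level model and template inheritance described earlier are meant to work: the outcome depends only on the target's policy and the requester's credentials, never on which client (HMI, OPC UA, MQTT, script) sent the write.

```python
from dataclasses import dataclass
from enum import Enum
# Added illustration, not AVEVA code: the seven classifications from the article's table.
class Cls(Enum):
    VIEW_ONLY = "View Only"
    FREE_ACCESS = "Free Access"
    OPERATE = "Operate"
    TUNE = "Tune"
    SECURED_WRITE = "Secured Write"
    VERIFIED_WRITE = "Verified Write"
    CONFIGURE = "Configure"
@dataclass(frozen=True)
class WriteRequest:
    user: str                      # authenticated identity ("" = no login)
    roles: frozenset               # security-group roles the user holds
    reauthenticated: bool = False  # password/2FA supplied for this write
    second_signer: str = ""        # second user, for Verified Write
# Hypothetical chlorine-dosing-pump template: attribute -> (classification, required role).
PUMP_TEMPLATE = {
    "Status": (Cls.VIEW_ONLY, None),
    "Cmd.Start": (Cls.OPERATE, "Operators"),
    "Setpoint": (Cls.TUNE, "Engineers"),
    "DoseRate": (Cls.SECURED_WRITE, "Operators"),
    "InterlockBypass": (Cls.VERIFIED_WRITE, "Supervisors"),
    "Scaling.Max": (Cls.CONFIGURE, "Engineers"),
}
# Template inheritance: every instance derived from the template carries the same policy.
GALAXY = {name: PUMP_TEMPLATE for name in ("ChlorPump01", "ChlorPump02")}

def evaluate_write(tag: str, req: WriteRequest) -> tuple:
    """Destination-side decision for a write to 'Instance.Attribute'; the client type is irrelevant."""
    instance, _, attr = tag.partition(".")
    policy = GALAXY.get(instance, {}).get(attr)
    if policy is None:
        return False, "unknown target"
    cls, role = policy
    if cls is Cls.VIEW_ONLY:
        return False, "read-only attribute"
    if not req.user:
        return False, "login required"
    if cls is Cls.FREE_ACCESS:
        return True, "any valid user"
    if role not in req.roles:
        return False, f"role {role} required"
    if cls in (Cls.SECURED_WRITE, Cls.VERIFIED_WRITE, Cls.CONFIGURE) and not req.reauthenticated:
        return False, "re-authentication required"
    if cls is Cls.VERIFIED_WRITE and req.second_signer in ("", req.user):
        return False, "second, distinct signer required"
    return True, f"{cls.value} granted"
```

Note that a second pump instance derived from the same template rejects an unsigned interlock bypass identically, which is the per-template policy inheritance the article describes.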
Encryption and Certificate-Based Authentication
Modern deployments of System Platform include a native System Management Server (SMS) with encryption enabled by default. All communications are protected using TLS/AES-256 with certificate-based mutual authentication, fulfilling the IEC 62541 “Sign and Encrypt” mode specification. Certificates are generated and renewed automatically through the platform’s trust-store management, reducing configuration errors that often undermine industrial PKI implementations. By contrast, many SCADA systems require manual certificate provisioning and management.
Why It Matters for System Integrators
For SIs, cybersecurity is no longer a project deliverable — it’s a profit center. AVEVA System Platform architecture enables SIs to deliver secure-by-design solutions that meet IEC 62443 and CRA standards out of the box.
- Standardized Security Frameworks: Reduce engineering rework through preconfigured templates aligned to ISA/IEC 62443.
- Regulatory Readiness: Simplify compliance with EPA, CIRCIA, and state sanitary survey requirements.
- Lifecycle Service Opportunities: Position cybersecurity audits, patching, and access management as recurring service offerings.
- Reduced Integration Complexity: Avoids costly custom scripting or external security gateways to achieve IEC 62443 compliance.
Competitive Advantage
From a competitive perspective, the AVEVA model provides two measurable differentiators:
- Protocol Independence and Enforcement Depth: Security applies uniformly across all data pathways, and credentials and security level are verified at the destination. This effectively prevents the common attack vector in which an external tool or script writes directly to a PLC tag, bypassing the HMI layer.
- Operational Audit Integrity: Because authentication and logging are executed at the object level, forensic data remains intact even during client compromise.
These distinctions make System Platform one of the few commercial SCADA platforms capable of delivering object-centric zero-trust enforcement inside operational control environments — a necessary evolution as critical infrastructure adopts cloud and IIoT connectivity.
The Blueprint for Defensible Control Systems
The rise of cyber incidents targeting process control networks has exposed the fragility of HMI-centric security. AVEVA’s destination-level model offers a defensible alternative: a verifiable chain of trust from the user credential to the exact control variable being modified.
By authenticating every write at its endpoint, System Platform reduces both the probability and impact of unauthorized operations.
For System Integrators, it offers a proven, standardized framework to build, deploy, and support secure systems that safeguard the world’s most vital resources.
Michael Brost is Lead Solution Architect for Aveva.
This article is sponsored by Aveva.