Industrial control system cybersecurity - Part 5: ICS network segmentation.
October 2018, This Week's Editor's Pick, IT in Manufacturing


In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, environment hardening and security monitoring. In the penultimate article, we will cover network segmentation in ICS networks.

Historically, many ICS/engineering departments were not focused on protecting the inside of their networks; only the perimeter was protected, with the firewall seen as the single line of defence against malicious insiders, third-party vendors and the bad guys on the outside. This strategy, while effective in its day, does not hold true in the modern digital world. Today’s attacks are facilitated by large and well-funded groups of cyber criminals looking to steal intellectual property, stop production and extort companies. Once access is gained by breaching the perimeter, these cyber criminals are able to move freely within your network. This is why it is strongly recommended to implement a network segmentation framework.

Splitting up the network

ICS network segmentation is the process of splitting up your network into different segments or sub-networks, partly to improve performance but, more importantly, to make it more difficult for an adversary to move freely if they compromise one part of your network. Put another way, it is the process of grouping similar assets and then enforcing a boundary between each group and the levels both above and below it.

To put this into perspective, Target Corporation, a leading USA retailer, lost 40 million credit and debit card numbers in December 2013. First, the cyber criminals stole credentials from a third-party HVAC supplier. Second, these credentials were used to gain access to the Target Corporation network. Third, once inside, the cyber criminals targeted the POS systems by installing malware on them. There is more to this incident (an entire article on its own), but it does highlight the need for strong, effective network segmentation. Had there been proper network segmentation between the POS network, the third-party network and the main corporate network, it would have been much more difficult to steal the information.

Purdue Enterprise Reference Architecture

One of the most commonly used models is that of the Purdue Enterprise Reference Architecture model, more commonly known as PERA or just the Purdue model. I strongly urge all of those responsible for ICS cybersecurity to review this method. It was developed by the Industry-Purdue University Consortium for Computer Integrated Manufacturing, and has been widely adopted by major industrial control system cybersecurity frameworks such as NIST 800-82 and ISA/IEC 62443.

From a hierarchical view, the model is comprised of 6 levels and 5 zones. The 6 levels are:

• Level 0: Process.

• Level 1: Basic control.

• Level 2: Supervisory control.

• Level 3: Operations and control.

• Level 4: Business planning and logistics.

• Level 5: Enterprise network.

And the five zones being:

• Enterprise zone.

• Demilitarised zone (DMZ).

• Manufacturing zone.

• Cell/area zone.

• Safety zone/Safety Instrumented System (SIS).

The diagram shows a very basic control network, depicting how the Purdue model should logically be implemented.

One aspect to take note of from the diagram is that no control system protocol should traverse the ICS network into the enterprise or business network. All too often we still find ICS traffic on the IT network(s), which not only degrades network performance by putting unnecessary traffic ‘on the wire’, but also creates huge security risks, as these protocols have no, or very limited, built-in security. If ICS traffic is absolutely required to traverse from the ICS network through to the IT network, ensure that it is strictly controlled.
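As an added example (not from the article, and not Nclose's code), the following Python script applies the two design rules above, that traffic should only cross one level boundary at a time, with the DMZ brokering between the manufacturing and enterprise zones, and that no control-system protocol should reach the enterprise network, to a set of constructed flow records such as a firewall or NetFlow export might produce. The subnets, the zone ranks and the flow records are assumptions made for the example; the port-to-protocol table uses the commonly documented TCP ports for those protocols.

```python
"""Zone-aware flow audit for an ICS network modelled on the Purdue levels.

Constructed example: the addressing plan, zone ranks and sample flows are
assumptions, not taken from the article.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan: which subnets belong to which Purdue zone.
ZONES = {
    "L0/L1 cell/area": ["10.1.0.0/16"],      # field devices, PLCs
    "L2 supervisory": ["10.2.0.0/16"],       # HMIs, local SCADA servers
    "L3 operations": ["10.3.0.0/16"],        # historians, MES
    "DMZ": ["10.9.0.0/24"],                  # brokers, replica historian
    "L4/L5 enterprise": ["10.100.0.0/16"],   # business network
}

# Rank in the hierarchy; adjacent ranks may talk, anything else skips a level.
RANK = {
    "L0/L1 cell/area": 1,
    "L2 supervisory": 2,
    "L3 operations": 3,
    "DMZ": 4,
    "L4/L5 enterprise": 5,
}

# Well-known TCP ports for common control-system protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}


@dataclass(frozen=True)
class Flow:
    """One flow record: source, destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip):
    """Map an address to its Purdue zone, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "unknown"


def check_flow(flow):
    """Return the list of findings for a flow; an empty list means it fits the model."""
    findings = []
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        # An address outside the plan is itself worth investigating.
        findings.append(f"unmapped address: {flow.src} -> {flow.dst}")
        return findings
    # Rule 1: only one level boundary per hop; a larger jump bypasses an
    # intermediate level (or the DMZ between manufacturing and enterprise).
    if abs(RANK[s] - RANK[d]) > 1:
        findings.append(f"level skip: {s} -> {d}")
    # Rule 2: control-system protocols must never touch the enterprise zone.
    if flow.dport in ICS_PORTS and "L4/L5 enterprise" in (s, d):
        findings.append(f"{ICS_PORTS[flow.dport]} crossing into enterprise zone")
    return findings


def audit(flows):
    """Map every flow that breaks the model to its findings."""
    report = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.10.5", "10.2.0.20", 502),        # PLC -> HMI, Modbus: fine
    Flow("10.100.5.7", "10.1.10.5", 502),       # enterprise -> PLC: two findings
    Flow("10.3.0.10", "10.9.0.5", 1433),        # historian -> DMZ replica: fine
    Flow("10.3.0.10", "10.100.5.7", 44818),     # L3 -> enterprise, EtherNet/IP
    Flow("10.9.0.5", "10.100.5.7", 443),        # DMZ -> enterprise, HTTPS: fine
    Flow("192.168.1.1", "10.1.10.5", 502),      # unmapped source
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for item in findings:
            print("   ", item)
```

Run against real exports, the same two rules give a quick measure of how far the current network is from the Purdue layout before any firewall changes are designed: every "level skip" is a path that the segmentation framework will have to either block or route through the DMZ, and every ICS protocol seen against the enterprise zone is traffic that should not be on the IT wire at all.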

Each ICS system is different and requires certain tweaks and changes to the customer’s specific ICS network segmentation framework. Where the Purdue model helps is that it assists in designing a base framework which you can then build on. As I’ve stated previously, there is no ‘one size fits all’ framework that is right for everyone, and there are other models that you might want to consider to suit your organisation’s needs. The Industrial Internet of Things (IIoT) and Software-Defined Networking (SDN) are also changing the way we see and segment our networks.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, tommy@nclose.com


Credit(s)
Supplied By: Nclose
Tel: +27 11 463 0096
Email: tommy@nclose.com
www: www.nclose.com
