Editor's Choice

Industrial control system cybersecurity - Part 5: ICS network segmentation.

October 2018 Editor's Choice IT in Manufacturing

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, environment hardening and security monitoring. In the penultimate article, we will cover network segmentation in ICS networks.

Historically, many ICS/engineering departments were not focused on protecting the inside of their networks, only the perimeter was protected with the firewall being seen as the single line of defence against the malicious insiders, third-party vendors and the bad guys from the outside. This strategy, while effective for its day, does not hold true in the modern digital world. Today’s attacks are being facilitated by large and well-funded groups of cyber criminals looking to steal intellectual information, stop production and extort companies. Once access is gained by breaching the perimeter, these cyber criminals are able to move freely within your network. This is why it is strongly recommended to implement a network segmentation framework.

Splitting up the network

ICS network segmentation is the process of splitting up your network into different segments or sub-networks, to improve performance, but more importantly, to make it more difficult for an adversary to freely move around if they compromise a part of your network. To define this further, it is the process of grouping similar assets and then enforcing a segment between the levels both above and below.

To put this into perspective, Target Corporation, a leading USA retailer, lost 40 million credit and debit card numbers in December 2013. The first part of this compromise is that the cyber criminals stole credential information from a third party HVAC supplier. The second part is that these credentials were then used to gain access to the Target Corporation network. The third part is that once the cyber criminals gained access they targeted the POS systems, by installing malware on them. There is more to this incident (an entire article on its own), but it does highlight the need for strong effective network segmentation. If there was proper network segmentation between the POS network, the third party network and the main corporate network, it would have been much more difficult to steal the information.

Purdue Enterprise Reference Architecture

One of the most commonly used models is that of the Purdue Enterprise Reference Architecture model, more commonly known as PERA or just the Purdue model. I strongly urge all of those responsible for ICS cybersecurity to review this method. It was developed by the Industry-Purdue University Consortium for Computer Integrated Manufacturing, and has been widely adopted by major industrial control system cybersecurity frameworks such as NIST 800-82 and ISA/IEC 62443.

From a hierarchical view the model is comprised of 6 levels and 5 zones. The 6 levels are:

• Level 0: Process.

• Level 1: Basic control.

• Level 3: Operations and control.

• Level 4: Business planning and logistics.

• Level 5: Enterprise network.

And the five zones being:

• Enterprise zone.

• Demilitarised zone (DMZ).

• Manufacturing zone.

• Cell/area zone.

• Safety zone/Safety Instrumented System (SIS).

The diagram is a very basic control network depicting how the Purdue model should logically be implemented.

One aspect to take note of from the diagram is that no control system protocol should traverse the ICS network into the enterprise or business network. All too often we still find ICS traffic on the IT network(s), which not only slows down network performance by having unnecessary traffic ‘on the wire’, but also provides huge security risks as these protocols have no, or very limited, built-in security. If ICS traffic is absolutely required to traverse the ICS network through to the IT network, ensure that is it is strictly controlled.

Each ICS system is different and requires certain tweaks and changes to the customer’s specific ICS network segmentation framework. Where the Purdue model helps is that it assists in designing a base framework which you can then build on. As I’ve stated previously, there is no ‘one size fits all’ framework that is right for everyone, and there are other models that you might want to consider to suite your organisation’s needs. The Industrial Internet of Things (IIoT) and Software-Defined Networking (SDN) is also changing the way we see and segment our networks.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, tommy@nclose.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Loop Signatures 1: Introduction to the Loop Problem Signatures series
May 2020, Michael Brown Control Engineering , Editor's Choice
Over the years I have had many requests to write a book giving more detailed explanations of some of the problems I have encountered in my work on practical loop optimisation. I am by nature and inclination ...

The emergence of a new future in the energy sector
April 2020 , Editor's Choice
Adaptively complex and persistent challenges in Africa are driving the need for a new future in the energy sector. Lack of access to energy, (more than 600 million people in Africa with no access to energy) ...

Case History 171: Instability in a metallurgical plant
March 2020, Michael Brown Control Engineering , Editor's Choice
I have written several articles about the unique problems I have encountered, specifically in the mining processing industry. This article is about some experiences in a mining operation where recently ...

Case History 170
January 2020 , Editor's Choice
As mentioned in earlier articles, the integral (or I term) in the controller is a brilliant thing. It is an extremely elegant and simple solution for eliminating offset in control. However, like everything ...

Case History 169: Tuning a very difficult temperature control loop
November 2019 , Editor's Choice
As I have mentioned in previous articles, Greg McMillan, one of the world’s top control experts, has said that he finds temperature control loops generally the worst optimised processes as most people ...

Siemens extends Sinumerik Edge to include artificial intelligence
November 2019, Siemens Digital Industries , IT in Manufacturing
With edge computing, large volumes of data can be processed locally on the machine tool. This also reduces storage and transmission costs for users, as large data volumes can be pre-processed and only ...

Navigate the fourth industrial revolution with PwC
November 2019 , IT in Manufacturing
Using the building blocks of 4IR to transform business processes into manufacturing advantages requires a holistic approach.

Artificial intelligence in manufacturing – a practical and simplified view
November 2019, Altron Bytes Systems Integration , IT in Manufacturing
Looking at and interpreting data generated during the manufacturing process to find ways to reduce waste, improve quality and increase yield is not new. However, the increased use of digital technologies ...

Beyond Capex and Opex
November 2019 , Editor's Choice
How do we finance IT? We identify a need, we test the waters with a PoC (proof of concept), then we get the green light after we prove the value. We know roughly how much it will cost by looking at the ...

The technology landscape: insights from 2019 conferences
November 2019, SAIMC , Editor's Choice
Industry leaders and governmental agencies across the globe recognise technology as the cornerstone for economic development. President Cyril Ramaphosa famously posited: “The clear implication for South ...