Editor's Choice
Analytical Instrumentation & Environmental Monitoring
Data Acquisition & Telemetry
Electrical Power & Protection
Enclosures, Cabling & Connectors
Fieldbus & Industrial Networking
Flow Measurement & Control
Industrial Computer Hardware
Industrial Wireless
IS & Ex
IT in Manufacturing
Level Measurement & Control
Maintenance, Test & Measurement, Calibration
Mass Measurement
Motion Control & Drives
News
Operator Interfaces, Switches & Relays
PLCs, DCSs & Controllers
Pneumatics & Hydraulics
Pressure Measurement & Control
SAIMC
SCADA/HMI
Sensors & Transducers
Smart Home Automation
System Integration & Control Systems Design
Temperature Measurement
Training & Education
Valves, Actuators & Pump Control


Editor's Choice



Print this page printer friendly version

Industrial control system cybersecurity - Part 5: ICS network segmentation.

October 2018 Editor's Choice IT in Manufacturing

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, environment hardening and security monitoring. In the penultimate article, we will cover network segmentation in ICS networks.

Historically, many ICS/engineering departments were not focused on protecting the inside of their networks, only the perimeter was protected with the firewall being seen as the single line of defence against the malicious insiders, third-party vendors and the bad guys from the outside. This strategy, while effective for its day, does not hold true in the modern digital world. Today’s attacks are being facilitated by large and well-funded groups of cyber criminals looking to steal intellectual information, stop production and extort companies. Once access is gained by breaching the perimeter, these cyber criminals are able to move freely within your network. This is why it is strongly recommended to implement a network segmentation framework.

Splitting up the network

ICS network segmentation is the process of splitting up your network into different segments or sub-networks, to improve performance, but more importantly, to make it more difficult for an adversary to freely move around if they compromise a part of your network. To define this further, it is the process of grouping similar assets and then enforcing a segment between the levels both above and below.

To put this into perspective, Target Corporation, a leading USA retailer, lost 40 million credit and debit card numbers in December 2013. The first part of this compromise is that the cyber criminals stole credential information from a third party HVAC supplier. The second part is that these credentials were then used to gain access to the Target Corporation network. The third part is that once the cyber criminals gained access they targeted the POS systems, by installing malware on them. There is more to this incident (an entire article on its own), but it does highlight the need for strong effective network segmentation. If there was proper network segmentation between the POS network, the third party network and the main corporate network, it would have been much more difficult to steal the information.

Purdue Enterprise Reference Architecture

One of the most commonly used models is that of the Purdue Enterprise Reference Architecture model, more commonly known as PERA or just the Purdue model. I strongly urge all of those responsible for ICS cybersecurity to review this method. It was developed by the Industry-Purdue University Consortium for Computer Integrated Manufacturing, and has been widely adopted by major industrial control system cybersecurity frameworks such as NIST 800-82 and ISA/IEC 62443.

From a hierarchical view the model is comprised of 6 levels and 5 zones. The 6 levels are:

• Level 0: Process.

• Level 1: Basic control.

• Level 3: Operations and control.

• Level 4: Business planning and logistics.

• Level 5: Enterprise network.

And the five zones being:

• Enterprise zone.

• Demilitarised zone (DMZ).

• Manufacturing zone.

• Cell/area zone.

• Safety zone/Safety Instrumented System (SIS).

The diagram is a very basic control network depicting how the Purdue model should logically be implemented.

One aspect to take note of from the diagram is that no control system protocol should traverse the ICS network into the enterprise or business network. All too often we still find ICS traffic on the IT network(s), which not only slows down network performance by having unnecessary traffic ‘on the wire’, but also provides huge security risks as these protocols have no, or very limited, built-in security. If ICS traffic is absolutely required to traverse the ICS network through to the IT network, ensure that is it is strictly controlled.

Each ICS system is different and requires certain tweaks and changes to the customer’s specific ICS network segmentation framework. Where the Purdue model helps is that it assists in designing a base framework which you can then build on. As I’ve stated previously, there is no ‘one size fits all’ framework that is right for everyone, and there are other models that you might want to consider to suite your organisation’s needs. The Industrial Internet of Things (IIoT) and Software-Defined Networking (SDN) is also changing the way we see and segment our networks.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The thermal combustion balancing act
Editor's Choice
From carbon taxes to export tariffs, and cost containment to security of supply and sustainability, companies are under increasing pressure to switch to greener fuel sources. Associated Energy Services warns that this pivotal change has some potentially serious knock-on effects.

Read more...
What’s driving the IE3 motor revolution?
WEG Africa Editor's Choice
The International Efficiency 3 (IE3) motor standard will soon become South Africa’s legal minimum standard, mandating that local suppliers offer more efficient electric motors. What is driving this change, and how does it affect the many industries that rely on these modern electric workhorses?

Read more...
Unlocking the smart factory
ElectroMechanica Editor's Choice Motion Control & Drives
At ElectroMechanica, we recognise that transitioning to smart automation isn’t just about adopting new technology; it’s about solving real challenges. Labour shortages, rising costs and downtime due to outdated machinery make digital transformation essential for long-term competitiveness.

Read more...
Case History 197: Bad reboiler temperature control.
Michael Brown Control Engineering Editor's Choice Flow Measurement & Control
It is very important that reboiler temperature controls operate well in petrochemical refineries, or the product quality can really suffer. I was asked to check such a control in a refinery where they were having problems with one of these controls.

Read more...
The future of industrial automation: fieldbus and industrial networking
LAPP Southern Africa Editor's Choice
As a global leader in integrated solutions in the field of cable and connection technology, LAPP recognises that fieldbus and industrial networking technologies are pivotal in shaping the future of manufacturing and production processes.

Read more...
AI-driven innovations with CCTV and cyber security
RJ Connect Editor's Choice Fieldbus & Industrial Networking
The fast progress of artificial intelligence (AI) and video analytics is redefining the rail surveillance landscape. Advancements have bolstered proactive event detection, predictive maintenance and enhanced situational awareness.

Read more...
Loop signature 27: SWAG tuning of simple integrating processes.
Editor's Choice
The chief control engineer of one of the largest petrochemical refineries in South Africa once sent me an email after a course at his plant. He wrote that he had found the section on SWAG tuning of simple integrating processes one of the most informative of the whole course.

Read more...
Harnessing industrial AI agents for reliable automation
Editor's Choice IT in Manufacturing
The excitement around generative AI (GenAI) has been undeniable, promising wide-ranging changes across industries. However, for those of us in the world of industrial control and automation, the realities of implementing these powerful technologies are a little more nuanced.

Read more...
Futureproof your industrial network security with OT-centric cyber security
RJ Connect Editor's Choice
To achieve digital transformation, industrial operators must first address the daunting task of merging their information technology (IT) and operational technology (OT) infrastructure. In this article, we focus on the importance of strong OT network security and provide some tips on how to strengthen cybersecurity for industrial operations.

Read more...
The symbiotic relationship between OEMs and SIs
Schneider Electric South Africa Editor's Choice System Integration & Control Systems Design
While businesses tend to turn directly to original equipment manufacturers OEMs or vendors when embarking on IT projects, the role of the SI as a key facilitator and partner cannot be overstated.

Read more...











Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  Hi-Tech Security Solutions
»  Hi-Tech Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd | All Rights Reserved