Arguably the most important tactical step that can be taken to improve the security of your industrial automation system is network segmentation. The concept of network segmentation is to partition the system into distinct security zones and implement layers of protection to isolate the most critical parts of the system.
Analogous to physical security controls, such as those found in an airport, a network can be segmented into various network security zones. The most critical assets should be placed in higher security zones. As in an airport, a user wishing to access a critical asset may have to pass through several gates or screening points.
ANSI/ISA-99 introduces the concepts of “zones” and “conduits” as a way to segment and isolate the various sub-systems in a control system. A zone is a grouping of logical or physical assets that share common security requirements, based on factors such as criticality and the consequence of compromise. The equipment in a zone has a security level capability, and the zone itself has a security level requirement. If the capability does not meet or exceed the requirement, extra security measures, such as additional technology or policies, must be applied to close the gap.
All communication between zones must pass through a defined conduit. Conduits control access to zones, resist Denial of Service (DoS) attacks and the transfer of malware, shield other network systems and protect the integrity and confidentiality of the traffic they carry.
Typically the controls on a conduit are intended to mitigate the difference between a zone’s security level capability and its security requirements. Focusing on conduit mitigations is typically far more cost effective than having to upgrade every device or computer in a zone to meet a requirement.
Zone and conduit design starts with analyzing the facility to identify groups of devices that have common functionality and common security requirements; these groups are the “zones” of equipment that require protection. For example, a facility might first be divided into operational areas, such as materials storage, processing, finishing, etc. Within these areas it could then be further divided into functional layers, such as Manufacturing Execution Systems (MES), supervisory systems (e.g. operator HMIs), primary control systems (e.g. PLCs) and safety systems. Often the models from other standards, such as ANSI/ISA-95.00.01-2000 or the Purdue manufacturing model, are used as a basis for this division. Vendor design documents can also be helpful.
The next step is to discover the pathways in the network through which data is passed between these zones; these are the network “conduits”. Each conduit should be defined in terms of the zones it connects, the technologies it utilizes, the protocols it transports and any security features it needs to offer its connected zones.
Typically, determining the information transfer requirements between zones over the network is straightforward. Tools like traffic flow analyzers or even simple protocol analyzers can show which systems are exchanging data and the services they are using.
It is also wise to look beyond the network to determine the hidden traffic flows. For example, are files ever moved via USB drive between the lab and the primary control systems? Do people remotely connect to the RTUs using a dial-up modem? These flows are easy to miss, but can result in serious security issues if not managed carefully.
Once the conduits and their security requirements are defined, the final phase is to implement the appropriate security technologies. Firewalls and Virtual Private Networks (VPNs) are two popular options for this stage. Industrial firewalls can be installed in these conduits and configured to pass only the minimum traffic that is required for correct plant operation, blocking everything else by default. The firewalls should implement an alarm-reporting mechanism to alert operations or security personnel any time abnormal behavior (e.g. blocked traffic) is observed in the network; a blocked connection is either a misconfiguration that will disrupt operations or an attempt to cross a zone boundary that the design never intended, and both deserve attention. Combined, the entire zone and conduit approach implements a strategy of “defense in depth”: multiple layers of defense distributed throughout the control network. It is a strategy that has been widely adopted in the military, financial and IT communities as an effective way to obtain strong security at a reasonable overall cost.
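One way to carry the zone and conduit analysis described above into something checkable, as an added example that is not part of the original page: the script below encodes zones as subnets, defines each conduit by the zones it connects and the protocols it may carry, and then audits a connection log the way a flow analyzer export would be reviewed. Every address, zone name, port and log line is constructed for illustration; a real plant is unlikely to map onto subnets this cleanly.

```python
"""Zone-and-conduit audit of observed traffic.

Added example, not code from the original page. Every subnet, zone name,
port and log line below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Zones: groups of assets with common security requirements, identified here
# by subnet (constructed addressing).
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "dmz":         ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("10.2.0.0/24"),  # HMIs, SCADA servers
    "control":     ipaddress.ip_network("10.3.0.0/24"),  # PLCs
    "safety":      ipaddress.ip_network("10.4.0.0/24"),  # safety systems
}


@dataclass(frozen=True)
class Conduit:
    """A conduit is defined by the zones it connects and the traffic it is
    permitted to carry; everything else on that path is blocked."""
    src: str
    dst: str
    allowed: frozenset  # {(protocol, destination port)} for connections src -> dst


# Direction is that of the connection initiator; a stateful firewall lets the
# replies back through without a second conduit.
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),
    Conduit("dmz", "supervisory", frozenset({("tcp", 443)})),
    Conduit("supervisory", "control", frozenset({("tcp", 502)})),  # Modbus/TCP
    # No conduit reaches "safety": nothing may initiate connections into it.
]


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Classify one observed connection against the zone/conduit model."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "unzoned"       # an address the model does not know about
    if sz == dz:
        return "intra-zone"    # not a conduit concern
    for c in CONDUITS:
        if (c.src, c.dst) == (sz, dz):
            return "permitted" if (proto, dport) in c.allowed else "blocked"
    return "no-conduit"        # zones that should never talk directly


def parse_flows(text: str):
    """Parse constructed 'src dst proto dport' lines, one per connection."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def audit(text: str):
    """Return [(flow, verdict)] for every connection in the log."""
    return [(f, evaluate(*f)) for f in parse_flows(text)]


def alarms(text: str):
    """Connections that should raise an alert: anything the conduits do not
    explicitly permit, including traffic from addresses outside the model."""
    return [(f, v) for f, v in audit(text) if v not in ("permitted", "intra-zone")]


# Constructed connection log, as a flow analyzer might export it.
SAMPLE_FLOWS = """\
10.2.0.10    10.3.0.5  tcp 502   # HMI polling a PLC over Modbus/TCP
10.0.0.44    10.3.0.5  tcp 502   # engineering desktop reaching a PLC directly
10.2.0.10    10.3.0.5  tcp 80    # HMI opening the PLC's web page
10.3.0.5     10.4.0.2  tcp 502   # PLC initiating a connection into safety
10.0.0.44    10.1.0.3  tcp 443   # desktop to the DMZ historian
192.168.50.7 10.3.0.5  tcp 502   # address in no zone: a hidden path
"""

if __name__ == "__main__":
    for (src, dst, proto, dport), verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:<11} {src} -> {dst} {proto}/{dport}")
```

The verdicts worth acting on are `blocked` (a zone pair that is allowed to talk, but not over that service), `no-conduit` (a zone pair the design never connected, such as the control-to-safety connection here) and `unzoned` (an address the model knows nothing about, which is how the hidden paths of the previous paragraph tend to show up). Each is either a legitimate flow the model is missing, in which case the conduit definition is updated deliberately, or a path that must be closed. The same `CONDUITS` allow-list is what the firewall rules in each conduit should be generated from, so the model and the enforced policy cannot drift apart.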
Most manufacturers of integrated control system platforms, such as DCS or PLC systems, have defined reference architectures they recommend for good network segmentation with their products. These can be useful when analyzing the systems in your plant that are based on these manufacturers’ platforms. However, it is important to bear in mind that each application and system is unique and that reference architectures are only meant to provide general guidance.