ICS Architecture Review Process

  • On February 1, 2022

As the number of cyberattacks in the energy sector continues to increase, organizations must ensure that appropriate technical controls are in place and that any potential security event is detected and promptly mitigated. While our previous article presented our overall methodology for effective cybersecurity management, this article focuses on the ICS architecture review process as an important tool for evaluating security controls and enhancing cybersecurity in the energy sector.

Industrial Control Systems (ICS) are crucial for industrial plants and critical infrastructure worldwide, serving the most essential functions of modern societies. ICS have requirements that distinguish them from ordinary IT systems, such as real-time response and extremely high availability, predictability and reliability. The ICS architecture should be reviewed regularly, taking into account the identification of ICS assets, the network flows between the ICS network and the corporate network, the roles and responsibilities of the personnel who maintain or have access to ICS systems, and the business requirements of the organization.

An inventory of ICS assets should be in place that records, for each asset, the asset name, category, architecture (Purdue) level, machine type, location, owner, serial number, software version, protocols used, patch level, etc. Without this inventory neither the network flows nor the firewall rules can be checked against the intended architecture. The most secure and effective way to design the network architecture for ICS systems in critical infrastructure is to separate the ICS network from the corporate network, because the nature of the traffic on the two networks is different.

Networks should be segregated according to the Site Owners’ business levels. In any case, ICS should sit in a network segment separate from business systems and from development and application test systems, and the network should be segregated both horizontally (between areas at the same level) and vertically (between levels). Network firewalls and VLANs should be implemented and reviewed to control traffic between networks, restrict connectivity to and from internal networks serving sensitive functions, and prevent unauthorized access to critical systems and areas. Note that a VLAN alone only provides logical separation; the policy between VLANs must still be enforced by a firewall, otherwise a misconfigured switch port is enough to cross the boundary.

Traffic must not pass directly from the control network to the corporate network; it should terminate in the DMZ and be relayed from there by a DMZ server. Any protocol allowed between the control network and the DMZ should not be allowed between the DMZ and the corporate network (and vice versa), so that no single protocol can be used to traverse both boundaries. All outbound traffic from the control network should be restricted by source, destination, service and port, using explicit allow rules with a default deny. Outbound packets from the control network or the DMZ should be allowed only if their source IP address is one actually assigned to control network or DMZ devices (egress anti-spoofing filtering).

Network device logs should be monitored regularly; in particular, firewall and ICS logs should be checked daily by the plant’s IT Manager. Network security monitoring is valuable for characterizing the normal state of the ICS and can reveal compromised systems when signature-based technologies fail: ICS traffic is highly repetitive, so a new host, a new protocol or a new connection between existing hosts stands out against the baseline even when no signature matches. Additionally, comprehensive system monitoring, logging and auditing should be implemented to support troubleshooting and any necessary forensic analysis; logs should be forwarded to a central collector so that an intruder cannot erase the local copies.
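The baseline approach described above, as an added example that is not part of the original article: the script learns the set of accepted flows from a quiet learning window of firewall logs and then flags, in a later window, hosts never seen before, known hosts on new ports, and bursts of denied connections that look like a probe. The log format, the addresses and the log lines are constructed for the example and do not reproduce any vendor’s real log format.

```python
# Added example (not from the Inaccess article): learns the normal set of
# accepted flows from a firewall log window and flags deviations in a later
# window. The log format and all addresses below are constructed for the
# example and do not correspond to any vendor's real log format.
import re

# Constructed format: "<timestamp> FW <ACCEPT|DROP> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) FW (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$")

# Learning window: normal plant traffic (constructed sample lines).
BASELINE_LOG = """\
2022-01-10T08:00:01 FW ACCEPT src=10.10.2.20 dst=10.10.1.10 proto=tcp dport=502
2022-01-10T08:00:05 FW ACCEPT src=10.10.3.40 dst=10.10.1.10 proto=tcp dport=502
2022-01-10T08:00:09 FW ACCEPT src=10.10.3.30 dst=10.10.1.10 proto=tcp dport=502
2022-01-10T08:00:12 FW ACCEPT src=10.10.3.30 dst=10.20.0.5 proto=tcp dport=4840
2022-01-10T08:00:20 FW ACCEPT src=10.10.2.20 dst=10.10.3.30 proto=tcp dport=5432
"""

# Window under review (constructed): one new port from a known host, and one unknown
# host that first probes the PLC and is then allowed through to Modbus.
REVIEW_LOG = """\
2022-01-17T09:14:01 FW ACCEPT src=10.10.2.20 dst=10.10.1.10 proto=tcp dport=502
2022-01-17T09:14:03 FW ACCEPT src=10.10.3.40 dst=10.10.1.10 proto=tcp dport=44818
2022-01-17T09:15:10 FW DROP src=10.10.9.99 dst=10.10.1.10 proto=tcp dport=22
2022-01-17T09:15:11 FW DROP src=10.10.9.99 dst=10.10.1.10 proto=tcp dport=23
2022-01-17T09:15:12 FW DROP src=10.10.9.99 dst=10.10.1.10 proto=tcp dport=80
2022-01-17T09:15:30 FW ACCEPT src=10.10.9.99 dst=10.10.1.10 proto=tcp dport=502
2022-01-17T09:16:00 FW ACCEPT src=10.10.3.30 dst=10.20.0.5 proto=tcp dport=4840
this line is not a firewall record and is skipped
"""


def parse(log_text):
    """Yield (ts, action, src, dst, proto, dport) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["action"], m["src"], m["dst"], m["proto"], int(m["dport"]))


def build_baseline(log_text):
    """The set of (src, dst, proto, dport) tuples accepted during the learning window."""
    return {(src, dst, proto, dport)
            for _, action, src, dst, proto, dport in parse(log_text) if action == "ACCEPT"}


def detect(log_text, baseline, scan_threshold=3):
    """Return (ts, kind, detail) findings: flows outside the baseline and probe-like drop bursts."""
    known_talkers = {src for src, _, _, _ in baseline}
    dropped_targets = {}
    findings = []
    for ts, action, src, dst, proto, dport in parse(log_text):
        key = (src, dst, proto, dport)
        if action == "ACCEPT":
            if key not in baseline:
                # A host never seen before is a stronger signal than a known host on a new port.
                kind = "new talker" if src not in known_talkers else "new flow"
                findings.append((ts, kind, key))
        else:
            dropped_targets.setdefault(src, set()).add((dst, dport))
    # Many distinct denied destinations from one source looks like reconnaissance.
    for src, targets in dropped_targets.items():
        if len(targets) >= scan_threshold:
            findings.append((None, "possible scan", (src, sorted(targets))))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in detect(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(kind, ts, detail)
```

Running the script prints three findings for the review window: a new flow from the engineering workstation on a port it never used before, a new talker reaching the PLC on Modbus, and a possible scan from the same unknown address. None of these would trigger a signature; all three are deviations from the learned baseline, which is the point made above. In practice the learning window must be long enough to cover maintenance activity, otherwise legitimate but infrequent flows will be reported every time they recur.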

An Intrusion Detection System (IDS) should also be in place to monitor events on the ICS network or its hosts and to identify a potential intruder. The two most common types are network-based IDS, which monitors network traffic, and host-based IDS, which monitors characteristics of a single system (log files, configuration changes, access to sensitive data). In an ICS network the sensor should normally be passive, fed from a SPAN port or a network tap, so that a false positive can never interrupt the process. All network equipment should be physically protected and placed in a control center to which only authorized persons have access.

Access to all Industrial Control Systems should be restricted to authorized users, with secure log-on procedures and session time-outs. In addition, default passwords should be changed immediately, multi-factor authentication should be enabled and password complexity should be enforced on all critical ICS systems. Finally, all remote access should take place via a Virtual Private Network (VPN), through a jump host where appropriate, and only for persons authorized by their domains.

One of the most common reference architectures for ICS systems is the Purdue Model. It is referenced by organizations such as NIST, ENISA and SANS as a recommended practice for structuring and securing the systems architecture and network of an ICS environment. The Purdue Model helps secure industrial communication by dividing the architecture into levels and defining how equipment in the field interacts with the corresponding processes and with the levels above it. In other words, the model gives a clear picture of the different levels found in production lines and of how they are secured in critical infrastructure. Properly implemented, it creates the necessary safeguards between ICS and IT systems.

The levels of the Purdue Model (Levels 0 to 5, plus the Level 3.5 DMZ) into which the ICS assets should be categorized in the asset inventory are described below.

Level 5: Enterprise (Enterprise Zone)

This level includes corporate IT infrastructure systems and applications such as VPN remote access and corporate Internet access services. Direct communication between systems in the Enterprise Zone and the ICS environment is discouraged because of the risk it would expose the organization to; access into the ICS environment is managed through a Demilitarized Zone (DMZ).

Level 4: Site Business Planning and Logistics (Enterprise Zone)

This level includes IT systems that deal with reporting, scheduling, inventory management, capacity planning, operational and maintenance management, e-mail, telephone and printing services. The services, systems and applications in Levels 4 and 5 are normally managed and operated by the IT Department of the organization.

Level 3.5: Demilitarized Zone (DMZ)

Here we find security systems such as firewalls and proxies that separate the IT and ICS worlds. Note that a DMZ is not an air gap: it is a controlled, mediated connection, and its value depends on every flow terminating on a DMZ server rather than passing through. The level also includes systems such as:

  • Remote Access Server
  • Patch Management & Update Server
  • IDS

Level 3: Site Manufacturing Operations and Control (Manufacturing Zone)

In this level we find the systems responsible for managing plant operations in order to produce the desired end product. Applications, services and systems found here include:

  • Data historian
  • Engineering workstations
  • Network File servers
  • IT services such as DNS, DHCP, Active Directory, and NTP
  • Remote access services

The systems and applications in Level 3 communicate with the Enterprise Zone only through the DMZ; direct communication between systems in the Manufacturing and Enterprise zones is not allowed. Systems in Level 3 may also communicate with systems in the lower levels (2, 1 and 0).

Level 2: Area Supervisory Control (Manufacturing Zone)

This level includes the manufacturing operations equipment for an individual production area, such as:

  • Human Machine Interfaces (HMI)
  • Alarms/Alert systems
  • Control room workstations

These systems communicate with systems in Level 1 and with the rest of the Manufacturing Zone, and they interface with the Enterprise Zone only through the DMZ.

Level 1: Basic Control (Cell/Area Zone)

In Level 1 we find the process control equipment that receives input from sensors, processes it using control algorithms, and sends output to a final control element. Devices at this level perform continuous, sequence, batch and discrete control. Typical devices are Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU). They run vendor-specific operating systems and are programmed and configured from engineering workstations, which is why a compromised engineering workstation can alter controller logic directly and why those workstations deserve particular attention in the review.

Level 0: Process (Cell/Area Zone)

Level 0 includes the sensors, actuators and instrumentation that directly connect to and control the manufacturing process. These devices are controlled by the devices in Level 1.
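To make the segmentation rules above concrete, here is an added example that is not part of the original article. It ties the asset inventory (each asset tagged with its Purdue level) to the firewall rules described earlier: control and corporate networks must not talk directly, every cross-boundary flow must be explicitly approved by source, destination, service and port, a protocol used on the control side of the DMZ must not also be used on the corporate side, and a packet leaving a segment must carry a source address that belongs to that segment. The inventory, addresses, protocols, allowlist and sample flows are all constructed for the example.

```python
# Added example (not from the Inaccess article): a checker that applies the
# segmentation rules described above to a list of observed flows. Inventory,
# addresses, protocols and flows are constructed sample data; the three
# firewall-facing segments are derived from each asset's Purdue level.
import ipaddress
from dataclasses import dataclass

# Purdue level -> segment as seen by the boundary firewalls: levels 0-3 form the
# control network, level 3.5 is the DMZ, levels 4-5 are the corporate network.
SEGMENT_OF_LEVEL = {0: "control", 1: "control", 2: "control", 3: "control",
                    3.5: "dmz", 4: "corporate", 5: "corporate"}

# Address space assigned to each segment (assumed for the example).
SEGMENT_NETS = {"control": ipaddress.ip_network("10.10.0.0/16"),
                "dmz": ipaddress.ip_network("10.20.0.0/16"),
                "corporate": ipaddress.ip_network("10.30.0.0/16")}


@dataclass(frozen=True)
class Asset:
    name: str
    level: float
    ip: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    egress: str  # segment whose boundary firewall saw the packet leave


# Constructed asset inventory entries (name, Purdue level, address).
INVENTORY = [Asset("plc-01", 1, "10.10.1.10"), Asset("hmi-01", 2, "10.10.2.20"),
             Asset("historian", 3, "10.10.3.30"), Asset("dmz-historian", 3.5, "10.20.0.5"),
             Asset("dmz-patch", 3.5, "10.20.0.6"), Asset("erp-01", 4, "10.30.4.40"),
             Asset("vpn-gw", 5, "10.30.5.50")]

# Explicitly approved cross-segment flows: (src, dst, service, port). Anything
# else that crosses a boundary is a finding (default deny).
ALLOWLIST = {("10.10.3.30", "10.20.0.5", "opcua", 4840),
             ("10.20.0.5", "10.30.4.40", "https", 443),
             ("10.20.0.6", "10.10.2.20", "https", 443)}


def segment_of(ip, inventory=INVENTORY):
    """Segment from the asset's Purdue level if inventoried, else from its subnet, else None."""
    for a in inventory:
        if a.ip == ip:
            return SEGMENT_OF_LEVEL[a.level]
    addr = ipaddress.ip_address(ip)
    return next((seg for seg, net in SEGMENT_NETS.items() if addr in net), None)


def check_flows(flows, allowlist=ALLOWLIST, inventory=INVENTORY):
    """Return (flow_or_proto, reason) findings for every rule the flows violate."""
    known = {a.ip for a in inventory}
    pairs_by_proto = {}
    findings = []
    for f in flows:
        # Egress anti-spoofing: a packet leaving a segment must carry that segment's address.
        if ipaddress.ip_address(f.src) not in SEGMENT_NETS[f.egress]:
            findings.append((f, f"source {f.src} is not a {f.egress} address: spoofed or misrouted"))
            continue
        if f.egress == "control" and f.src not in known:
            findings.append((f, "control-network source is not in the ICS asset inventory"))
        s, d = segment_of(f.src, inventory), segment_of(f.dst, inventory)
        # Control and corporate networks must never talk directly; traffic terminates in the DMZ.
        if {s, d} == {"control", "corporate"}:
            findings.append((f, "direct control<->corporate traffic; must terminate in the DMZ"))
        if s != d:
            # Cross-segment traffic must be explicitly permitted by source, destination, service and port.
            if (f.src, f.dst, f.proto, f.port) not in allowlist:
                findings.append((f, "cross-segment flow not on the explicit allowlist"))
            pairs_by_proto.setdefault(f.proto, set()).add(frozenset((s, d)))
    # A protocol permitted control<->DMZ must not also be permitted DMZ<->corporate (and vice versa).
    for proto, pairs in pairs_by_proto.items():
        if {frozenset(("control", "dmz")), frozenset(("dmz", "corporate"))} <= pairs:
            findings.append((proto, "same protocol spans both boundaries: no protocol break in the DMZ"))
    return findings


# Constructed sample flows: the first two are the approved two-hop path, the rest are violations.
SAMPLE_FLOWS = [Flow("10.10.3.30", "10.20.0.5", "opcua", 4840, "control"),
                Flow("10.20.0.5", "10.30.4.40", "https", 443, "dmz"),
                Flow("10.10.3.30", "10.30.4.40", "smb", 445, "control"),   # historian straight to ERP
                Flow("10.30.5.50", "10.10.2.20", "rdp", 3389, "control"),  # corporate address leaving control
                Flow("10.10.9.99", "10.20.0.6", "https", 443, "control"),  # unknown device on control net
                Flow("10.20.0.6", "10.10.2.20", "https", 443, "dmz")]      # approved, but same proto as hop 2

if __name__ == "__main__":
    for item, reason in check_flows(SAMPLE_FLOWS):
        print(f"{reason}: {item}")
```

The approved path (historian to the DMZ historian over OPC UA, DMZ historian to the ERP over HTTPS) produces no findings. The last sample flow is on the allowlist and still gets reported, because once the patch server also speaks HTTPS into the control network the same protocol spans both DMZ boundaries; that is exactly the protocol-break rule, and it is the kind of violation a rule-by-rule firewall review tends to miss because each individual rule looks reasonable.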


INACCESS Architecture Review Methodology

The Architecture Review process ensures that the ICS infrastructure and SCADA application architecture adequately meet all relevant security and compliance requirements and sufficiently mitigate the identified security threats. The INACCESS Architecture Review Methodology consists of two main phases, described below: Phase I, ICS Network Architecture Review, and Phase II, ICS Application Security Review.

Phase I- ICS Network Architecture Review

The main goals of this phase are to:

  • verify that all applicable security and compliance requirements are effectively taken into account during the design phase of the ICS architecture
  • verify that appropriate technical controls are in place against typical and specific threats of the ICS infrastructure
  • propose the appropriate mitigation / improvement actions for all identified gaps and areas of non-compliance with the plant-specific security and compliance requirements

Overview of the ICS Network Architecture Review methodology's Phase I by Inaccess.


Phase II - ICS Application Security Review

In this phase, the goals are to:

  • verify that all applicable security and compliance requirements are effectively taken into account during the configuration of the ICS applications (e.g. HMI, CMS)
  • verify that any known vulnerabilities are properly identified and the appropriate mitigation actions are taken
  • verify that appropriate technical controls are in place based on the criticality of the plant
  • verify that the authorized communication flows between the applications and the other field components are identified and approved
  • verify that only secure protocols are used
  • verify that the application security features (e.g. password complexity, multi-factor authentication, encryption) are in place and configured according to best practices
  • propose the appropriate mitigation / improvement actions for all identified gaps and areas of non-compliance with the plant-specific security and compliance requirements

Overview of the ICS Network Architecture Review methodology's Phase II by Inaccess.



Need help in reviewing your ICS infrastructure and SCADA application architecture?  Contact us!