Industry experts worldwide have struggled for a long time with the question of how to protect their industrial processes from catastrophic consequences caused by severe malfunction, manipulation, incorrect maintenance, mistaken actions or cyber-attack. Industrial processes serving water and sewage operations, power plants and a broad range of manufacturing facilities are supervised by Industrial Control Systems (ICS). ICS cyber experts know well that there is no single method, however advanced or expensive, that can provide absolute defense ("there is no silver bullet"). Furthermore, the intensive use of Industrial Internet of Things (IIoT) devices deployed across the production plant increases the risk. Therefore, cyber defense shall consist of several layers of protective measures, applicable to all levels of the Purdue model.
The traditional solution is to deploy firewalls, antivirus, a wide range of Intrusion Detection Systems (IDS), visibility analysis, encryption and authentication in order to prevent severe damage. While these methods are suitable for protecting the ICS operation, the obvious question asked by experts is whether these measures are strong enough to assure operating safety and reliability.
Layered defense across the plant
The Purdue model describes six levels in a typical organization (Level 0 to Level 5), of which only the three lowest (Level 0 to Level 2) belong to the ICS operation. When discussing ICS defense, however, we must consider seven zones, listed below:
- Level 3, where you may find manufacturing operation computers that monitor the plant process and store data.
- The data transfer zone between Level 2 and Level 3, which typically uses TCP-based protocols compatible with ICS.
- Level 2, where you find computers and HMIs that monitor and control the floor-level production process.
- The data transfer zone between Level 1 and Level 2: serial or Ethernet ports using standard ICS-compatible protocols.
- Level 1, where you find the Programmable Logic Controllers (PLCs) and remote I/O devices that control the machinery.
- The information transfer zone between Level 0 and Level 1, which typically carries analog or status signals and commands.
- Level 0, the zone where you actually find the sensors and actuators that monitor and control the local conditions.
While reviewing the ICS-related zones outlined above, you will instantly realize that each zone must be monitored with different methods, processes and tools precisely adapted to it.
- Computers at Level 3 are located in the Demilitarized Zone (DMZ) between the IT and ICS sections. These shall be protected from attacks by an antivirus and a host-based IDS adapted to the environment.
- To monitor the data transfer between Level 2 and Level 3, deploy a communication-oriented IDS that tracks the frequency of access, the IP addresses involved and the volume of the data flow.
- The HMI and engineering computers at Level 2 are in the ICS zone. These shall be protected by an antivirus and a network-based IDS that detect program changes and a variety of anomalies.
- To monitor the data transfer between Level 1 and Level 2, you may use a communication-oriented IDS that tracks the frequency of access, the IP addresses seen and the volume of the data flow. In legacy systems you may need a specific tool to monitor serial communication protocols.
- At Level 1 you shall protect the PLCs from direct access by a device in a foreign zone, and assure that neither the application program nor the operating system has been manipulated.
- The information transfer between Level 0 and Level 1 uses analog signals: 4-20 mA, 0-10 V, HART protocol, etc. In modern systems you may also find smart sensors and Intelligent Electronic Devices (IEDs) that use serial or TCP-based protocols. For strong monitoring of this zone you may have to add another PLC with enhanced processing capability, using out-of-band communication.
- The most critical sensors and control devices must be protected from manipulation, as someone might alter their wiring, change their mechanical position, replace them with a fake device, etc. As these devices have no or only very limited computing and authentication capabilities, they must be protected from unauthorized physical access and also by CCTV cameras conducting perimeter surveillance.
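The communication-oriented IDS described for the Level 2/Level 3 and Level 1/Level 2 transfer zones (access frequency, addresses, data volume) and the Level 1 rule that no device in a foreign zone may reach a PLC directly can be expressed as one flow-based check. The following is an added example, not code from the article or from any IDS product; the address plan, the conduit policy, the port numbers and the captured flows are all constructed assumptions.

```python
"""Zone-to-zone flow monitor for Purdue conduits.

Added example, not code from the article or from any IDS vendor. The zone map,
the conduit policy and the flow records below are constructed for illustration;
a real deployment would feed flows from a SPAN port or NetFlow/IPFIX.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed address plan: which subnet prefix belongs to which Purdue level.
ZONE_OF_PREFIX = {
    "10.3.": 3,  # site operations (historians, MES)
    "10.2.": 2,  # HMI and engineering workstations
    "10.1.": 1,  # PLCs and remote I/O
}

# Conduit policy: (source level, destination level) -> permitted TCP ports.
# Constructed for this example. 502 = Modbus/TCP, 44818 = EtherNet/IP,
# 102 = ISO-TSAP (S7comm). Level 3 never talks to Level 1 directly.
ALLOWED_CONDUITS = {
    (3, 2): {443, 44818},
    (2, 3): {443},
    (2, 1): {502, 44818, 102},
}


@dataclass
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int


def zone_of(ip):
    """Map an address to its Purdue level, or None for a foreign address."""
    for prefix, level in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return level
    return None


def monitor(flows, window=60.0, max_conns=20, max_bytes=5_000_000):
    """Return a list of (ts, kind, detail) alerts, in time order.

    Checks, in order: both ends belong to a known zone; the zone pair is an
    allowed conduit; the port is permitted on that conduit; then the access
    frequency and byte volume per (src, dst) pair within a sliding window.
    Each (src, dst, kind) fires once so a flood does not flood the operator.
    """
    alerts = []
    history = defaultdict(list)  # (src, dst) -> [(ts, nbytes)] inside window
    flagged = set()

    def alert_once(ts, kind, key, detail):
        if (key, kind) not in flagged:
            flagged.add((key, kind))
            alerts.append((ts, kind, detail))

    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz is None or dz is None:
            alert_once(f.ts, "foreign-address", key, f"{f.src}->{f.dst}:{f.dport}")
            continue
        ports = ALLOWED_CONDUITS.get((sz, dz))
        if ports is None:
            alert_once(f.ts, "conduit-violation", key,
                       f"L{sz}->L{dz} {f.src}->{f.dst}:{f.dport}")
            continue
        if f.dport not in ports:
            alert_once(f.ts, "unexpected-port", key, f"{f.src}->{f.dst}:{f.dport}")
            continue
        hist = history[key]
        hist.append((f.ts, f.nbytes))
        hist[:] = [(t, b) for t, b in hist if f.ts - t <= window]  # slide the window
        if len(hist) > max_conns:
            alert_once(f.ts, "access-frequency", key,
                       f"{len(hist)} connections in {window:.0f}s {f.src}->{f.dst}")
        total = sum(b for _, b in hist)
        if total > max_bytes:
            alert_once(f.ts, "volume", key,
                       f"{total} bytes in {window:.0f}s {f.src}->{f.dst}")
    return alerts


def sample_flows():
    """Constructed capture: normal HMI polling plus five kinds of misuse."""
    flows = [Flow(2.0 * i, "10.2.0.10", "10.1.0.5", 502, 200) for i in range(10)]
    flows.append(Flow(5.0, "10.3.0.20", "10.2.0.10", 44818, 1000))   # allowed L3->L2
    flows.append(Flow(7.0, "10.3.0.20", "10.1.0.5", 502, 300))       # L3 straight to a PLC
    flows.append(Flow(8.0, "192.168.50.9", "10.1.0.5", 502, 300))    # address from no zone
    flows.append(Flow(9.0, "10.2.0.10", "10.1.0.5", 22, 300))        # SSH to a PLC
    flows += [Flow(20.0 + 0.5 * i, "10.2.0.11", "10.1.0.5", 102, 200)
              for i in range(25)]                                    # engineering burst
    flows.append(Flow(35.0, "10.2.0.11", "10.1.0.5", 102, 6_000_000))  # bulk transfer
    return flows


def demo():
    return monitor(sample_flows())


if __name__ == "__main__":
    for ts, kind, detail in demo():
        print(f"t={ts:5.1f}  {kind:18s} {detail}")
```

Run against the constructed capture, the normal HMI polling and the permitted Level 3 to Level 2 flow produce nothing, while the Level 3 host reaching a PLC, the address outside every zone, the SSH attempt, the engineering burst and the bulk transfer each raise one alert. The conduit and port checks are deliberately evaluated before the rate checks: a flow that should not exist at all is a stronger signal than one that is merely too frequent.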
Risks and defense at the Purdue level 0 zone
According to the defense processes described in the last two items above (the Level 0 to Level 1 transfer zone and Level 0 itself), in order to cause an outage or damage the attacker must somehow reach the Level 0 zone. This can be done by an internally generated attack (access from within the ICS zone) or by an externally generated attack via the corporate IT. Therefore, ICS experts committed to protecting the Level 0 zone need special measures and methods. It is important to mention again that the intensive use of IIoT across the production plant increases the overall risk. The following describes how such defense can be achieved:
- Monitoring the analog signals and status conditions and detecting unusual changes, such as disconnecting and reconnecting wires or operating values outside the safety band; a good example of such a solution is the SigaPlatform™ anomaly detection system.
- Monitoring the critical signals using a second PLC with strong sampling capability and a second sensor, and analyzing anomaly conditions that the existing legacy-type PLC cannot detect.
- When an unusual condition is detected, these systems may generate an alarm that is instantly forwarded to the ICS operator and also to the network IDS monitoring the plant operation.
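The Level 0 checks just listed (wire disconnection and reconnection, values outside the safety band, a second sensor sampled by a second PLC) come down to a few rules applied to each sample of the loop current. The following is an added example, not code from the article or from SigaPlatform; the loop fault limits are the NAMUR NE43 values, while the engineering range, the safety band, the step and disagreement thresholds and the sample stream are constructed assumptions.

```python
"""Level 0 analog signal monitor for a 4-20 mA loop with a second, independent sensor.

Added example, not code from the article or from SigaPlatform. Loop limits
follow NAMUR NE43 (3.8-20.5 mA valid including saturation; below 3.6 mA or
above 21.0 mA signals a fault). The engineering range, safety band, thresholds
and the sample stream are constructed for illustration.
"""

NE43_LOW_FAULT = 3.6    # mA; below this the loop is open or the transmitter failed
NE43_HIGH_FAULT = 21.0  # mA; above this the loop is shorted or the transmitter failed


def ma_to_eu(ma, eu_min, eu_max):
    """Scale loop current to engineering units over the 4-20 mA span."""
    return eu_min + (ma - 4.0) * (eu_max - eu_min) / 16.0


def monitor_loop(samples, eu_min, eu_max, safe_band, max_step, max_disagree):
    """samples: iterable of (t, primary_mA, secondary_mA); returns [(t, kind, detail)].

    Four checks per sample:
      1. loop integrity of the primary (wire break / short), reported once per
         event, plus the reconnection after it, which is itself a notable event;
      2. value outside the process safety band;
      3. a step between consecutive samples larger than the process can physically move;
      4. disagreement with the independent second sensor (fake or displaced device).
    """
    alerts = []
    loop_open = False
    prev_eu = None
    lo, hi = safe_band
    for t, ma1, ma2 in samples:
        if ma1 < NE43_LOW_FAULT or ma1 > NE43_HIGH_FAULT:
            if not loop_open:
                alerts.append((t, "loop-fault", f"primary {ma1:.2f} mA outside NE43 range"))
                loop_open = True
            prev_eu = None          # no valid history across the fault
            continue
        if loop_open:
            alerts.append((t, "loop-restored", f"primary back at {ma1:.2f} mA"))
            loop_open = False
        eu1 = ma_to_eu(ma1, eu_min, eu_max)
        eu2 = ma_to_eu(ma2, eu_min, eu_max)
        if not lo <= eu1 <= hi:
            alerts.append((t, "out-of-band", f"{eu1:.3f} outside [{lo}, {hi}]"))
        if prev_eu is not None and abs(eu1 - prev_eu) > max_step:
            alerts.append((t, "step-change", f"{prev_eu:.3f} -> {eu1:.3f} in one sample"))
        if abs(eu1 - eu2) > max_disagree:
            alerts.append((t, "sensor-disagreement",
                           f"primary {eu1:.3f} vs secondary {eu2:.3f}"))
        prev_eu = eu1
    return alerts


# Constructed stream: pressure transmitter scaled 0-10 bar, one sample per second.
SAMPLES = [
    (0, 12.00, 12.00),  # 5.000 bar, both sensors agree
    (1, 12.10, 12.05),
    (2, 0.00, 12.10),   # primary wire disconnected
    (3, 0.00, 12.10),   # still open; no repeated alarm
    (4, 12.10, 12.10),  # wire reconnected
    (5, 12.20, 12.15),
    (6, 12.70, 12.20),  # primary drifts away from the second sensor
    (7, 18.00, 12.20),  # primary jumps to 8.75 bar; secondary still reads 5.1 bar
]


def demo():
    return monitor_loop(SAMPLES, eu_min=0.0, eu_max=10.0, safe_band=(2.0, 8.0),
                        max_step=0.5, max_disagree=0.3)


if __name__ == "__main__":
    for t, kind, detail in demo():
        print(f"t={t}s  {kind:20s} {detail}")
```

On the constructed stream the disconnection at t=2 and the reconnection at t=4 are each reported once, the drift at t=6 is caught only by the second sensor, and the jump at t=7 trips the band, step and disagreement checks together. Each alert tuple is what would be forwarded to the operator and to the network IDS; the second sensor is what makes a forged primary signal detectable at all, because a single manipulated transmitter can stay inside the band and move slowly enough to pass the step check.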
Summary and Conclusion
Strong cyber defense is achievable through adherence to the PPT triad (People, Processes, Technologies). When prioritizing cyber defense across all levels of the Purdue model, ICS cyber security experts shall make sure the selected measures properly address the risk management factors. Therefore, organizations must employ highly skilled people with a background in ICS technology. Deployment of cyber defense measures at Level 0 of the Purdue model helps achieve operating Safety, Reliability and Productivity (SRP).
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts; he periodically teaches in colleges and presents at industry conferences on the integration of cyber defense with industrial control systems. Daniel has over 27 years of engineering experience with ICS for electricity, water, gas and power plants, gained at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of the ICS Cybersec 2019 conference taking place on 16-9-2019 in Israel and of the Asia ICS Cyber Security conference taking place in Singapore on 7-11-2019.