IT Security Consultant, Control System Security Consultant, Network Security Consultant, IT Audit and Security Compliance Consultant

Switch to desktop Register

Layers Segregation of ICS

Defense-in-Depth Management with ICS Segregation Layers

Align with the more integrated and distributed ICS environment, consist of so many devices and systems entities, connected through open protocol with the COTS server and computing environment platform, the more concrete solutions to handle each parts of the entities has become more difficult.

The segregation layers of level hierarchy on the ICS environment as per stated by IEC 62443 has give the professional ICS players a better way of system management and security defense-in-depth architecture.

Refer to IEC 62443,following are the hierarchy layers of ICS environment:

• Layer 4: Business Network

• Layer 3: Historian/PI/Apps Server/SCADA/DMC

• Layer 2: DCS/Control Server

• Layer 1: Basic Control Devices, DCS Controllers, PLC, RTU

• Layer 0: Process I/O Devices

From the cyber security on ICS perspective, the main concerns of ICS cyber security assurance is reside on Layer 1, 2 and 3, with Layer 3 and 4 interface architecture & configuration is also becoming one of the critical concern on this perspective.

Defense-in-Depth Architecture

Adopting the concept of Defense-in-Depth in IT world, the ICS environment security architecture should also designed by implementing secure gateway and filtering point for each layer interconnection.

The use of router, switch and also firewall have been the most common platform of Defense-in-Depth architecture in ICS layers networking segregation. The static route deployment along with IP address and MAC address lock assignment will give more confidence on ensuring the AAA of the system operations.

Protecting the channel for unauthorized use also can be implemented by managing the port and protocol based on actual purpose. Access control management to the networking devices and computing environment should also be governed and managed.

Defense-in-Depth is not just only concerning about how we design the system to be as secure as possible, but also concerning on how we run the system in operations phase.

Last Updated on Wednesday, 20 June 2012 04:33

The Modern ICS Environment

F ully integrated ICS environment, with the DCS or SCADA as the main top control and supervision platform, has bring the new way of running the plant. Monitoring and control functions can be done from one place, leverage the efficiency of the supervision and control activities, and one window for plant activities and changes parameter can be centralized with better management.

The core platform that being used by the modern ICS era are COTS and open platform. COTS (Commercial-off-the-shelf) means the use of products technology such as hardware and software that available commonly on public market, such as Windows operating system, VB platform, Office applications, .NET environment, anti virus application and definition, server platform, UNIX/LINUX environment etc. While the Open platform means the use of open protocol such as ModBus, Ethernet TCP/IP, FF, HART, etc. as the common backbone protocol for devices communications within the ICS environment. The use of the above concept of technology has bring the inherent security concerns to the ICS environment.

The deep analysis against the SWOT of the existing ICS environment against the cyber threats including virus and malware attacks, emergency response readiness (BCP/DRP), vulnerabilities and threats analysis, risk and network assessment, etc. should be put on the top urgent tasks if we want to ensure the security assurance of the ICS.

The integration of IT and ICS in term of operations and technology backbone has bring the inherent risks from IT into the ICS environment

Last Updated on Wednesday, 20 June 2012 04:13

Evolution of ICS

The First Era of Control System

Back to 60's to 70's era, where the computer technology still on the earliest stage of its invention. The Industrial Control System (ICS) just started the journey with the first Distributed Control System (DCS) that was launched on 1975.

Honeywell and Yokogawa started to produce their own DCS, TDC 2000 and CENTUM, back to that time. By using panel based control system, analog signal and pneumatic control as the core technology.

This environment is an isolated system from cyber security perspective. Relatively secure system with type of access from logical channel is not available. Physical access control is the main control point in order to restrict the system perimeter.

Some plants still using this kind of technology, with the obsolescence issue behind the operations. Most of this type of system have been upgraded into the more advance system, for easier operations, maintenance and integration of the control system environment.

Summary of the core technology on this era:

> Push buttons
> Single loop controls
> Stand alone
> No networks
> No communication

The Legacy Era

Move to the 80's era when some major automation controls company developed and produced their new DCS product, the panel based control era has been shifted into the legacy era, with proprietary infrastructure (protocol, communication framework, devices control, etc.) as the major platform.

The integration within the same platform of control system has gave more integration and distribution on the operations during this era. But it still limited by the use of proprietary communication protocol that can communicate only with its own devices platform. No open protocol was available to use to integrate the cross platform.

Nevertheless, this technology has gave the solution to deal with more spread out site operations and more complex process control coverage.

From cyber threat perspective, this system is “exploitable – but not a trivial task”. Since the core technology is using proprietary platform, only someone that has deep knowledge on this type of product that may have ability to "explore more" against the system.

Summary of the Legacy Era Technology

> Proprietary network
> Proprietary Operating System
> No Ethernet or common open protocol
> No Intranet connections

The Modern Era of ICS

The milestone of this era was started on 90's, with the invention of the Ethernet protocol and some other common open protocol as one of the trigger of the advance integration and distribution of the ICS environment. Also the use of common server platform with Windows based Operating System has became another catalyst of having open era of ICS.

The major DCS principles, such as Honeywell, Yokogawa, Emerson, Bailey have been playing such a significant roles on building the open technology against their product. By allowing communication interface using Ethernet TCP/IP platform, it has opened the fully distributed system with the cross platform interconnection. Nowadays, the use of microwave, satellite and fiber optic as physical communication media can be connected easily into the Ethernet platform. The broader coverage area and remote site locations can be supervised centrally, unmanned platform is no more an operations obstacle.

But on top of all the open protocol and common system platform, there is one heritage that will always threatening, the cyber security concern. From cyber security perspective, this modern era has become the huge challenge to ensure the security. The system is readily exploitable , with the inherent vulnerabilities and threats that came as one part of the open platform.

The core technology from this modern era are:

Open protocols, Ethernet everywhere, Remote configuration, Windows environment, Unix/Linux platform, Integrated system

Last Updated on Wednesday, 20 June 2012 03:03

Industrial Control System Overview

What is Industrial Control System (ICS)

ICS is refer to automation control system that cover varies of system which has the main function to:

• Control the plant entities

• Ensure the plant safety operations

• Plant monitoring and surveillance

ICS typically used in some critical industries such as Oil and Gas, Petrochemical, Power Plant, Nuclear Plant, Discrete Manufacturing (automobile, aerospace), etc.

For those industries, the ICS has the core function to ensure the business continuity operations on the daily production operations of the company. That's why the ICS become one of the critical infrastructure that should put more concern, in term of reliability performance, maintenance standard, and also cyber security compliance.

Millions dollar can be suffered by couple of hours shutdown ICS system in some critical industries infrastructure, such as in oil production system. Also the worst impact can be safety fatality (injury or death of people) due to an error on ICS operations, e.g. in nuclear plant with sensitive materials being treated that needs secure operations including system security assurance against cyber threat.

ICS infrastructure typically took around 15% of the whole project cost in common Oil and Gas Plant project, but during the operational phase, the suffering cost of the malfunction ICS infrastructure can bring the whole plant shutdown, and can end up with worse impact especially if fatality incident happens.

Nowadays, the integration between each entities on the ICS environment has become the advantage on managing the plant production operations. The interconnected DCS and SIS system will give more value on controlling the plant and ensuring the safety operations. The custody transfer monitoring aspects can be done by just sitting in front of on operator station in central control room. Basically, one integrated control station has give the more manageable and efficient supervision of the whole plant entities.

By the changes of the technology, especially computerize infrastructure, and the use of open protocol in the ICS environment, it has bring also the inherent risk of having the typical vulnerabilities and threats that reside on IT common infrastructure. And this is still be the BIG homework for the ICS professionals on how to deal with this real challenges.

Last Updated on Wednesday, 20 June 2012 03:22

Page 1 of 7

Start
Prev
1
2
3
4
5
6
7
Next
End

Top Desktop version