Home / Blog / Evolving ICSnetwork infrastructure

Evolving ICSnetwork infrastructure

Posted on 10/13/2015, by INCIBE
employee in a manufacturing plant

Just as with devices and software, and as was commented in other articles (“The evolution of software in industrial control systems” and “Device evolution in industrial control systems”), the evolution of infrastructures within control systems has also been noteworthy. This evolution has brought about progress and advances that have led to improvements in system and communication security within the organisation.

In industrial control systems evolution becomes evident over time, mainly affecting network infrastructures.  These advances have primarily been centred around network segmentation and fortification by using mechanisms and devices that, if correctly configured, enable access and communication in a much more secure manner.

Among the network devices utilised to minimise the risk of possible system intrusions, some that stand out are smart switches (layer-3), routers with access control lists, firewalls, network building such as DMZs (demilitarized zones), IDS, IPS and data diodes. Nowadays many companies have implemented security measures that they did not have before. This has happened thanks to awareness-raising concerning industrial cybersecurity, and to the standards that make using these devices mandatory in many environments.

Security and design plan for a fortification strategy

In order to select the devices that are going to be integrated into a network, it is crucial to carry out an asset analysis and to identify the resources, procedures and activities considered essential to the production process within the industrial control system. In response to this need we can find ISA-95 which was developed to tackle the potential problems we might encounter when developing a segmentation strategy between enterprise and control systems.

The ISA-95 defines 5 levels for industrial companies:

ISA-95 Levels

- ISA-95 Levels -

ISA-95 offers many advantages, among which stand out:

  • Cost reduction: It can be used as a method for drawing a new line of work serving to identify the most vulnerable systems and devices as well as the most intricate networks to segment. This way, it is easier to focus efforts and investments on the most important issues.
  • Reducing risks and preventing errors from occurring: Carry out a risk analysis involving the company’s assets and define a series of countermeasures as well as a combination of good practices, measures and protocols to be followed for reducing the impact of risks.
  • Improved communications: The use of standardised technical terminology helps companies to interact with external professionals in terms of more accurately describing functions, activities and departments.

 

Network design and implementation of a security plan

Once appropriate devices for the network have been identified, it is crucial to correctly position and configure them in order to take full advantage of the resources they have to offer. Properly segmenting a network offers us a degree of security against potential system intrusions that we would not be able to achieve if all company networks were linked. This design will take into consideration the protocols involved in order to offset their possible weaknesses.  In this regard, INCIBE offers the following guide: “Protocols and network security in ICS infrastructures” which can be useful.

Segmentation

In order to achieve network segmentation it is important to use firewalls, IPS (Intrusion Prevention Systems), IDS (Intrusion Detection Systems), data diodes or properly configured switches.

With regard to switches, if it is possible to use VLANs it is a good practice to properly configure these logical networks within the same physical network for the segmentation of existing traffic.

Firewalls must separate elements of varying criticality and, depending on the network where they are located, apply security measures that are more or less stringent in terms of the accesses and ports open to network traffic.

 

Control of communication flow
If using data diodes to control the direction of traffic, it is important to remember that this type of device only allows for unidirectional data flow. For this reason, networks such as the DMZ always be a diode destination data because should not initiate communications. An Operational Technology (OT) network, as we will see later on images, is the best network to install these devices on. These devices are generally used in nuclear plants and in military facilities.

Traffic inspection
Other elements that are necessary for proper configuration are IPS and IDS. Their use depends on whether we are looking to simply inspect traffic using IDS, or, if apart from inspection we also wish to cut communications using IPS upon detecting certain unusual browsing behaviour.

Logging and analysing events: SIEM
The combination of all of the previously discussed mechanisms will offer both IT and OT networks a fairly high degree of security against potential intrusions. Or, if an attacker is able to break into the system, said mechanisms will ensure that the intrusion is restricted to one segment, thus preventing the attacker from jumping between networks while detecting all access attempts made. Another advantage that the abovementioned devices offer us in the face of intrusions is the capacity for data analysis. This is due to the fact that traffic analysis gathered by these devices following an intrusion would provide us with adequate information for improving our network segmentation. This would be done by detecting existing potential vulnerabilities and classifying the most critical devices or processes that an attacker would try to gain access to.

Some functional examples
2 images will be displayed below. Both images include examples of network segmentation with varying degrees of security. The first image shows simple network segmentation, while the second image a more complex segmentation. The latter example uses almost all of the mechanisms and devices previously mentioned. It is important to point out that firewalls are able to perform the same tasks as IPS or IDS if necessary and depending on both the position we are in and the system’s necessities.

Example of simple network segmentation

- Example of simple network segmentation -

Example of a more complex network segmentation

- Example of a more complex network segmentation -

As can be observed in both images, the concept of air gap is not utilised owing to evidence showing that it is not efficient in relation to the security it offers.

On the other hand, the use of network islands (work cells that are not interconnected), is appealing when a company has different sites that have stations. This could be the case with a construction company that needs remote terminals at each of their work sites in order to communicate with a central hub through which the data gathered can be handled.

With regard to communications security, industrial control systems are evolving towards using increasingly more secure communications. Extra security can be added by using encryption on some of the OSI layers or, as with the application layer, it is possible to segment traffic by specifying industrial protocols (Modbus TCP/IP, DeviceNet, Ethernet IP, OPC, etc.) thanks to the use of DPI (Deep Packet Inspection) firewalls. For instance, with Modbus TCP/IP it is possible to define a rule that prevents a master from running the function codes 05 write coil and 06 write register on a slave. If using OPC to communicate, the firewall is responsible for assigning one single port to OPC in order to carry out secure communications between clients and servers.

Conclusions

Below is a tabular summary which includes the trends and evolutions that your industrial control system network has undergone. 

Table

An investment in security: always necessary and...costly?

Finally, it is important to point out the different possibilities that are currently available in terms of securing networks with proper segmentation without having to resort to acquiring costly devices. In the current market there are rather affordable hardware options such as raspberry pi that, when combined with Linux distributions that are specialised in the implementation of firewalls such as IPCop or IPFire, allow for creating a firewall at a very affordable price. Understandably, making budget cuts when it comes to security is an issue that must be very carefully evaluated. Regardless of product costs or quality, however, we must always conduct a very thorough configuration, a proper design, a review and regular security updates on facilities.