13 July, 2006

A vision of an Ideal Process Security Environment

What the Operator should have to do
  • Install preconfigured networking hardware
  • Install Primary DCS server
  • Install USB device provided by vendor
    Follow wizard to generate keys
    Lock USB device away just in case
    Follow wizard to identify networking hardware and other key settings/trusts
    If desired, integrate with the MOC process/software for the desired level of control
  • Physically install new PLCs
  • Go to the configuration screen and accept the PLCs individually
    Discover devices on the legacy PCN and accept them into the system
  • Operate/engineer as normal

PLCs have default communication access mechanisms to ensure that they receive commands only from the proper locations.

  • Asymmetric key pair (very likely to be hard to administer, but still ideal)
    Installed in the factory
    Public key accessible to the purchaser, probably within the historian or DCS server via licensing
    Keys can be changed and updated via the appropriate DCS server on initial configuration and afterwards as needed
    This is used as an authentication mechanism to ensure that the PLCs do not communicate with any other systems. They use SSH or another tunnel to communicate with each other and with the DCS servers so that they are not easily subject to redirect attacks.
  • Host-level firewall configured to allow the PLC to receive and send communications only in specific ways. All other traffic is dropped without response. This does not need to actually be a firewall; it could be done with a customized stack that only allows specific communications.
  • Integrated SNMP (v3), syslog or similar capabilities for logging and alerts, configurable via an authenticated trusted source and preconfigured to supply security data to a remote point
  • Log ties changes to authentication source and authority
  • Failsafe settings can (but don’t have to) require local physical action to change
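As an added illustration of the key-based mechanism above (not code from the original post): a Go model of a controller that accepts commands only when they are signed by its configured authority, plus the rekeying step that moves a factory-fresh controller from the vendor default key to the site's Primary DCS security server key. The controller name, the command format, the "REKEY:" payload convention, the sequence-number replay check and the Ed25519 key pairs are all assumptions made for the example; the SSH-style tunnel the post mentions would wrap this exchange and is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Command carries the issuer's public key and a signature over (Seq, Payload);
// Seq is monotonic so a captured command cannot be replayed later.
type Command struct {
	Seq     uint64
	Payload string
	Signer  ed25519.PublicKey
	Sig     []byte
}

func (c *Command) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d|%s", c.Seq, c.Payload))
}

// Sign builds a command signed with the given private key.
func Sign(priv ed25519.PrivateKey, seq uint64, payload string) Command {
	c := Command{Seq: seq, Payload: payload, Signer: priv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(priv, c.signedBytes())
	return c
}

// keyID is a short fingerprint so log entries name the authorising key.
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:4]) }

// Controller models a PLC whose trust anchor was installed at the factory.
type Controller struct {
	Name      string
	Authority ed25519.PublicKey // the only key whose commands are accepted
	lastSeq   uint64
	Log       []string // every accepted change, tied to the key that authorised it
}

// Accept verifies a command against the current authority and logs it.
func (p *Controller) Accept(c Command) error {
	if !c.Signer.Equal(p.Authority) {
		return errors.New("signer is not the configured authority")
	}
	if !ed25519.Verify(c.Signer, c.signedBytes(), c.Sig) {
		return errors.New("bad signature")
	}
	if c.Seq <= p.lastSeq {
		return errors.New("stale sequence number (replay)")
	}
	p.lastSeq = c.Seq
	p.Log = append(p.Log, fmt.Sprintf("%s seq=%d key=%s %q", p.Name, c.Seq, keyID(c.Signer), c.Payload))
	return nil
}

// Rekey swaps the trust anchor. The request must be authorised by the current
// authority: the vendor default key hands a fresh controller to the site's
// Primary DCS security server, after which only the site key is honoured.
func (p *Controller) Rekey(c Command, next ed25519.PublicKey) error {
	if c.Payload != "REKEY:"+keyID(next) {
		return errors.New("rekey payload does not name the offered key")
	}
	if err := p.Accept(c); err != nil {
		return err
	}
	p.Authority = next
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario walks one controller from factory state through site onboarding.
// Keys are generated here for the example (real ones come from the vendor and
// from the site's key wizard); a nil result means the command was accepted.
func Scenario() (map[string]error, []string) {
	vendorPub, vendorPriv := mustKey() // vendor default key, installed at the factory
	sitePub, sitePriv := mustKey()     // Primary DCS security server key
	_, strangerPriv := mustKey()       // some other host on the network
	plc := &Controller{Name: "PLC-07", Authority: vendorPub}
	r := map[string]error{}
	r["vendor before rekey"] = plc.Accept(Sign(vendorPriv, 1, "SET valve_1 open"))
	r["unknown key"] = plc.Accept(Sign(strangerPriv, 2, "SET valve_1 open"))
	// The initial-configuration server, holding the vendor default key, switches the controller to the site key.
	r["rekey by vendor key"] = plc.Rekey(Sign(vendorPriv, 2, "REKEY:"+keyID(sitePub)), sitePub)
	r["vendor after rekey"] = plc.Accept(Sign(vendorPriv, 3, "SET valve_1 closed"))
	r["site after rekey"] = plc.Accept(Sign(sitePriv, 3, "SET valve_1 closed"))
	return r, plc.Log
}

func main() {
	results, log := Scenario()
	fmt.Println(results)
	fmt.Println(log)
}
```

Two points the model makes concrete: the log line names the key that authorised each change (the "log ties changes to authentication source" item), and the rekey message must name the key being installed and be signed by the current authority, so a stranger on the wire cannot use the rekey path to take over a controller.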

DCS servers

  • DCS servers (whether they are historians or more) have multiple layers of protection, all of which have configurations approved (and specifically defined) by the applicable vendors.
    A host-based firewall (HFW)
    Integrated communication authentication capabilities tied to the key structure used in the PLCs and elsewhere in the architecture.
    Integrated signature based IPS capability in the HFW with signatures driven from a trusted authenticated source.
  • Approved AV software with specific recommendation on DAT update mechanisms that are consistent with specific AV vendor methodologies
  • Behavior based IPS with DCS vendor approved configuration
  • Memory Protection/Control
  • Integrated management architecture
    Release management capabilities for servers, all software on them and for associated Controllers
    MOC (management of change) mechanisms with coordinated approval levels for changes on the server, for software and for controllers
    Might (should?) be integrated with AV and IPS update architecture
  • Primary/Secondary DCS security servers
    The primary DCS server serves as the center of the key architecture for the PLCs and as a security aggregation point for interfacing with external security and authentication
    Security functions should be on the normal central DCS server
    Capable of redundant configurations
  • Defined trust structure that will allow integration


The network is divided into several segments.

  • Firewall (or firewall IOS) controls access to all segments
    Stateful packet inspection
    Signature based NIPS capability
    Secure Remote Monitoring and update capability
    Dynamic redundancy capability
    Redundant devices (HA, VRRP, HSRP); load sharing is not strictly necessary
    Availability-biased failure behaviour for interfaces
    Industrialized/Static safe
    DCS vendor provides specific configurations for integration to their security architecture
  • NAC (or similar mechanism) used to control access to each segment
    NAC splits the segments into two separate VLANs, Trusted and Untrusted
    Trusted VLAN is home to configured, authenticated systems (using the key structure to provide automated authentication)
    Untrusted PCN has all traffic routed to an initial configuration DCS security server
    (Optional) Default untrusted network for devices that connect that do not even have a manufacturer's key or similar capability but still have direct
  • PIN Network (PCN DMZ)
    Serves as home to the historians and other DCS servers with open-loop control functions, or serving as data aggregation points for external feeds and monitoring
    Provides neutral zone between vendors
    Provides interface capability to control functions
  • PCN Network
    Home to PLCs and DCS servers with closed-loop control functions
    Authentication for communication via NAC, with the key architecture providing access authentication
    NAC splits the PCN into two separate VLANs, Trusted and Untrusted PCN
    Trusted VLAN is home to configured PLCs and systems
    Untrusted PCN has all traffic routed to an initial configuration DCS server
    (Optional) Default untrusted network for devices that connect that do not even have a manufacturer's key or similar capability but still have direct control functionality
    Separate PCNs possible for Redline (highly critical or safety-essential) systems
  • ESD Network
    Used as a protected network for Emergency Shutdown PLCs and associated servers/services
    Very tightly controlled access
    All changes logged, documented and tied to an engineering authority
    Home of the key fail safe mechanisms
  • (Optional) Monitoring Network
    Home of controllers that have monitoring-only capability and do not participate in closed-loop control functions
    Servers that provide outgoing data for troubleshooting and performance management
  • (Optional) Utility Network
    Home to support servers and systems that need integration with DCS systems but serve no actual control functionality
  • (Optional) Legacy Network

How it could work

The organization installs and configures the networking equipment in accordance with DCS vendor recommendations, leaving a legacy LAN (or LANs) for existing equipment. The Primary DCS security server is installed and configured, with the organization providing (or generating) its top-level key pair and backing it up securely. Network authentication is configured to the server.

New controllers are connected to the PCN or Monitoring network. They try to authenticate to the network and either succeed based on preconfigured factory keys, or fail and are routed to a secure server that uses the vendor default key to tell them they need to update their key pairs to ones provided by the Primary DCS security server. This could be automated, or the new devices could show up in an "unidentified" list that requires an operator to permit key distribution. The configured and identified controllers send/stream log data to the DCS security server along with their normal traffic. If a controller does not have the capability to handle a key, its MAC is used to assign it to a legacy PCN and allow future access from that separate, controlled VLAN.

Controller software and possibly firmware updates are periodically checked and updated (after engineering authority approval) from the Primary DCS server. Trust relationships are strictly controlled and limited to information access in the default settings. All setting changes are logged, and can be configured to require a vote for permission from the system authority. There are different levels of change capability for operators, for administrators and for MOC approval.
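The NAC decision described for the PCN segment and the onboarding sequence just described, as an added example that is not part of the original post: a Go sketch of the classification a Primary DCS security server would make for each connecting device. A valid challenge response under a key the server already knows (site-issued, or a factory key registered through licensing) goes to the trusted VLAN; a valid response under a vendor default key goes to the untrusted VLAN whose traffic is routed to the initial-configuration server; a keyless device whose MAC is on the legacy list goes to the legacy PCN; everything else lands on the "unidentified" list for an operator. The segment names, the challenge-response shape, the MAC addresses and the key pairs are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Segment is the VLAN the NAC places a connecting device into.
type Segment int

const (
	Quarantine   Segment = iota // "unidentified" list, waits for an operator decision
	TrustedPCN                  // configured, authenticated controllers
	UntrustedPCN                // all traffic routed to the initial-configuration server
	LegacyPCN                   // no key capability; admitted by MAC only
)

func (s Segment) String() string {
	return [...]string{"quarantine", "trusted-pcn", "untrusted-pcn", "legacy-pcn"}[s]
}

// Attempt is what the NAC sees when a device connects: its MAC and, for
// devices that have a key, a signature over the NAC's challenge nonce.
type Attempt struct {
	MAC      string
	Key      ed25519.PublicKey // nil when the device has no key capability
	Response []byte
}

// NAC holds the trust state the Primary DCS security server maintains.
type NAC struct {
	KnownKeys    map[string]ed25519.PublicKey // site-issued keys, or factory keys registered via licensing
	VendorKeys   map[string]ed25519.PublicKey // vendor default keys of not-yet-configured devices
	LegacyMACs   map[string]bool              // controllers accepted onto the legacy PCN
	Challenge    []byte                       // fresh nonce for this connection
	Unidentified []string                     // MACs awaiting an operator
}

// Classify decides the segment. Anything that does not positively match a
// known key, a vendor key or a registered legacy MAC is quarantined.
func (n *NAC) Classify(a Attempt) Segment {
	if a.Key != nil && ed25519.Verify(a.Key, n.Challenge, a.Response) {
		if _, ok := n.KnownKeys[string(a.Key)]; ok {
			return TrustedPCN
		}
		if _, ok := n.VendorKeys[string(a.Key)]; ok {
			return UntrustedPCN
		}
	}
	if a.Key == nil && n.LegacyMACs[a.MAC] {
		return LegacyPCN
	}
	n.Unidentified = append(n.Unidentified, a.MAC)
	return Quarantine
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs six constructed connection attempts through one NAC and
// returns where each landed plus the NAC (for its unidentified list).
func Scenario() (map[string]Segment, *NAC) {
	sitePub, sitePriv := mustKey()     // key issued by the site's security server
	vendorPub, vendorPriv := mustKey() // a vendor's factory default key
	roguePub, roguePriv := mustKey()   // a key the server has never seen
	n := &NAC{
		KnownKeys:  map[string]ed25519.PublicKey{string(sitePub): sitePub},
		VendorKeys: map[string]ed25519.PublicKey{string(vendorPub): vendorPub},
		LegacyMACs: map[string]bool{"00:11:22:33:44:55": true},
		Challenge:  []byte("constructed-nonce-0001"), // use random bytes per connection in practice
	}
	sign := func(priv ed25519.PrivateKey) []byte { return ed25519.Sign(priv, n.Challenge) }
	out := map[string]Segment{
		"configured controller":    n.Classify(Attempt{MAC: "00:aa:00:00:00:01", Key: sitePub, Response: sign(sitePriv)}),
		"factory-fresh controller": n.Classify(Attempt{MAC: "00:aa:00:00:00:02", Key: vendorPub, Response: sign(vendorPriv)}),
		"legacy controller":        n.Classify(Attempt{MAC: "00:11:22:33:44:55"}),
		"unknown key":              n.Classify(Attempt{MAC: "00:aa:00:00:00:03", Key: roguePub, Response: sign(roguePriv)}),
		"replayed response":        n.Classify(Attempt{MAC: "00:aa:00:00:00:04", Key: sitePub, Response: ed25519.Sign(sitePriv, []byte("old nonce"))}),
		"keyless unknown MAC":      n.Classify(Attempt{MAC: "de:ad:be:ef:00:01"}),
	}
	return out, n
}

func main() {
	out, n := Scenario()
	for name, seg := range out {
		fmt.Printf("%-26s -> %s\n", name, seg)
	}
	fmt.Println("awaiting operator:", n.Unidentified)
}
```

The default is deny: a device presenting a valid signature under a key the server has never seen is quarantined rather than trusted, a response captured from an earlier connection fails against the fresh challenge, and a keyless device only reaches the legacy PCN if an operator has already registered its MAC.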
