- Install preconfigured networking hardware
- Install Primary DCS server
- Install USB device provided by vendor
  - Follow wizard to generate keys
  - Lock USB device away just in case
  - Follow wizard to identify networking hardware and other key settings/trusts
  - If desired, integrate to MOC process/software for the desired level of control
- Physically install new PLCs
- Go to Configuration screen and accept the PLCs individually
  - Discover devices on legacy PCN and accept them into the system
- Operate/engineer as normal
PLCs/Controllers
PLCs have default communication access mechanisms to ensure that they receive commands from the proper locations.
- Asymmetric key pair (very likely hard to administer, but still ideal)
  - Installed in the factory
  - Public key accessible to the purchaser, probably within the historian or DCS server via licensing
  - Keys can be changed and updated via the appropriate DCS server on initial configuration and afterwards as needed
  - This is used as an authentication mechanism to ensure that they do not communicate with any other systems. They use SSH or another tunnel to communicate with each other and with the DCS servers so that they are not easily subject to redirect attacks.
- Host-level firewall is configured to allow the PLC to receive and send communications only in specific ways. All other traffic is dropped without response. This does not need to actually be a firewall; it could be done with a customized stack that only allows specific communications.
- Integrated SNMP (v3), syslog or similar capabilities for logging and alerts, configurable via an authenticated trusted source and preconfigured to supply security data to a remote point
- Log ties changes to authentication source and authority
- Failsafe settings can (but don't have to) require local physical action to change
DCS servers
- DCS servers (whether they are historians or more) have multiple layers of protection, all of which have approved (and specifically defined) configurations from the applicable vendors.
  - A host-based firewall (HFW)
  - Integrated communication authentication capabilities tied to the key structure used in the PLCs and elsewhere in the architecture
  - Integrated signature-based IPS capability in the HFW, with signatures driven from a trusted authenticated source
- Approved AV software with specific recommendations on DAT update mechanisms that are consistent with the specific AV vendor's methodologies
- Behavior-based IPS with DCS vendor approved configuration
- Memory protection/control
- Integrated management architecture
  - Release management capabilities for servers, for all software on them and for associated controllers
  - MOC (management of change) mechanisms with coordinated approval levels for changes on the server, for software and for controllers
  - Might (should?) be integrated with the AV and IPS update architecture
- Primary/Secondary DCS security servers
  - The primary DCS server serves as the center of the key architecture for the PLCs and as a security aggregation point for interfacing with external security and authentication
  - Security functions should be on the normal central DCS server
  - Capable of redundant configurations
- Defined trust structure that will allow integration
Network
The network is divided into several segments.
- Firewall (or firewall IOS) controls access to all segments
  - Stateful packet inspection
  - Signature-based NIPS capability
  - Secure remote monitoring and update capability
  - Dynamic redundancy capability
    - Power
    - Devices (HA, VRRP, HSRP); load sharing not strictly necessary
    - Availability-biased failure ability for interfaces
  - Industrialized/static safe
  - DCS vendor provides specific configurations for integration to their security architecture
- NAC (or similar mechanism) used to control access to each segment
  - NAC splits the segments into two separate VLANs, Trusted and Untrusted
  - Trusted VLAN is home to configured, authenticated systems (using the key structure to provide automated authentication)
  - Untrusted PCN has all traffic routed to an initial configuration DCS security server
  - (Optional) Default untrusted network for devices that connect that do not even have a manufacturer's key or similar capability but still have direct
- PIN Network (PCN DMZ)
  - Serves as home to the historians and other DCS servers with open loop controlling functions or serving as data aggregation points for external feeds and monitoring
  - Provides a neutral zone between vendors
  - Provides interface capability to control functions
- PCN Network
  - Home to PLCs and DCS servers with closed loop controlling functions
  - Authentication for communication via NAC, with the key architecture providing access authentication
  - NAC splits the PCN into two separate VLANs, Trusted and Untrusted PCN
  - Trusted VLAN is home to configured PLCs and systems
  - Untrusted PCN has all traffic routed to an initial configuration DCS server
  - (Optional) Default untrusted network for devices that connect that do not even have a manufacturer's key or similar capability but still have direct control functionality
  - Separate PCNs possible for Redline (highly critical or safety essential) systems
- ESD Network
  - Used as a protected network for Emergency Shutdown PLCs and associated servers/services
  - Very tightly controlled access
  - All changes logged, documented and tied to an engineering authority
  - Home of the key fail-safe mechanisms
- (Optional) Monitoring Network
  - Home of controllers that have monitoring-only capability and do not participate in closed loop controlling functions
  - Servers that provide outgoing data for troubleshooting and performance management
- (Optional) Utility Network
  - Home to support servers and systems that need integration with DCS systems but serve no actual control functionality
- (Optional) Legacy Network
How it could work
The organization installs and configures the networking equipment in accordance with DCS vendor recommendations, leaving a legacy LAN (or LANs) for existing equipment. The Primary DCS security server is installed and configured, with the organization providing (or generating) its top-level key pair and backing it up securely. Network authentication is configured to the server. New controllers are connected to the PCN or Monitoring network. They try to authenticate to the network and either succeed based on preconfigured factory keys or fail and are routed to a secure server that uses the vendor default key to tell them they need to update their key pairs to ones provided by the Primary DCS security server. This could be automated, or the new devices could show up in an "unidentified" list that requires an operator to permit key distribution. The configured and identified controllers send/stream log data to the DCS security server along with their normal traffic. If a controller does not have the capability to handle a key, its MAC is used to assign it to a legacy PCN and allow future access from that separate, controlled VLAN. Controller software and possibly firmware updates are periodically checked and updated (after engineering authority approval) from the Primary DCS server. Trust relationships are strictly controlled and, in default settings, limited to information access. All setting changes are logged, and all setting changes can be configured to require a vote for permission from the system authority. There are different levels of change capability for operators, for administrators and for MOC approval.
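The admission and key-distribution flow described above (and in the NAC items of the Network section), written out as an added Go example; this is not code from the original post. It assumes Ed25519 keys, that the vendor's factory provisioning takes the form of a vendor-root signature over the device's public key (the "licensing" path), and that the NAC challenges each device to prove possession of the key it presents; the VLAN names and the challenge/response format are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// NAC trust state: the vendor root key, site-issued keys accepted on the
// trusted VLAN, the legacy PCN MAC allowlist and the "unidentified" list.
type NAC struct {
	VendorRoot   ed25519.PublicKey
	SiteTrusted  map[string]bool // keyed by raw public key bytes
	LegacyMACs   map[string]bool
	Unidentified map[string]bool
}

// Admit returns the VLAN a connecting controller lands on. pub is nil when
// the device has no key capability, vendorSig is the factory signature over
// pub, and proof is the device's signature over the NAC's fresh challenge.
func (n *NAC) Admit(pub ed25519.PublicKey, vendorSig []byte, mac string, challenge, proof []byte) string {
	if pub == nil { // legacy PCN by MAC allowlist, otherwise nothing
		if n.LegacyMACs[mac] {
			return "legacy"
		}
		return "drop"
	}
	if !ed25519.Verify(pub, challenge, proof) { // replayed key, no private half
		return "drop"
	}
	if n.SiteTrusted[string(pub)] {
		return "trusted"
	}
	if ed25519.Verify(n.VendorRoot, pub, vendorSig) {
		n.Unidentified[string(pub)] = true // factory key only: provisioning
		return "untrusted"
	}
	return "drop"
}

// Approve is the operator permitting key distribution: the security server
// generates the device's site key pair and records the public half as trusted.
func (n *NAC) Approve(factoryPub ed25519.PublicKey) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	delete(n.Unidentified, string(factoryPub))
	n.SiteTrusted[string(pub)] = true
	return priv, nil
}
```

The returned private key stands in for the key pair the Primary DCS security server pushes to the device over its tunnel; on its next connection the device authenticates with it and lands on the trusted VLAN.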