
Implementing Secure Architecture for Industrial Control Systems

Engr. Abiodun Odewale MNSE, MNIEEE

Siemens.com/industrialsecurity
About (me):
• Over 18 years in IT, Instrumentation, Control & Automation
• Masters Degree in Industrial Automation from EIT Australia
• Masters Degree in Engineering Management from NorthWest University,
South Africa
• Masters in Business Administration (MBA) from Lincoln University, USA
• Advanced Diploma in Industrial Automation from EIT Australia
• Post-Graduate Diploma in Electrical & Electronics Engineering from FUTA
• Certified OPC Professional, Level 4 from OPC Training Institute, Canada
• Certified Process Control Network CyberSecurity Practitioner
• Cisco Certified Network Professional, CCNP
• Microsoft Certified Systems Administrator, MCSA
• A member of COREN, NSE, NIEEE, IEEE & ISA
• Strong Expertise in Yokogawa & Allen Bradley Control Systems Architecture
• Currently PCN / CyberSecurity Engineer for Chevron Nigeria
Security Trends
Globally we are seeing more network connections than ever before

Trends Impacting Security

• Cloud Computing approaches
• Increased use of Mobile Devices
• Wireless Technology
• Reduced Personnel Requirements
• Smart Grid
• The worldwide and remote access to remote plants, remote machines and mobile applications
• The “Internet of Things”

Source: World Economic Forum, 50 Global Risks


Industrial Security
The corporate security chain is only as strong as its weakest link

Security Can Fail at Any of these Points

• Employees
• Smartphones
• Laptops
• PC workstations
• Network infrastructure
• Mobile storage devices
• Tablet PC
• Computer center
• Policies and guidelines
• Printer
• Production systems/plants
Industrial Security
Vulnerability disclosures are headline news

Pressure SCADA Developers on Security

U.S. at Risk of Hack Attack

Dangerous Security Holes in U.S. Power Plant & Factory Software

Hacking the Grid

Aging industrial control systems increasingly vulnerable to cyber attack

In the ICS-CERT fiscal year (October 2013 until September 2014) ICS-CERT analyzed 245 attacks to control systems in the USA.
Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

Feb. 12, 2013: "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses... Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
- U.S. President Barack Obama
Example of Cybersecurity Incidents
Ukrainian Blackout:

• Occurred in 2015
• Blackout for nearly 250,000 customers
• First successful attempt on power grid
• Increasing threat to Utilities sector
Example of Cybersecurity Incidents
Shamoon Attack on Saudi Aramco:

• Occurred in 2012
• Orchestrated by a privileged user
• Unleashed a computer virus
• The virus erased data on ¾ of the PCs
• 35,000 computers were destroyed

Photo credit: money.cnn.com


Example of Cybersecurity Incidents
WannaCry Ransomware Attack:

• Occurred in May 2017
• Froze 200,000 PCs in about 100 countries
• Affected National Health System in UK
• A security researcher activated a kill-switch for rescue effort.
• Crippled public utilities and large corporations
• Delayed vital medical procedures
Photo credit: https://www.youtube.com/watch?v=5ecLMl34E-U
Example of Cybersecurity Incidents
Fake SMS Account Balance:

• Occurred in March 2018 in Nigeria
• Specialized in fake SMS account balances
• Boasted that Nigerian banking system is the easiest to manipulate
• Including Government-owned accounts
• Bought several exotic cars using same strategy
Photo credit: https://www.vanguardngr.com/2018/05/993772/
Purdue Model for ICS Architecture (Contd)

• Typically known as “Purdue Model”
• Consists of 5 levels
• Introduced to keep Computing & Networks deterministic
• Introduces Network segmentation as a means of keeping traffic
• Each level highlights functional components meant for the level
Purdue Model for ICS Architecture - Contd
Level 0 : Process

• Includes the sensor and instrumentation elements
• Directly connected to and control the process
• The devices in this level are typically controlled by devices found in level 1
• Typically includes sensor elements for:
  • Level
  • Pressure
  • Temperature
  • Flow
Purdue Model for ICS Architecture (Contd)
Level 1 : Basic Control

• Includes process control equipment receiving input from sensors
• Processes input data using a control algorithm
• Sends output data to a final element
• These devices are responsible for continuous, sequence, batch and discrete control
• Some of the devices on this level are:
  • Distributed Control System (DCS)
  • Programmable Logic Controller (PLC)
  • Remote Terminal Units (RTUs)
Purdue Model for ICS Architecture (Contd)
Level 2 : Supervisory Control

• Includes operations equipment for an individual production control
• Level 2 typically includes
  • Human Machine Interfaces (HMI)
  • Alarms / Alert Systems
  • Control Room Workstations
• These systems may communicate with systems in level 1
• They may also communicate with systems in Level 3 and Level 4 through De-militarized zone, DMZ (Level 3.5)
Purdue Model for ICS Architecture (Contd)
Level 3 : Manufacturing Operations & Control

• Also known as Process Control Network, PCN
• Responsible for managing and controlling plant operations to produce desired end product
• Applications, services and systems on this level are:
  • Engineering Workstations
  • Plant Historian
  • Production reporting systems
  • Remote Access Services
  • Reliability Assurance
  • IT Services such as DNS, DHCP, Active Directory, and NTP
Purdue Model for ICS Architecture (Contd)
Level 3.5 : De-Militarized Zone, DMZ

• This is a physical or logical sub-network that separates the internal network from the untrusted network
• The systems in level 3 communicate with Enterprise / Business level 4 through this layer
• It provides an additional layer of security to the ICS network
• Restricts the ability of hackers to directly access internal servers and data via the internet
Purdue Model for ICS Architecture (Contd)
Level 4 : Enterprise / Business Network Layer

• Consists of Corporate IT Infrastructure systems and applications
• Includes VPN Remote Access & Internet Access Services
• No direct access from this level to level 3
• Contains the following systems and applications
  • Reporting
  • Scheduling
  • Inventory Management
  • Capacity Planning
  • Operational and Maintenance management
Modified Purdue Model for ICS Architecture (Contd)

• Latest trends in cyber attacks and technologies are challenging existing Purdue Model
• Most cyber attacks are as a result of Vulnerabilities in level 4
• An ICS Cloud is proposed on level 4
• ICS Cloud on level 4 should interact with Level 3 via level 3.5, DMZ
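
The DMZ rule from the Purdue slides above (Level 3 and below reach Level 4 only through Level 3.5, with no direct access from Level 4 to Level 3), shown as an added example that is not part of the original presentation: a small audit of flow records against a zone map. The subnets, hosts, ports and function names are constructed for illustration.

```python
import ipaddress

# Constructed zone map: subnet -> Purdue level (addresses are illustrative).
ZONES = {
    "10.10.1.0/24": 1,      # Basic control: PLC, DCS, RTU
    "10.10.2.0/24": 2,      # Supervisory control: HMI, control room workstations
    "10.10.3.0/24": 3,      # PCN: plant historian, engineering workstations
    "10.10.35.0/24": 3.5,   # DMZ
    "10.20.0.0/16": 4,      # Enterprise / business network
}
# Most specific prefix first, so the first match is the longest-prefix match.
NETS = sorted(((ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()),
              key=lambda item: item[0].prefixlen, reverse=True)

def level_of(addr):
    """Return the Purdue level of an address, or None if it is in no known zone."""
    ip = ipaddress.ip_address(addr)
    for net, lvl in NETS:
        if ip in net:
            return lvl
    return None

def check_flow(src, dst):
    """Return 'ok' or the reason the flow breaks the zone model."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unknown zone"
    # Level 4 and Level 3 or below may only meet in the DMZ, in either direction.
    if max(s, d) == 4 and min(s, d) <= 3:
        return "bypasses DMZ"
    return "ok"

# Constructed flow records (src, dst, dst_port), as from firewall or flow logs.
FLOWS = [
    ("10.10.2.15", "10.10.1.20", 44818),   # HMI -> PLC
    ("10.10.3.8", "10.10.35.5", 443),      # historian -> DMZ server
    ("10.20.4.7", "10.10.35.5", 443),      # enterprise host -> DMZ server
    ("10.20.4.7", "10.10.3.8", 1433),      # enterprise host -> historian directly
    ("10.20.9.9", "10.10.1.20", 502),      # enterprise host -> PLC directly
    ("192.0.2.50", "10.10.3.8", 3389),     # source outside every mapped zone
]

def audit(flows):
    """Return (src, dst, port, reason) for every flow that is not 'ok'."""
    checked = ((src, dst, port, check_flow(src, dst)) for src, dst, port in flows)
    return [row for row in checked if row[3] != "ok"]

if __name__ == "__main__":
    for violation in audit(FLOWS):
        print(violation)
```
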
Industrial Security
Foundation and measures for secured operation in a Digital Enterprise

Secured Communication, Access, Integrity, Identification

• Communication: Encryption and monitoring for industrial communication
• Access: Access control for components and networks
• Integrity: Protection of the data transmission and storage
• Identification: Authentication of devices and user

Foundation for continuous reliable operations in a Digital Enterprise


• Robust products with security characteristics & security services
• Security concepts like Defense in Depth and Holistic Security Concept
• Security philosophy like “need to connect”
CIA Triad of Information Security
Confidentiality: Ensures that data or an information system is accessed only by an authorized person. User IDs and passwords, access control lists (ACL) and policy-based security are some of the methods through which confidentiality is achieved.
Integrity: Assures that the data or information system can be trusted. Ensures that it is edited only by authorized persons and remains in its original state when at rest. Data encryption and hashing algorithms are key processes in providing integrity.
Availability: Data and information systems are available when required. Hardware maintenance, software patching/upgrading and network optimization ensure availability.
[Figure: Confidentiality, Integrity, Availability; Risk Management]
Industrial Security Concept :
Defense in Depth based on IEC 62443 / ISA 99

Plant security
• Physical access protection
• Processes and guidelines
• Holistic security monitoring

Network security
• Cell protection and perimeter network
• Firewalls and VPN

System integrity
• System hardening
• Patch management
• Detection of attacks
• Authentication and access protection
Other Security Considerations for ICS
Access Control
• Access control mechanisms guarantee that the person who is attempting access to a system or application is who she/he claims to be. Access control involves a user submitting a unique identifier, such as a user ID, and the corresponding authenticating information, such as a password.
Network Security
• Network security protects the confidentiality, integrity, and availability of information systems against internal and external threats using a variety of security controls.
Log Management
• Critical applications and systems should generate important security-related events to assist in identifying threats to information, troubleshooting network or system-related issues, and complying with regulatory requirements.
Remote Access
• Remote users and vendors seek access into the ICS environment for remote maintenance and support.
Thank you!
References

Baseline Security Requirements for Network Security Zones in the Government of Canada (ITSG-22). Retrieved from https://www.cse-cst.gc.ca

Boyer, S. A. (2004). SCADA: Supervisory control and data acquisition. Research Triangle Park, NC: ISA-The Instrumentation, Systems, and Automation Society.

Cisco and Rockwell Automation (2011). Converged Plantwide Ethernet (CPwE) Design and Implementation Guide. Cisco Systems, Inc. (n.d.). Retrieved from http://www.cisco.com/

Homeland Security (2009). Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Information Security Forum (2014). The Standard of Good Practice for Information Security. Retrieved from http://isflive.org

ISA99 Committee (2004). Manufacturing and Control Systems Security Part 1: Models and Terminology. Retrieved from http://isa99.isa.org/

Krutz, R. L. (2006). Securing SCADA systems. Indianapolis, IN: Wiley Pub.

NIST (2014). NIST Cybersecurity Framework Core: Informative Reference Standards. ISA 62443-3-3:2-13.
