Secure network architecture: putting things in order
The architecture of the current industrial network
The network of any traditional industrial system consisted of isolated sets of devices that communicated over proprietary buses and serial links. The evolution of communications also reached these control systems: devices began to include Ethernet interfaces, and Ethernet has since become the predominant type of communication.
The pressing communication needs of current control systems, with a multitude of interconnected devices (including IIoT devices), continuous information transfers between the corporate and industrial worlds, cloud services, and access by manufacturers for maintenance or programming changes, have led to the different devices that make up the plant being connected to support these functionalities. The problem is that these connections have been made on the basis of immediate need, not on the basis of a complete study of the network and its growth possibilities. Now it is time to fix these problems, either by creating a network architecture that is secure, correctly sized and scalable for each control system, or by reforming the current one so that it improves and complies with these characteristics.
Talk is cheap, the reality is very different
The vast majority of the industrial architecture redesign approaches presented come from systems departments, which must now also manage these networks to offer them the services they require, but which may be unfamiliar with most of the components these networks integrate and the protocols they use. This has led to the creation of reference network architectures which, on paper, have sufficient security features for any control system, as seen in the following image, but which are difficult to apply directly to the real industrial world, due to the multiple IP changes required, the incorporation of new devices, segmentation into networks that do not correspond to the reality of the operation, etc.
Figure: Secure network architecture scheme. Source: DHS (Department of Homeland Security).
The most visible change in the secure network architecture model is the creation of new networks to separate the different computers according to their criticality or functionality. This modification usually causes many problems in control systems, since there are many computers, mostly obsolete, that do not allow a change of IP address, or whose modification implies too many problems, such as errors in communications or in services provided to other devices. The change of architecture and IP addressing also involves changes with respect to the certified architecture of the installation, which may mean losing the manufacturer's warranty.
Another important change is the inclusion of new equipment in the network, in this case security devices such as firewalls, anomaly detection devices, IDS/IPS, etc. All these devices are new points of failure in the industrial chain and, as a general rule, operators do not look upon them favourably because they can cause problems in the execution chain. This view is diametrically opposed to that of security personnel, who always encourage the inclusion of such devices.
These problems, together with the fact that the characteristics, needs and regulations applicable to each particular industry have not been considered, make the transposition of the secure network architecture model from paper to reality less immediate and direct than it seems. Although all these problems can be overcome with effort and appropriate means, there are other problems of greater importance that affect implementation, such as the inaccuracy of the asset inventory, since an updated and complete inventory is vital in an architecture redesign.
However, the biggest problem facing a change in the network architecture of a control system is that operators may reject it. For them the system works: they have solved their specific problems using 3G/4G devices to access the Internet, RDP access to provide maintenance access, etc., and they do not see the need for a large-scale change that will cause them to lose autonomy in favour of a systems department, even if all of this means achieving a more secure network overall.
The need to particularise each case
Industry is made up of many very different sectors, and that makes each industrial system completely different from another, even if they share the type of devices and the operational concept. For example, a water bottling factory has a control system that is very different from the SCADA system responsible for managing energy distribution. That is why each architecture redesign must be customised according to the specific real needs of each business and plant, rather than following general theoretical approaches.
Some of the aspects that must be considered in order to particularise architectural redesigns in search of a more secure model are:
- Real needs of the company: the needs of the company and what it can afford must always be considered. It is useless to generate a complete network architecture for an entire plant with an overall level of security so high that it prevents the correct operation of the plant, or with the latest developments in security products, if they make its implementation economically impossible.
- Identification of network protocols: it is very important to keep a list of the protocols used in each plant and of how the different locations, if there are several, communicate with each other, since this largely determines which security devices can be used.
- Assets/systems involved: often the redesign does not cover the entire plant, either because that would be too ambitious or because certain equipment does not have the minimum characteristics for the change. This identification makes it possible to define the groups of devices following the definition of zones and conduits set out in the IEC 62443 standard.
- Type of work: it is very important to know how the process is carried out in order to identify areas of the plant that work in the same way, such as assembly lines, or devices that apply to the whole process, such as the devices that form part of the MES (Manufacturing Execution System).
- Roles and responsibilities: it is very important that all the key people who are going to be affected by the network changes take an active part in the project. In this way there will be less resistance to the necessary changes and the process will be better understood, making it possible to offer the best solution in each case.
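As an added example that is not part of the original article, the following Python script ties together two of the points above: the protocol identification and the grouping of assets into zones and conduits. It starts from a small constructed inventory (device names, IP addresses, zone labels and declared protocols are all hypothetical) and a constructed list of observed flows, derives the conduits between zones with the protocols seen on each, and reports the inventory gaps that the flows expose: endpoints that are not in the inventory at all, and protocols an asset receives that the inventory never declared. Those findings are exactly the asset-inventory inaccuracies the article says must be resolved before a redesign.

```python
"""Zones-and-conduits check from an asset inventory and observed flows.

Added example (not from the original article). All device names, IPs, zones
and flows below are constructed for illustration; the zone labels are a
hypothetical functional grouping chosen for this plant, not fixed names
from the IEC 62443 standard.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str                 # functional zone assigned during the redesign
    protocols: frozenset      # protocols the inventory says this asset speaks


# Constructed inventory: a small plant with four hypothetical zones.
ASSETS = [
    Asset("plc-line1", "10.10.1.10", "line1", frozenset({"modbus", "profinet"})),
    Asset("hmi-line1", "10.10.1.20", "line1", frozenset({"modbus"})),
    Asset("historian", "10.20.0.5", "operations", frozenset({"opcua", "https"})),
    Asset("mes-server", "10.30.0.8", "mes", frozenset({"opcua", "https", "sql"})),
    Asset("eng-laptop", "10.40.0.15", "engineering", frozenset({"profinet", "rdp"})),
]

# Constructed flows (src_ip, dst_ip, protocol) as a passive capture might report them.
FLOWS = [
    ("10.10.1.20", "10.10.1.10", "modbus"),    # HMI -> PLC, inside line1
    ("10.20.0.5", "10.10.1.10", "modbus"),     # historian polls the PLC
    ("10.30.0.8", "10.20.0.5", "opcua"),       # MES reads the historian
    ("10.40.0.15", "10.10.1.10", "profinet"),  # engineering laptop programs the PLC
    ("10.50.0.99", "10.10.1.10", "modbus"),    # source missing from the inventory
    ("10.40.0.15", "10.20.0.5", "rdp"),        # protocol not declared for the historian
]


def build_conduits(assets, flows):
    """Group cross-zone flows into conduits and report inventory gaps.

    Returns (conduits, findings):
      conduits: {(src_zone, dst_zone): set of protocols seen on that conduit}
      findings: human-readable inventory inconsistencies surfaced by the flows
    """
    by_ip = {a.ip: a for a in assets}
    conduits = defaultdict(set)
    findings = []
    for src_ip, dst_ip, proto in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            # An unknown endpoint is the inventory inaccuracy the article warns about.
            missing = src_ip if src is None else dst_ip
            findings.append(f"{missing} uses {proto} but is not in the inventory")
            continue
        if proto not in dst.protocols:
            findings.append(
                f"{dst.name} receives {proto} from {src.name} but the inventory does not list it"
            )
        if src.zone != dst.zone:
            conduits[(src.zone, dst.zone)].add(proto)
    return dict(conduits), findings


def protocols_by_zone(assets):
    """Protocol list per zone: the input a firewall or IDS selection needs."""
    zones = defaultdict(set)
    for a in assets:
        zones[a.zone] |= a.protocols
    return dict(zones)


def conduit_rules(conduits):
    """Render each conduit as an allow-list line, one per zone pair."""
    return [
        f"allow {src} -> {dst}: {', '.join(sorted(protos))}"
        for (src, dst), protos in sorted(conduits.items())
    ]


if __name__ == "__main__":
    conduits, findings = build_conduits(ASSETS, FLOWS)
    for line in conduit_rules(conduits):
        print(line)
    for f in findings:
        print("FINDING:", f)
```

Run as-is, the script lists four conduits (for example, engineering to line1 carrying only PROFINET) and two findings: the unknown source 10.50.0.99 and the RDP session to the historian that the inventory never declared. Each finding has to be resolved with the operators before the zone borders are turned into firewall rules; otherwise the first rule deployed breaks a communication nobody had written down.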
Conclusions
Changing the network architecture of control systems may be necessary to correct mistakes made in the past because of their disorderly growth. But that must not make us lose sight of the fact that the new architecture must, above all, be sustainable: for the control system, by allowing it to keep functioning and operating, and for the organisation, by being manageable and scalable.
A redesign of the network architecture should not spare resources, especially personnel, and should give a voice to everyone involved, so that each contributes their experience and knowledge for the benefit of the control system: operators, with their extensive knowledge of the system in question, its operation and maintenance; and systems and security technicians, with their knowledge of security solutions and technologies.