We are picking up the OT/ICS networking for cybersecurity series by traveling up to the IDMZ, or industrial DMZ. This acts as the barrier between the IT network and the controls (industrial) network. That much is simple enough, but what sits above and below this firewall? This time we are again assuming no prior knowledge of control systems and that the reader is coming to this article as an IT or cybersecurity professional.
PURDUE Model for ICS Networks
The Purdue Model, also known as the Purdue Enterprise Reference Architecture (PERA), is a framework developed in the 1990s for structuring industrial control systems and integrating various layers of enterprise architecture. It emphasizes the segmentation of operational technology (OT) and information technology (IT) to enhance security and efficiency in manufacturing processes.
What is the Industrial Zone?
For those without knowledge of industrial control systems the Levels might not be as clear as needed. SCADA, DCS, PLC, CIP… The new wave of acronyms was overwhelming to me when I first started working with ICS networks. However, we can simplify this and, I think, provide the clarity needed to design secure ICS networks.
Level 0: Actuators, sensors, motors. These are the devices that interact with the world.
Level 1: Controllers, PLCs. These are the devices that control the L0 devices.
Level 2: SCADA clients, HMIs. These are the screens or devices used for humans to interact with L1 devices.
Level 3: Control system servers (site operations). These are the servers inside the industrial zone, below the IDMZ, that are used to program the L1 controllers and manage the L2 SCADA/HMI systems. Since they need to talk down into the Cell/Zone areas (see our last OT/ICS Network article) they sit below the firewall, not inside the DMZ.
Level 3 Expanded
What is contained in this level varies greatly between manufacturers, so it is hard to define precisely. However, one thing often found here is a Remote Access Server that is used to reach the controls network from Level 4 or from networks outside the ICS network. When thinking about what belongs in Level 3, consider the systems that need to talk directly to the PLCs, SCADA servers and so on. This level may have its own Active Directory domain or vendor-specific servers to make that work.
Level 3.5 the IDMZ
So now we have reached the IDMZ. What sits in the IDMZ are the systems that need to talk to the IT network or the internet but also need to talk to devices (usually the Level 3 servers) in the ICS network. Think about anti-virus signature updates or patch management relays. This is also where the jump box that connects to the remote access server in the ICS should live. The IDMZ is the buffer zone, bounded by firewalls, between the outside world and the IT network on one side and the isolated controls network on the other.
Firewall Rules on the IDMZ
The concept of least privilege is critical to keeping the ICS network secure, with minimal or no holes between the ICS network and the rest of the world. However, if you do open ports between these networks, the rule is that you never allow ICS protocols such as CIP (the Common Industrial Protocol, pronounced "sip", and yes it still throws me off to this day) to cross the IDMZ. This ensures that systems in the ICS cannot receive commands or control-logic updates from outside the protected network. Blocking those protocols is the chief purpose of the IDMZ in the design of secure ICS networks.
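To make the three rules above concrete, here is an added example (not part of the original article, and not any vendor's firewall syntax) that models an IDMZ policy as a small Python checker: ICS protocols are denied in both directions, any path that does not terminate in the IDMZ is denied, and everything else falls through to a short allow-list and then default deny. The zone names, the allow-list entries (a patch/AV relay on 443 and a jump box on 3389) and the port-to-protocol table are assumptions chosen for the example; adjust them to your own plant.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zones as the article lays them out: Level 4+ (enterprise), Level 3.5 (IDMZ),
# Levels 0-3 (industrial zone).
ZONES = {"enterprise", "idmz", "industrial"}

# Standard port assignments for common ICS protocols. Constructed sample table
# for this example; extend it for whatever is on your plant floor.
ICS_PROTOCOLS: Dict[Tuple[str, int], str] = {
    ("tcp", 44818): "EtherNet/IP (CIP explicit messaging)",
    ("udp", 44818): "EtherNet/IP (CIP explicit messaging)",
    ("udp", 2222): "EtherNet/IP (CIP implicit I/O)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("tcp", 102): "Siemens S7comm (ISO-TSAP)",
}

# Hypothetical allow-list for the brokered services the article describes.
# Every leg terminates in the IDMZ: nothing goes enterprise -> industrial directly.
ALLOW: Set[Tuple[str, str, str, int]] = {
    ("enterprise", "idmz", "tcp", 443),    # enterprise patch/AV upstream -> IDMZ relay
    ("industrial", "idmz", "tcp", 443),    # L3 servers pull updates from the relay
    ("enterprise", "idmz", "tcp", 3389),   # analyst RDP -> IDMZ jump box
    ("idmz", "industrial", "tcp", 3389),   # jump box -> L3 remote access server
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a flow the IDMZ firewalls would see."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src_zone == flow.dst_zone:
        return ("allow", "intra-zone traffic does not cross the IDMZ firewalls")
    key = (flow.proto.lower(), flow.dport)
    # Rule 1: ICS protocols never cross the IDMZ, in either direction.
    if key in ICS_PROTOCOLS:
        return ("deny", f"{ICS_PROTOCOLS[key]} must never traverse the IDMZ")
    # Rule 2: every permitted path terminates in the IDMZ; no enterprise <-> industrial hop.
    if "idmz" not in (flow.src_zone, flow.dst_zone):
        return ("deny", "direct enterprise/industrial path bypasses the IDMZ")
    # Rule 3: explicit allow-list, then default deny.
    if (flow.src_zone, flow.dst_zone, key[0], flow.dport) in ALLOW:
        return ("allow", "explicit allow-list entry")
    return ("deny", "default deny")


def audit(flows: List[Flow]) -> List[Flow]:
    """Return the flows that would be denied; handy for reviewing a proposed rule change."""
    return [f for f in flows if evaluate(f)[0] == "deny"]


if __name__ == "__main__":
    samples = [
        Flow("enterprise", "industrial", "tcp", 44818),  # vendor wants CIP straight to a PLC
        Flow("idmz", "industrial", "tcp", 502),          # "just Modbus from the jump box"
        Flow("enterprise", "industrial", "tcp", 443),    # HTTPS, but it bypasses the IDMZ
        Flow("enterprise", "idmz", "tcp", 3389),         # RDP to the jump box
        Flow("idmz", "industrial", "tcp", 3389),         # jump box onward to L3
    ]
    for f in samples:
        verdict, why = evaluate(f)
        print(f"{f.src_zone:>10} -> {f.dst_zone:<10} {f.proto}/{f.dport:<5} {verdict:5} {why}")
```

Note that the ICS-protocol check runs before the allow-list is consulted, so nobody can "accidentally" allow-list Modbus or CIP from the jump box: the only way to reach a controller with those protocols is from inside the industrial zone, which is exactly the property the IDMZ exists to enforce.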
Next Time…
We will begin talking about ICS protocols, how their interactions can be monitored and protected, and why you MUST use a firewall to stop communication coming from outside the network. As a preview: ICS protocols are sometimes as simple as a few hex bytes, sent with no encryption and no authentication, so a single, easily crafted packet can cause a physical action. Until next time.
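To show what "a few hex bytes with no authentication" looks like on the wire, here is an added example (not from the original article) that builds and decodes a Modbus/TCP Write Single Coil request. Modbus/TCP is chosen here as the simplest widely deployed case; the article's own example protocol, CIP, carries a larger encapsulation header but the same absence of authentication. The transaction id, unit id and coil address are arbitrary sample values.

```python
import struct
from typing import Any, Dict

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")
WRITE_SINGLE_COIL = 0x05


def build_write_single_coil(tx_id: int, unit_id: int, coil_addr: int, on: bool) -> bytes:
    """Build a Write Single Coil (FC 05) request. 0xFF00 switches the coil on, 0x0000 off."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    # The length field counts everything after itself: unit id + PDU.
    return MBAP.pack(tx_id, 0, 1 + len(pdu), unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> Dict[str, Any]:
    """Decode a Modbus/TCP frame.

    Every byte is accounted for by the 7-byte MBAP header and the PDU; there is
    no field anywhere for a credential, a session token or a signature. Anyone
    who can deliver these 12 bytes to TCP/502 on a device can flip the coil.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tx_id, proto_id, length, unit_id = MBAP.unpack_from(frame)
    if proto_id != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP.size:]
    decoded: Dict[str, Any] = {
        "transaction_id": tx_id,
        "unit_id": unit_id,
        "function_code": pdu[0],
    }
    if pdu[0] == WRITE_SINGLE_COIL:
        if len(pdu) != 5:
            raise ValueError("FC 05 PDU must be exactly 5 bytes")
        addr, value = struct.unpack(">HH", pdu[1:5])
        if value not in (0xFF00, 0x0000):
            raise ValueError("invalid coil value")
        decoded.update({"coil": addr, "on": value == 0xFF00})
    return decoded


if __name__ == "__main__":
    frame = build_write_single_coil(tx_id=1, unit_id=1, coil_addr=7, on=True)
    print(frame.hex(" "))          # 00 01 00 00 00 06 01 05 00 07 ff 00
    print(parse_modbus_tcp(frame))
```

The decoder's length and value checks are the kind of sanity checks an ICS-aware firewall or IDS performs; they catch malformed frames, but they cannot tell a legitimate HMI from an intruder, because the protocol gives them nothing to check. That is why the only reliable control is to keep these frames from ever crossing the IDMZ.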
Secure today to protect tomorrow!