SCADA Security Design - How to Secure OT / ICS Network Environments

It is vital to take a holistic approach to SCADA security and the broader OT / Industrial Control System network design. You must consider every part of the network, both the IT and OT and investigate the systems and processes in each zone, identifying attack vectors and risk, so that the correct security controls can be implemented.

In order to take this holistic approach, the Purdue model is used, which was adopted from the Purdue Enterprise Reference Architecture (PERA) model by ISA-99 and used as a concept model for Computer Integrated Manufacturing (CIM). An industry adopted reference model that details the interconnections and interdependencies of all the main components of a typical Industrial Control System, dividing the ICS architecture into 3 zones and further subdividing these zones into 6 levels.

Applying Security to SCADA / ICS / OT should dissect the 6 Purdue layers and how they map them to an organisations network. The intent is to gain a detailed understanding of the communication flow between the levels in the Purdue model and how they should be secured.

SCADA Security Design Diagram

Following is a high-level diagram of a SCADA Security Design encompassing the IT and OT network environment employing the Purdue model methodology.

It is important to also consider the link between level 2 and 3 as this will vary based on the type of ICS environment. For example:

Manufacturing plant– A manufacturing plant is typically a single-site, combining both OT and IT at the same location.
Utilities and energy– Utilities providers such as gas, water and electricity are typically distributed environments with many sites communicating back to one or many central facilities over varying medium types. In these scenarios, bandwidth limitations will need to be considered in any proposed architecture.

S5 Technology Group - SCADA Security Design

Level 5 and 4: The Enterprise IT Network and Business Logistics Systems

Recommended Security Controls:

As this is the IT network where the users reside and where the internet egress point is located, it is recommended to enable the full Next Generation Threat Extraction feature set on the network level:

Firewall
IPS
Antivirus
Antibot
Threat Emulation / Sandboxing
Threat Extraction / Content Disarm
Application Control
Identity Awareness
URL Filtering
SSL inspection
MFA (Multi-Factor Authentication)
DDoS Protection
Endpoint XDR Security

It is critical to ensure a full Endpoint XDR suite such as Check Point Harmony Endpoint is installed on users’ machines.

It is also extremely important to secure (public) cloud services as these are typically connected to corporate systems and are therefore a potential attack vector.

Implementing suitable Network and Endpoint security controls at these levels will help help prevent an attacker or malware from breaching the ICS environment.

Level 3.5: The Industrial DMZ

Recommended Security Controls:

Firewall
IPS
Antivirus
Antibot
Application Control
Identity Awareness
URL Filtering
SSL inspection
MFA (Multi-Factor Authentication)
DDoS Protection
Endpoint XDR Security

To ensure maximum availability of the remote access gateway allowing for third parties to remotely manage and monitor the OT equipment, it is vital to protect the gateway with an anti-DDoS solution (preferably on premises and cloud-based/service provider supplied).

This design provides a jump server in the industrial DMZ which is commonly a Remote Desktop Server. The VPN Remote Access sessions are terminated on the perimeter gateway in level 5 and are subject to either certificate-based authentication of Active Directory joined devices or RADIUS multi-factor authentication. The gateway terminates VPN traffic, scans it for malware and inspects it for attempted exploitation of vulnerabilities, only allowing RDP traffic from approved source identities to the jump host.

Authentication against the jump host uses a combination of Active Directory credentials and multi-factor authentication for increased security. The jump host is then used to connect to operator workstations in level 3 for remote maintenance work.

This approach is significantly more secure than allowing inbound L3 VPN connections from the internet directly into the ICS networks and significantly reduces the risk of the OT network becoming compromised due to unsafe RAS connections originating from third parties.

The jump server itself is protected by the gateway, which will only allow inbound RDP and has the necessary security controls enabled such as IPS, Anti bot, Identity Awareness and Application Control. The jump server should also have a full Endpoint XDR suite such as Check Point Harmony Endpoint is installed.

Level 3: Manufacturing Operations Systems

Recommended Security Controls:

Anomaly and Asset detection and visibility
Firewall
Antivirus
Antibot
IPS (typically used as a virtual patch to protect the monitoring stations of the operators)
Threat Emulation / Sandboxing
Threat Extraction / Content Disarm
Application Control (An application control security policy that only allows specific authorized commands to be sent from the operator workstation to PLC’s)
Identity Awareness (Identity Awareness can add an extra layer of security to the policy by only allowing authenticated users (i.e. operators) to send specific commands to devices in Level 2)
URL Filtering (URL Filtering restrict internet access where required to specific trusted sites, such as the Bureau of Meteorology or Electricity supplier’s outage maps)
SSL inspection
Encryption of the control traffic between operators in L3 and PLC’s in L2 using IPsec to prevent eavesdropping and traffic replay attacks.
XDR Endpoint protection including Port Protection

Level 2 and 1: Securing Communications Between Levels

Recommended Security Controls:

Use gateways running IPS to protect vulnerable systems as a virtual patch.
The communication between level 2 and 3 can be encrypted using IPsec to protect sniffing and replay attacks.
A security gateway can be connected to a mirror (SPAN) port on a switch in this level, operating as a sensor and feeding information about asset discovery and anomaly detection to an Asset and Anomaly Detection appliance.
Customers willing to consider inline security gateways in level 1 could separate local operator workstations and HMI’s from PLC’s and RTU’s ensuring no unauthorized commands can be sent to them.
XDR Endpoint security should be considered on machines with supported operating systems.
Appropriate L2 security on switches
Consider the use of an out of band network solely used for management traffic, signature updates and firmware updates of equipment in this level. Only SCADA protocols should be seen in Level 1.
Do not allow remote technicians to directly connect to the level 1 network, prefer the use of a jump host in the DMZ in level 3.5.

Level 0: Physical Processes

Recommended Security Controls:

It is recommended to use point to point connections between the intelligent devices in level 1 and the field devices in level 0.

In the case that communication between level 1 and level 0 is done over IP, the preference is to use point to point connections. If point to point connections are not possible and Ethernet switches are used in level 0, ensure that appropriate L2 security is enforced: all unused switch ports should be shutdown, MAC authentication should be used on switch ports, consider the use of additional security gateways between Level 1 and Level 0 where applicable. The use of a trusted baseline policy with the application control blade can warn an admin if an unknown command is sent to a field device.

The technologies that S5 Technology Group recommend when deploying the Purdue model are:

Check Point Quantum Security Gateways with SandBlast Zero Day protection
Check Point Quantum Management
Check Point SmartEvent
Check Point Harmony Endpoint Security
Asset and Anomaly detection engine
Multi-Factor Authentication
Microsoft Active Directory Domain Services
Microsoft Active Directory Certificate Services

OT / ICS / SCADA Security Design Key Takeaways

Here are some key takeaways of a robust OT / ICS / SCADA Security Design:

Ensure proper segmentation is in place. This is not about having a lot of different VLAN’s or subnets and simply enabling routing between them. It is about having the correct security controls in place between the segments.
Threat Prevention is vital. Detection simply informs you that the damage has already been done.
The Check Point IPS blade provides many signatures that are specifically designed to secure ICS environments. IPS should always be enabled in prevent mode with alerting enabled wherever possible.
The application control blade supports many SCADA protocols down to the command-level and even parameter-level. This allows for the creation of a granular security policy that authorizes only specific commands to be sent to PLC’s and deny everything else.
Visibility is key. Ensure there is enough man power to monitor the environment. Tools like SmartEvent, AAD and a dedicated SIEM can reveal a lot of information that may otherwise go unnoticed. If you do not have adequate man power within your organisation, use an outsourced Managed Detection and Response service as offered by Check Point.

OT / ICS / SCADA Security Design References

This design has been largely based on Check Point’s Blueprint for Industrial Control Systems with variations on the design based on S5 Technology Group’s experience and newly developed security practices. Links to these reference articles are below.

About S5 Technology Group

S5 Technology Group is an Enterprise System Integrator and Managed Service Provider with offices based in Port Macquarie and Cowra NSW. We support Government, Education and Small to Medium Enterprise customers throughout Australia. Our focus technologies include Enterprise Security, Enterprise Network and Enterprise Data Centre.

Notable Partnerships :-

Check Point 4 Star Partner (The first and only in regional Australia)
Microsoft Gold Partner
Cisco Select Partner

S5 Technology Group were the first system integrator to supply and implement a Full Stack Security Enterprise Agreement in Australia. S5 Technology Group is one of only 7 Check Point 4 Star Partners in Australia, and are the only one located regionally.