Security Profile: Generic security concept
Defense-in-depth design of automation systems is an important IEC 62443 process measure to achieve reliable security. The result is a generic layered architecture that leads step-by-step to a fully segmented network layer structure that describes the PLCnext Technology security architecture and the security use cases in the so-called security context.
The security context results from the combination of technological and organizational measures required by the IEC 62443 standard and the philosophy of a holistic security approach.
Defense-in-depth concept
A generic defense in depth design results in three layers or zones:
- Perimeter security
Perimeters are the outer boundaries of the network,
protected by physical measures such as fences, doors, physical access controls, etc. - Network security
This layer contains the enterprise or office zone and a service management zone, protected by well-known IT security concepts. - System integrity
This layer contains OT devices and applications,
to be protected by IEC 62443 concepts.
PLCnext Technology security context
The following figure shows the PLCnext Technology generic security context (zones and conduits) focussing on the OT security based on IEC 62443-4-2 requirements.
- Blue-green connections (―) represent security mechanisms (e.g. TLS / HTTPS).
- Red connections (―)represent virtual private networks (VPNs).
The different layers (zones and conduits) are marked by numbers:
| No. | Description | Details |
| 1 | Cloud connectivity | PLCnext Store: for downloading and managing apps; Data Repository Server: provides data for patch management/asset management; Proficloud.io: cloud coupling level, where a cloud can be selected depending on the application, e.g. Proficloud.io |
| 2 | mGuard Secure Cloud | Remote maintenance access via mGuard Secure Cloud |
| 3 | Enterprise / Office zone | Factory IT; ERP (Enterprise Resource Planning) systems; production control systems. Protected by firewall |
| 4 | Service management zone | This zone can be considered as a Demilitarized Zone (DMZ) as it decouples the ICS networks (zones 5 to 7) from the external network by strictly controlling the information flow. Any communication between the external and ICS networks must pass this zone. Implements central user management, patch/update management, and logging. It contains the following infrastructure:
|
| 5 | System integrity | Factory OT, consisting of zones 6 to 8 |
| 6 | Manufacturing zone | Management, monitoring and controlling of the main process and the sub-process. Implements SCADA, time synchronization and engineering. This zone is composed as follows:
|
| 7 | Machine level Main process |
Collects and processes of data from the process and the sub-process. This zone is composed as follows:
|
| 8 | Production line level Sub-process |
Performs a specific automation function in a peripheral unit (remote station). This zone is composed as follows:
|
| * | Cabinet | Prevents unauthorized access to hardware, interfaces or service ports that could otherwise be easily manipulated. The lockable control cabinet with a supervising function can provide information about unauthorized access. |
| 9 | Device | Protection of critical interfaces and ports from unauthorized physical access. |
* Clarify which devices and parts of the machine network should be installed together in a lockable control cabinet following a risk analysis.
Eight security layers
The PLCnext Technology security context is based on the Defense-in-Depth concept providing eight security layers (zones/conduits):
Perimeter Security - the outer layer
Access protection for the enterprise network by the following measures:
- Physical isolation
- Digital isolation by network segmentation
- Logical access controls
- Use of specifically configured firewalls. The specified firewall must correspond to the identified threats and vulnerabilities.
- VPN or other security measures for remote access
- Documentation of all remote access points
Network Security layers
Protection of the factory network composed of the enterprise network zone and the service management zone which is considered as Demilitarized Zone (DMZ). Possible measures are:
- Identifying all network devices and hosts
- Analysis of protocols/traffic
- Auditing of wireless communication/traffic
- Analysis of switch/router configurations
Measures in the DMZ:
- OS check for vulnerabilities
- OS patch management
- USB or removable devices prevention from use inside control room
- Foreign computers restricted from connecting
System Integrity - the inner layers
Measures for SCADA applications:
- Monitored network for clear text transfer and use of encryption
- Ensured use of individual user accounts
- Restricted access to desktop
Measures for control subnetworks layer at machine/production line level (main process and subprocesses):
- Wired vs. wireless communications
- Ethernet vs. serial communications
- Capture traffic on Ethernet connections
Measures for field controllers:
- Ethernet vs. serial connected devices
- Ethernet devices tested in lab for vulnerabilities
- Removed vendor default passwords
Physical layers
Measures for the cabinet:
- Clarify which devices and parts of the machine network should be installed together in a lockable control cabinet following a risk analysis.
- Protect the interfaces by installing the devices in a lockable and supervised control cabinet.
- CabinetDoorState library providing the possibility to generate security notifications based on lockable, supervised cabinets.
- Make sure that only authorized persons have access to the control cabinet key.
- Run cables in such a way that they are protected against unauthorized access.
Measures for devices:
- The critical interfaces and ports of the devices are protected against unauthorized physical access to comply with the secure-by-design specifications.
- Security seals (security void) to protect the housing as well as indicating opening attempts.
- Disabled communication on external interfaces, e.g. SD card slot, USB connector, JTAG
Details on the possible measures can be found in the Security measures topic.