Generic security concept 

Defense-in-depth design of automation systems is an important IEC 62443 process measure for achieving reliable security. The result is a generic layered architecture that leads step by step to a fully segmented network layer structure; this structure describes the PLCnext Technology security architecture and its security use cases in the so-called security context.
The security context results from combining the technological and organizational measures required by the IEC 62443 standard with the philosophy of a holistic security approach.

Defense-in-depth concept

A generic defense-in-depth design results in three layers or zones:

  • Perimeter security
    Perimeters are the outer boundaries of the network,
    protected by physical measures such as fences, doors, physical access controls, etc.
  • Network security
    This layer contains the enterprise or office zone and a service management zone, protected by well-known IT security concepts.
  • System integrity
    This layer contains OT devices and applications,
    to be protected by IEC 62443 concepts. 

PLCnext security context

The following figure shows the PLCnext generic security context (zones and conduits), focusing on OT security based on the IEC 62443-4-2 requirements.

  • Blue-green connections represent security mechanisms (e.g. TLS / HTTPS).
  • Red connections represent virtual private networks (VPNs).

The different layers (zones and conduits) are marked by numbers:

1  Data Repository Server
   Provides data for patch management/asset management.
2  VPN Server
   Remote maintenance access via VPN.
3  Enterprise / Office zone
   Factory IT; ERP (Enterprise Resource Planning) systems; production control systems.
   Protected by firewall.
4  Service management zone
   This zone can be considered as a Demilitarized Zone (DMZ) as it decouples the ICS networks (zones 5 to 7) from the external network by strictly controlling the information flow. Any communication between the external and ICS networks must pass this zone.
   Implements central user management, patch/update management, and logging.
   It contains the following infrastructure:
     • Active Directory/RADIUS server for authentication purposes
     • Firewall or VPN component (implemented, for example, as a jump host) which handles the communication with the other zones (conduits)
5  System integrity
   Factory OT, consisting of zones 6 to 8.
6  Manufacturing zone
   Management, monitoring and controlling of the main process and the sub-process.
   Implements SCADA, time synchronization and engineering.
   This zone is composed as follows:
     • Control center (SCADA = Supervisory Control and Data Acquisition)
     • NTP server which provides a GPS-based time base to the other devices involved
     • Ethernet switch
     • Engineering system (such as PLCnext Engineer)
     • Firewall which handles the communication with the other zones (conduits)
7  Machine level (main process)
   Collects and processes data from the process and the sub-process.
   This zone is composed as follows:
     • PLCnext Control with I/O devices; the controller integrates a firewall and VPN server handling the communication with the other zones (conduits)
     • HMI for control and visualization purposes
     • Bus couplers
8  Production line level (sub-process)
   Performs a specific automation function in a peripheral unit (remote station).
   This zone is composed as follows:
     • PLCnext Control, each with distributed I/O devices connected to the field bus
     • HMI for control and visualization purposes
     • Ethernet switch
     • mGuard VPN which integrates a firewall and/or VPN server handling the communication with the other zones (conduits)
     • Bus couplers
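As an added illustration (not part of the PLCnext documentation and not PLCnext code), the following Python script models the zones above as a directed graph of conduits and checks the rule stated for zone 4: every path from the enterprise or external side into the ICS zones must pass the service management zone (DMZ). The zone labels, the sample conduit set and the "shortcut" conduit added at the end are constructed assumptions; a real check would read the conduit list from the firewall and VPN configuration of each zone boundary.

```python
from collections import deque

# Zone labels are my own; the comments give the row numbers of the table above.
ICS_ZONES = {"manufacturing", "machine", "production_line"}   # rows 6, 7, 8 (inside row 5)
OUTSIDE_ZONES = {"external", "enterprise"}                     # rows 1-2 (remote side) and row 3
DMZ = "service_mgmt"                                           # row 4

# Constructed sample conduit set: (from_zone, to_zone) pairs that a firewall or VPN
# endpoint at the zone boundary permits. Each zone only talks to its neighbour.
SAMPLE_CONDUITS = {
    ("external", DMZ),              # VPN terminates at the jump host in the DMZ
    ("enterprise", DMZ),
    (DMZ, "manufacturing"),
    ("manufacturing", "machine"),
    ("machine", "production_line"),
}


def reachable(conduits, start, blocked=()):
    """Zones reachable from `start` by following conduits, never entering a blocked zone."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in conduits:
            if src == zone and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def find_dmz_bypasses(conduits):
    """Return sorted (outside_zone, ics_zone) pairs for which an ICS zone is reachable
    from outside without passing the DMZ. An empty list means the zone 4 rule holds."""
    violations = []
    for outside in sorted(OUTSIDE_ZONES):
        for zone in sorted(reachable(conduits, outside, blocked={DMZ}) & ICS_ZONES):
            violations.append((outside, zone))
    return violations


def find_unreachable_ics(conduits):
    """ICS zones that the DMZ cannot reach at all; central patch, user and log
    management in zone 4 would not cover them."""
    return sorted(ICS_ZONES - reachable(conduits, DMZ))


if __name__ == "__main__":
    print("baseline bypasses :", find_dmz_bypasses(SAMPLE_CONDUITS))
    print("baseline uncovered:", find_unreachable_ics(SAMPLE_CONDUITS))
    # A convenience rule that lets office clients talk to SCADA directly
    # (constructed example) silently opens the whole OT side to the office network.
    shortcut = SAMPLE_CONDUITS | {("enterprise", "manufacturing")}
    print("with shortcut     :", find_dmz_bypasses(shortcut))
```

The check is deliberately conservative: it blocks the DMZ node entirely and asks what is still reachable, so a bypass is reported even when it needs several hops (the shortcut into the manufacturing zone also exposes the machine and production line levels behind it).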

The PLCnext security context is based on the defense-in-depth concept and provides six security layers (zones/conduits):

Perimeter Security - the outer layer

Access protection for the enterprise network by the following measures:

  • Physical isolation
  • Digital isolation by network segmentation
  • Logical access controls
  • Use of specifically configured firewalls; the firewall configuration must correspond to the identified threats and vulnerabilities.
  • VPN or other security measures for remote access
  • Documentation of all remote access points

Network Security layers

Protection of the factory network, composed of the enterprise network zone and the service management zone, which is considered a Demilitarized Zone (DMZ). Possible measures are:

  • Identifying all network devices and hosts
  • Analysis of protocols/traffic
  • Auditing of wireless communication/traffic
  • Analysis of switch/router configurations

Measures in the DMZ:

  • OS check for vulnerabilities
  • OS patch management
  • Prevention of the use of USB or other removable devices inside the control room
  • Restriction of foreign computers from connecting

System Integrity - the inner layers

Measures for SCADA applications:

  • Monitoring the network for clear-text transfers and enforcing the use of encryption
  • Ensuring the use of individual user accounts
  • Restricting access to the desktop

Measures for the control sub-network layer at machine/production line level (main process and sub-processes):

  • Wired vs. wireless communications
  • Ethernet vs. serial communications
  • Capturing traffic on Ethernet connections

Measures for field controllers:

  • Ethernet vs. serial connected devices
  • Ethernet devices tested in a lab for vulnerabilities
  • Vendor default passwords removed
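Two of the measures above, monitoring the network for clear-text transfers (SCADA applications) and capturing traffic on Ethernet connections (control sub-networks), come together in a small triage script. It is an added example, not part of the PLCnext documentation: it reads a constructed flow summary of the kind a firewall or network tap exports, classifies each flow by destination port, maps both endpoints to a zone via constructed subnet assignments, and rates clear-text traffic that crosses a zone boundary higher than clear-text traffic that stays inside one zone. The subnets, the port list and the sample flows are all assumptions made for the example.

```python
import csv
import ipaddress
from io import StringIO

# Constructed zone-to-subnet mapping; a real deployment takes this from its own
# network documentation (the zone table on this page names the zones).
ZONE_SUBNETS = {
    "enterprise":    ipaddress.ip_network("10.1.0.0/16"),
    "service_mgmt":  ipaddress.ip_network("10.2.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.3.0.0/24"),
    "machine":       ipaddress.ip_network("192.168.10.0/24"),
}

# Well-known ports of services that carry their payload in clear text, with the
# mitigation a reviewer would suggest. Ports not listed here are left unreported.
CLEARTEXT_SERVICES = {
    23:  ("telnet",     "replace with SSH"),
    21:  ("ftp",        "replace with SFTP or FTPS"),
    80:  ("http",       "serve over HTTPS (TLS)"),
    502: ("modbus/tcp", "protocol has no encryption: keep it inside its zone or carry it through the conduit's VPN"),
}

# Constructed flow summary (timestamp, source, destination, destination port). Not real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2023-11-02T08:00:01,10.1.5.20,10.2.0.10,443
2023-11-02T08:00:05,10.3.0.15,192.168.10.2,502
2023-11-02T08:00:09,10.1.5.20,192.168.10.2,23
2023-11-02T08:00:12,192.168.10.3,192.168.10.2,502
2023-11-02T08:00:20,10.2.0.10,10.3.0.15,22
"""


def zone_of(ip_text):
    """Map an address to its zone name, or 'unknown' if it lies in no documented subnet."""
    ip = ipaddress.ip_address(ip_text)
    for zone, net in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return "unknown"


def analyze_flows(flow_csv):
    """Return one finding per clear-text flow. Cross-zone clear text is rated 'high'
    because it traverses a conduit where it could be read or altered in transit;
    clear text that stays inside one zone is rated 'medium'."""
    findings = []
    for row in csv.DictReader(StringIO(flow_csv)):
        dport = int(row["dport"])
        if dport not in CLEARTEXT_SERVICES:
            continue                      # encrypted (443, 22, ...) or unclassified: not reported here
        service, advice = CLEARTEXT_SERVICES[dport]
        src_zone, dst_zone = zone_of(row["src"]), zone_of(row["dst"])
        findings.append({
            "ts": row["ts"],
            "flow": f'{row["src"]} ({src_zone}) -> {row["dst"]} ({dst_zone})',
            "service": service,
            "severity": "high" if src_zone != dst_zone else "medium",
            "advice": advice,
        })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_flows(SAMPLE_FLOWS)
    for f in results:
        print(f'{f["ts"]} {f["severity"]:6} {f["service"]:10} {f["flow"]}: {f["advice"]}')
    print(summarize(results))
```

Port-based classification is only a first pass: a capture on the Ethernet segment (the measure listed for the control sub-networks) is what confirms whether a flagged flow really carries readable payload, and whether a flow on an "encrypted" port actually negotiated TLS.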

Further Information:
Details on the possible measures can be found in the Security measures topic. 

Published/reviewed: 2023-11-02 • Revision 011