What is the Purdue Model for ICS Security?
In the 1990s, Theodore J. Williams, along with members of the Purdue University Consortium for computer integrated manufacturing, developed the Purdue Enterprise Reference Architecture (PERA) as a model for enterprise architectures. The Purdue model does an excellent job of defining the different levels of critical infrastructure that are used in production lines and the way to secure them. PERA was clearly ahead of its time when it was introduced and, implemented correctly, could have achieved the air gap between industrial control systems (ICS) or Operational Technology (OT) and IT systems. Here is a quick overview of the different levels:
- Level 4/5 – Enterprise: This is typically the IT network as we know it today, where the primary business functions occur. This is the level that provides business direction and orchestrates manufacturing operations. Enterprise resource planning (ERP) systems drive plant production schedules, material use, shipping, and inventory levels. Popular ERP systems include offerings from Oracle, SAP, Microsoft, and Epicor. Any disruptions at this level can lead to days or even weeks of downtime, creating the potential for significant revenue loss with downstream processes delayed or stopped.
- Level 3.5 – Demilitarized zone (DMZ): A recent addition over the last decade, this level includes security systems, such as firewalls and proxies, used to separate or air gap the IT and OT worlds. This is where the IT and OT worlds “converge,” increasing the attack surface for the OT systems. Many plants either do not have this layer or have very limited capabilities. The rise of automation leading to higher efficiencies has created an increased need for bidirectional data flows between OT and IT systems. This OT-IT convergence is ultimately creating a formidable competitive advantage for companies that are accelerating digital transformation.
- Level 3 – Manufacturing operations systems: This is where the production workflow is managed on the manufacturing floor. Customized systems based on operating systems, such as Windows, are used to perform batch management, record data, and manage operations and plant performance. The systems at this level are called manufacturing execution systems (MES) or manufacturing operations management systems (MOMS). MES/MOMS are specific to the products being processed/manufactured. This layer also consists of databases or historians to record the operations data. The communication between the enterprise level and manufacturing level typically occurs through a dedicated backhaul network to the main data center or headquarters. Like the enterprise level, any disruptions at the manufacturing level can lead to hours or days of downtime, with enormous potential for revenue loss, as it impacts the entire manufacturing plant.
- Level 2 – Control systems: Supervisory control and data acquisition (SCADA) software is used to supervise, monitor, and control physical processes. SCADA can manage systems over long distances from the physical location of the plants, while the distributed control system (DCS) and programmable logic controllers (PLCs) are usually deployed within the plant. The human-machine interface (HMI) connected to the DCS and PLCs allows for basic control and monitoring, while the SCADA systems aggregate data and send it upstream for recording by the historian in level 3. PLCs typically do not have keyboards and monitors. Remote Terminal Units (RTUs) allow operators to log in to the SCADA systems. Siemens, Schneider Electric, ABB, GE Digital, and Rockwell Automation are some of the major providers of SCADA systems. Devices at this layer typically communicate over the Modbus and DNP3 protocols, and data diodes can help bolster security.
- Level 1 – Intelligent devices: Sensing and manipulating physical processes occurs at this level with process sensors, analyzers, actuators, and related instrumentation. To drive efficiencies, sensors are increasingly communicating directly with their vendor monitoring software in the cloud via cellular networks.
- Level 0 – Physical process: Defines the actual physical processes.
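As an added example (not from the original article), the following Python check applies the Purdue level hierarchy to Modbus/TCP requests seen by a passive monitor: it flags requests that skip a level on their way into the control layer (for instance enterprise IT talking straight to a Level 2 PLC) and write function codes issued from any level other than Level 2. The subnet-to-level mapping and the sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Purdue level of each monitored subnet (constructed sample mapping).
LEVEL_OF_PREFIX = {"10.4.": 4, "10.35.": 3.5, "10.3.": 3, "10.2.": 2}
# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass
class Finding:
    src: str
    dst: str
    function: int
    reason: str


def level_of(ip):
    """Map an IP address to its Purdue level, or None if unmonitored."""
    for prefix, level in LEVEL_OF_PREFIX.items():
        if ip.startswith(prefix):
            return level
    return None


def parse_mbap(payload):
    """Return (unit_id, function_code) from a Modbus/TCP request, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU (bytes after the 6th).
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def check_flow(src, dst, payload):
    """Flag Modbus requests into Level 2 that violate the Purdue conduit model."""
    parsed = parse_mbap(payload)
    s, d = level_of(src), level_of(dst)
    if parsed is None or s is None or d != 2:
        return None  # not Modbus, or not a flow into the control layer
    fc = parsed[1]
    if s - d > 1:  # skips a level, e.g. enterprise IT straight to a PLC
        return Finding(src, dst, fc, f"level {s} -> level {d} bypasses the conduit hierarchy")
    if fc in WRITE_FUNCTIONS and s != 2:
        return Finding(src, dst, fc, f"write function {fc} issued from level {s}")
    return None
```

Only flows whose destination sits at Level 2 are examined, since that is where Modbus servers (PLCs) live in this model; the DMZ level 3.5 is deliberately more than one step from Level 2, so DMZ-to-PLC traffic is also reported.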
The diagram below represents the workflow and the interactions between the different systems:
The need for zero trust in ICS
OT environments use flat networks with production equipment from multiple vendors working together. While microsegmentation at the network level seems like a good idea, it is logistically challenging to implement physical devices inline in production environments: device installation requires significant planned downtime and can also cause unplanned downtime due to factors such as the age of the ICS systems and the proprietary protocols in use. Any security devices deployed inline in the communication path of ICS systems have to prove their reliability and are possibly subject to regulatory compliance. Above all, OT plant operations teams are not typically aware of IT best practices, let alone advanced network security concepts. The goal of an OT plant is production efficiency and uptime, and cybersecurity is a lesser priority, especially if it is complex and involves downtime.
While Ethernet is still the backbone of most factories and warehouses, wireless connectivity is gaining traction as private cellular brings with it mobility, reliability, deterministic networking, and standardized technology for these markets. Wireless connectivity will enable Industry 4.0 applications, such as autonomous mobile robots, asset tracking, cobots, industrial robots, and smart glasses.
Rather than stockpiling historic data, manufacturers now have the tools to collect data in real time, allowing them to run performance analytics in the cloud that yield immediate results. Unsurprisingly, applications and data-generating activities once reserved for local operations—PLCs, SCADA, and DCSs for manufacturing and warehouse management systems (WMSs) for logistics—are finding their way to the cloud, making OT networks more complex.
A zero trust architecture can simplify security for critical infrastructure and solve key challenges such as secure remote access for ICS systems, without requiring cumbersome physical segmentation at each layer. The National Institute of Standards and Technology (NIST) proposed the Zero Trust Architecture for industrial and enterprise networks and stated, “Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.”
Applying the zero trust guiding principles of IT networks for workflow, system design, and operations can simplify and improve the security posture of the OT networks and help organizations accelerate digital transformation.
NIST adds: “To take this one step further, the word ‘resource’ can be substituted for ‘data’ so that ZT and ZTA are about resource access (e.g., printers, compute resources, Internet of Things [IoT] actuators) and not just data access.” (NIST, Zero Trust Architecture, August 2020)