Why is an OT environment never a truly air-gapped/isolated network, but ultimately connected to the outside?


In an OT environment, the Purdue Model is a widely used reference architecture that segments industrial control systems (ICS) into different hierarchical levels. While Level 1 (Controllers, PLCs, RTUs, and IEDs) is often considered isolated for security reasons, it is ultimately connected to higher levels (Levels 2, 3, and beyond, including external networks). Here’s why this connection exists and why it is necessary despite security concerns:


1. Need for Monitoring and Supervision (Connection to Level 2 - SCADA, HMIs, and Engineering Workstations)

  • Real-Time Control and Feedback:
    Level 1 devices, such as PLCs, RTUs (Remote Terminal Units) and IEDs (Intelligent Electronic Devices), are responsible for controlling and executing industrial processes. However, these processes need to be monitored and supervised by human operators.
  • HMI & SCADA Systems:
    • SCADA and HMI systems, residing at Level 2, collect real-time data from Level 1 controllers and present it in a user-friendly format.
    • Operators use this data for visualization, alarms, and process control adjustments.
  • Engineering Workstations & Configuration:
    • Engineers require access to Level 1 controllers for programming, maintenance, firmware updates, and troubleshooting.
    • These workstations typically reside at Level 2 and must communicate with controllers in Level 1.

2. Production Management & Business Operations (Connection to Level 3 - Manufacturing Execution Systems, Data Historians, and ERP Integration)

  • Data Logging & Historian Systems:
    • Industrial processes generate vast amounts of data, including sensor readings, operational logs, and error reports.
    • Level 3 (Manufacturing Execution Systems - MES & Data Historians) collects and stores this data for trend analysis, quality control, and process optimization.
  • Production Scheduling & Efficiency:
    • MES applications optimize production workflows based on real-time factory conditions.
    • They must retrieve real-time process data from Level 1 controllers to adjust production schedules, allocate resources, and ensure process efficiency.
  • Alarm & Incident Management:
    • Level 1 controllers generate alarms (e.g., machine failure, safety events, or process anomalies).
    • These alarms must propagate to Level 3 management systems for escalation and response coordination.

3. Enterprise & External Network Connectivity (Connection to Level 4/5 - Business & External Networks)

  • Enterprise Resource Planning (ERP) & Business Integration:
    • The ERP system, residing at Level 4, needs access to real-time and historical production data for supply chain planning, inventory management, and reporting.
    • MES (Level 3) acts as a bridge, relaying data between Level 1 controllers and ERP.
  • Remote Monitoring & Cloud Services:
    • Many industrial environments now leverage IIoT and cloud-based analytics to improve operational efficiency.
    • This requires Level 1 data to be sent up the Purdue hierarchy and sometimes to external cloud services for advanced analytics, AI-based optimizations, or predictive maintenance.
  • Third-Party Vendor Support & Maintenance:
    • Some control systems require remote support from OEMs, integrators, or cybersecurity monitoring teams.
    • This necessitates a secure but active connection from Level 1 controllers up to external networks.

Security Risks & Mitigation Strategies

While these connections are necessary, they introduce cybersecurity risks, such as:

  • Lateral Movement Attacks: A breach in Level 3 (IT systems) could allow attackers to move downward and compromise Level 1 controllers.
  • Data Exfiltration & Integrity Attacks: If improperly secured, attackers could manipulate Level 1 process data, leading to production downtime or safety incidents.
  • Remote Exploits: If external vendors or cloud services are compromised, attackers may gain unauthorized access to controllers.

To mitigate these risks, OT environments implement:

  1. Firewalls & DMZs: Segmentation using industrial firewalls to tightly control data flow.
  2. Zero Trust Architectures: Enforcing strict authentication and access control between Purdue levels.
  3. Network Monitoring & Anomaly Detection: Using IDS/IPS and behavioral analysis to detect suspicious activity.
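As an added example (not part of the original post), the segmentation and monitoring controls above can be expressed as a small policy checker: it maps addresses to Purdue levels, allows only adjacent levels (with the industrial DMZ between Level 3 and Level 4) to talk, and flags flows that skip the hierarchy or leave the plant. The subnets and the log format are constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map for a hypothetical plant (assumption, not from the post).
ZONES = {
    1: ipaddress.ip_network("10.1.0.0/24"),    # Level 1: PLCs, RTUs, IEDs
    2: ipaddress.ip_network("10.2.0.0/24"),    # Level 2: SCADA, HMI, engineering workstations
    3: ipaddress.ip_network("10.3.0.0/24"),    # Level 3: MES, data historian
    3.5: ipaddress.ip_network("10.35.0.0/24"), # Industrial DMZ: replicated historian, jump host
    4: ipaddress.ip_network("10.4.0.0/24"),    # Level 4: ERP / enterprise IT
}

# Only adjacent levels may talk; Level 3 and Level 4 meet in the DMZ, never directly.
ALLOWED = {(1, 2), (2, 1), (2, 3), (3, 2), (3, 3.5), (3.5, 3), (3.5, 4), (4, 3.5)}

Flow = namedtuple("Flow", "src dst dport")

def level_of(ip):
    """Return the Purdue level of an address, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for level, net in ZONES.items():
        if addr in net:
            return level
    return None

def parse_flow(line):
    # Constructed log format: "src=10.4.0.7 dst=10.1.0.5 dport=502"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))

def check_flow(flow):
    """Return None if the flow respects the zone model, otherwise a reason string."""
    s, d = level_of(flow.src), level_of(flow.dst)
    if s is None or d is None:
        return "endpoint outside every plant zone (external network)"
    if s == d or (s, d) in ALLOWED:
        return None
    return f"level {s} -> level {d} skips the Purdue hierarchy"

def audit(lines):
    """Return (line, reason) pairs for every flow that violates the model."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample flow log: an HMI polling a PLC, an ERP host reaching a PLC
# directly, a PLC talking straight to the internet, and a historian push to the DMZ.
SAMPLE_LOG = [
    "src=10.2.0.10 dst=10.1.0.5 dport=502",
    "src=10.4.0.7 dst=10.1.0.5 dport=502",
    "src=10.1.0.5 dst=203.0.113.9 dport=443",
    "src=10.3.0.4 dst=10.35.0.2 dport=1433",
]
```

Running `audit(SAMPLE_LOG)` reports the second and third lines, which correspond to the lateral-movement and exfiltration risks listed above.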

Conclusion

While Purdue Level 1 (Controllers & Field Devices) ideally should be isolated, real-world OT environments require connections to Levels 2, 3, and external networks for supervision, production management, and business operations. However, due to increasing cybersecurity threats, these connections must be carefully secured to minimize risks while maintaining essential functionality.


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안
