The control devices that make up control systems are increasingly interconnected over communication networks for purposes of automation, process efficiency, and safety. Control systems in a wide range of environments, including but not limited to manufacturing, oil and gas production and processing, transportation, energy production and transmission, UAS (Unmanned Aerial Systems), and automated vehicles, share common control characteristics: each includes one or more logic circuits responsible for controlling physical devices that operate physical processes. Those control devices can be networked together over operational technology (OT) networks, also known as process control networks (PCNs) or platform information technology, so that a process control system can control and monitor the behavior of its control devices and offer convenience to the operators responsible for running the system.
Because of this interconnectivity, these systems can be vulnerable to cyber security threats. Typical cyber security protections applied in information technology (IT) networks, such as firewalls, virus protection, network segmentation, and virtual networks, can be applied to reduce the attack surface available to attackers in the OT network, but they do little to address the specific vulnerabilities of OT networks, which are designed for process efficiency and safety rather than cyber security. There is, in fact, little cyber security designed into conventional control systems, let alone the many legacy control systems that have no security at all.
As shown in FIG. 3, a conventional OT system typically includes industrial control devices (ICDs) 320 and industrial devices 330, such as those used for electrical distribution. Conventional control systems are designed using a hierarchical control device structure to control system processes. This begins, at the lowest level (level 0), with the industrial devices 330 that actually perform a function within the OT system. These industrial devices 330 include physical devices, such as valves, relays, pumps, compressors, electronic breakers, starter motors, and actuators, as well as arrays of sensors that provide data about the state of the system, such as pressure, temperature, current and voltage, flow rate, and level, and thereby indicate how the system is performing. The control and sensor data flow through a series of industrial control devices (ICDs) 320 that house the logic that determines how the system should behave. Some functions of the system are controlled automatically by the ICDs 320 and some are controlled by operators, whose view into the system is provided by Human Machine Interfaces (HMIs) 315. The HMIs 315 receive information from the ICDs 320, display a computer graphics view of the control system and its state, and provide controls that allow the operator to change the parameters that run the control system process.
The ICDs 320 can be implemented by commercial control systems, such as programmable logic controllers (PLCs), or by proprietary embedded control technology designed and built for particular devices (e.g., an industrial relay). It is common for the ICDs 320 to reside on a wired or wireless network, which can be the same data network used to carry both process data and command and control functions. The control devices 320 and industrial devices 330 are inherently not secured against cyber threats. Communication protocols such as the Common Industrial Protocol (CIP) can provide a unified communication architecture for managing communications within the OT network and between control system devices.
FIG. 4 shows the Purdue ICS (Industrial Control System) Reference Architecture 300, illustrating the levels at which operations are performed in a control system. The Purdue ICS Reference Architecture is described, for example, at https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture. The Purdue ICS Reference Architecture 300 includes five levels of operations (Levels 0-4). Level 0 includes the process I/O devices corresponding to the industrial devices 330 and is associated with the actual physical processes performed by those devices. Level 1 includes intelligent devices, such as the ICDs 320 and safety instrumented systems; Level 1 operations sense and manipulate the physical process associated with the Level 0 devices 330 by providing control logic. Level 2 includes area and supervisory control systems for supervising, monitoring, and controlling the physical processes using an HMI 315, namely supervisory control and data acquisition (SCADA) software. Levels 0-3 typically make up the OT system. There is then typically an interface to the enterprise IT network (Level 4). That interface point is an important part of the OT network because it provides access from the business application environment of an organization into the control system, but it can also be a source of cyber security vulnerabilities.
Level 3 of the Purdue ICS Reference Architecture 300 is associated with plant production and operations systems that manage production workflow or operational processes. Management of the business-related activities of the enterprise is performed at Level 4 of the Purdue ICS model. Typical cyber security devices and solutions available for the information technology space can be used to provide security for Level 3 and Level 4 operations but are inadequate for protecting operations at Levels 0-2 against cyber threats.
For example, one of the biggest differences between traditional IT-based cyber security for Level 4 operations and control-system-specific security for OT Levels 0-3 is that the primary objective of enterprise and plant IT systems is to protect data (confidentiality), whereas the primary security objective of OT networks is to maintain the integrity of operational processes. Cyber attacks on OT networks can be launched by actors operating outside the OT network who exploit security holes in Level 4 systems, or by internal actors, such as malicious programs (instructions) embedded within the control processes of Levels 0-3. While traditional IT cyber security solutions can provide some protection against threats to Level 3 and Level 4 operations or processes, control-system-specific solutions are required to adequately protect Level 0-2 processes from cyber attacks that can degrade production or operations, cause loss of control, damage equipment, or create safety issues. IT security protection typically does not have the policies, procedures, tools, and expertise in place to manage the Purdue ICS Level 2 control systems, the Level 1 network and ICDs 320, or the Level 0 industrial equipment or devices 330.
Control systems have some very important differences from IT systems. Solutions for addressing cyber threats in an IT system tend to rely on generating, collecting, and analyzing log information from every level and resource within the IT network. In contrast, an OT system is highly resource limited, and most communications within the lowest levels of the OT network are in the form of analog signals, which do not lend themselves to logging and forensic analysis. Further, communications between the HMI and the ICD can be in digital format and need to be compared against the analog signals to validate the data and to determine whether the control system is operating normally.
Furthermore, a man-in-the-middle (MITM) adversary with access to the OT network can insert attacks at the most impactful level and time to mask the information reported up the OT network hierarchy (for example, to the HMI or to the operations and control systems where decisions are made), creating a false picture of the state of the physical control system. Without log information that starts at the lowest level (Level 0) and continues upward, there is no way to perform the data fusion needed for the analysis and correlation that would indicate the presence of a MITM attack.
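The cross-level comparison described in the two preceding paragraphs (digital values reported from the ICD to the HMI checked against an independently sampled Level 0 signal), as an added example that is not part of the original document. It assumes the Level 0 analog signal has already been digitized by a tap that the ICD-to-HMI path cannot influence, so that both streams arrive as timestamped samples in the same engineering units; the streams, the tolerance of 0.5 bar, the timestamp skew limit, and the minimum run length are all constructed for illustration.

```python
"""Cross-level consistency check for one process tag.

Two streams are fused: `level0` is the independently sampled physical
signal (Purdue Level 0), `reported` is what the ICD sends to the HMI over
the digital link. A MITM between ICD and HMI that rewrites the reported
value produces a sustained divergence between the streams; a single noisy
sample does not, so only runs of mismatches are raised as alerts.
Example code, not from the original document; all data is constructed.
"""
from bisect import bisect_left
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t: float      # timestamp, seconds
    value: float  # engineering units (bar in the constructed data)


@dataclass(frozen=True)
class Alert:
    start: float      # first timestamp of the divergent run
    end: float        # last timestamp of the divergent run
    max_delta: float  # largest |reported - level0| seen in the run


def nearest(samples: List[Sample], t: float, max_skew: float) -> Optional[Sample]:
    """Closest sample to time t (samples sorted by t), or None if none lies within max_skew."""
    times = [s.t for s in samples]
    i = bisect_left(times, t)
    candidates = [samples[j] for j in (i - 1, i) if 0 <= j < len(samples)]
    if not candidates:
        return None
    best = min(candidates, key=lambda s: abs(s.t - t))
    return best if abs(best.t - t) <= max_skew else None


def fuse(level0: List[Sample], reported: List[Sample], tolerance: float,
         max_skew: float = 0.5, min_run: int = 3) -> List[Alert]:
    """Raise one Alert per run of >= min_run consecutive reported samples that
    differ from the time-aligned Level 0 value by more than `tolerance`."""
    alerts: List[Alert] = []
    run: List[Tuple[float, float]] = []  # (t, delta) for the current mismatch run

    def flush() -> None:
        if len(run) >= min_run:
            alerts.append(Alert(run[0][0], run[-1][0], max(abs(d) for _, d in run)))
        run.clear()

    for r in reported:
        ground = nearest(level0, r.t, max_skew)
        if ground is None:
            # No Level 0 sample close enough to compare against: this sample
            # is undecidable and ends any run in progress rather than extending it.
            flush()
            continue
        delta = r.value - ground.value
        if abs(delta) > tolerance:
            run.append((r.t, delta))
        else:
            flush()
    flush()
    return alerts


def constructed_streams() -> Tuple[List[Sample], List[Sample]]:
    """Constructed data: pressure ramps 0.5 bar/s from 10.0 bar over 20 s.
    The reported stream is faithful apart from one noise spike at t=3, then a
    hypothetical MITM freezes the reported value at 13.7 bar from t=8 onward,
    masking the continuing rise seen at Level 0."""
    level0 = [Sample(float(t), 10.0 + 0.5 * t) for t in range(20)]
    reported = [Sample(float(t), 10.0 + 0.5 * t) for t in range(8)]
    reported[3] = Sample(3.0, 12.4)  # isolated spike (true value 11.5)
    reported += [Sample(float(t), 13.7) for t in range(8, 20)]
    return level0, reported


if __name__ == "__main__":
    l0, rep = constructed_streams()
    for a in fuse(l0, rep, tolerance=0.5):
        print(f"divergence t={a.start:.0f}s..{a.end:.0f}s, max |delta|={a.max_delta:.1f} bar")
```

With the constructed streams the single spike at t=3 is discarded because the run length is 1, the frozen value at t=8 still lies within tolerance of the true 14.0 bar, and the run from t=9 to t=19 is raised as one alert with a maximum divergence of 5.8 bar. The check says nothing about which side is wrong; it only establishes that the HMI view and the physical process disagree, which is the condition the text identifies as undetectable without Level 0 data.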
In addition, OT networks can have less system resource capacity than an IT network. Typical IT networks operate with greater capacity (e.g., bandwidth) and greater tolerance (e.g., for longer latencies) than is acceptable in a deployed OT network. Resource constraints and the requirement for reliable process control and monitoring for the safe and stable operation of ICS processes both play a role in this problem, limiting what can be captured, stored, and processed within the control system.
There remains a growing need to protect OT networks, which have little or no cyber security protection. The present development addresses this need.