The control room of Ling Ao Phase II Nuclear facility.

We are continuing our “ICS & Cybersecurity Series” with a description of how Industrial Control Systems are structured. If you haven’t read it already, you can also read the earlier post, “Industrial Control Systems are ruling the world”.

ICS systems are generally conceptualized as a hierarchy of levels: enterprise, then factory or process, then control, and finally field. These levels represent a functional hierarchy of the different parts of a piece of critical infrastructure, whether that is an industrial operation, a power plant or a public facility.

The architecture of ICS networks

The enterprise level is the organization's general IT network, where general-purpose business systems such as Enterprise Resource Planning (ERP) or Manufacturing Execution Systems (MES) are connected.

The enterprise level lies above the factory or process level. The two may be separated by a large physical distance from the hub of the network (particularly in a SCADA system), meaning that data has to be transmitted between the levels via radio, telephone cables or satellite, which poses a possible security risk.

In a SCADA network, the control level functions as the nerve centre of the network, sending coded information between the higher-level coordinating components of the ICS and the industrial machinery itself. It’s what links PLCs and sensors into the broader network. The information carried at this level is generally relayed over wired networks, but could be wireless in some cases, and the level may or may not be connected to the wider internet. To protect against cyber-attack, the data carried by the ICS may be firewalled, but this is not always the case.

At the field level, sensors collect information about the industrial process and relay this to the PLC, which then transmits it across the wider ICS. A number of different field sites may be linked up to a single control centre (as in a power plant with several reactors, or a production line with a number of lathes).

In theory, every PLC in the network is connected to a relevant SCADA server. This means that sensors can be monitored periodically, and field sites can be reprogrammed and repaired when necessary, while alarms provide a reliable way to ascertain whether any faults have developed.

The main control centre is crucial, as it makes decisions that take into account data generated across the whole network. So, in the example of a train station, different field sensors record when sections of rail are occupied and when trains are boarding. They relay this information to control centres, which decide whether to allow trains to arrive at certain platforms and program announcements for the benefit of passengers.

Constraints faced by ICS systems

Some of the potential security flaws in ICS systems have been noted above, but ICS networks in general must deal with many different constraints that don’t apply to ordinary IT networks.

For example, ICS networks usually need to focus on carrying out tasks reliably and regularly rather than on a high throughput of information. They also need to function continuously (when in use), often incorporating redundant systems that take over when a component fails. They can’t simply be rebooted like computer networks.

ICS network managers also have to make sure that every field unit is safe. They also often have to deal with situations where a network failure can have serious and immediate real-world repercussions (such as the contamination of drinking water or a reactor meltdown). Risk management becomes a vital aspect of their job.

Another difference with IT networks is that ICS generally involves elements that have direct physical contact with an industrial process. This can involve high temperatures and forces which create demanding conditions for the components involved.

The software used on ICS systems may also be unfamiliar to conventional IT managers. Often packages are developed by specialist firms and are proprietary, making upgrading them problematic. This can also mean that security patches are applied late, which is rarely the case with a well-run IT network. After all, many ICS networks cannot easily be turned off so that software can be changed. Any alterations must be planned well in advance, and this lag can lead to serious vulnerabilities.

The hard work to make ICS more secure

ICS networks are more specialised than most IT networks – and trained personnel have to maintain and update them. Commonly, the network operator and their ICS supplier will work closely to ensure that networks are kept protected, but in some cases ICS systems can become outdated and vulnerable when this relationship is absent.

With the right expertise, any ICS can be made more secure. The key is to find ways to effectively map every node in the ICS, highlighting any points of weakness and finding the best solution in every case. A well-mapped ICS can be constantly monitored to resolve cybersecurity concerns, but it takes thorough planning to make this a reality.
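As an added example (not code from the original post or from any vendor), the following script applies the level hierarchy described above to the mapping idea in this section: it takes a constructed inventory of nodes and links, assigns each node to the enterprise, process, control or field level, and flags the weak points the post calls out, namely links that bypass a level, cross-level links with no firewall, unencrypted radio, telephone or satellite hops, and control or field nodes with an internet connection. All node names, media and flags are hypothetical.

```python
# Added example (not the post's own code): a zone-and-conduit audit over a
# constructed ICS inventory, using the post's enterprise/process/control/field levels.
from dataclasses import dataclass

LEVELS = ["enterprise", "process", "control", "field"]
LONG_HAUL = {"radio", "telephone", "satellite", "wireless"}  # media the post names as risky

@dataclass(frozen=True)
class Node:
    name: str
    level: str
    internet_facing: bool = False  # true if the node has a route to the wider internet

@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    medium: str        # "wired" or one of LONG_HAUL
    firewalled: bool   # traffic on this link passes a firewall
    encrypted: bool

def audit(nodes, links):
    """Return (severity, message) findings that a site mapping should highlight."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:
        # The post notes the control level "may or may not" reach the internet.
        if n.internet_facing and n.level in ("control", "field"):
            findings.append(("high", f"{n.name}: {n.level}-level node is internet-facing"))
    for l in links:
        a, b = by_name[l.src], by_name[l.dst]
        gap = abs(LEVELS.index(a.level) - LEVELS.index(b.level))
        if gap > 1:  # a link that bypasses the intermediate level(s)
            findings.append(("high", f"{l.src}->{l.dst}: skips levels ({a.level} to {b.level})"))
        if gap >= 1 and not l.firewalled:  # "may be firewalled, but this is not always the case"
            findings.append(("medium", f"{l.src}->{l.dst}: cross-level link has no firewall"))
        if l.medium in LONG_HAUL and not l.encrypted:  # radio/telephone/satellite hops
            findings.append(("medium", f"{l.src}->{l.dst}: {l.medium} link is unencrypted"))
    return findings

# Constructed sample inventory with hypothetical node names.
SAMPLE_NODES = [Node("erp", "enterprise"), Node("historian", "process"),
                Node("scada-server", "control", internet_facing=True), Node("plc-1", "field")]
SAMPLE_LINKS = [
    Link("erp", "historian", "wired", firewalled=True, encrypted=True),
    Link("historian", "scada-server", "satellite", firewalled=False, encrypted=False),
    Link("scada-server", "plc-1", "wired", firewalled=False, encrypted=False),
    Link("erp", "plc-1", "wired", firewalled=False, encrypted=False),  # bypasses two levels
]
```

Running `audit(SAMPLE_NODES, SAMPLE_LINKS)` on the sample inventory yields six findings, two of them high severity; in practice the inventory would come from a site survey or passive network capture rather than being typed in by hand.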