Network segmentation

The first step in designing a security-conscious ICS network architecture is defining network segmentation. A network segment, also known as a network security zone, is a logical grouping of information and automation systems in an ICS network. The ICS network should be divided into manageable network segments in order to limit the broadcast domain, restrict bandwidth usage, and reduce the attack surface. A network security zone has a well-defined perimeter and strict boundary protection. Security zones are given a security trust level (low, medium, or high). Within the context of an ICS network, the Industrial Zone is considered the high security zone and the Enterprise Zone the low security zone. This allows systems with similar security requirements to be placed within the same zone. For example, a workstation supplied by an Original Equipment Manufacturer (OEM) vendor, custom built by that vendor, used to control a critical part of the production process, and contractually prohibited from receiving updates without the vendor's strict approval, would be hosted in the Industrial Zone, where the IDMZ shields it from direct access from less secure zones. On the other hand, a desktop computer that is merely used to run production reports, has no update restrictions, and has no particular value to the production process would be placed in the Enterprise Zone, where the IDMZ prevents it from directly accessing critical production systems and devices.

Establishing a small number of network security zones with clearly defined security requirements limits the complexity and removes ambiguity when selecting a zone for new systems and devices. A typical ICS network incorporates the following network security zones with the corresponding trust levels:

  • Enterprise Zone: Low trust
  • Industrial DMZ: Medium trust
  • Industrial Zone: High trust
  • Cell Area Zones: Subzones of the Industrial Zone - High trust
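As an added example (not code from the book), the following Python script models the four zones and trust levels listed above and audits a set of candidate traffic flows against the rule the text implies: the low-trust Enterprise Zone and the high-trust Industrial Zone never talk directly, only through the IDMZ. The address plan, the host roles in the comments, and the candidate flows are all constructed for the example.

```python
"""Zone-policy checker for an ICS segmentation design (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
import ipaddress


class Trust(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Zones and trust levels as listed in the text.
ZONE_TRUST = {
    "Enterprise": Trust.LOW,
    "IDMZ": Trust.MEDIUM,
    "Industrial": Trust.HIGH,
    "Cell/Area": Trust.HIGH,  # subzone of the Industrial Zone
}

# Constructed address plan (an assumption, not from the book). The Cell/Area
# prefix sits inside the Industrial prefix; longest-prefix match resolves it.
ZONE_PREFIXES = {
    "Enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "IDMZ": ipaddress.ip_network("10.20.0.0/24"),
    "Industrial": ipaddress.ip_network("10.30.0.0/16"),
    "Cell/Area": ipaddress.ip_network("10.30.100.0/24"),
}

INDUSTRIAL_SIDE = {"Industrial", "Cell/Area"}


def zone_of(addr: str) -> str:
    """Return the most specific planned zone containing addr; raise if none."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONE_PREFIXES.items() if ip in net]
    if not matches:
        raise ValueError(f"{addr} is not in any planned zone")
    return max(matches)[1]  # longest prefix wins


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow respects the zone model.

    Intra-zone traffic and traffic inside the Industrial Zone (including its
    Cell/Area subzones) is allowed. Any crossing between Enterprise and the
    Industrial side must terminate in the IDMZ; a direct flow is a violation.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True, f"intra-zone ({src_zone})"
    if {src_zone, dst_zone} <= INDUSTRIAL_SIDE:
        return True, "within the Industrial Zone (cell/area subzone)"
    if "IDMZ" in (src_zone, dst_zone):
        return True, f"brokered by the IDMZ ({src_zone} -> {dst_zone})"
    return False, (
        f"direct {src_zone} (trust {ZONE_TRUST[src_zone].name}) -> "
        f"{dst_zone} (trust {ZONE_TRUST[dst_zone].name}) bypasses the IDMZ"
    )


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every flow that violates the zone model, with the reason."""
    violations = []
    for flow in flows:
        ok, why = check_flow(flow)
        if not ok:
            violations.append((flow, why))
    return violations


# Constructed candidate firewall rules, as they might arrive in a change request.
CANDIDATE_FLOWS = [
    Flow("10.10.5.5", "10.20.0.10", 443),     # report desktop -> IDMZ data mirror
    Flow("10.20.0.10", "10.30.1.20", 1433),   # IDMZ mirror -> Industrial historian
    Flow("10.30.1.20", "10.30.100.10", 502),  # historian -> cell-level controller
    Flow("10.10.5.5", "10.30.100.10", 502),   # desktop straight to controller: violation
    Flow("10.30.100.10", "10.10.7.7", 445),   # cell host straight to Enterprise: violation
]

if __name__ == "__main__":
    for flow, why in audit(CANDIDATE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}/{flow.proto}:{flow.dport}: {why}")
```

Running the script lists the two direct Enterprise-to-Industrial flows as violations while the IDMZ-brokered path and the Industrial-internal traffic pass; the same `audit` function can be pointed at an exported rule base to catch zone-crossing rules before they reach the boundary firewalls.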

Next, let's look a little closer at the security requirements of each of these zones.
