Automation Network Architecture

Published on 12 December, 2012 at 09:00

Purpose

The design of a well-protected automation network involves considering a number of different security aspects including appropriate physical security; logical security; network architecture and hardware design; and robust security policies and procedures. This blog post will describe a widely used and recommended Network Architecture and Hardware configuration that could be utilised as a basis to secure your automation network. As noted above, appropriate network architecture is only one facet of creating a secure and reliable automation system.

Unique Automation Requirements

With many automation systems adopting common enterprise network technologies such as TCP/IP, automation network security has often been left to those who understand and have experience in this field, namely the IT department. This makes sense. However, those involved in securing automation networks must first understand that there are a number of critical differences between enterprise and automation network performance requirements. A good description of these differences can be found in Section 2.8, “Differences between Office and Automation Networks”, of the “IAONA Handbook Network Security”, Version 1.5.

A Recommended Architecture

Firewalls are central to securing a network. However, there are many different hardware configurations in use, let alone firewall rule configurations. An excellent resource for planning your automation network architecture is the Good Practice Guide from the UK’s Centre for the Protection of National Infrastructure titled “Firewall Deployment for SCADA and Process Control Networks” (15th February 2005). The guide describes many different firewall architecture configurations, their advantages and disadvantages, and rates each configuration for “Security”, “Manageability” and “Scalability”. One of the highest rated architectures, which will be described here, is the “Paired Firewall with Demilitarised Zone and VLAN” configuration. This configuration recommends spreading the automation assets and services across three separate sub-networks as described in Table 1 below.

Table 1 - Division of Typical Services and Hardware

Sub-Network                       | Typical Services Provided                                                          | Hardware Examples
Process Control Network (PCN)     | Monitoring, control and visualisation of the process                               | I/O cards, PLCs, RTUs, SCADA servers, HMI clients (typically ISA 95 Level 1 & 2 devices)
Process Information Network (PIN) | Process data storage, remote access servers, web client servers for PCN            | Data historian, alarms and events server, VPN server (typically ISA 95 Level 3 devices)
Enterprise Network (EN)           | Typical business network, plus PCN configuration, trending and reporting clients   | PLC and SCADA configuration client, trending and reporting client

The PIN is placed in a demilitarised zone (DMZ), which is created by using a paired-firewall configuration. See Figure 1 below for an example of the recommended network architecture.

Figure 1 - Automation Network Architecture

Demilitarised Zone

A DMZ is by definition a separate sub-network that contains and exposes its services to a larger, less trusted network such as the internet or the EN. A paired firewall configuration is used to create the DMZ. Under typical circumstances, both the PCN and EN shall be able to communicate with the PIN, but not with each other, i.e. the PCN and EN shall not communicate directly.

Virtual Local Area Network

The architecture described recommends that a separate Virtual Local Area Network (VLAN) be created for the PCN. A VLAN is a group of hosts with a common set of requirements that communicate as if they were attached to the same network regardless of their physical location. A VLAN is created via software configuration.

Those clients physically residing on the EN but requiring access to the PCN should be part of the PCN VLAN. An example of this may be an Automation Engineer’s PC residing on the EN. On this PC the engineer would typically have software that allows him or her to monitor, troubleshoot and reconfigure the PCN and its constituent devices. Hence, the Automation Engineer’s PC would require direct access to the PCN. Being located on the PCN VLAN would allow the engineer to achieve this.

Advantages of "Paired Firewall with DMZ and VLAN"

Some advantages of the paired firewall with DMZ and VLAN are described below.

Separation of Responsibilities

One advantage of having a paired firewall configuration is that it allows the Automation and IT groups to have clearly separate device responsibility, with the IT group managing the “Front-End” firewall and the Automation group managing the “Back-End” firewall. This ensures that firewall management does not fall through the cracks, as often one group assumes the other has responsibility for firewall management.

Air-Gap Security Option

Each of the sub-networks described above is physically separate. Each sub-network is connected to a separate switch, allowing IT and Automation managers to monitor a single connection for security threats. Should a security issue arise within any one of the three networks, the network in question can be quickly disconnected, preventing the infection of the other two networks. This method of protection is known as the “air-gap model”. It is sometimes referred to as the “draw-bridge” method.

The described architecture allows the PCN to carry out effective process control in the event that the “draw-bridge” is lifted. Certain processes and services would indeed be impacted if the PCN were required to operate independently (namely ISA 95 Level 3 & 4, Manufacturing Operations Management and Business Planning/Logistics). However, the business would continue to have the ability to operate its industrial processes and equipment in a safe manner while still being able to supply the customer with product.

Front-End Firewall

The function of the front-end firewall is to allow only trusted traffic from the EN or internet to access the PIN hosts and vice versa. This is carried out by configuring firewall rules. The recommended default rule for the front-end firewall is to “Deny All” traffic with pin-hole exceptions made for traffic that is essential for business. The difficulty that arises here is trying to define what traffic is absolutely essential for business and does not impact network security. It is important that outgoing traffic rules be as carefully analysed and deployed as incoming traffic rules in order to prevent the PIN becoming the source of a virus that propagates to other sub-networks.

Back-End Firewall

The function of the back-end firewall is to allow only trusted traffic from the PIN to access the PCN, or vice versa. Again, the recommended default rule for the back-end firewall is to “Deny All” traffic, with pin-hole exceptions made for traffic that is essential for business. Determining what traffic is “essential for business” communication between the PCN and PIN should be much easier than between the EN and the PCN. Again, it is important that outgoing traffic rules be as carefully analysed and deployed as incoming traffic rules in order to prevent the PCN becoming the source of a virus that propagates to other sub-networks.
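As an added illustration of the front-end and back-end rule policy described in the two sections above (example code, not part of the original post or the CPNI guide), the following model treats each firewall as a default-deny allow-list of pinholes and checks candidate flows between the EN, PIN and PCN. The zone names follow the post; the hosts, ports and pinhole entries are constructed samples.

```python
# Added example: model of the paired-firewall "Deny All" policy with pinholes.
# Zones EN, PIN and PCN are from the post; the pinholes below are constructed.
from dataclasses import dataclass

ZONES = ("EN", "PIN", "PCN")

@dataclass(frozen=True)
class Pinhole:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"
    note: str = ""

# Front-end firewall sits between EN and PIN; back-end between PIN and PCN.
# Both default to "Deny All": only listed pinholes pass, and each direction
# (incoming and outgoing) needs its own explicit entry.
FRONT_END = [
    Pinhole("EN", "PIN", 443, note="reporting clients browse the historian web UI"),
    Pinhole("PIN", "EN", 123, "udp", note="PIN hosts sync time from the EN NTP server"),
]
BACK_END = [
    Pinhole("PIN", "PCN", 502, note="historian polls PLC registers over Modbus/TCP"),
    Pinhole("PCN", "PIN", 1433, note="SCADA server writes alarms/events to PIN database"),
]
FIREWALL_FOR_PAIR = {
    frozenset(("EN", "PIN")): FRONT_END,
    frozenset(("PIN", "PCN")): BACK_END,
}

def flow_allowed(src_zone, dst_zone, dst_port, proto="tcp"):
    """True only if an explicit pinhole admits this exact flow.
    EN<->PCN has no firewall pair of its own, so it is denied outright."""
    if src_zone == dst_zone:
        return True  # intra-zone traffic never crosses a firewall
    rules = FIREWALL_FOR_PAIR.get(frozenset((src_zone, dst_zone)))
    if rules is None:
        return False  # no direct path: EN and PCN must not talk to each other
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.dst_port == dst_port and r.proto == proto for r in rules)

def audit_rulesets(front_end=FRONT_END, back_end=BACK_END):
    """Return a list of pinholes that would break the architecture: any rule
    bridging EN and PCN directly, or one naming a zone the model does not know."""
    problems = []
    for name, rules in (("front-end", front_end), ("back-end", back_end)):
        for r in rules:
            if {r.src_zone, r.dst_zone} == {"EN", "PCN"}:
                problems.append(f"{name}: {r.src_zone}->{r.dst_zone}:{r.dst_port} bridges EN and PCN")
            elif r.src_zone not in ZONES or r.dst_zone not in ZONES:
                problems.append(f"{name}: {r.src_zone}->{r.dst_zone}:{r.dst_port} uses an unknown zone")
    return problems
```

Running `audit_rulesets()` against a proposed change before it is deployed gives each group a quick check that their firewall's pinholes still respect the "PCN and EN never communicate directly" rule.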

Brian O'Connell 
