Piercing The Purdue Model: Zero-Trust In Operational Technology
The Purdue Enterprise Reference Architecture is a 1990s reference model for enterprise architecture, specifically for enterprises that comprise manufacturing or process control. It provides a set of levels (not to be confused with the layers of the ISO networking model) and their interconnects. The Purdue Model is incorporated by reference into ISA-95 and from there into IEC 62264. In IEC 62264 the interconnects between the levels are termed ‘conduits’, and the levels ‘zones’.
The Purdue Model compartmentalises security by placing north-south firewalls between (most) levels, with the assumption that everything inside a level is fully trusted, but the level above it is not. This is where the primary difference with Zero-Trust comes in.
A Zero-Trust Network Architecture operates on the principle that there is no trusted location and no trusted level. Each resource must prove who it is, and what it proposes to do, in order to communicate with each other resource. This in turn reduces the risk of lateral traversal.
So how can the Purdue Model, tried and true, and Zero-Trust, new and scrappy, come together and support each other, rather than compete?
But first, the components (AKA the acronym soup) explained.
Operational Technology (OT) is hardware and software running in the ‘non-carpeted’ parts of your business. It supports “the direct monitoring and/or control of industrial equipment, assets, processes and events.”
Industrial Control Systems (ICS) are a subset of Operational Technology. They are the hardware and software that run the process control and manufacturing (as distinct from, e.g., the building heating and door locks).
Building Management System (BMS, or sometimes BAS) is the hardware and software that manages the building in which your business operates. It controls temperature, humidity, door locks and access control, surveillance, and alarm systems.
Distributed Control System (DCS) is an architectural model of industrial control where the sensors, the actuators, and the decision-making are separated. A temperature sensor sends a signal, a decision is made to turn off the heating element, and each of these steps happens in a separate device.
Supervisory Control and Data Acquisition (SCADA) typically comprises a historical database (historian), a set of signals (sensors), a set of decision-making devices (PLCs), and, most importantly, the Human Machine Interface (HMI), which may be physical (e.g. a touchscreen) or logical (e.g. a web page).
Industrial Internet of Things (IIoT) is a Distributed Control System where cloud computing or remote components are allowed. Rather than sensors being directly wired to the PLC, they may use a messaging bus such as MQTT or AMQP. IIoT is a key component of Industry 4.0.
OK, the terminology is out of the way; let’s examine the Purdue Model in some more detail. The Purdue Model is conceptual, and each company implements it in a different way. The most common implementation leaves levels 0, 1 and 2 unsegregated: one big network.
A typical Purdue Model diagram is shown below. Level 0 has sensors, Level 1 control systems, Level 2 supervisory, Level 3 is the plant management, Level 4 is the typical corporate world, and Level 5 is things that interact with the Internet. The Purdue Model dates to the mid 1990s, when the Internet was nearly unfathomable for the typical corporation; the idea that part of the core services would be run on “other people’s hardware” was not included. Industry 4.0 was far on the horizon.
The ‘Firewall’ shown between each of the layers is typically a set of Access Control Lists (ACLs) on existing routers. The rules are usually nearly wide open, due to layering violations that have accumulated over the years. Reporting products run in the cloud, on big data systems, requiring access to each layer and breaking down the protections that were once inherent.
Remote maintenance and support require team members, and extended teams from suppliers, to remote in through the Internet, through each firewall layer.
Lateral traversal becomes a challenge, as each layer has its own inherent weaknesses. What were once immutable physical control systems became desktop PCs, but retained the same life-cycle expectations of the industrial world. Patch Tuesday from the corporate world met the need to not take production down. Today’s plant might have a Windows XP or CE PC still in operation, long past its safe update cycle.
In “Industrial Zero-Trust Micro-Segmentation” we discussed a method that uses an identity-aware firewall to bridge this gap: it creates a logical ‘1-device airgap’ in which each resource is individually addressable without risk of lateral traversal. This allows that vital remote maintenance and support function to occur safely, lowering the mean-time-to-repair.
By having each person or resource use its identity to unlock the path to only the things it needs to get its job done we implement a narrowly-tailored, least-privilege network. We create a practical airgap. We reduce the cognitive load of configuring the complex ACLs on the switches. We implement defense in depth, meaning that, when something bad happens, it doesn’t happen everywhere to everything at the same time.
So, how do we reconcile the two and get the best of each? Zero-Trust-Purdue? First, keep the levels. They serve their purpose. Second, use private VLAN technology on the switches, removing the ability to communicate east-west. Third, implement an identity-aware firewall managing the north-south traffic (and the east-west where appropriate).
A Zero-Trust implementation, centred on the existing Industrial PCs and using the existing switches, makes it simpler and safer for remote workers, regardless of origin and regardless of company, to use today’s best security practices such as Single Sign-On and Multi-Factor Authentication, to provide remote maintenance and lower mean-time-to-repair.
Lower risk, higher efficiency, higher uptime, lower cost. Modern Zero-Trust augments the battle-tested Purdue Model.
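To make the contrast between level-based trust (the Purdue conduits described earlier) and per-resource identity grants concrete, here is an added Python model that is not part of the original post or of any Agilicus product. It evaluates the same flows under both policies and computes the blast radius of one compromised host: under Purdue rules, everything in the same level is reachable and the conduit ACLs decide the rest; under the identity-aware policy, only explicitly granted (identity, resource, service) triples are reachable, which is the effect the private VLAN plus identity-aware firewall combination above is meant to produce. All resource names, Purdue levels, identities, services and grants are constructed for illustration.

```python
# Added example (not from the original post): a small model comparing Purdue
# level-based conduit ACLs with an identity-aware, deny-by-default Zero-Trust
# policy. All resource names, levels, identities and rules below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    level: int       # Purdue level 0..5
    identity: str    # authenticated identity of the workload or person


@dataclass(frozen=True)
class Flow:
    src: Resource
    dst: Resource
    service: str     # e.g. "modbus", "rdp", "opc-ua"


# --- Purdue-style conduits: a north/south ACL between adjacent levels -----
# (src_level, dst_level) -> services the conduit permits. Traffic inside a
# level is implicitly trusted, so no rule is needed for east-west.
PURDUE_CONDUITS: Dict[Tuple[int, int], Set[str]] = {
    (4, 3): {"https"},
    (3, 2): {"opc-ua", "rdp"},
    (2, 1): {"modbus"},
    (1, 0): {"fieldbus"},
}


def purdue_allows(flow: Flow) -> bool:
    """Level-based decision: same zone is trusted, otherwise consult the conduit ACL."""
    if flow.src.level == flow.dst.level:
        return True
    return flow.service in PURDUE_CONDUITS.get((flow.src.level, flow.dst.level), set())


# --- Identity-aware Zero-Trust policy --------------------------------------
# Deny by default. A grant names who (identity) may reach what (one resource)
# for which service. Levels are kept for structure but confer no trust, and
# east-west inside a level is blocked unless a grant says otherwise.
@dataclass
class ZeroTrustPolicy:
    grants: Set[Tuple[str, str, str]] = field(default_factory=set)

    def grant(self, src_identity: str, dst_name: str, service: str) -> None:
        self.grants.add((src_identity, dst_name, service))

    def allows(self, flow: Flow) -> bool:
        return (flow.src.identity, flow.dst.name, flow.service) in self.grants


def reachable(allow: Callable[[Flow], bool], src: Resource,
              inventory: Iterable[Resource], services: Iterable[str]) -> Set[str]:
    """Blast radius: names of resources `src` can reach over any listed service."""
    return {r.name for r in inventory if r != src
            for s in services if allow(Flow(src, r, s))}


# Constructed inventory (hypothetical plant)
HMI_A = Resource("hmi-a", 2, "svc:hmi-a")
HMI_B = Resource("hmi-b", 2, "svc:hmi-b")
HISTORIAN = Resource("historian", 2, "svc:historian")
PLC_7 = Resource("plc-7", 1, "svc:plc-7")
PLC_8 = Resource("plc-8", 1, "svc:plc-8")
ENG_WS = Resource("eng-ws", 3, "user:alice@plant.example")
VENDOR = Resource("vendor-laptop", 4, "user:bob@vendor.example")
INVENTORY = [HMI_A, HMI_B, HISTORIAN, PLC_7, PLC_8, ENG_WS, VENDOR]
SERVICES = ["modbus", "rdp", "opc-ua", "https", "fieldbus"]

POLICY = ZeroTrustPolicy()
POLICY.grant("svc:hmi-a", "plc-7", "modbus")                 # HMI A supervises PLC 7 only
POLICY.grant("svc:hmi-b", "plc-8", "modbus")
POLICY.grant("user:alice@plant.example", "hmi-a", "rdp")     # engineer's remote session
POLICY.grant("user:bob@vendor.example", "plc-7", "modbus")   # vendor maintenance, one device


def compare(compromised: Resource) -> Tuple[Set[str], Set[str]]:
    """Reachable set under Purdue ACLs versus under the Zero-Trust policy."""
    return (reachable(purdue_allows, compromised, INVENTORY, SERVICES),
            reachable(POLICY.allows, compromised, INVENTORY, SERVICES))


if __name__ == "__main__":
    for host in (HMI_A, VENDOR):
        purdue, zt = compare(host)
        print(f"{host.name}: Purdue reaches {sorted(purdue)}; Zero-Trust reaches {sorted(zt)}")
```

Running it shows the two effects the post describes. A compromised HMI at Level 2 reaches both its Level 2 neighbours and every Level 1 PLC under the conduit ACLs, but only the one PLC it is granted under the identity-aware policy. Conversely, the vendor laptop cannot reach the PLC at all through the level ACLs (it would have to traverse each layer’s firewall), yet gets exactly the one device it is granted under the identity policy, without any conduit being widened.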
Would you like to learn more?
The Agilicus team has the expertise, and loves to discuss Zero Trust implementations in Industrial Control Systems.