Zero Trust In Operational Technology

Compare, contrast, merge, enhance. How the Purdue model for Industrial Control Systems interacts with the Zero Trust Network Architecture.

Purdue Conceptual Model

What is the Purdue Model?

Created in the 1990s, the Purdue Enterprise Reference Architecture catered primarily to manufacturing and process control enterprises. Distinguished by its ‘5 levels’, often confused with the ISO networking model’s layers, it found its inclusion in standards like ISA-95 and IEC 62264. With zones defining levels and conduits connecting them, its impact lay in the compartmentalization of security.

While the Purdue Model assumed complete trust within a level, it inherently distrusted the level above. And here, the shift towards the Zero Trust Network Architecture is evident.

Zero Trust, with its principle of “never trust, always verify,” operates on the concept that there are no trusted locations or levels. Every interaction must be authenticated, curtailing the menace of lateral movements. The quintessential question then is – can the stability of the Purdue Model and the agility of Zero Trust coalesce to augment each other?

Acronyms And Modules Explained

But first, let’s explain the components (AKA the acronym soup):

Operational Technology (OT) is hardware and software running in the ‘non-carpeted’ parts of your business. It supports “the direct monitoring and/or control of industrial equipment, assets, processes and events.”

Industrial Control Systems (ICS) are a subset of Operational Technology. They are the hardware and software that run the process control and manufacturing (as distinct from, e.g., the building heating and door locks).

A Building Management System (BMS or sometimes BAS) is the hardware and software that manages the building in which your business operates. It controls temperature, humidity, door locks and access control, surveillance, and alarm systems.

Distributed Control System (DCS) is an architectural model of industrial control where the sensors, the actuators, and the decision-making are separated. A temperature sensor sends a signal, a decision is made to turn off the heating element, and the element is switched off, each step in a separate device.

Supervisory Control and Data Acquisition (SCADA) typically comprises a historical database (historian), a set of signals (sensors), a set of decision-making devices (PLCs), and, most importantly, the Human Machine Interface (HMI), which may be physical (e.g. a touchscreen) or logical (e.g. a web page).

Industrial Internet of Things (IIoT) is a Distributed Control System where cloud computing or remote components are allowed. Rather than sensors being directly wired to the PLC, they may use a messaging bus such as MQTT or AMQP. IIoT is a key component of Industry 4.0.

OK, the terminology is out of the way; let’s examine the Purdue Model in some more detail. The Purdue Model is conceptual; each company implements it in a different way. The most common arrangement is that levels 0/1/2 are not segregated from each other; there is one big network.

A typical Purdue Model diagram is shown below. Level 0 has sensors; Level 1 control systems; Level 2 supervisory; Level 3 is the plant management; Level 4 is the typical corporate world, and Level 5 is things that interact with the Internet. The Purdue Model dates to the mid-1990s when the Internet was nearly unfathomable for the typical corporation and the idea that part of the core services would be run on “other people’s hardware” was not included. Industry 4.0 was far on the horizon.

The ‘Firewall’ shown between each of the layers is typically a set of Access Control Lists (ACLs) on existing routers. The rules are usually nearly wide open due to layering violations that have accumulated over the years. Reporting products running in the cloud on big data systems require access to each layer, breaking down the protections once inherent in and between layers.

Remote maintenance and support require team members, and extended teams from suppliers, to remote in through the Internet and through each firewall layer.

Lateral traversal becomes a challenge as each layer has its own inherent weaknesses. What were once immutable physical control systems became desktop PCs, but retained the same life-cycle expectations of the industrial world. Patch Tuesday from the corporate world met the need to not take production down. Today’s plant might have a Windows XP or CE PC still in operation, long past its safe update cycle.

Zero Trust and Purdue With Industrial Micro-Segmentation

In “Industrial Zero-Trust Micro-Segmentation” we discuss a method to use an identity-aware firewall to bridge this gap, creating a logical ‘1-device airgap’ where each resource is individually addressable without risk of lateral traversal. This allows vital remote maintenance and support functions to occur safely, lowering the mean-time-to-repair.

By having each person or resource use its identity to unlock the path to only the things it needs to get its job done, we implement a narrowly tailored, least-privilege network. We create a practical airgap. We reduce the cognitive load of configuring the complex ACLs on the switches. We implement defense in depth, meaning that, when something bad happens, it doesn’t happen everywhere to everything at the same time.

So, how do we reconcile and get the best of each layer? Zero-Trust-Purdue? First, keep the levels. They serve their purpose. Second, use private-VLAN technology on the switches, removing the ability to communicate east-west. Third, implement an identity-aware firewall managing the north-south (and the east-west where appropriate). A Zero-Trust implementation, centered on the existing industrial PCs and using the existing switches, makes it simpler and safer for remote workers, regardless of origin or company, to use today’s best security practices like single sign-on and multi-factor authentication, to provide remote maintenance and lower the mean-time-to-repair. Lower risk, higher efficiency, higher uptime, and lower cost. Modern Zero-Trust augments the battle-tested Purdue Model.
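As an added illustration (not from the original post, and not Agilicus code), the following Python models the blast radius of one compromised Level 2 host under the classic wide-open ACL layout and under the private-VLAN plus identity-aware firewall layout described above. The device names, identities, grants and east-west exceptions are constructed assumptions.

```python
from collections import deque

# Constructed inventory (device -> Purdue level); names are assumptions.
DEVICES = {
    "sensor-a": 0, "sensor-b": 0,
    "plc-1": 1, "plc-2": 1,
    "hmi-1": 2, "hmi-2": 2, "historian": 2,
    "mes": 3,
}

# Identity-aware firewall grants: an identity unlocks only the resources it
# needs, the '1-device airgap' of the article (constructed values).
GRANTS = {
    "vendor-tech@supplier.example": {"plc-1"},
    "ops-lead@plant.example": {"hmi-1", "historian"},
}

# The few east-west conduits the plant really needs, permitted explicitly
# because the private VLAN drops everything else inside a level.
EAST_WEST_ALLOWED = {("plc-1", "sensor-a"), ("plc-2", "sensor-b"),
                     ("hmi-1", "historian")}


def classic_purdue_allows(src, dst, identity=None):
    """Classic ACL Purdue as described above: full trust inside a level and
    nearly wide-open conduits between adjacent levels."""
    return abs(DEVICES[src] - DEVICES[dst]) <= 1


def zero_trust_allows(src, dst, identity=None):
    """Private VLAN (no east-west by default) plus an identity-aware firewall
    that opens a path only to a resource the presented identity holds a grant for."""
    if (src, dst) in EAST_WEST_ALLOWED:
        return True
    return identity is not None and dst in GRANTS.get(identity, set())


def blast_radius(start, allows, identity=None):
    """All devices reachable from a compromised `start` host by hopping along
    allowed flows (the identity, if any, rides along with the attacker)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in DEVICES:
            if dst not in seen and allows(cur, dst, identity):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


if __name__ == "__main__":
    print("classic:", sorted(blast_radius("hmi-1", classic_purdue_allows)))
    print("zero trust:", sorted(blast_radius("hmi-1", zero_trust_allows)))
```

With the classic ACLs every other device is reachable from the compromised HMI; with the private VLAN and identity grants only the explicitly conduited historian is, and even a stolen vendor identity adds just the single PLC it was granted and that PLC's sensor.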

Conclusion: Enhance the Purdue Model with Zero Trust

Marrying the resilience of the Purdue Model with the dynamism of Zero Trust redefines security, efficiency, and productivity. It’s not just about juxtaposing two concepts; it’s about crafting a seamless synthesis for the future.

Ready To Learn More?

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
