ICS Information Security Assurance Framework 18

March 4, 2020 | Adeline Zhang

Manufacturing Sector

  • Network Architecture of a Cigarette Factory

The network architecture of a cigarette factory consists of a production network and a management network, as shown in the figure.

At the top level, the information systems of the management collaboration layer handle the enterprise's internal operation, management and control, and support business collaboration between the industrial enterprise and its upstream and downstream partners. The key application is the enterprise resource planning (ERP) system, which integrates logistics, information flows and capital flows to support the enterprise's operations, planning, control and performance appraisal. It links the cigarette production management department with the production execution department so that the two operate as one whole: production management information is integrated with production control information, operation information with production information, and device resources with human resources, giving the enterprise effective control over production and operation management. The other application systems of this layer are a set of subsystems, including production management, financial management, quality management, workshop management, energy management, sales management, personnel management, equipment management, technology management and integrated management. Together, these management information systems provide information services and decision support.

At the production execution layer, the manufacturing execution system (MES) sits between the management collaboration layer and the industrial control layer. In a tobacco enterprise's production process, the MES is the bridge between production automation and IT-based management: it receives production plans and schedules from the layer above and drives their execution in the process control system below, forming the two-way channel between the management collaboration layer and the industrial control layer. The MES's data comes directly from the process control system (PCS); the real-time data collected by the monitoring and data acquisition systems is processed into production process information for the MES to use. The MES is responsible for production planning and scheduling, optimization and scheduling of resources (personnel and equipment), material management, production quality control, process control, energy supply control and production process monitoring, as well as data integration and application tasks such as the necessary data and information conversions.

The industrial control layer faces the cigarette machines directly. It collects the real-time production data generated by the automatic control systems of the various cigarette production devices and receives the control instructions (such as production operations) issued by the MES. In the tobacco industry, the production control system covers production systems such as the tobacco treatment line, rolling and packaging, the power and energy center, and the logistics center of the production workshop, and is mainly responsible for processing, testing and manipulation, and operation management.

  • Security Issues Facing the Cigarette Factory

The security issues facing a cigarette factory arise mainly at the network and communication layer and at the controller, host and application layer.

Security issues of the network and communication layer:

1. The security isolation mechanism between the production network and the management network is improper.

Currently, three kinds of isolation mechanism are found between the production network and the management network.

Dual-adapter access control. As shown in Figure 4.8, the data acquisition server or OPC server is fitted with two network adapters: one communicates with the management network and the other with the production network, and the two sit on different network segments. Access control policies configured on the server (and on the front-end switching device at the production execution layer) are meant to isolate the management network from the production network.

Because the data acquisition server or OPC server is in both the production network and the management network at the same time, the dual-adapter method carries a risk of unauthorized access and data transfer between the two networks: the server itself is the bridge, and host-level policy is all that separates them.

In addition, that server is exposed to the management network, which may itself be connected to the Internet, so it can be scanned and attacked from there. At the same time it interoperates with the internal production network. If the server is infected by a virus from the management network, the virus can spread into the industrial control system on the production network and directly affect production.

Switch ACL. In the second mechanism, access control is implemented only on the switch that connects the management network and the production network, by configuring an ACL policy that specifies who is allowed to access production network devices directly. Generally, only designated network administrators are permitted.

Although some switches provide filtering controls (such as access control lists), they cannot defend against network attacks as a professional firewall can and lack stateful (dynamic) packet filtering. Using a switch as a substitute for a professional security isolation device (such as a firewall) therefore leaves the risk of attack and intrusion quite high.

Professional firewall. Some cigarette manufacturers with well-planned network structures have built a security isolation mechanism between the management network and the production network, most of them using professional firewalls for access control and attack defense. However, because standards and specifications for firewall security policies are inconsistent, some traditional firewalls support only access control and packet filtering, without security auditing or malicious behavior identification, and cannot even recognize packets of industrial Ethernet control protocols such as OPC, PROFINET/PROFIBUS and Modbus. This isolation method therefore also has its limitations.

2. Control command data is transmitted in plaintext.

The data transmitted in plaintext includes communication within the management network and the industrial control protocol traffic (such as PROFINET/PROFIBUS, Modbus and DNP3) that carries control commands. In their classic forms these protocols provide neither authentication nor encryption, so anyone who can observe traffic on the segment can read the commands and register values, and anyone who can inject traffic can forge them.

3. The management and control mechanism for wireless networks in the production network is absent or incomplete.

The Automated Guided Vehicle (AGV) system is one example. It consists of wireless access points (APs), the configuration software of the master device and an in-vehicle PLC, with Wi-Fi used for communication between the controller and the in-vehicle PLC. If such a link is left unmanaged or weakly authenticated, anyone within radio range gains a path into the production network without physical access to the workshop.

4. The security configuration of network devices is incomplete.

Most network devices on the production network are managed by the workshop system administrator rather than a security administrator, and their configuration is left at factory defaults. These devices are therefore at high risk of unauthorized access or attack.

5. The industrial control security audit mechanism is absent.

Because the daily operation and maintenance that O&M personnel perform on the industrial control network is not audited, the human factors behind abnormal events in cigarette production cannot be traced and their root cause cannot be found, so no qualitative analysis can be carried out.

System Security Protection Solutions

The production network is the core security zone of a cigarette manufacturer, containing the business systems and devices used for cigarette production. Depending on the workshop scale, it can be subdivided into four sub-zones: the energy access zone, packaging access zone, logistics access zone and power energy access zone. The production network is built hierarchically and divided into security zones, with isolation between security domains as follows:

At the boundary between the management collaboration layer (outside the production network) and the production execution layer, access control is provided by traditional firewalls, offering access control, address translation, application proxying, event auditing and alerting. Within the industrial control layer of each cigarette manufacturer, however, in the ring network and at the cigarette device nodes of the bus network, professional industrial control firewalls designed for industrial control network environments are required, because here the firewall must recognize industrial control protocol packets and parse and check the content of the industrial protocols and application data. In addition to the basic access control of a traditional firewall, an industrial control firewall performs fine-grained checks and deep filtering on packets of common industrial protocols (such as Modbus and OPC), for example permitting reads while allowing write commands only from designated hosts to designated address ranges, so as to block viruses and hacker attacks spreading from the management network and keep them from affecting the production network and production services.
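As an added example (not part of the original article or of any vendor's product), the following Python script ties together two of the points above: the plaintext transmission of control commands (issue 2) and the function-code and register-range filtering that an industrial control firewall performs. It parses a Modbus/TCP request, showing that the unit ID, register address and the value being written are plain big-endian fields readable by anyone on the segment, and then applies an allowlist that permits reads while allowing writes only from a designated MES host to a designated register range. The Modbus framing follows the public specification; the host addresses, unit ID and register ranges are assumptions, and the sample frames are constructed.

```python
"""Inspect Modbus/TCP requests the way an industrial control firewall would:
parse the MBAP header and PDU, then allow or deny by function code, source
host, unit ID and register range.  Added example, not from the original
article; the hosts, unit IDs and register ranges below are assumptions."""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # first coil/register addressed
    count: int        # number of coils/registers addressed
    data: bytes       # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request.  Every field is plaintext big-endian,
    so the address and the value being written are readable (and forgeable)
    by anyone who can see or inject traffic on the segment."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func, data = frame[7], frame[8:]
    if func in READ_FUNCS or func in (0x05, 0x06):
        if len(data) != 4:
            raise ValueError(f"function 0x{func:02x} needs a 4-byte PDU body")
        address, value = struct.unpack(">HH", data)
        count = value if func in READ_FUNCS else 1   # reads carry a quantity, single writes a value
    elif func in (0x0F, 0x10):
        if len(data) < 5:
            raise ValueError("multiple-write PDU too short")
        address, count, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != len(data) - 5:
            raise ValueError("byte count does not match data length")
    else:
        address, count = 0, 0   # not a function this policy understands
    return ModbusRequest(tid, uid, func, address, count, data)


@dataclass(frozen=True)
class WriteRule:
    """Which source host may write to which registers of which unit."""
    src_ip: str
    unit_id: int
    first_register: int
    last_register: int


def check_policy(src_ip, req, rules):
    """Reads are allowed; writes only when one rule covers the whole range;
    anything else (diagnostics, vendor codes) is denied.  Returns (allowed, reason)."""
    if req.function in READ_FUNCS:
        return True, f"allow {READ_FUNCS[req.function]} from {src_ip}"
    if req.function in WRITE_FUNCS:
        last = req.address + req.count - 1
        for r in rules:
            if (r.src_ip == src_ip and r.unit_id == req.unit_id
                    and r.first_register <= req.address and last <= r.last_register):
                return True, f"allow {WRITE_FUNCS[req.function]} {req.address}-{last} from {src_ip}"
        return False, (f"deny {WRITE_FUNCS[req.function]} unit {req.unit_id} "
                       f"registers {req.address}-{last} from {src_ip}: no matching rule")
    return False, f"deny function code 0x{req.function:02x} from {src_ip}: not on allowlist"


def inspect(src_ip, frame, rules):
    return check_policy(src_ip, parse_modbus_tcp(frame), rules)


# Constructed sample traffic (assumed addresses, not from a real factory).
MES_HOST = "10.1.2.10"          # the only host allowed to issue writes
OFFICE_PC = "10.1.50.7"         # a management-network workstation
RULES = [WriteRule(MES_HOST, unit_id=1, first_register=0x0000, last_register=0x00FF)]

# tid=1, unit 1, Write Single Register: set register 0x0010 to 8000 (0x1F40)
WRITE_SINGLE = bytes.fromhex("0001 0000 0006 01 06 0010 1F40")
# tid=2, unit 1, Read Holding Registers from 0x0000, quantity 10
READ_HOLDING = bytes.fromhex("0002 0000 0006 01 03 0000 000A")
# tid=3, unit 1, Write Multiple Registers 0x0100..0x0101 (outside the rule)
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0100 0002 04 0001 0002")

if __name__ == "__main__":
    req = parse_modbus_tcp(WRITE_SINGLE)
    (value,) = struct.unpack(">H", req.data[2:])
    print(f"on the wire: write {value} to register {req.address} of unit {req.unit_id}")
    for src, frame in [(MES_HOST, WRITE_SINGLE), (OFFICE_PC, WRITE_SINGLE),
                       (MES_HOST, WRITE_MULTI), (OFFICE_PC, READ_HOLDING)]:
        print(inspect(src, frame, RULES)[1])
```

The same write command is accepted from the MES host and rejected from the office workstation, and a write that spills past the permitted register range is rejected even from the MES host; a plain ACL on a switch sees only IP addresses and ports and cannot make either distinction. Note that the parser also rejects frames whose MBAP length or byte count disagrees with the actual data, which is what the text means by checking protocol content rather than only headers.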

To be continued.