Guidelines for Industrial Control System Security Protection: From Infrastructure to Security Evaluation Practices

Industrial Control Systems (ICS) are an important component of national critical information infrastructure, and their security bears directly on the stable operation of industrial production and on public safety. Under the dual requirements of cybersecurity level protection and commercial cryptography application security assessment, how to build an ICS security protection system systematically has become a question that enterprises must face. This article organizes the components of industrial control systems and the requirements of level protection and cryptographic security evaluation, and proposes feasible security construction plans based on a practical case.

01 Overview of Industrial Control Systems

1. Core Components of ICS

Industrial control systems are integrated systems that include various hardware and software, mainly consisting of the following key components:

  • SCADA System: Implements monitoring and control of field devices, most widely used in power systems.
  • DCS System: Centralized management and decentralized control, suitable for process industries.
  • PLC: The “smart command center” in industrial automation, receiving sensor signals and outputting control commands.
  • HMI: Human-Machine Interface, making information human-readable.
  • RTU: Remote Terminal Unit, commonly used for remote monitoring and control.

2. Five-Layer Architecture of ICS

Industrial control systems are typically divided into five levels:

  1. Field Device Layer (L0): Sensors, actuators, etc.
  2. Field Control Layer (L1): PLCs, DCS controllers, etc.
  3. Process Monitoring Layer (L2): SCADA, HMI, OPC servers, etc.
  4. Production Management Layer (L3): MES systems, responsible for production scheduling and management.
  5. Enterprise Resource Layer (L4): ERP systems, providing decision support for enterprises.

02 Security Requirements under Level Protection and Security Evaluation

1. Differences between ICS and IT Systems

2. Key Items of Extended Requirements for Level Protection

[Physical Protection of Outdoor Control Equipment]

  • Industrial site environments need to implement measures for waterproofing, fire protection, ventilation, heat dissipation, and anti-theft.
  • Prevent electromagnetic interference and strong heat sources.

The ingress protection (IP) rating of industrial security equipment is generally required to meet IP40.

[Network Architecture Security]

  • Industrial systems must be unidirectionally isolated from the enterprise network (industrial network gateway/industrial firewall).
  • Within the control system, security domains should be divided according to business, with technical isolation between domains.
  • Real-time control systems should use independent network devices to achieve physical isolation.

[Communication Transmission Security]

  • Systems at level three and above must use cryptographic technology to ensure integrity and confidentiality (e.g., IPSec/SSL VPN).
  • Authentication based on cryptographic technology should be performed before communication.
  • Cryptographic operations and key management should be based on hardware cryptographic modules.
  • When transmitting control commands over wide area networks, encryption + authentication + access control are required.

[Access Control Security]

  • Access control devices should be deployed at system boundaries, with access control policies configured.
  • Timely alarms should be triggered when boundary protection mechanisms fail.
  • Limit the number of users with dial-up access permissions.
  • Dial-up servers and clients should use securely hardened operating systems, implementing digital certificate authentication, transmission encryption, and access control measures.

[Control Device Security]

  • Meet identity authentication, access control, and security audit requirements. For older devices that cannot meet these requirements, compensatory measures should be taken through upper-level machines or management methods.
  • Implement a “whitelist mechanism” where only software on the whitelist can run.
  • Disable or remove floppy drives, CD drives, USB ports, serial ports, or redundant network ports from control devices.
  • Strictly monitor and manage essential communication peripheral interfaces.
  • Patch updates must be tested before implementation to avoid affecting production continuity.

03 Practical Case of Security Construction

The following is a typical case of level three construction for an industrial control system.

1. Security Requirement Analysis

From the perspective of level three protection, the main security requirements of this system include:

  • Overall Division Requirement: Reduce the scope of risk impact by dividing network security domains.
  • Network Isolation Requirement between MES System and Centralized Control System: Prevent security issues such as viruses and worms in the MES system from affecting the centralized control system.
  • Vulnerability Checking and Protection Requirements for Monitoring Terminals and Servers: Detect and manage system vulnerabilities, and restrict employees from using USB drives freely to avoid virus spread.
  • Real-time Monitoring Requirement for the Network: Monitor the industrial control network of centralized control and business control in real time to assist in fault location and resolution.
  • Communication Security Protection Requirements for Information Systems Connected to External Networks: Authenticate identities before communication, ensure the integrity and confidentiality of messages during communication, and maintain the integrity of boundary access control information and the authenticity of access devices.
  • Security Protection Requirements for Various Devices and Computing Environments: Device identity authentication, login user identity authentication, remote channel security, and authenticity of executable programs.
  • Security Protection Requirements for Business Data: User identity authentication, access control, application source assurance, and security of data collection, transmission, storage, and processing, etc.


2. Security Domain Division

  • Production Management Domain: MES servers, etc.
  • Process Monitoring Domain: Business servers, upper-level machines, engineer stations.
  • Field Control Domain: Divided into control zones 1, 2, and 3 according to process segments.
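The network architecture requirements above (unidirectional isolation, security domains divided by business, technical isolation between domains) and the domain division of this case can be expressed as a zone-and-conduit policy. The following is an added example, not code from the original article: it assumes constructed address ranges for each domain and an illustrative rule set (data flows upward from process monitoring to MES over TLS, SCADA polls the PLCs in each control zone over Modbus/TCP, everything else is denied), and flags every flow the industrial firewall would block as something the monitoring system should alarm on.

```python
import ipaddress

# Security domains of the case study. The address ranges are constructed for this example.
DOMAINS = {
    "production_management": ipaddress.ip_network("10.3.0.0/16"),  # L3: MES servers
    "process_monitoring": ipaddress.ip_network("10.2.0.0/16"),     # L2: SCADA, HMI, OPC, engineer stations
    "control_zone_1": ipaddress.ip_network("10.1.1.0/24"),         # L1: process segment 1
    "control_zone_2": ipaddress.ip_network("10.1.2.0/24"),         # L1: process segment 2
    "control_zone_3": ipaddress.ip_network("10.1.3.0/24"),         # L1: process segment 3
}

# Permitted conduits: (source domain, destination domain) -> allowed (protocol, port) pairs. Anything not
# listed is denied, so sessions only start in the documented direction and control zones never reach each other.
CONDUITS = {
    ("process_monitoring", "production_management"): {("tcp", 443)},  # OPC server pushes data up to MES
    ("process_monitoring", "control_zone_1"): {("tcp", 502)},         # SCADA polls PLCs over Modbus/TCP
    ("process_monitoring", "control_zone_2"): {("tcp", 502)},
    ("process_monitoring", "control_zone_3"): {("tcp", 502)},
}

def domain_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in DOMAINS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(src, dst, proto, port):
    """Return ('allow' | 'deny', reason) for one flow, emulating the industrial firewall policy."""
    s, d = domain_of(src), domain_of(dst)
    if "unknown" in (s, d):
        return "deny", f"address outside every security domain: {src} -> {dst}"
    if s == d:
        return "allow", f"intra-domain traffic inside {s}"
    if (proto, port) in CONDUITS.get((s, d), set()):
        return "allow", f"permitted conduit {s} -> {d} {proto}/{port}"
    return "deny", f"no conduit for {s} -> {d} {proto}/{port}"

def audit(flows):
    """Denied flows are boundary violations the anomaly monitoring system should alarm on."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]

# Constructed sample flows, as the anomaly monitoring system beside the core switch might see them.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.1.20", "tcp", 502),  # SCADA polling a PLC: allowed
    ("10.2.0.10", "10.3.0.5", "tcp", 443),   # data pushed upward to MES: allowed
    ("10.3.0.5", "10.1.2.20", "tcp", 502),   # MES host reaching straight into a control zone: denied
    ("10.1.1.20", "10.1.2.20", "tcp", 502),  # PLC talking to a PLC in another zone: denied
    ("10.2.0.10", "10.1.3.20", "tcp", 22),   # SSH to a PLC, not a documented conduit: denied
]
```

Running `audit(SAMPLE_FLOWS)` returns the last three flows with their reasons; the same function can be pointed at exported flow records to check that the deployed firewall rules match the intended domain division.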

3. Security Protection Deployment

  • Physical Environment Security: Ensure the availability of industrial control systems, avoiding production accidents caused by control device downtime, short circuits, fires, theft, etc.
  • Communication and Network Protection: Deploy industrial firewalls at the network boundaries of the production management layer and the process monitoring layer to prevent security risks from penetrating downwards. Deploy industrial firewalls in each security area to prevent security risks from spreading internally. Deploy industrial anomaly monitoring and auditing systems next to the core switches in the process monitoring layer to monitor network intrusions from outside and inside, and to monitor abnormal network traffic and behavior in real time, triggering alarms. Establish encrypted channels using SSL/IPSec VPN for Ethernet transmission, with digital certificates for identity authentication; system operation and maintenance should go through bastion hosts that support the national cryptographic algorithms.
  • Computing Environment Security: Install industrial control host protection systems on the servers and workstations in the process monitoring layer and production management layer to ensure host security. In terms of cryptography, deploy digital signature servers for data integrity protection, deploy encryption machines (hardware cryptographic devices) for data encryption and key lifecycle management, and equip digital certificates for identity authentication.
  • Unified Security Management: Divide off an independent security operation and maintenance area in the production management layer, deploying industrial control vulnerability scanning systems and industrial control information security management systems to achieve unified management of security vulnerabilities and security events.
  • SCADA System Cryptographic Application: Deploy identity authentication systems and key management systems, embed cryptographic cards in operator stations and engineer stations, embed cryptographic modules in RTUs and PLCs, and use the identity authentication system to issue digital certificates to operator stations, engineer stations, RTUs, PLCs, and the key management system. The key management system distributes keys; when the operator station collects data from RTUs or PLCs, it is done in encrypted form, and the engineer station downloads configurations from the operator station.
  • Industrial Wireless Network Cryptographic Application: Industrial wireless networks are also quite common. Wireless APs and wireless access devices embed cryptographic modules, and wireless access devices are installed on AGV carts. The identity authentication system issues digital certificates to these devices. When gateways communicate with field devices, encrypted communication and MAC calculation and verification are implemented.
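The SCADA and wireless items above both rely on per-device keys from the key management system and on MAC verification of every frame exchanged between a gateway and a field device. The following added example (not code from the original article) shows the receiving side of that check: it uses HMAC-SHA256 from the Python standard library in place of the national algorithms named on this page, a constructed device key, and a sequence number so that a resent frame is rejected as a replay as well as a modified one.

```python
import hmac
import hashlib
import struct

# Per-device key as distributed by the key management system. The value is constructed for this
# example; a real deployment would use keys held in a hardware cryptographic module.
DEVICE_KEYS = {"plc-zone1-01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}

HEADER = struct.Struct("!16sQ")  # device id (16 bytes, zero padded) + 64-bit sequence number
TAG_LEN = 32                     # HMAC-SHA256 output length

def build_frame(device_id, seq, payload, key):
    """Gateway side: identity + sequence number + payload, followed by a MAC over all of it."""
    header = HEADER.pack(device_id.encode().ljust(16, b"\0"), seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class FieldDevice:
    """RTU/PLC side: accepts a frame only if the MAC verifies and the sequence number advances."""
    def __init__(self, device_id, key):
        self.device_id, self.key, self.last_seq = device_id, key, 0

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "frame too short"
        header, body, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None, "MAC verification failed"
        dev, seq = HEADER.unpack(header)
        if dev.rstrip(b"\0").decode() != self.device_id:
            return None, "frame addressed to another device"
        if seq <= self.last_seq:
            return None, "replayed or out-of-order sequence number"
        self.last_seq = seq
        return body, "ok"

def demo():
    """Exercise the four cases a verifier must get right; returns the list of outcomes."""
    key = DEVICE_KEYS["plc-zone1-01"]
    plc = FieldDevice("plc-zone1-01", key)
    frame = build_frame("plc-zone1-01", 1, b"SET valve_07 OPEN", key)
    outcomes = [plc.accept(frame)[1]]                 # genuine command: ok
    outcomes.append(plc.accept(frame)[1])             # same frame resent: replay rejected
    tampered = bytearray(frame)
    tampered[HEADER.size + 14] ^= 0x01                # flip one bit inside the payload
    outcomes.append(plc.accept(bytes(tampered))[1])   # modified command: MAC fails
    outcomes.append(plc.accept(build_frame("plc-zone1-01", 2, b"READ temp_03", key))[1])  # next: ok
    return outcomes
```

Confidentiality is not shown here; on the page's design the payload would additionally be encrypted by the embedded cryptographic module before the MAC is computed.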

Conclusion: Security construction of industrial control systems must follow the concept of “one center, threefold protection”, considering physical security, network security, host security, and management security, while also balancing the dual requirements of level protection and cryptographic security evaluation. In actual deployment, the principle of business priority should always be adhered to, and no security measure may affect the reliability and functional safety of the industrial control system itself. Through partition isolation, protocol analysis, host whitelisting, unified operation and maintenance, and cryptographic protection, a truly “operable, manageable, and auditable” industrial security protection system can be constructed.
