Sun Sep 14 19:45:17 PDT 2014

Zones: Sensor and actuator connections to PLCs: How should sensors and actuators be connected to PLCs?


Options:

Option A: Connect sensors and actuators to PLCs on isolated network segments.
Option B: Connect sensors and actuators to PLCs over ICS-only restricted access network zone local segments.
Option C: Connect sensors and actuators to PLCs over dedicated encrypted tunnels through intervening infrastructure to distant ICS restricted zones.
Option D: Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure using ICS-only restricted zones.
Option E: Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using normal open networks.
Option F: Connect sensors and actuators to PLCs using otherwise unprotected open networks.

Decisions:

Sensor and actuator connections to PLCs should be protected as follows:

Consequence | Threat | Other factor | Approach(es)
High | High | -- | Connect sensors and actuators to PLCs on isolated network segments
High | Med- | -- | ANY of the above OR Connect sensors and actuators to PLCs over ICS-only restricted access network zone local segments
Med | High | Expertise Med- | ANY of the above
Med | High | High expertise | ANY of the above OR Connect sensors and actuators to PLCs over dedicated encrypted tunnels through intervening infrastructure to distant ICS restricted zones
Med | Med | real-time behavior IS critical | ANY of the above
Med | Med | real-time behavior is NOT critical | ANY of the above OR Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure using ICS-only restricted zones
Med | Low | real-time behavior IS critical | ANY of the above EXCEPT Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure ...
Med | Low | real-time behavior is NOT critical | ANY of the above OR Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using normal open networks
Low | -- | -- | ANY of the above

Connecting sensors and actuators to PLCs
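
The decision table above, as an added example that is not part of the original page: a Python check that resolves "ANY of the above" cumulatively in row order and audits a constructed inventory of sensor/actuator links against it. The Link record and the sample links are hypothetical; reading "Med-" as "Med or lower", "ANY of the above" as "every option named in an earlier row", and the truncated EXCEPT row as Option D are assumptions.

```python
from collections import namedtuple

LEVELS = {"Low": 0, "Med": 1, "High": 2}
# Hypothetical inventory record (not from the page); option is a letter A-F.
Link = namedtuple("Link", "name consequence threat expertise realtime_critical option")

# Rows in page order: (consequence, threat, other factor, added, excluded).
# Assumptions: "ANY of the above" = every option named in an earlier row;
# "Med-" = Med or lower; "--" = any value. No row names Option F.
ROWS = [
    ("High", "High", "--", "A", ""),
    ("High", "Med-", "--", "B", ""),
    ("Med", "High", "expertise Med-", "", ""),
    ("Med", "High", "expertise High", "C", ""),
    ("Med", "Med", "rt critical", "", ""),
    ("Med", "Med", "rt not critical", "D", ""),
    # The EXCEPT row is truncated on the page; read as Option D (assumption).
    ("Med", "Low", "rt critical", "", "D"),
    ("Med", "Low", "rt not critical", "E", ""),
    ("Low", "--", "--", "", ""),
]

def _level_ok(cell, value):
    if cell.endswith("-") and cell != "--":  # "Med-": at or below that level
        return LEVELS[value] <= LEVELS[cell[:-1]]
    return cell in ("--", value)

def _factor_ok(cell, link):
    if cell.startswith("expertise"):
        return _level_ok(cell.split()[1], link.expertise)
    return cell == "--" or link.realtime_critical == (cell == "rt critical")

def allowed_options(link):
    seen = set()  # options named so far, i.e. "the above"
    for cons, thr, fac, add, drop in ROWS:
        seen |= set(add)
        if cons == link.consequence and _level_ok(thr, link.threat) and _factor_ok(fac, link):
            return seen - set(drop)
    raise ValueError(f"no table row matches {link.name}")

def audit(links):
    """Return (name, option in use, permitted options) for each violation."""
    return [(ln.name, ln.option, sorted(allowed_options(ln)))
            for ln in links if ln.option not in allowed_options(ln)]

SAMPLE = [  # constructed inventory
    Link("boiler-pressure", "High", "High", "High", True, "B"),
    Link("conveyor-speed", "Med", "Low", "Med", True, "D"),
    Link("tank-level", "Med", "Low", "Med", False, "E"),
]
```

Calling audit(SAMPLE) flags boiler-pressure and conveyor-speed; tank-level passes because real-time behavior is not critical on that link.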

Basis:

The relevant part of the option space is characterized by the mix of connection locality, use restriction, and encryption. The options can be understood in terms of the expression {Direct connect | {Plant-local network {ICS-only | Mixed restricted} | {Multi-location network {ICS-only | Mixed restricted | Open}}} x {Encrypted tunnel | Open}}. This fits over the threat vs. consequence space with the addition of available expertise. Here are the basic options in detail:

Connections:
Sensors and actuators should never need to connect to anything other than programmable logic controllers (PLCs), less frequently supervisory control and data acquisition (SCADA) systems, rarely human machine interfaces (HMIs), remote terminal units (RTUs), and in some cases data historians. To the extent that they are connected to other components, this is problematic from a security standpoint. In most cases, sensors and actuators require connection only to PLCs and should be so limited. So-called intelligent sensor and actuator connections normally require 2-way communications with PLCs, so complete isolation or one-way connections are infeasible, while simple sensors need no such protection because they are not programmable and only send what they sense and act on what they are sent.

The list of alternatives is given in order from the most sure to the least sure, with the weaknesses of each accruing to those later in the list.

Encryption: Encryption takes substantial time. For a PLC that has to interact in real-time with sensors and actuators and with feedback times on the order of milliseconds, encryption isn't fast enough in most cases to allow both the necessary computations and the encryption to take place in time to meet the demands of signal timing.

Restricted access network zone: Such a zone reduces the sources that can be used to directly influence and observe sensor and actuator inputs and outputs. When such a zone is available, it should be used unless there is a reason not to use it. Restricted zones can often be extended over intervening infrastructure through the use of encrypted tunnels, subject to surety limits associated with the encryption and intervening infrastructures.

Note that except for the direct connect modes, "smart" IP- or other protocol-enabled devices are required for operation in this way.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved