Industrial Control Systems (ICS) are composed of various automation control components and process control components used for real-time data acquisition and monitoring. These components include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), and the interface technologies that carry communication between them. A typical ICS control process involves three components: the control loop, the Human-Machine Interface (HMI), and remote diagnostic and maintenance tools. The control loop executes the control logic, the HMI handles the exchange of information with the operator, and the remote diagnostic and maintenance tools keep the ICS in stable, continuous operation.
1.1 Potential Risks of Industrial Control Systems
(1) Operating system security vulnerabilities
Because of compatibility problems between industrial control software and operating system patches, patches are generally not applied to the Windows platform once the system has been commissioned, so the system keeps running with known, unpatched vulnerabilities.
(2) Antivirus software installation, upgrade and update issues
Windows operating systems used in production control systems typically have no antivirus software installed, again for compatibility reasons between the industrial control software and the antivirus product, which leaves room for viruses and malicious code to spread.
(3) Virus propagation problems caused by the use of USB flash drives and CDs
Because management terminals in industrial control systems generally lack technical measures to effectively manage the use of USB flash drives and optical discs, security incidents caused by the disorderly use of peripherals occur frequently.
(4) The problem of arbitrarily connecting laptops during equipment maintenance
Management and maintenance of industrial control systems are threatened by the fact that the laptops connected to them during maintenance do not meet any defined security baseline.
(5) There is a risk that the industrial control system may be intentionally or unintentionally controlled.
Without monitoring of, and response measures for, the operational behavior of industrial control systems, abnormal operations within these systems, whether accidental or malicious, can pose significant risks.
(6) The problem of delayed response due to failure to detect faults in industrial control system control terminals, servers, and network equipment in a timely manner.
Monitoring the operational status of IT infrastructure in industrial control systems is fundamental to the stable operation of industrial control systems.
1.2 Risks Brought to Industrial Control Systems by the Integration of Informatization and Industrialization
Initially, industrial control systems and enterprise management systems were isolated from each other. In recent years, however, to achieve real-time data acquisition and production control, to meet the needs of the "integration of informatization and industrialization," and to simplify management, the air gap has been replaced by logical isolation, allowing direct communication between industrial control systems and enterprise management systems. Enterprise management systems are typically connected directly to the Internet. In this scenario, the reach of the industrial control system extends beyond the enterprise network, and it is exposed to threats from the Internet as well. At the same time, to achieve integrated management and control, raise the enterprise's level of informatization and overall automation, and make production and management more efficient and effective, enterprises have introduced Manufacturing Execution Systems (MES) to integrate industrial control systems with management information systems, enabling data exchange between the management information network and the production control network. As a result, production control systems no longer operate independently but must interconnect with management systems and even the Internet.
1.3 Risks arising from the use of general-purpose hardware and software in industrial control systems
Industrial control systems are evolving towards industrial Ethernet architectures and becoming increasingly open. OPC technology running over TCP/IP Ethernet is widely used in this field. Because they make industrial systems easy to integrate and use, industrial Ethernet ring networks and the OPC communication protocols are extensively used for industrial control system integration. At the same time, PC servers and terminal products are widely deployed, and the operating systems and databases are largely general-purpose products, which makes them vulnerable to attacks by viruses, Trojans, and hackers originating from the enterprise management network or the Internet.
II. Industrial Control System Security Design
The above analysis of the security status of industrial control systems shows that the use of general-purpose platforms increases the security risks they face. The security risks arising from the "integration of informatization and industrialization" and from the inherent weaknesses of industrial control systems are addressed mainly through two aspects of security protection. First, a "three-tier architecture, two-tier protection" system is used to layer, segment into domains, and classify the industrial enterprise's information systems, so that operational behavior towards the industrial control system is strictly and exclusively controlled and every operation on the industrial control system has a single, authorized source. Second, an industrial control system security management platform ensures the security and reliability of HMIs, management workstations, control servers, and industrial control communication facilities.
2.1 Construct a security system with a "three-tier architecture and two-tier protection"
Industrial control systems require horizontal layering, vertical domain segmentation, and regional hierarchical security protection. Otherwise, if management information systems, production execution systems, and industrial control systems are on the same network plane with unclear layers and interdependencies, intrusions or viruses originating from management information systems can easily damage industrial control systems. Network storms and denial-of-service attacks can easily consume system resources, rendering normal service functions impossible.
2.1.1 Three-tier architecture of industrial control system
Information systems in general industrial enterprises can be divided into three layers: management layer, manufacturing execution layer, and industrial control layer. Between the management layer and the manufacturing execution layer, security measures include authentication, access control, detection and auditing, link redundancy, and content inspection. Between the manufacturing execution layer and the industrial control layer, the main focus is on preventing direct access from the management layer to the industrial control layer, ensuring the uniqueness of operations performed by the manufacturing execution layer on the industrial control layer. The three-layer architecture of an industrial control system is shown in the diagram below:
In recent years, the industry has proposed a defense-in-depth strategy [1, 6-7] to protect the network security of a typical ICS system, which mainly includes the following:
1) Implement a multi-layered network topology for the ICS, with the most critical communications placed in the most secure and reliable layer.
2) Provide logical isolation between the enterprise network and the ICS network (i.e., configure a stateful inspection firewall between the two networks).
3) Use a DMZ network architecture, so that traffic between the enterprise network and the ICS network terminates in the DMZ (for example at a historian or data mirror) instead of passing directly between the two.
4) Ensure that critical components are redundant and deployed on redundant networks.
5) If testing confirms that it will not affect ICS operation, disable unused ports and services on the ICS device.
6) Strictly restrict physical access to the ICS network and its devices.
7) Establish role-based access control and configure the permissions of each role according to the principle of least privilege.
8) Consider using separate authentication mechanisms for users of the ICS network and the enterprise network.
9) Implement security controls, such as antivirus software and file integrity checking software, where technically feasible, to prevent, detect, and reduce the entry and spread of malware.
10) Apply security technologies such as encryption in the storage and communication of ICS data.
11) Test all patches on a test system under field conditions before installing them on the ICS, and deploy security patches promptly once they have passed testing.
12) Track and monitor audit logs in critical areas of the ICS.
This approach emphasizes multi-layered, multi-level security protection within the ICS's three-tier network architecture. Firewalls are deployed at each layer boundary for effective isolation. Specifically, a commercial firewall, commercial IDS, and IPS are deployed at the information management layer to filter, monitor, and block attacks at layers 2-7. An industrial firewall for production process control is deployed at the production management layer, while dedicated VPN devices are used for external users and third-party connections at the information management layer. A unidirectional network gateway with physical isolation capabilities is deployed at the production management layer, so that its one-way data import and physical isolation strictly control the direction of information flow in industrial processes. In addition, antivirus servers and terminal management systems are deployed in the access area, and an audit system is deployed for the commercial database to meet data management requirements. An operation and maintenance audit system is deployed on the management and maintenance client to meet configuration management requirements and strengthen password and access control. Operating system-level vulnerabilities on PCs/servers are managed by deploying commercial vulnerability scanning products, and wireless security products are deployed for systems that use wireless connections. Through the multi-layered and multi-level protection described above, the requirements of the "Notice on Strengthening the Information Security Management of Industrial Control Systems" (MIIT [2011] No. 451) can be basically met.
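The following is an added example, not code from the original article or from any product it mentions, that turns the three-tier model of section 2.1.1 and items 2), 3), 7) and 12) of the defense-in-depth list into a check that can be run against connection logs. It assumes a zone plan (the CIDRs for the management, MES, DMZ and control layers are invented), an explicit allow-list of cross-layer flows in which the management layer never reaches the control layer directly and the control layer only pushes data outward through the one-way gateway into the DMZ, and a constructed log format carrying the source, destination, port and, for Modbus/TCP, the function code. Every connection that is not on the allow-list is reported with the reason, so the same code can be used to audit a firewall's exported logs or to generate the rule set the audit expects.

```python
"""Audit cross-layer connections in a three-tier ICS network against a zone policy.

Added example; the zone CIDRs, host addresses, permitted flows and log lines are all
constructed for illustration and do not come from any real deployment.
"""
import ipaddress
import re

# Zone plan for the three tiers plus the DMZ that sits between them (assumed CIDRs).
ZONES = {
    "management": ipaddress.ip_network("10.10.0.0/16"),      # enterprise / management layer
    "mes":        ipaddress.ip_network("10.30.0.0/16"),      # manufacturing execution layer
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),      # historian / data mirror
    "control":    ipaddress.ip_network("192.168.100.0/24"),  # PLCs, HMIs, engineering stations
}

# Permitted cross-layer flows as (source zone, destination zone, destination port).
# Management may only reach the MES and the DMZ; only the MES may talk to controllers;
# controllers only push into the DMZ (the one-way gateway direction). Everything else is denied.
ALLOWED_FLOWS = {
    ("management", "mes", 443),     # MES web interface
    ("management", "dmz", 443),     # reports served from the historian mirror
    ("mes", "control", 502),        # Modbus/TCP from MES to PLCs
    ("mes", "control", 44818),      # EtherNet/IP from MES to PLCs
    ("control", "dmz", 5432),       # historian push through the unidirectional gateway
}

# Modbus function codes that change controller state (coil/register writes).
# Reads (FC 1-4) are deliberately not listed.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

# Constructed log format: timestamp, src, dst, dport and an optional Modbus function code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: fc=(?P<fc>\d+))?$"
)


def zone_of(ip_text):
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(src, dst, dport, fc=None):
    """Return the list of policy findings for one connection; an empty list means allowed."""
    findings = []
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "unknown" or dst_zone == "unknown":
        bad = src if src_zone == "unknown" else dst
        return ["address %s is not in any planned zone" % bad]
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is outside the scope of boundary checks
    if (src_zone, dst_zone, dport) not in ALLOWED_FLOWS:
        findings.append("%s->%s:%d is not a permitted cross-layer flow" % (src_zone, dst_zone, dport))
    if src_zone == "management" and dst_zone == "control":
        findings.append("management layer reached the control layer directly")
    if dst_zone == "control" and fc in MODBUS_WRITE_FCS and src_zone != "mes":
        findings.append("Modbus write FC%d issued from the %s zone" % (fc, src_zone))
    if src_zone == "dmz" and dst_zone == "control":
        findings.append("traffic flowing back against the one-way gateway")
    return findings


def audit(lines):
    """Parse log lines and return (line, findings) for every connection that violates policy."""
    violations = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            violations.append((line, ["unparseable log line"]))
            continue
        fc = int(m["fc"]) if m["fc"] else None
        findings = check_flow(m["src"], m["dst"], int(m["dport"]), fc)
        if findings:
            violations.append((line, findings))
    return violations


# Constructed sample log: two legitimate MES operations, a management workstation
# writing to a PLC, a normal historian read, the gateway push, and two boundary violations.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z src=10.30.1.5 dst=192.168.100.10 dport=502 fc=3",
    "2024-05-01T08:00:02Z src=10.30.1.5 dst=192.168.100.10 dport=502 fc=16",
    "2024-05-01T08:00:03Z src=10.10.4.22 dst=192.168.100.10 dport=502 fc=6",
    "2024-05-01T08:00:04Z src=10.10.4.22 dst=10.20.0.7 dport=443",
    "2024-05-01T08:00:05Z src=192.168.100.10 dst=10.20.0.7 dport=5432",
    "2024-05-01T08:00:06Z src=10.20.0.7 dst=192.168.100.10 dport=22",
    "2024-05-01T08:00:07Z src=10.10.4.22 dst=192.168.100.10 dport=3389",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("    -", f)
```

The allow-list is intentionally expressed per destination port rather than per zone pair: the MES is permitted to reach controllers on the control protocols only, so an engineering tool run from an MES host over SSH or RDP would still be flagged, which is what "uniqueness of operations" between the execution layer and the control layer requires in practice.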