Use the Purdue Model to Protect High-Value Targets

essidsolutions

According to the Proofpoint 2019 State of the Phish report, the number of phishing attacks is increasing. Production/operations networks are the most popular targets. These targets include all industrial control and management systems (ICS), including manufacturing and utilities. Another popular target category is R & D systems.

Protecting these networks requires isolating them from the higher-risk user environments in organizations. Software-defined perimeters are the approach most security professionals recommend today for achieving zero-trust networks. However, they are not always appropriate for legacy production systems. Many of these systems were implemented years ago with little or no attention to security. In these and other cases, the use of firewalls for microsegmentation is often a better choice.

Production Networks

Production networks and their relationship to business management networks are best described by the Purdue Enterprise Reference Model (PERA). The Purdue Model separates production and related business management networks into three zones and five levels.

Enterprise Zone

  • Level 5: Enterprise network
  • Level 4: Site business and logistics

Industrial DMZ

Manufacturing/ Industrial Zone

  • Level 3: Site operations
  • Level 2: Area supervisor control
  • Level 1: Basic control
  • Level 0: The process

This model was designed to protect critical infrastructure. It easily applies to any manufacturing and service creation/delivery organization. However, we can adapt and apply it to any high-value target. For example, why would business users need direct access to R & D networks? This model also applies to isolating medical equipment.

We can place any high-value target in one or more levels of the Manufacturing/Industrial Zone when the target has little to do with general business administration.

Enterprise Zone

The Enterprise Zone includes the network segments used to run the business, including payroll, marketing, billing, email, and internet access (Level 5). In Level 4 are the IT services and infrastructure that support Level 5. Level 4 services interface with Level 3 to provide information to management needed for operational, tactical, and strategic planning.

When designing access to high-value network targets, we assume that all other areas of the business are hostile. For example, organizations should consider all resources in the Enterprise Zone (not just what is coming from the internet) as compromised.

Considering business user devices compromised is not a stretch. Malicious actors today focus on users and their devices to gain entry into target networks.

Industrial DMZ

The Industrial DMZ separates the Enterprise Zone from the Manufacturing/Industrial Zone. It functions in the same way as the DMZ separating the business network from the internet.

Manufacturing/Industrial Zone

The levels in the Manufacturing/Industrial Zone contain everything needed to monitor, manage, and operate production controls at a high level. We should view Level 3 systems as a central control room from which humans monitor and manage everything on the plant floor. Level 3 includes human-machine interface (HMI) systems.

Level 2 is one level lower, applying to sub-zones across the plant. It can also include HMI devices. Level 1 includes basic controls such as PLCs and other low-level devices used directly to control manufacturing equipment and delivery systems like pipelines. The services and devices controlled and monitored by the higher levels are in Level 0.

Microsegmentation

In the past, network architects considered segmentation with VLANs enough to protect high-value, high-risk resources. See Figure 1.

An increasingly popular solution is the use of firewalls to segment networks. This adds packet inspection and stronger segmentation control.

When using firewalls or software-defined perimeter solutions to implement microsegmentation, the traditional perimeter is split up to encompass each workload. Workloads are applications users and other applications access to perform business tasks.

Microsegmentation is part of a zero-trust network implementation. It controls traffic based on more than source and destination IP address/port pairs or VLAN membership. Instead, microsegmentation focuses on the user, the device, and the workload accessed. More sophisticated solutions include additional session context information, such as the time and day of access and the location of the user/device attempting to reach a target.

Segmenting the Purdue Model

When architecting security based on the Purdue Model, security professionals and network architects can use next-gen firewalls (like those from Palo Alto Networks) and supporting services designed for microsegmentation to provide fine control of network traffic. Figure 2 shows one possible approach.

Industrial DMZ Controls

The Industrial DMZ is a high wall between the high-risk business network and the production and R & D networks, shown as manufacturing zones in Figure 2. It also manages internet access to Level 3 and below.

Security teams ensure the firewall in the DMZ is configured to allow access based on the target workload and the user/device attempting to access it. A user can be a human or another workload. Access is controlled based on the workload and the user/device seeking access, not merely IP addresses and port numbers. This allows access based on user role and other context information instead of just a port/IP address pair.

Using user/device as a determining access factor requires strong verification of the user and the device. Strong user verification requires multiple authentication factors and close management of user roles.

We usually verify devices with certificates. Organizations must implement solutions that verify the trustworthiness of devices attempting to access resources below the Enterprise Zone. Ensuring expected levels of trust requires tools that let security understand the state of the device’s health, including patch levels, up-to-date antimalware, and host-based firewalls that are running and properly configured. In addition to initial verification, security should continue to monitor both user and device behavior throughout approved sessions.

Note that there is no day-to-day direct access from the Enterprise Zone to levels 0 through 2. If an organization grants access for a minimal set of user/device pairs, security must closely monitor related sessions.

Next-gen firewalls usually include IPS functionality. What an IPS allows without blocking traffic can be modeled on a continuum, as shown in Figure 3. For regular business traffic, we try to achieve a balance between security and operations. This tends to reduce false alerts and enable efficient business operation. However, known high-value targets require a move to more security.

When mostly blocking access between the Enterprise Zone and Level 3, there is little effect on business

Access to Level 3 and Below

No business users in the Enterprise Zone should have direct access to Level 3 and below. Access to these levels should be given only for the following reasons:

  • Vendor support team access based on either a privileged access management shared account or an individual account. In either case, we need two-factor authentication. Further, vendor access requires device verification and trustworthiness analysis.
  • Level 3 systems send data to management database servers in the Enterprise Zone. Consider making this a one-way path from Level 3 to the database servers.
  • Organizations should only allow vendor access to Level 3 when data in Level 4 are not sufficient. This should happen only in rare circumstances.

All Manufacturing/Industrial Zone data required by Enterprise Zone users are sent from Level 3 to Level 4 database servers for administrative business use.

Access to levels 0 through 2 has even stricter restrictions, provided by the next-gen firewall separating them from Level 3. In most cases, administrators should allow only temporary access to individuals needing access to these levels. The requirements are the same as for vendor support into Level 3, with the addition of human monitoring of explicitly approved sessions.

Note that the lowest layer of the Purdue Model includes three levels. Including all of these in the same zone enables service or product delivery if the connection to other areas of the organization’s network is interrupted.
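The Industrial DMZ and Level 3 access rules above can be written down as a single policy decision so that a firewall integration or a change-review script can check a proposed rule against the model before it is deployed. The following is an added, constructed example (not vendor code and not from the original article); the role names, the `approved_session` flag and the `one_way_push` flag are assumptions standing in for whatever identity, ticketing and replication signals a real deployment provides.

```python
from dataclasses import dataclass, field
from typing import List

# Purdue levels and the zone each belongs to; the Industrial DMZ is the boundary
# between the two groups rather than a level of its own.
ZONE_OF_LEVEL = {5: "enterprise", 4: "enterprise",
                 3: "industrial", 2: "industrial", 1: "industrial", 0: "industrial"}

@dataclass
class Device:
    cert_valid: bool           # device certificate verified
    patched: bool              # at the expected patch level
    antimalware_current: bool  # up-to-date antimalware
    host_fw_ok: bool           # host-based firewall running and properly configured

    def trusted(self) -> bool:
        return self.cert_valid and self.patched and self.antimalware_current and self.host_fw_ok

@dataclass
class Request:
    src_level: int
    dst_level: int
    role: str                       # constructed roles: "business", "vendor", "ot_engineer", "system"
    device: Device
    mfa: bool = False               # multiple authentication factors presented
    approved_session: bool = False  # hypothetical flag: explicitly approved temporary access
    one_way_push: bool = False      # hypothetical flag: Level 3 -> Level 4 database feed

@dataclass
class Decision:
    allow: bool
    controls: List[str] = field(default_factory=list)  # monitoring the session must carry

def decide(req: Request) -> Decision:
    src_zone, dst_zone = ZONE_OF_LEVEL[req.src_level], ZONE_OF_LEVEL[req.dst_level]
    strong_identity = req.mfa and req.device.trusted()
    if src_zone == "industrial" and dst_zone == "enterprise":
        # Only the one-way Level 3 -> Level 4 feed to management database servers crosses upward.
        ok = req.src_level == 3 and req.dst_level == 4 and req.one_way_push
        return Decision(ok, ["one-way"] if ok else [])
    if dst_zone == "enterprise":
        return Decision(True)  # Enterprise-internal traffic is outside this model's scope.
    if src_zone == "enterprise":
        # Industrial DMZ: no business user reaches Level 3 or below; vendors reach Level 3
        # only with MFA and a verified, healthy device, and every such session is monitored.
        if req.dst_level < 3 or req.role != "vendor" or not strong_identity:
            return Decision(False)
        return Decision(True, ["session-monitoring"])
    # Inside the zone: a person at Level 3 reaches Levels 0-2 only through an approved,
    # strongly verified, human-monitored session; control-system workloads are unaffected.
    if req.src_level == 3 and req.dst_level < 3 and req.role != "system":
        if req.approved_session and strong_identity:
            return Decision(True, ["session-monitoring", "human-monitoring"])
        return Decision(False)
    return Decision(True)
```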

Managing Access

As with any service provided by IT, access control for a high-value target must have one and only one owner. The owner is accountable for working with security and all other stakeholders to develop access policies and procedures. Procedures must include how to manage all permanent and temporary access to the lower levels of the model. Designing access could start with adapting the Purdue Model to the organization’s operational environment.

Conclusion

ICS and R & D systems are two of the most popular malicious actor targets. These high-value targets require special attention and isolation.

The Purdue Model helps understand how to segregate various parts of an organization’s network to protect high-value targets while maintaining efficient business operation. Any organization can adapt the model to isolate high-value targets and apply strong, monitored access policies.