Process control network (PCN) evolution
A Process Control Network (PCN) is a network composed of real-time industrial control systems which manage, monitor and control industrial infrastructure. PCNs rely on software, hardware, networks and their connectivity to access, control and exchange data with each other. PCNs are also known as Distributed Control Systems (DCS) or Supervisory Control and Data Acquisition (SCADA).
SCADA systems are used in various production environments. To name a few, they are used in power generation, wastewater treatment/purification, transportation systems, oil/gas pipeline/production, wind farms and more.
PCN overview and setup
PCN networks more or less consist of the following components:
- Human-Machine Interface (HMI): The Human-Machine Interface (HMI) is a device which shows data to the human operator for monitoring and controlling remotely installed systems. Examples include command-line interfaces, web-based interfaces, touchscreen interfaces and Graphical User Interface (GUI)
- Programmable Logic Controller (PLC): The Programmable Logic Controller (PLC) is a kind of controller for various processes like water flow and water level, speed, status of valve, temperature and so on. A PLC has a set of inputs for various processes and accordingly produces outputs for controlling them
- Remote Terminal Unit (RTU): The Remote Terminal Unit (RTU) is a system which is connected to various sensors involved in the process. It converts sensor data to digital form and sends it to SCADA systems
- Master Terminal Unit (MTU): The Master Terminal Unit (MTU) is the master of the PCN network. What the CPU is to the computer, the MTU is to the PCN. MTUs are central monitoring and control stations which control multiple RTUs placed at remote locations
General overview of PCN communication
The steps listed below give a small overview of how communication happens in the PCN. They are:
- End user/operator has access to the Human-Machine Interface (HMI)
- The HMI is further connected to the Master Terminal Unit (MTU), whose role is to control the Remote Terminal Units (RTUs)
- These RTUs monitor and control various Programmable Logic Controllers (PLCs), and PLCs are connected to various actuators and sensors deployed at a remote location
Communication network options
The communication steps mentioned above can transfer and receive data through a number of mediums. Below are a few of them:
- Ethernet network
- Telephone line (for systems utilizing electric signals)
- Optical fiber
- Radio/wireless
- Cellular
- Satellite
- Wi-Fi
The choice of communication medium depends on many factors, such as the cost of setting up the PCN system, the legacy of existing SCADA systems, infrastructure setup requirements and so on.
PCN architecture development
PCN systems have existed since the 1970s and have been through four generations. They are:
- Standalone/monolithic: These systems were the first/earliest SCADA systems involving minicomputers. These systems were standalone systems and weren’t connected to other systems. The protocols used were written and developed by RTU equipment vendors and were proprietary
- Distributed: In distributed systems, all the data and information processing were distributed among multiple stations/systems and these stations were connected in a LAN. Each station/system was assigned a particular task, and they shared information with other stations/systems in the LAN
- Networked: One major improvement in these systems was the use and support of WAN protocols such as Internet Protocol (IP). These systems use the IP protocol for communication with the master station and other equipment for sharing and transferring data. Also, the RTUs used in this generation of systems make use of an Ethernet connection, thus making it easier and simpler to monitor, process and control the PCN
- Web-based: This is the latest generation of PCNs in which operators make use of web browsers like Chrome and Firefox as the GUI. These systems have been on the market since 2000 and enable operators to access PCN systems from browser-based systems on mobile, server, laptop, tablet and so on
Security in a PCN system
PCN systems and computers perform sensitive and critical tasks for managing and handling critical infrastructure. Thus, these systems are considered to be excellent targets by cyberattackers, and a successful attack on one can incur a huge loss to the country and its economy.
In fact, vulnerabilities and attacks on PCN and SCADA systems have gone up 600% since 2010. (Source)
The main problem with PCN/SCADA systems is that they were not designed to be connected to the internet. This means that issues pertaining to the digital security of these systems were not considered during development and design.
PCN security overview
Some of the prime reasons why PCN/SCADA systems are so vulnerable are:
- Unsupported/outdated systems
- Increased connectivity to the internet: Many PCN systems are now being connected to the internet via a LAN or a wireless access point, exposing them to the internet and increasing unauthorized access to PCN systems
- Lack of server hardening and procedures for the protection of PCN systems
- Software: Poor configuration and implementation
- Inadequate authentication and authorization
- Inadequate monitoring
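To make the "inadequate monitoring" and "increased connectivity" points concrete, the following added example (not code from the original article) checks constructed flow records against the HMI -> MTU -> RTU -> PLC hierarchy described in the communication overview above, flagging connections that bypass a tier or cross between PCN assets and non-PCN hosts. The host addresses, role inventory, record format and port numbers are all assumptions constructed for the example.

```python
# Added example (not from the article): check flow records against the
# HMI -> MTU -> RTU -> PLC hierarchy. Addresses and records are constructed.

# Hypothetical asset inventory: address -> PCN role.
ROLES = {"10.10.1.5": "HMI", "10.10.2.10": "MTU",
         "10.20.0.7": "RTU", "10.20.0.8": "RTU", "10.30.0.21": "PLC"}

# Which role may open a connection to which role, following the hierarchy.
ALLOWED = {"HMI": {"MTU"}, "MTU": {"RTU"}, "RTU": {"PLC"}, "PLC": set()}


def classify(src, dst, dport):
    """Return (src, dst, dport, reason) if the record breaks the policy, else None."""
    src_role, dst_role = ROLES.get(src), ROLES.get(dst)
    if src_role is None and dst_role is None:
        return None  # neither side is a PCN asset: out of scope
    if src_role is None:
        return (src, dst, dport, f"non-PCN host reached {dst_role}")
    if dst_role is None:
        return (src, dst, dport, f"{src_role} initiated traffic to a non-PCN host")
    if dst_role not in ALLOWED[src_role]:
        return (src, dst, dport, f"{src_role} -> {dst_role} bypasses the hierarchy")
    return None


def audit(lines):
    """Parse 'src dst dport' records (constructed format) and collect findings."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or fields[0].startswith("#"):
            continue  # skip blank, comment and malformed records
        src, dst, dport = fields
        hit = classify(src, dst, int(dport))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample flow records; the last three violate the policy.
SAMPLE = """\
10.10.1.5 10.10.2.10 8443
10.10.2.10 10.20.0.7 20000
10.20.0.7 10.30.0.21 502
10.10.1.5 10.30.0.21 502
203.0.113.9 10.30.0.21 502
10.30.0.21 198.51.100.4 443
"""
```

Running `audit(SAMPLE.splitlines())` returns three findings: an HMI talking straight to a PLC, an outside host reaching a PLC, and a PLC opening a connection to a non-PCN address.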
How to mitigate/prevent attacks
The majority of attacks on PCN systems can be mitigated by implementing available frameworks, legislation and guidelines. The following are the sources of frameworks, legislation and guidelines available:
- Critical Infrastructure Protection (CIP)
- Department of Homeland Security guidelines
- Guide to Industrial Control Systems (ICS) Security by NIST
- Good practice guide process control and SCADA security by CPNI
- Control System Cyber Security Self-Assessment Tool (CS2SAT)
- NISCC [NISC09] — Good Practice Guide Process Control and SCADA Security
- ISO 27001 guidelines for PCN/SCADA systems
- NIST Special Publication 800-53
Conclusion
PCN systems are complex in design and implementation due to integration with different components, but it’s imperative to implement security in these systems. The security audit process must be a part of an industrial system project, and the timely audit of such systems should take place during the entire life cycle of the system.
Sources
- 3 generations of SCADA system architectures you should know about, EEP
- Process Control Network Security, S.F. (Sjoerd) Peerlkamp, M.B. (Maarten) Nieuwenhuis
- Fact sheet: Process Control System and Network Security, NOREA
- Communication Network, University of Kentucky