ICS Network Architecture

Enumeration

Understanding ICS network architecture is crucial for effective security assessment. Proper segmentation is the primary defense for protecting industrial control systems.

The Purdue Model

The Purdue Enterprise Reference Architecture (PERA) defines zones and levels for ICS networks. Security controls should exist at each level transition.

Level 5: Enterprise - Internet, cloud services
Level 4: Business Planning - ERP/MES, email, corporate IT
Level 3.5: IT/OT DMZ - Firewall, historian mirror, jump server
Level 3: Site Operations - SCADA, HMI, engineering workstation
Level 2: Area Control - PLCs, RTUs, DCS
Level 1: Basic Control - Field PLCs, I/O modules
Level 0: Process - Sensors, actuators

Purdue Enterprise Reference Architecture (PERA)

Zone Security Assessment

IT/OT DMZ Assessment

```bash
# The DMZ should be the only connection between IT and OT
# Assess DMZ components:

# 1. Firewall Rules Analysis
# Request firewall rules from client
# Look for:
# - Overly permissive rules (any-any)
# - Direct IT-to-OT connections bypassing DMZ
# - Unnecessary ports open

# 2. Jump Server/Bastion Host
# - Is MFA enforced?
# - Session recording enabled?
# - Principle of least privilege?

# 3. Data Diode Presence
# Check if unidirectional gateway exists
# Data should flow OUT of OT (to historian mirror)
# Minimal data should flow INTO OT

# 4. Patch Management
# How are updates delivered to OT?
# Is WSUS/patch server in DMZ?
# Are updates tested before deployment?
```

Firewall Rule Analysis

```bash
# Common firewall misconfigurations in ICS
# (rules shown in a generic "permit <proto> <src> <dst> [eq <port>]" form;
#  translate to the vendor's own ACL syntax when reviewing a real rule base)

# Bad: Allow all from IT to SCADA
permit ip 10.0.0.0/8 192.168.100.0/24

# Bad: RDP directly to HMI from corporate
permit tcp any 192.168.100.50 eq 3389

# Bad: Modbus from anywhere
permit tcp any any eq 502

# Better: Specific rules
# Only allow historian replication (DMZ mirror to OT historian)
permit tcp 192.168.200.10 192.168.100.20 eq 3306

# Only allow jump server access
permit tcp 192.168.200.50 192.168.100.0/24 eq 22

# Assess with firewall rule analyzer tools:
# - Tufin
# - AlgoSec
# - Firemon
```
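Added example (not code from the original page): a small Python auditor that parses rules in the generic form shown above and flags the anti-patterns this section lists (any-any, unrestricted sources into OT, RDP into OT, Modbus reachable from anywhere, IT sources bypassing the DMZ). The zone subnets are assumptions taken from this page's example addresses, and the sample rule set is constructed from the five rules above.

```python
import ipaddress

# Assumed zone layout, taken from the example addresses used on this page.
DMZ_ZONE = ipaddress.ip_network("192.168.200.0/24")   # Level 3.5 (jump server, mirror)
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")    # Level 3 and below
ANY = ipaddress.ip_network("0.0.0.0/0")
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}
IT_PORTS = {3389: "RDP", 445: "SMB", 5900: "VNC"}

def _net(token: str) -> ipaddress.IPv4Network:
    # 'any' becomes 0.0.0.0/0; a bare host address becomes a /32
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rule(line: str) -> tuple:
    """Parse the generic 'permit <proto> <src> <dst> [eq <port>]' form used on this page."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "permit":
        raise ValueError(f"unsupported rule: {line!r}")
    port = int(tok[5]) if len(tok) >= 6 and tok[4] == "eq" else None
    return tok[1], _net(tok[2]), _net(tok[3]), port

def audit_rule(line: str) -> list:
    """Return findings for one rule; an empty list means no anti-pattern matched."""
    proto, src, dst, port = parse_rule(line)
    findings = []
    into_ot = dst.overlaps(OT_ZONE)        # 0.0.0.0/0 overlaps every network
    if src == ANY and dst == ANY:
        findings.append("any-any rule")
    if into_ot and src == ANY:
        findings.append("unrestricted source into OT")
    elif into_ot and not src.subnet_of(DMZ_ZONE):
        findings.append("source outside the DMZ reaches OT directly (bypasses Level 3.5)")
    if into_ot and port in IT_PORTS:
        findings.append(f"{IT_PORTS[port]} ({port}) allowed into OT")
    if port in ICS_PORTS and src == ANY:
        findings.append(f"{ICS_PORTS[port]} ({port}) reachable from anywhere")
    return findings

def audit_rules(text: str) -> dict:
    # audit every non-empty, non-comment line; return only the rules that were flagged
    rules = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {r: f for r in rules if (f := audit_rule(r))}

# Constructed rule set: the five rules shown on this page.
SAMPLE_RULES = """
permit ip 10.0.0.0/8 192.168.100.0/24
permit tcp any 192.168.100.50 eq 3389
permit tcp any any eq 502
permit tcp 192.168.200.10 192.168.100.20 eq 3306
permit tcp 192.168.200.50 192.168.100.0/24 eq 22
"""
```

Running `audit_rules(SAMPLE_RULES)` flags the three "Bad" rules and passes the two "Better" ones.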

Network Segmentation Testing

VLAN Hopping Tests

```bash
# Test VLAN segmentation
# From corporate network, try to reach ICS segments

# Check for VLAN hopping vulnerabilities
# Switch Spoofing (DTP)
yersinia dtp -attack 1

# Double Tagging
# Craft packet with two 802.1Q tags
# (the ">>>" lines below are typed in the scapy interactive shell)
scapy
>>> pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="192.168.100.10")/ICMP()
>>> sendp(pkt)

# Test routing between zones
# Can you ping ICS network from IT?
ping 192.168.100.10

# Traceroute to identify path
traceroute 192.168.100.10
```

Lateral Movement Testing

```bash
# Once on the ICS network, test lateral movement

# Scan for other subnets
nmap -sn 192.168.100.0/24
nmap -sn 192.168.101.0/24

# Check for flat networks
# Can Level 3 systems reach Level 1 directly?
# Should be segmented by firewalls/ACLs

# Test access between zones
# From HMI, can you reach:
# - Engineering workstation?
# - Historian directly?
# - PLCs in different areas?

# Document all unexpected connectivity
```

Remote Access Assessment

Remote access is a major attack vector for ICS. Assess all remote access mechanisms.

```bash
# Common remote access methods in ICS:

# 1. VPN
# - Is it split-tunnel? (bad)
# - MFA enabled?
# - Dedicated ICS VPN or shared?
# - Vendor VPN access?

# 2. Jump Servers
# - Is access logged?
# - Session recording?
# - Time-limited access?

# 3. Vendor Remote Access
# - TeamViewer, AnyDesk, etc.
# - Always-on connections? (bad)
# - Shared credentials?

# 4. Modem/Cellular Connections
# - Legacy dial-up modems on PLCs?
# - Cellular routers for remote sites?
# - Are these inventoried?

# War dialing for legacy modems
# (get authorization first)
# Look for modems on phone lines connected to ICS

# Scan for remote access ports
nmap -p 3389,22,5900,5800,443,8080 192.168.100.0/24
```

Common Architecture Weaknesses

Flat Networks

No segmentation between IT and OT: all devices sit on the same network, so the compromise of one system gives access to all of them.

Direct IT-OT Connections

Connections that bypass the DMZ: database connections, file shares, or RDP sessions made directly from the corporate network to process control systems.

Dual-Homed Systems

Engineering workstations with NICs in both IT and OT networks. Such a host is a bridge that bypasses the firewalls between the zones.

Uncontrolled Vendor Access

Always-on VPN connections for vendors, shared credentials, and no monitoring of vendor sessions.

Network Traffic Analysis

```bash
# Capture and analyze ICS network traffic
# Use SPAN port or network TAP

# Capture with tcpdump
sudo tcpdump -i eth0 -w ics_traffic.pcap

# Analyze protocols present (protocol hierarchy; -q suppresses per-packet output)
tshark -r ics_traffic.pcap -q -z io,phs

# Look for:
# - Unexpected protocols (should only see ICS protocols)
# - IT protocols on OT network (SMB, RDP, HTTP)
# - Cross-zone traffic
# - Unencrypted sensitive data

# Protocol-specific filters
tshark -r ics_traffic.pcap -Y "modbus"
tshark -r ics_traffic.pcap -Y "s7comm"
tshark -r ics_traffic.pcap -Y "enip"

# Identify all unique IPs communicating
tshark -r ics_traffic.pcap -q -z endpoints,ip

# List unique source/destination pairs (who talks to whom)
tshark -r ics_traffic.pcap -T fields -e ip.src -e ip.dst | sort -u
```

Architecture Assessment Checklist

Segmentation

  • ☐ IT/OT DMZ exists and is properly configured
  • ☐ Each Purdue level is segmented
  • ☐ No direct IT-to-OT connections
  • ☐ VLAN hopping not possible
  • ☐ No dual-homed systems bridging networks

Firewalls

  • ☐ Rules follow least privilege
  • ☐ No any-any rules
  • ☐ ICS protocols only allowed where needed
  • ☐ Logging enabled
  • ☐ Rules reviewed periodically

Remote Access

  • ☐ All remote access through jump server
  • ☐ MFA required
  • ☐ Session recording enabled
  • ☐ Vendor access is controlled and monitored
  • ☐ No legacy modems present

IEC 62443 Zones

IEC 62443 defines security zones and conduits. A zone is a group of assets with similar security requirements. A conduit is a controlled communication path between zones.
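Added example (not code from the original page): a Python check that applies the zone-and-conduit idea above to the kind of flow list the tshark field commands in the Network Traffic Analysis section produce, flagging cross-zone traffic with no defined conduit and IT protocols on the OT network. The zone subnets, the conduit table and the sample flows are assumptions constructed from this page's example addresses.

```python
import ipaddress
from collections import namedtuple

# Assumed zone assignment; subnets are the example addresses used on this page.
ZONES = {
    "L4-IT": ipaddress.ip_network("10.0.0.0/8"),
    "L3.5-DMZ": ipaddress.ip_network("192.168.200.0/24"),
    "L3-Site": ipaddress.ip_network("192.168.100.0/24"),
    "L2-Area": ipaddress.ip_network("192.168.101.0/24"),
}
OT_ZONES = {"L3-Site", "L2-Area"}
# Assumed conduits: (source zone, destination zone) -> permitted destination ports.
CONDUITS = {
    ("L4-IT", "L3.5-DMZ"): {443, 3389},            # users reach jump server / mirror
    ("L3.5-DMZ", "L3-Site"): {22, 3306},           # jump server SSH, historian replication
    ("L3-Site", "L2-Area"): {502, 102, 44818},     # SCADA/HMI polling controllers
    ("L3-Site", "L3-Site"): {502, 102, 44818, 3306, 22},
}
IT_PROTOCOL_PORTS = {445: "SMB", 3389: "RDP", 80: "HTTP"}  # this page's "IT protocols on OT" list

Finding = namedtuple("Finding", "src dst port reason")

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def check_flow(src: str, dst: str, port: int):
    """Return a reason string if the flow violates the model, else None."""
    sz, dz = zone_of(src), zone_of(dst)
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return f"no conduit {sz} -> {dz}"
    if dz in OT_ZONES and port in IT_PROTOCOL_PORTS:
        return f"IT protocol {IT_PROTOCOL_PORTS[port]} ({port}) on OT network"
    if port not in allowed:
        return f"port {port} not permitted on conduit {sz} -> {dz}"
    return None

def check_flows(lines) -> list:
    """lines: tshark -T fields -e ip.src -e ip.dst -e tcp.dstport output (tab separated)."""
    rows = [line.rstrip("\n").split("\t") for line in lines]
    return [Finding(s, d, int(p), r) for s, d, p in rows if (r := check_flow(s, d, int(p)))]

# Constructed sample flows (not a real capture).
SAMPLE_FLOWS = [
    "10.1.2.3\t192.168.200.50\t3389",      # corporate user to jump server: OK
    "10.1.2.3\t192.168.100.50\t3389",      # corporate RDP straight to HMI: bypasses DMZ
    "192.168.100.50\t192.168.101.10\t502", # HMI polling a PLC over Modbus: OK
    "192.168.100.50\t192.168.100.20\t445", # SMB between site systems: IT protocol on OT
    "192.168.101.10\t10.1.2.3\t443",       # controller zone talking out to IT: no conduit
]
```

`check_flows(SAMPLE_FLOWS)` returns three findings: the direct corporate-to-HMI RDP, the SMB flow inside the site zone, and the outbound flow from the area-control zone to IT.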