EcoStruxure Geo SCADA Expert Forum
Schneider Electric support forum about installation, configuration, integration and troubleshooting of EcoStruxure Geo SCADA Expert (ClearSCADA, ViewX, WebX).
Posted: 2022-04-05 10:21 PM . Last Modified: 2023-05-02 11:57 PM
In a standard SCADA/ICS environment with HMIs, PLCs, engineer workstations, SCADA servers, etc., how do you all group systems and segment?
Mainly talking about Purdue model level 3-0.
Posted: 2022-04-06 09:08 PM
I'd recommend moving to a more modern conceptualisation of security around OT networks, like 62443.
Then you'd apply a risk management approach to the assets (and data), and separate your system into security zones and conduits between the security zones.
The security zones may align with the Purdue model zones, but often will also entail some 'silos' to separate areas within the same Purdue layer.
We have customers with very flat, open networks: once you're in the OT space it's a free-for-all, with essentially no firewalls or security controls. We also have customers where each remote site (which often contains just a modem and an RTU) is a separate IPsec subnet with full firewall rules (and IDS) isolating it from every other remote site (and from the SCADA).
These kinds of decisions come down to the corporate risk appetite vs the financial availability.
There's no one 'correct' answer.
I would generally consider identifying your core functional assets and applying significant resources to secure these.
For things like alarming and control this would often be the SCADA Servers, but for onsite operation it would often be the PLC/RTU controller.
For something like a Sewer Pump Station the consequence of an RTU/PLC triggered event may not be as severe as for something like a Fluoride / Chlorine dosing unit, so a lesser degree of security may be warranted on SPS sites vs Chlorinators.
There's not really a 'standard SCADA/ICS environment'; all of the operating conditions are different for each situation, so each should be assessed separately (again, the likes of 62443 provide some guidance on how the assessments should be performed for certain aspects).
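One way to turn the zone-and-conduit idea above into a check you can run against firewall or NetFlow records, as an added example that is not from the post or from Geo SCADA itself: zones are declared as subnets, the approved conduits are an explicit allow-list, and every other cross-zone flow (site-to-site traffic in particular) is reported. All addresses, zone names and port numbers below are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed example addressing for a small water utility; none of these
# addresses, zone names or port numbers come from the forum post.
ZONES = {
    "scada_servers":    ipaddress.ip_network("10.10.0.0/24"),  # SCADA servers (Purdue L2/3)
    "eng_workstations": ipaddress.ip_network("10.10.1.0/24"),  # engineering workstations
    "site_sps01":       ipaddress.ip_network("10.20.1.0/24"),  # sewer pump station: modem + RTU
    "site_chl01":       ipaddress.ip_network("10.20.2.0/24"),  # chlorine dosing site: modem + RTU
}

# Conduits the risk assessment approved, as (source zone, destination zone, dst port).
# Assumed: SCADA polls each RTU on DNP3 (TCP 20000); nothing else crosses a zone
# border, and in particular no remote site may talk to another remote site.
CONDUITS = {
    ("scada_servers", "site_sps01", 20000),
    ("scada_servers", "site_chl01", 20000),
    ("eng_workstations", "scada_servers", 443),
}

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its declared zone, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def audit(flows: Iterable[Tuple[str, str, int]]) -> List[str]:
    """Return one finding per flow that crosses a zone border without an approved conduit."""
    findings = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append(f"UNZONED {src} -> {dst}:{dport}")  # asset missing from the model
        elif sz != dz and (sz, dz, dport) not in CONDUITS:
            findings.append(f"NO CONDUIT {sz} -> {dz}:{dport} ({src} -> {dst})")
    return findings

# Constructed flow records (src, dst, dst port), as exported from a firewall log or NetFlow.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.1.10", 20000),   # SCADA polling the SPS RTU: approved conduit
    ("10.10.1.7", "10.10.0.5", 443),      # engineer to SCADA server: approved conduit
    ("10.20.1.10", "10.20.2.10", 20000),  # site-to-site traffic: the per-site isolation forbids this
    ("10.10.1.7", "10.20.2.10", 20000),   # workstation straight to the chlorinator RTU: no conduit
    ("192.168.50.3", "10.20.1.10", 502),  # address in no zone: an inventory gap to chase down
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Run it over a real export and every NO CONDUIT line is either a rule that should not exist or a conduit the assessment forgot to record; UNZONED lines are assets the zone model does not know about.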