SCADA & Industrial Networking
Engineering Determinism in Hardened Environments
IT vs. OT: The Priority Inversion
In a standard office network, the primary goal is protecting the data (confidentiality). In a SCADA (Supervisory Control and Data Acquisition) environment, the primary goal is protecting the machine and the human operator (safety), so availability and deterministic timing outrank confidentiality. This inverts the usual ordering of the CIA triad: a control that is routine in IT, such as a forced patch reboot or an inline encryption appliance that adds latency, can stall a control loop and is a hazard in OT unless its timing impact has been engineered out.
Figure: IT vs. OT Priority Spectrum (comparing commercial vs. industrial success metrics)
IT priorities, in order:
- Confidentiality: Encrypt all data.
- Integrity: Prevent unauthorized change.
- Availability: Business continuity.
OT priorities, in order:
- Safety: Protect human life and the machine.
- Reliability: Deterministic performance.
- Productivity: OEE (Overall Equipment Effectiveness) and output volume.
The Purdue Model (Hierarchy of Control)
To secure industrial sites, we use the Purdue Enterprise Reference Architecture (PERA). This divides the network into logical levels:
- Level 0 (Physical Process): Sensors, actuators, and motors. Communication is typically 4-20mA analog (often with HART digital signalling superimposed on the loop) or a fieldbus such as Profibus-PA/DP.
- Level 1 (Basic Control): PLCs (Programmable Logic Controllers) and RTUs. These execute the control logic and process interlocks. Safety instrumented functions (emergency shutdown, trip logic) normally run on a separate Safety Instrumented System at this level, deliberately kept independent of the basic control PLCs.
- Level 2 (Area Supervisory): HMI terminals and engineering workstations. Operators monitor and adjust processes from this layer.
- Level 3 (Site Operations): Historians (OSIsoft PI, AspenTech) and local site management servers aggregate process data.
- Level 3.5 (DMZ): The firewall barrier between the factory network and the office network. No session should be routed directly between Level 4 and Level 3; every flow terminates on a DMZ host (jump server, patch mirror, replicated historian) and is re-initiated from there.
- Level 4/5 (Business): The enterprise IT network, ERP systems (SAP), and cloud services.
Figure: The Purdue Model (PERA), ISA-95 logical segmentation hierarchy with the Level 3.5 DMZ.
SCADA Protocols: Modbus, DNP3, and PROFINET
The older SCADA protocols were designed for point-to-point serial lines, where physical access to the cable was the only access control, and so carry no authentication, integrity protection, or encryption of their own. Once they are carried over Ethernet (Modbus TCP, DNP3 over TCP) they become reachable from any routed network, and any host that can open the TCP port can read registers, issue writes, or replay a captured frame, because nothing in the frame identifies or authenticates the sender.
| Protocol | Typical Use | Authentication | Encryption |
|---|---|---|---|
| Modbus TCP | General automation, sensors | None (a Modbus/TCP Security variant over TLS on port 802 exists, but device support is rare) | None |
| DNP3 | Utilities, SCADA RTUs | Optional Secure Authentication (SAv5, IEEE 1815-2012): challenge-response on critical requests | None in SA itself; TLS per IEC 62351-3 where the endpoints support it |
| PROFINET | Factory automation (Siemens) | None in the base protocol; security classes were added to the specification only recently and are rare in deployed devices | None |
| OPC UA | Cross-vendor integration, Level 3-4 | X.509 application certificates plus user tokens | SecureChannel Sign and Encrypt, or TLS when carried over HTTPS |
ISA/IEC 62443 requires that traffic crossing a zone boundary pass only through a defined conduit whose controls meet the target security level of the zones it connects; for a conduit leaving the plant, that in practice means an authenticated, encrypted transport. For legacy protocols like Modbus that cannot support this natively, a common approach is to deploy a protocol gateway at the DMZ that terminates Modbus on the plant side and exposes the data as OPC UA, providing security at the zone boundary rather than at the device level. Two caveats: the gateway becomes a trusted component that itself needs hardening and monitoring, and Modbus on the plant side of it is still unauthenticated, so the conduit into Level 1 should also restrict which hosts may send write function codes at all, not just which hosts may connect.
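The following is an added example, not code from the original page: it decodes a Modbus/TCP request at the zone boundary and applies a source-based read/write policy of the kind a gateway or conduit firewall enforces. The frames are constructed by hand and the host addresses in POLICY are assumed for illustration. Parsing the header makes the protocol-level point concrete: there is no field anywhere for a credential or a nonce, so the write frame is byte-identical whoever sends it.

```python
"""Modbus/TCP at the zone boundary: parse the frame, then decide per conduit policy.

Added example; not code from the original page. Frames are constructed by hand
and the host addresses in POLICY are assumed for illustration.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state. Everything else is read or diagnostic.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}   # coils/registers, single and multiple
READ_FUNCTION_CODES = {1, 2, 3, 4}              # coils, discrete inputs, holding/input regs


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int          # starting coil/register address
    value_or_count: int   # value for single writes, quantity for reads/multi-writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first PDU fields of a request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    PDU  = function code (1) | start address (2) | value or quantity (2) | ...
    There is no field for a credential, signature or nonce: the transaction id
    is a bare 16-bit counter, so any captured frame can be replayed unchanged.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    fc, addr, val = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, uid, fc, addr, val)


def build_request(tid: int, unit: int, fc: int, addr: int, val: int) -> bytes:
    """Build a request frame. Anyone who can reach TCP/502 on the PLC can send this."""
    pdu = struct.pack(">BHH", fc, addr, val)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


# Conduit policy enforced at the Level 2/3 boundary (addresses assumed):
# the historian poller may only read; only the engineering workstation may write.
POLICY = {
    "10.10.3.20": {"read"},
    "10.10.2.15": {"read", "write"},
}


def conduit_decision(src_ip: str, frame: bytes) -> str:
    """Return "allow" or "deny" for a Modbus request seen at the zone boundary."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "deny"                     # malformed traffic never reaches the PLC
    perms = POLICY.get(src_ip, set())
    if req.function_code in WRITE_FUNCTION_CODES:
        return "allow" if "write" in perms else "deny"
    if req.function_code in READ_FUNCTION_CODES:
        return "allow" if "read" in perms else "deny"
    return "deny"                         # diagnostics (FC 8), file records, vendor codes


# Constructed sample traffic: a read of 10 holding registers and a write of 0x00FF
# to register 16 on unit 1. The write frame is byte-identical regardless of sender,
# which is exactly why the source-based policy above has to exist.
READ_FRAME = build_request(tid=1, unit=1, fc=3, addr=0, val=10)
WRITE_FRAME = build_request(tid=2, unit=1, fc=6, addr=16, val=0x00FF)

if __name__ == "__main__":
    for src in ("10.10.3.20", "10.10.2.15", "192.168.1.99"):
        print(src, "read:", conduit_decision(src, READ_FRAME),
              "write:", conduit_decision(src, WRITE_FRAME))
```

The decision is keyed on source address because that is the only identity Modbus leaves you; it is therefore only as strong as the anti-spoofing controls on the conduit (a Layer 3 boundary with strict ACLs, not a flat Layer 2 segment).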
Handover Checklist
- [ ] Verified all switches are Industrial-Grade (DIN-rail mount, Extended Temp Range -40°C to +70°C).
- [ ] Confirmed no direct internet routing to Level 0–3 assets (verified by firewall ACL review).
- [ ] Documented all Modbus register maps, IP addresses, polling intervals, and which hosts are permitted to issue write function codes in the Network As-Built drawing.
- [ ] Tested redundant ring recovery (REP or MRP) against the site target of under 50 ms. MRP recovery classes are defined in IEC 62439-2; REP is Cisco-proprietary and is not covered by that standard, so its recovery time must be measured rather than assumed.
- [ ] Confirmed all Level 0–1 field instruments are powered from isolated 24VDC SELV sources.
- [ ] Validated that the historian can receive data across the DMZ without requiring any open inbound ports from the plant network (the plant side initiates every connection).
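The ACL review called for in the checklist (no external routing into Level 0–3, no inbound ports from the DMZ into the plant, no raw Modbus crossing the DMZ) can be expressed as invariants and run over the rule base. This is an added example, not code from the original page; the zone names, ports and both rule sets are constructed for illustration and do not describe a real site.

```python
"""Firewall ACL review against Purdue zone/conduit invariants.

Added example; not code from the original page. Zone names, ports and the
rule sets are constructed for illustration and are not from a real site.
"""
from dataclasses import dataclass

# Purdue level per zone. Higher number = further from the process, less trusted.
ZONE_LEVEL = {
    "internet": 5,
    "enterprise": 4,
    "dmz": 3.5,
    "site_ops": 3,
    "area_supervisory": 2,
    "basic_control": 1,
}

# Plaintext, unauthenticated industrial protocols that must stay below the DMZ.
LEGACY_ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection
    dst: str      # zone that receives it
    proto: str
    port: int
    action: str   # "allow" or "deny"


def review_rules(rules):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = ZONE_LEVEL[r.src], ZONE_LEVEL[r.dst]
        # 1. Enterprise or internet must never initiate straight into Level 0-3.
        if s >= 4 and d <= 3:
            findings.append(f"{r}: enterprise/internet initiates directly into the plant")
        # 2. Plant zones must never reach Level 4/5 without terminating in the DMZ.
        if s <= 3 and d >= 4:
            findings.append(f"{r}: plant zone reaches enterprise/internet, bypassing the DMZ")
        # 3. The DMZ should not open connections into the plant: plant side initiates.
        if r.src == "dmz" and d <= 3:
            findings.append(f"{r}: DMZ initiates into the plant (an open inbound port)")
        # 4. Unauthenticated ICS protocols stop below the DMZ (gateway to OPC UA there).
        if r.port in LEGACY_ICS_PORTS and max(s, d) >= 3.5:
            findings.append(f"{r}: {LEGACY_ICS_PORTS[r.port]} crosses the DMZ unprotected")
    return findings


# Constructed rule set with three defects, one per failing invariant.
CANDIDATE_RULES = [
    Rule("area_supervisory", "basic_control", "tcp", 502, "allow"),  # HMI polls PLC: fine
    Rule("site_ops", "dmz", "tcp", 4840, "allow"),        # historian pushes OPC UA to DMZ mirror: fine
    Rule("enterprise", "dmz", "tcp", 443, "allow"),       # office users read the mirror: fine
    Rule("enterprise", "site_ops", "tcp", 3389, "allow"), # RDP straight into Level 3: finding
    Rule("dmz", "site_ops", "tcp", 1433, "allow"),        # DMZ pulls from plant SQL: finding
    Rule("site_ops", "dmz", "tcp", 502, "allow"),         # raw Modbus into the DMZ: finding
    Rule("internet", "basic_control", "tcp", 502, "deny"),  # explicit deny, not a finding
]

CLEAN_RULES = CANDIDATE_RULES[:3] + CANDIDATE_RULES[-1:]

if __name__ == "__main__":
    for finding in review_rules(CANDIDATE_RULES):
        print("FINDING:", finding)
```

Running the review over the exported rule base as part of the handover, and again after every firewall change, turns the checklist item from a one-off manual inspection into a repeatable check.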