In a Nutshell

Unlike commercial IT networking, Industrial Operational Technology (OT) prioritizes safety and uptime over confidentiality. This guide provides the framework for deploying robust SCADA networks across factory floors, utility sites, and remote infrastructure nodes using the Purdue Model of logical separation.

IT vs. OT: The Priority Inversion

In a standard office network, the primary goal is protecting the data (Confidentiality). In a SCADA (Supervisory Control and Data Acquisition) environment, the primary goal is protecting the machine and the human operator (Safety).

IT vs. OT Priority Spectrum: Comparing Commercial vs. Industrial Success Metrics

IT: The CIA Triad
  • Confidentiality: Encrypt all data.
  • Integrity: Prevent unauthorized change.
  • Availability: Business continuity.

OT: The SRP Model
  • Safety: Protect human life/machine.
  • Reliability: Deterministic performance.
  • Productivity: OEE and output volume.

[Figure: Purdue Model, from Enterprise (L4) down to Process (L0)]
  • Protocol: TCP, HTTP/S, SMTP
  • Intermediary: OPC UA, MQTT
  • Control: Modbus, EtherNet/IP, PROFINET

The Purdue Model (Hierarchy of Control)

To secure industrial sites, we use the Purdue Enterprise Reference Architecture (PERA). This divides the network into logical levels:

  • Level 0 (Physical Process): Sensors, actuators, and motors.
  • Level 1 (Basic Control): PLCs (Programmable Logic Controllers) and RTUs.
  • Level 2 (Area Supervisory): HMI terminals and engineering workstations.
  • Level 3 (Site Operations): Historians and local site management.
  • Level 3.5 (DMZ): The firewall barrier between the factory and the office.
  • Level 4/5 (Business): The enterprise IT network and cloud services.

SCADA Protocols: Modbus, DNP3, and PROFINET

Legacy SCADA protocols were designed for serial lines and have no built-in security features. When they are carried over Ethernet (for example, Modbus TCP), they become highly vulnerable to spoofing.

Handover Checklist

  • [ ] Verified all switches are Industrial-Grade (Extended Temp Range).
  • [ ] Confirmed no direct internet routing to Level 0-3 assets.
  • [ ] Documented all Modbus register maps and IP addresses.
  • [ ] Tested redundant ring recovery (REP or MRP) under 50ms.
