Access Control Models for ICS/SCADA environments


Access control for critical infrastructure requires moving the perimeter to workloads and managing access based on context. This zero-trust approach makes access decisions based on user/device characteristics, the target workloads and the associated risk. In this article, I give an example of one of two general approaches to achieving zero-trust ICS networks.


Zero-trust network (ZTN) design begins with microsegmentation. Usually controlled with software, microsegmentation creates security zones based on risk. These zones have stronger access controls than those we traditionally create with VLANs and VLAN access control lists.


Software-defined perimeters like Cisco’s Application Centric Infrastructure (ACI) use VXLANs and a software-defined network solution. This is an excellent approach for organizations whose resources to protect were designed with security and controlled access in mind. That is not true of many ICS/SCADA networks.

We must consider that many ICS networks were implemented 30 years ago … or more. They were implemented with little attention to controlling network access. This is why next-generation firewalls designed for microsegmentation are a good approach: firewall-based segmentation works across any network infrastructure, old or new. Microsegmentation begins by defining the various layers of an ICS network.

The Purdue model

The Purdue model, derived from the Purdue Enterprise Reference Architecture (PERA), is the basis for our segmentation design. It is a widely adopted ICS framework that shows how the various elements of an ICS architecture interconnect.

The Purdue model consists of three zones and five levels.

  • Enterprise zone
    • Level 5: Enterprise network
    • Level 4: Site business and logistics
  • Industrial DMZ
  • Manufacturing/Industrial zone
    • Level 3: Site operations
    • Level 2: Area supervisor control
    • Level 1: Basic control
    • Level 0: The process
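To make the segmentation design concrete, here is an added example of my own (not code from the original post or from Infosec Resources) that encodes the zones and levels above as a default-deny flow policy and audits a constructed set of observed flows against it. The segment names, the services and the allow-list are assumptions chosen for illustration, not a recommended production rule set.

```python
from dataclasses import dataclass

# Zones and levels as listed above. The Industrial DMZ is modelled as its own
# zone sitting between Enterprise (L5/L4) and Manufacturing (L3..L0).
ZONE_OF = {
    "L5": "enterprise", "L4": "enterprise",
    "IDMZ": "idmz",
    "L3": "manufacturing", "L2": "manufacturing",
    "L1": "manufacturing", "L0": "manufacturing",
}

@dataclass(frozen=True)
class Flow:
    src: str      # Purdue segment of the source, e.g. "L4"
    dst: str      # Purdue segment of the destination
    service: str  # protocol/port, e.g. "tcp/502" (assumed Modbus/TCP)

# Constructed allow-list (assumption): enterprise traffic terminates in the
# IDMZ, only the IDMZ reaches site operations (L3), and inside the
# manufacturing zone only adjacent levels exchange traffic.
ALLOW = {
    ("L4", "IDMZ"): {"tcp/443"},
    ("IDMZ", "L3"): {"tcp/443", "tcp/1433"},
    ("L3", "L2"): {"tcp/102", "tcp/502"},
    ("L2", "L1"): {"tcp/502", "udp/2222"},
    ("L1", "L0"): {"*"},
}

def evaluate(flow):
    """Return (allowed, reason) for one flow under the segmentation policy."""
    if flow.src not in ZONE_OF or flow.dst not in ZONE_OF:
        return False, "unknown segment"
    zones = {ZONE_OF[flow.src], ZONE_OF[flow.dst]}
    # Rule 1: enterprise and manufacturing never talk directly; the IDMZ brokers.
    if zones == {"enterprise", "manufacturing"}:
        return False, "enterprise<->manufacturing flow bypasses the Industrial DMZ"
    # Rule 2: everything else needs an explicit allow entry (default deny).
    services = ALLOW.get((flow.src, flow.dst), set())
    if "*" in services or flow.service in services:
        return True, "permitted by explicit rule"
    return False, "no rule for %s -> %s %s" % (flow.src, flow.dst, flow.service)

def audit(flows):
    """Return [(flow, reason)] for denied flows; empty means the design holds."""
    return [(f, r) for f in flows for ok, r in [evaluate(f)] if not ok]

if __name__ == "__main__":
    sample = [  # constructed flows, as if exported from a firewall log
        Flow("L4", "IDMZ", "tcp/443"),
        Flow("L5", "L2", "tcp/502"),     # ERP host reaching a PLC network directly
        Flow("IDMZ", "L3", "tcp/3389"),  # RDP not on the allow-list
    ]
    for flow, reason in audit(sample):
        print("DENY", flow, "-", reason)
```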

Enterprise zone

The resources in this zone include applications and infrastructure used to manage the business overall, including ERP, HR, financials and customer relationship management.

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tom Olzak. Read the original post at: