Introduction to Industrial Control System

darkcondor5, published in shellpwn, Aug 20, 2020

ICS Architecture: The Purdue Model

Industrial Control Systems are designed to automate a physical process. An ICS consists of sensors that measure physical properties and actuators that manipulate those properties.

The Purdue model was adopted from the Purdue Enterprise Reference Architecture (PERA) by ISA-99 (now ISA/IEC 62443) and is used as a reference model for ICS architecture.

To understand this, let's start with the example of a thermal power station.

It involves processes such as the boiler furnace that heats the water, the circulating water system, the high-pressure steam turbine, the cooling water pumps, the coal conveyor and the steam control valve. These are some of the physical processes involved in generating electricity.

To perform these processes, motors, actuators, conveyor belts and pneumatic valves are used.

To monitor these processes, sensors are installed, and field devices are used to control them.

Sensors, the controller and the actuators together form a control loop.

Sensors measure physical properties such as temperature, pressure and fluid level and transmit this information to the controller. An analog sensor encodes its reading as the current in the loop wire, which the controller interprets as an input signal from 0 to 100 %; the most common range is 4–20 mA. The 4 mA "live zero" is deliberate: a reading of 0 mA means a broken wire or dead sensor rather than a measured value of zero, so the controller can tell a fault from a low reading.

Based on these signals, the controller decides what to do according to its "logic" and sends the appropriate command to the field devices.

These field devices adjust physical attributes of the process, or turn things on and off, based on instructions from the controller.

In the early days, controllers were built from complex pneumatic valves. Later came electronic controllers that were hard-wired from the sensor to the controller and back to the control valve, which manipulated the flow. There was no concept of a network; each controller was separate.

To observe and interact with the process parameters automated by the controller, we connect it to an HMI (Human Machine Interface). The HMI is a user interface used for graphical display of the process and for setting values and parameters.

The Purdue Model (source: Onramps4xevents)

At Level 2 we have database servers that hold all of the configuration data.

Historian systems record all the process values, alarms and events that occur, as time-stamped logs.

The data stored in the historian is accessed from the enterprise network to analyse the process and make profitable business decisions.

Summing up the Purdue Model we have:

Enterprise:

Level 5: Enterprise network

Level 4: Site business and logistics

Industrial Demilitarized Zone (IDMZ): the only path between the enterprise and manufacturing zones; no connection should cross directly from one to the other.

Manufacturing zone (also called the Industrial zone):

Level 3: Site operations

Level 2: Area supervisory control

Level 1: Basic control

Level 0: The process

Source: Packt Publishing

Programmable Logic Controller

A programmable logic controller (PLC) is an industrial computer that receives inputs from input devices, evaluates those inputs against its stored program logic, and generates outputs to control peripheral output devices.

PLC Programming

As PLCs are intended to be used by electrical engineers, a graphical programming language called Ladder Logic was developed for them. Ladder logic resembles the hard-wired electromechanical relay circuits that were previously used to control devices.

Micro800 Simulator

In the figure above, the top row of numbers in square boxes represents the inputs and the bottom row of numbers in circles represents the outputs.

Below is a sample of ladder logic, simulated in Allen-Bradley Connected Components Workbench.

Input

-[ ]- represents a normally open contact; _IO_EM_DI_01 denotes the input at square 01 of the Micro800 PLC shown above ("Start Button Input").

-[/]- represents a normally closed contact; _IO_EM_DI_02 denotes the input at square 02 of the Micro800 PLC shown above ("Stop Button Input").

Output

-( )- represents an output coil, normally inactive; _IO_EM_DO_01 denotes the output at circle 01 of the Micro800 PLC shown above ("Motor Output").

It is a simple program that activates output 01 when input 01 is logic high AND input 02 is logic low. The branch below _IO_EM_DI_01 is the status of output 01 ("Motor Input Feedback"); because of it, even when input 01 toggles back to low, output 01 stays high. The branch is a digital OR, and the whole rung is the classic seal-in (latch) circuit: the start button sets the coil, the coil holds itself, and the normally closed stop contact is the only thing that releases it.

"PLC programs execute from left to right and top to bottom. Each line of code is called a rung."

The PLC repeats this in a scan cycle: read all inputs into an image table, solve the rungs in order, then write all outputs. The feedback branch above therefore sees the coil state from the previous scan.
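To make the seal-in behaviour concrete, here is an added example (not code from the original post, and not from Rockwell's Connected Components Workbench) that simulates the rung above in Python with PLC scan semantics: each call to scan() reads the two inputs, solves the rung, and writes the coil. The tag names are taken from the post; the Micro800Sim class and the run_sequence helper are assumptions of this example.

```python
"""Scan-cycle simulation of the start/stop seal-in rung.

Added example, not code from the original post.  Models the Micro800 rung
  (DI_01 OR DO_01) AND NOT DI_02  ->  DO_01
evaluated once per scan in the order read inputs -> solve logic -> write outputs.
"""
from dataclasses import dataclass, field


@dataclass
class Micro800Sim:
    # Image tables, named after the Micro800 tags used in the post.
    _IO_EM_DI_01: bool = False  # Start button input, normally open contact -[ ]-
    _IO_EM_DI_02: bool = False  # Stop button input, normally closed contact -[/]-
    _IO_EM_DO_01: bool = False  # Motor output coil -( )-
    trace: list = field(default_factory=list)  # (start, stop, motor) per scan

    def solve_rung(self) -> bool:
        """Solve the single rung from the current image tables.

        Left-to-right: the OR branch (start contact in parallel with the
        output feedback contact), then the normally closed stop contact,
        which passes power only while DI_02 is low.
        """
        start_or_sealed = self._IO_EM_DI_01 or self._IO_EM_DO_01
        stop_not_pressed = not self._IO_EM_DI_02
        return start_or_sealed and stop_not_pressed

    def scan(self, start: bool, stop: bool) -> bool:
        """One PLC scan: read inputs, solve logic, write outputs.

        The feedback contact reads DO_01 as written by the *previous* scan,
        which is what makes the latch hold after the start button is released.
        """
        self._IO_EM_DI_01 = start          # read inputs
        self._IO_EM_DI_02 = stop
        self._IO_EM_DO_01 = self.solve_rung()  # solve logic, write output
        self.trace.append((start, stop, self._IO_EM_DO_01))
        return self._IO_EM_DO_01


def run_sequence(presses):
    """Feed a list of (start, stop) button states through successive scans
    and return the motor output after each scan."""
    plc = Micro800Sim()
    return [plc.scan(start, stop) for start, stop in presses]


if __name__ == "__main__":
    # Constructed button sequence: idle, press start, release start,
    # press stop, release stop, press both at once.
    sequence = [(False, False), (True, False), (False, False),
                (False, True), (False, False), (True, True)]
    for (start, stop), motor in zip(sequence, run_sequence(sequence)):
        print(f"start={start!s:5} stop={stop!s:5} -> motor={motor}")
```

Two things the scan model shows that the rung diagram alone does not: a start press shorter than one scan is never seen (the input image is only sampled once per cycle), and because the hold branch reads the output image, anything that sets the coil (another rung, the HMI, or an unauthenticated protocol write) leaves the motor latched on until the stop contact opens.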

ICS Protocols

Data transfer and real-time communication between the various components of an ICS (PLC, HMI, database, engineering workstation, etc.) is achieved with a range of ICS protocols.

Traditionally these protocols ran over serial links. TCP/IP variants over Ethernet have since been developed for ICS, but the serial protocols are still found in many plants.

These protocols carry the data that commands equipment to change its state and that sets setpoint values.

Protocols commonly seen on ICS networks include generic IT protocols such as DNS, SNMP, SSH, SMB and RDP alongside dedicated ICS protocols such as Modbus (others include DNP3, EtherNet/IP and PROFINET).

Modbus is an ICS protocol that is used in nearly every industry at some level.

ICS protocols were designed for efficient communication and neglect cryptographic security entirely. Most of them send packets with no encryption and no authentication, so anyone who can reach a field device on the network can craft packets, well-formed or malformed, that read or change its state.
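The following added example (not code from the original post and not from any Modbus library) makes the "no security fields" point concrete by encoding and decoding Modbus/TCP frames for Read Coils (function code 0x01) and Write Single Coil (function code 0x05), and running them against an in-memory coil table that stands in for a PLC. The frame layouts follow the public Modbus/TCP specification; the ToyCoilServer class, the demo_exchange() helper and the sample traffic are constructed for this example.

```python
"""Modbus/TCP framing with a toy coil server.

Added example, not code from the original post.  A Modbus/TCP frame (ADU) is
a 7-byte MBAP header followed by the PDU (function code + data):

    transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1) | PDU

There is no field for a credential, session key or MAC anywhere in it.
"""
import struct

PROTOCOL_ID = 0
READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 0x01, 0x02, 0x03


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header; length counts the unit id plus the PDU."""
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame: bytes):
    """Split a frame into (transaction id, unit id, pdu), checking the header."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != PROTOCOL_ID or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7:]


def read_coils_request(tid: int, unit: int, start: int, quantity: int) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", READ_COILS, start, quantity))


def write_single_coil_request(tid: int, unit: int, address: int, on: bool) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", WRITE_SINGLE_COIL, address,
                                             COIL_ON if on else COIL_OFF))


class ToyCoilServer:
    """Stands in for the PLC side: a table of coils (digital outputs)."""

    def __init__(self, n_coils: int = 16):
        self.coils = [False] * n_coils

    def _exception(self, tid, unit, fc, code):
        return build_adu(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, frame: bytes) -> bytes:
        """Serve one request and return the response frame.  Note that the
        server has nothing to check except that the request is well-formed."""
        tid, unit, pdu = parse_adu(frame)
        fc = pdu[0]
        if fc == READ_COILS:
            start, qty = struct.unpack(">HH", pdu[1:5])
            if not 1 <= qty <= 2000:
                return self._exception(tid, unit, fc, EXC_ILLEGAL_VALUE)
            if start + qty > len(self.coils):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS)
            packed = bytearray((qty + 7) // 8)
            for i, bit in enumerate(self.coils[start:start + qty]):
                if bit:                          # coil i -> bit i%8 of byte i//8
                    packed[i // 8] |= 1 << (i % 8)
            return build_adu(tid, unit, bytes([fc, len(packed)]) + bytes(packed))
        if fc == WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", pdu[1:5])
            if value not in (COIL_ON, COIL_OFF):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_VALUE)
            if addr >= len(self.coils):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS)
            self.coils[addr] = value == COIL_ON
            return build_adu(tid, unit, pdu)     # FC 05 response echoes the request
        return self._exception(tid, unit, fc, EXC_ILLEGAL_FUNCTION)


def decode_response(frame: bytes):
    """Return (transaction id, function code, payload); raise on a Modbus exception."""
    tid, unit, pdu = parse_adu(frame)
    fc = pdu[0]
    if fc & 0x80:
        raise RuntimeError(f"Modbus exception {pdu[1]:#04x} for function {fc & 0x7F:#04x}")
    if fc == READ_COILS:
        count = pdu[1]
        data = pdu[2:2 + count]
        return tid, fc, [bool(data[i // 8] >> (i % 8) & 1) for i in range(count * 8)]
    if fc == WRITE_SINGLE_COIL:
        addr, value = struct.unpack(">HH", pdu[1:5])
        return tid, fc, (addr, value == COIL_ON)
    return tid, fc, pdu[1:]


def demo_exchange():
    """Constructed exchange: a master writes coil 1 on, then reads coils 0-7 back."""
    plc = ToyCoilServer()
    write_resp = plc.handle(write_single_coil_request(1, 1, 1, True))
    read_resp = plc.handle(read_coils_request(2, 1, 0, 8))
    return decode_response(write_resp), decode_response(read_resp)


if __name__ == "__main__":
    print(read_coils_request(2, 1, 0, 8).hex())   # 000200000006010100000008
    print(demo_exchange())
```

The practical lesson is in what the server's handle() can check: the header, the function code and the address range, and nothing about who sent the frame. That is why the controls for Modbus live outside the protocol, in the network (keeping TCP/502 unreachable from the enterprise side via the IDMZ) and in monitoring (alerting on write function codes such as 0x05 from any host that is not the known HMI or engineering workstation).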

ICS Security

In IT, security is based on the CIA triad: Confidentiality, Integrity and Availability. In ICS environments, by contrast, availability is the main priority, and for this reason the protocols were designed with availability rather than security in mind. ICS environments are critical: the failure of one system may set off a chain of events causing economic loss and loss of life.

Before security events like the Ukraine power grid attack, Stuxnet and the Trans-Siberian pipeline incident, it was argued that ICS could not be attacked because they were air-gapped and the field devices ran on closed networks. That proved to be wrong.

In the next blog we will see a demonstration that exploits the plaintext Modbus protocol to control the inputs, and through them the outputs.
