Level 0, Level 1 and Level 2 are three main layers of the Purdue Enterprise Reference Architecture (PERA), which is a widely used model for organising industrial control systems (ICS) and their associated cybersecurity measures.
Level 0, also known as the Process Control level, is the lowest layer in the Purdue model and is where the physical process of an industrial plant is monitored and controlled. This includes devices such as sensors, actuators, and programmable logic controllers (PLCs) that are used to control industrial processes such as temperature, pressure, and flow.
Level 1, also known as Area Supervision, is responsible for managing specific areas of the industrial process. This includes systems such as programmable automation controllers (PACs) and communication gateways that connect Level 0 devices to higher-level systems.
Level 2, also known as the Supervisory Control level, is a higher layer in the Purdue model and is responsible for managing the overall operation of the industrial process. This includes systems such as human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems that allow operators to monitor and control the industrial process.
Despite being designed to be highly reliable, Industrial Control Systems (ICS) are becoming increasingly connected and therefore more vulnerable to cyberattacks. Depending on the nature and scope of the attack, consequences can include safety hazards, environmental disaster, financial losses, and reputational damage. In fact, incidents involving these targets may cause critical infrastructure such as power grids, water supply systems, and transportation networks to malfunction or shut down, disrupting public services and endangering lives.
But what is actually threatening the control and supervisory layers of the Purdue Enterprise Reference Architecture? Here are some examples of the cyber threats that may affect PERA Levels 0-2:
Malware and viruses. Malware and viruses can infect Level 0 components such as sensors and actuators, Level 1 components such as input/output (I/O) devices and distributed control systems (DCS), as well as Level 2 components such as supervisory control and data acquisition (SCADA) systems and historians. They can cause these components to malfunction, leading to operational disruptions, equipment damage, and safety risks. As an example, the Stuxnet worm, discovered in 2010, was specifically designed to target PLCs used in Iran’s nuclear program, causing significant physical damage to centrifuges used in the uranium enrichment process.
Network attacks. Network attacks, such as Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MitM) attacks, and IP Spoofing, can target all three levels of the PERA framework and interrupt their communication and operation. These attacks can also allow hackers to gain unauthorised access to the ICS network and its sensitive data.
Physical attacks. Physical attacks – such as tampering with Level 0 components, physical manipulation of Level 1 devices, or physical damage to Level 2 facilities – can pose significant risks to ICS networks and operations. It was not so long ago that a plant operator in Florida saw his cursor being moved around on his computer screen, opening various software functions that controlled the water being treated. The hacker, who gained access to the control system for the water treatment plant, boosted the level of sodium hydroxide – a caustic chemical used to control the acidity of the water supply – to 100 times higher than normal.
Insider threats. Insider threats can come from employees, contractors, or other individuals with access to the ICS network. These can include intentional sabotage, accidental damage, or negligence. For example, in 2020, a former employee of a Texas manufacturing company was sentenced to prison for sabotaging the company’s computer network, causing significant financial losses.
Supply chain attacks. Supply chain attacks can occur when an attacker infiltrates a vendor or supplier and inserts malicious code into ICS components or software updates. These attacks can lead to widespread disruption and compromise of the entire ICS network. For instance, in 2020, the SolarWinds supply chain attack affected multiple U.S. government agencies and private companies, including industrial control system (ICS) vendors, potentially compromising their customers’ Level 2 systems.
To mitigate these threats, organisations should implement security measures such as segmenting the network into separate zones, limiting access to PERA Levels 0-2 components, installing firewalls, using intrusion detection systems, and performing security monitoring. They should also train employees in security awareness and best practices to prevent social engineering attacks and other incidents caused by human error. Finally, regularly patching and updating software and firmware on PERA Levels 0-2 components is crucial to reduce the risk of exploits and vulnerabilities.
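As an added illustration of the zone segmentation and access limiting described above (not part of the original article), the following Python example audits observed network flows against a Level 0-2 zone policy. The subnets, the sample flows and the adjacency rule (a flow may stay within one level or cross to the neighbouring level, and hosts outside Levels 0-2 may never reach Level 0 or Level 1 directly) are assumptions made for the example.

```python
import ipaddress

# Assumed zone plan, one subnet per Purdue level (constructed addressing).
ZONES = {
    0: ipaddress.ip_network("10.0.0.0/24"),  # Level 0: sensors, actuators, PLCs
    1: ipaddress.ip_network("10.0.1.0/24"),  # Level 1: PACs, communication gateways
    2: ipaddress.ip_network("10.0.2.0/24"),  # Level 2: HMIs, SCADA
}

def level_of(addr):
    """Return the Purdue level whose zone contains addr, or None if outside Levels 0-2."""
    ip = ipaddress.ip_address(addr)
    for level, net in ZONES.items():
        if ip in net:
            return level
    return None

def audit_flow(src, dst):
    """Classify one flow under the assumed adjacency policy."""
    s, d = level_of(src), level_of(dst)
    if s is None and d is None:
        return "out-of-scope"          # neither end is a Level 0-2 asset
    if s is None or d is None:
        inside = d if s is None else s
        # Assumption: outside hosts never talk to Level 0/1 directly; Level 2
        # contact needs an explicit, reviewed firewall rule.
        return "review" if inside == 2 else "violation"
    return "allow" if abs(s - d) <= 1 else "violation"

def violations(flows):
    """Return the (src, dst) pairs that break the zone policy."""
    return [(s, d) for s, d in flows if audit_flow(s, d) == "violation"]

# Constructed sample flows, e.g. as exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    ("10.0.2.10", "10.0.1.5"),       # HMI -> gateway: adjacent levels
    ("10.0.1.5", "10.0.0.20"),       # gateway -> PLC: adjacent levels
    ("10.0.2.10", "10.0.0.20"),      # HMI -> PLC: skips Level 1
    ("192.168.50.7", "10.0.0.20"),   # outside host -> PLC
    ("192.168.50.7", "10.0.2.10"),   # outside host -> HMI
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<12} {audit_flow(src, dst)}")
```

Flows reported as violations are candidates for a firewall rule change or an intrusion detection alert; flows marked for review are ones that need an explicit, documented exception.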