Industrial Control Systems 4.0

Industrial Control System 2.0

I was asked to review the architecture of an Industrial Control System V2.0 (ICS). To protect the privacy of the customer, I have provided an example image — but close enough to get a few points across.

The separation between the Enterprise and Control layers is a firewall. In an earlier post, I addressed the need to work toward a Zero Trust Architecture. Comparing Zero Trust Architecture (ZTA) with ICS 2.0 is very much like comparing apples and oranges: ZTA is built on strong authentication, authorization and policy-based access control for every request, while security in the ICS 2.0 architecture is provided at the edge, by the firewall.

Azure Zero Trust

The Azure Zero Trust image illustrates how identities and policies control access to devices, applications, networks, data, and infrastructure.
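To make the apples-and-oranges comparison concrete, the following added example (not code from the post or from Microsoft) models the two architectures as decision functions and runs the same constructed access requests to an OPC UA server in the control zone through both. The zone names, identities, roles and compliance flags are hypothetical; the only real value is the IANA-registered OPC UA port 4840.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model: a perimeter firewall versus a zero-trust policy engine,
# each deciding the same requests against an OPC UA server in the control zone.

@dataclass(frozen=True)
class Request:
    src_zone: str                 # network zone the traffic originates from
    dst_zone: str                 # zone of the OPC UA server
    dst_port: int
    identity: Optional[str]       # authenticated principal, None if unauthenticated
    roles: FrozenSet[str]         # roles bound to that identity
    device_compliant: bool        # device posture as reported by management
    action: str                   # "read" or "write" on an OPC UA node

OPC_UA_PORT = 4840  # IANA-registered OPC UA TCP port

# Perimeter model (ICS 2.0): rules are evaluated only where traffic crosses
# the firewall between zones; anything already inside a zone is trusted.
FIREWALL_RULES = {("enterprise", "control", OPC_UA_PORT)}

def perimeter_decision(r: Request) -> bool:
    if r.src_zone == r.dst_zone:
        return True  # intra-zone traffic never reaches the firewall
    return (r.src_zone, r.dst_zone, r.dst_port) in FIREWALL_RULES

# Zero-trust model (ZTA): identity, device posture and a per-action policy
# are checked on every request, regardless of the network it arrives from.
POLICY = {"read": {"operator", "engineer"}, "write": {"engineer"}}

def zero_trust_decision(r: Request) -> bool:
    if r.identity is None or not r.device_compliant:
        return False
    return bool(r.roles & POLICY.get(r.action, set()))

def evaluate(r: Request) -> dict:
    return {"perimeter": perimeter_decision(r), "zero_trust": zero_trust_decision(r)}

# Constructed sample requests (hypothetical users and hosts).
SAMPLES = {
    "engineer_from_enterprise": Request("enterprise", "control", OPC_UA_PORT, "eng01", frozenset({"engineer"}), True, "write"),
    "unauthenticated_from_enterprise": Request("enterprise", "control", OPC_UA_PORT, None, frozenset(), False, "read"),
    "unmanaged_host_in_control_zone": Request("control", "control", OPC_UA_PORT, None, frozenset(), False, "write"),
    "operator_write_attempt": Request("control", "control", OPC_UA_PORT, "op07", frozenset({"operator"}), True, "write"),
}
```

Only the first request is allowed by both models; the other three pass the perimeter check (they use an allowed rule or never cross the firewall at all) and are refused only by the zero-trust policy.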

OPC Publisher

From Microsoft:

“Microsoft Azure Industrial Internet of Things (IIoT) is a suite of Azure cloud microservices and Azure IoT Edge modules. Azure Industrial IoT integrates the power of the cloud into industrial and manufacturing shop floors. Using industry-standard open interfaces such as the open platform communications unified architecture (OPC UA), Azure IIoT provides you with the ability to integrate data from assets and sensors – including those systems that are already operating on your factory floor – into the Azure cloud. Having your data in the cloud enables it to be used more rapidly and flexibly as feedback for developing transformative business and industrial processes.”

“The Azure Industrial IoT Platform allows plant operators to discover OPC UA-enabled servers in a factory network and register them in Azure IoT Hub. Operations personnel can subscribe and react to events on the factory floor from anywhere in the world. Azure IIoT will enable the reception of alerts and alarms and will allow reaction to them in real time. Azure IIoT provides a set of microservices that connect to OPC UA systems on the shop floor. The microservices’ REST APIs mirror the OPC UA systems’ functionality. The REST APIs enable your cloud applications to browse OPC UA server address spaces, read/write values of OPC UA nodes, and execute OPC UA methods. Components at the factory floor are implemented as Azure IoT Edge modules. The cloud microservices are ASP.NET microservices with a REST interface and run on managed Azure Kubernetes Services or standalone on Azure App Service. Azure IoT Edge modules and Azure IIoT cloud services are available as pre-built Docker containers in the Microsoft Container Registry (MCR). The edge modules and cloud services collaborate closely and must be used together. Azure IIoT provides easy-to-use deployment scripts that allow you to deploy the entire platform with a single command. The REST APIs can be used with any programming language through its exposed Open API specification (Swagger). When integrating OPC UA into cloud management solutions, developers are free to choose technology that matches their skills, interests, and architecture choices. For example, a full stack web developer who develops an application for an alarm and event dashboard can write logic to respond to events in JavaScript or TypeScript without ramping up on an OPC UA SDK, C, C++, Java or C#….”

The preceding text is partly Microsoft marketing, but it describes a path for migrating industrial systems to, and implementing them in, a cloud environment. By leveraging the cloud, industrial systems can become more reliable, more cost-efficient, more adaptable and more secure, with zero trust as the goal.
