As in the information technology (IT) industry, many operational technology (OT) vendors of control system applications and devices are now designing products with security in mind. This provides customers with the available product features needed to deploy a defense in depth security architecture as represented in the following source doctrine and authoritative guidance.
- Purdue Enterprise Reference Architecture (PERA), commonly known as the Purdue Model
- 5-Level Control System Architecture found in Unified Facility Criteria (UFC) 4-010-06 Appendix E – Cybersecurity of Facility-Related Control Systems (FRCS)
- Control Systems Security Program (CSSP) Recommended Defense-In-Depth Architecture found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 Revision 2 – Guide to Industrial Control Systems (ICS) Security
The Functional Cybersecurity Framework and 5-Level Control System Architecture diagram below provides the concept for configuring a control system enclave/network with a defense in depth security architecture. For example, a segmented network; enforcement zones with stateful firewalls between multiple Levels of the Purdue Model; compliant patch management procedures; appropriate identity and access management (IdAM); tailored group policy settings; disabled or removed unnecessary ports, protocols and services (PPS); implementing properly configured host-based firewalls and/or access control lists (ACL); use of application whitelisting (AWL); encrypted communications, etc.