ICS Asset Inventory and Network Diagrams, Part 2
Accurate industrial control system (ICS) network diagrams are critical to maintaining and securing an ICS. They document a holistic view of the physical and logical representation of the system. They reduce project engineering costs, support maintenance and troubleshooting tasks, are essential for risk assessment, and are invaluable for incident response. As covered in our part 1 blog, there are manual, automated, and semi-automated methods to link asset inventory and network information in the creation and maintenance of the diagrams.
Some core diagram types include physical, logical, zone & conduit, Purdue model, dataflow, and per-VLAN drawings. Each diagram should have a defined purpose and should not carry more information than its type calls for. Identifying the goal of each diagram type is crucial: it keeps a given piece of information from being recorded in too many places, which in turn limits the chance of out-of-date or conflicting information across diagrams.
What sort of information should be conveyed on network diagrams? Physical network diagrams show the construction of the network: endpoint information (e.g., MAC address, metadata), media type (e.g., Ethernet, fiber), port type (e.g., trunk, access), port status (e.g., physically blocked, administratively down), and serial connections. Logical diagrams include subnets, VLANs, zones, routing information, dataflows, and layer 3 redundancy. Zone and conduit network diagrams show how the assets and networks are partitioned into security zones, which can be depicted in a Purdue model level hierarchy.
Shown: An example of a zone and conduit network diagram
Zones should include the name, safety designation, security level target, network and physical boundaries, criticality, and a zone vulnerability summary. Purdue model diagrams aid in developing network segmentation by defining the hierarchical levels in the operational technology (OT) systems. They generally do not show network segmentation itself, yet they do provide some context for risk management. Dataflow diagrams depict actual and/or permitted data flows between zones. They support firewall/router rule development, help visualize questionable data flows, and help identify potential inter-zone vulnerabilities. Per-VLAN network diagrams are unique to each VLAN, document the endpoints (e.g., physical location and metadata), and show spanning-tree or layer 2 redundancy information. They provide an easy way to visualize the endpoints and switches in each VLAN and help identify network misconfigurations.
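One way the zone boundaries and permitted conduits from these diagrams can be put to work is to reconcile them against observed traffic and surface the "questionable data flows" mentioned above. The following is an added example, not code from the original post; the zone names, CIDR boundaries, conduits and flow records are constructed sample data.

```python
"""Reconcile observed flows against a zone-and-conduit / dataflow diagram.

Added example with constructed data: zone names, network boundaries,
permitted conduits and observed flow records are all made up here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple  # network boundaries from the zone diagram, as CIDRs


# Constructed zone definitions (Purdue-style levels used only as labels).
ZONES = (
    Zone("Level 1 Control", ("10.1.1.0/24",)),
    Zone("Level 2 Supervisory", ("10.1.2.0/24",)),
    Zone("Level 3 Site Ops", ("10.1.3.0/24",)),
)

# Permitted conduits taken from the dataflow diagram:
# (source zone, destination zone, protocol, destination port).
CONDUITS = {
    ("Level 2 Supervisory", "Level 1 Control", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    ("Level 3 Site Ops", "Level 2 Supervisory", "tcp", 4840),  # historian -> OPC UA
}


def zone_of(ip):
    """Map an address to its zone name, or None if it is not on the diagram."""
    addr = ipaddress.ip_address(ip)
    for zone in ZONES:
        if any(addr in ipaddress.ip_network(net) for net in zone.networks):
            return zone.name
    return None


def classify_flows(flows):
    """Label each (src, dst, proto, port) flow as permitted, undocumented
    (crosses zones without a conduit) or unknown-endpoint (not on diagram)."""
    results = []
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            verdict = "unknown-endpoint"
        elif src_zone == dst_zone or (src_zone, dst_zone, proto, port) in CONDUITS:
            verdict = "permitted"  # intra-zone traffic is not a conduit question
        else:
            verdict = "undocumented"
        results.append(((src, dst, proto, port), verdict))
    return results


# Constructed observed flows, as a firewall log or flow collector might report them.
OBSERVED = [
    ("10.1.2.10", "10.1.1.5", "tcp", 502),        # documented HMI -> PLC conduit
    ("10.1.3.20", "10.1.1.5", "tcp", 502),        # Level 3 straight to PLC: questionable
    ("10.1.2.10", "10.1.2.11", "tcp", 445),       # intra-zone
    ("192.168.50.7", "10.1.1.5", "tcp", 44818),   # source not on any diagram
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(OBSERVED):
        print(f"{verdict:17} {flow}")
```

Flows labelled undocumented or unknown-endpoint are the ones to take back to the diagram: either the drawing is out of date or the traffic should not exist.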
These diagram types are by no means an exhaustive list, but they are great starting points for identifying the types and goals of the diagrams needed to properly document an ICS. Depending on the ICS and business requirements, it may be helpful to document additional information on any one of these drawing types, including external communications, patch status, backup status, and monitoring status.