00:00:01
Hey, welcome back to OT Asset Management Weekly. In today's session we talk about your favorite topic, I know it is the Purdue model, because anytime we do anything about Purdue the videos usually get a high view count, so I anticipate it's going to be the same with this video. What I'm trying to do today is, as the title suggests, just tell you everything you need to know about the Purdue model, especially if you are from the IT side of the house. So if your experience is mostly in IT and you struggle to make sense out of the Purdue model, that's natural, and this is why I'm doing this webcast here, in order to clear it all up for you so that finally you see through the mist and you see the Purdue model for what it really is.

00:01:05
I'm talking mostly to IT people because, guess what, for engineers the Purdue model isn't a thing. So engineers don't have those debates: now is this device or network on level two or level three or level one? They don't use this terminology. So the model is mostly used by IT people or people with an IT background, and there are two reasons why you should have some foundational understanding about this model if you are such an IT person, an aspiring OT security expert. Why should you be able to look through the mist? So first of all there are a lot of misconceptions about the Purdue model that will lead you to bad results when it comes to OT security, and I will explain to you why. And the second reason why you should be able to see through the mist is because many people completely overvalue the Purdue model and spend way too much time in a desperate effort to understand it.

00:02:30
Guess what, there isn't a lot to understand. There is a lot of nonsense around this model and it's just a waste of time. It's like when I discovered as an adolescent, you know, I spent years trying to understand the teachings of this particular philosopher, take the W Doro for example, only to figure out after so many years, well, it's mostly useless nonsense. So I take the nonsense back, it's mostly useless. So you shouldn't spend too much time on that.

00:03:04
So let's get right into the thick of it. The Purdue model is a conceptual model that is intended to help people understand, especially people with an IT background, what's going on in a factory automation environment. And as it so happens, in that environment you find devices, you find technology that sometimes seems to be very remote to IT people. When it comes to actuators, for example, many IT experts till this day have no idea what an actuator would be. Then you also have Windows boxes, you have computers, you have switches that might have a totally different function and use cases than you know it from IT. So in that respect the Purdue model does carry some water, because it gives you an idea what's going on in that OT space.

00:04:07
And in order to understand this a little bit better, let's just look at those many visual models that you have seen. So what I did here is simply I did a Google search for "Purdue model" and clicked on images, and maybe this one that I singled out here from the good folks at Armis is a good starting point, because it shows you where at the top you have all your IT stuff, and you could think of that as the tip of the iceberg, because then when you go down, oh, this is underwater, where you find all the bizarre stuff, bizarre for an IT person; for engineers it's there where they live, right. So you have some historians, you have SCADA systems, you have operator stations, you have your PLCs, and finally down there at the very bottom you have the sensors and actuators. So that makes sense, and that might lure IT people to think, oh, there is so much more below that surface. So in IT we have been dealing with that tip of the iceberg, and down below underwater, man, you know, all the funny, sometimes scary creatures that live there. That makes sense, so it would hopefully prompt you to figure out what a PLC is, what a VFD is. This is stuff that you have to know when you want to do anything in OT, and certainly also in OT security.

00:05:49
Okay, so then you have all those numbers that are assigned to the various levels, and this is where things start to veer off, but I'll get back to that in a second. Now let's clear up one thing first and foremost: this model has very, very little to do with network architecture and nothing, or even less, to do with OT security, and I tell you why. So this is for example what the Armis guys got wrong. So this suggests that you would actually be looking at different network L, that is actually not true in real life. So you should just forget about those lines here. Somehow these devices talk to each other, but not in this architecture that you see here, okay, just keep that in mind. The only thing that you should associate with Purdue when it comes to networking, the one and only thing, is that you should have a protection layer, a security layer, between the enterprise network and anything that's going on in OT. That is maybe the most important takeaway that you keep in mind: all that stuff below that level four, that should be protected somehow, because in the enterprise network all kinds of traffic is going on that you don't want to see in your networks.

00:07:31
And this is where it gets really funny. So in a way this is what you would expect. I've just flipped over here to another diagram. Now you see here there's this security layer between the IT network, so usually the enterprise network, and the OT networks that usually start with level three and go down to level zero, right. And so that is something that you want to have, and the best implementation for that would be, as it is depicted here, a DMZ. And this is something that you find in various other diagrams, such as this one. And again, here is where it gets funny, because this DMZ was not conceptualized in the original Purdue model. So therefore now you have a layer between three and four. What do we do with that? Simple answer, so that is the solution that you usually see: okay, let's just call it 3.5, because it sits between four and three, so let's make it a 3.5. Again, this was added later to the model, and it's clear just from the nomenclature, so there is this intermediate step.

00:09:05
And as fate has it, there are all kinds of different ways to also label that. So I've selected here another one where they say, no, the DMZ, that's level three, and then you have a control center / processing l that is level 2/3, then below there you have a level two. And this is where things get funny, because now some people, some aspiring OT security experts, believe it's really worthwhile to figure out what is right and what is wrong. Is this on level two, level three, 3.5, 2.5? This could suggest here the operations management zone, or that we should probably call that 2.5. And discussions like that are just a pile of BS. They are a waste of time, you don't want to engage there. You should just take away the following: you have the separation between IT and OT, you would want to see a DMZ there, and the rest is pretty much the wild west. And that doesn't mean it's insecure, I'll get back to that.

00:10:41
So here is another one, very CEO, they place the DMZ in that upper right, but it's also labeled 3.5. And again, this is another diagram that I don't like, because it's inaccurate since it suggests that you would also have different networks. That can be the case, but don't assume that it will mostly be the case. That is not true, and I will get to that. So this is what I just want to point out: first thing, it's a conceptual model; second, the one thing that you want to see is this DMZ here; and third, everything that's below down here doesn't actually directly relate to networking. That's very important, and it gets even more important when you think about OT security and network segregation.

00:11:46
Just another detail here: so on level zero you find all those sensors and actuators, and this is something that everybody must know, what that means, sensors and actuators. If you don't know the meaning of those terms, just look them up, there is plenty of educational material on the web. And many of those sensors and actuators are non-networked. That would be the direct electrical connections that go to your I/O cards in your control system racks. But then also many of those sensors and actuators are networked in today's environments, and a typical example would be VFDs, variable frequency drives, that you need to drive your motors for your conveyor belts etc. Okay, and many of those are networked. In your typical manufacturing shop you will see maybe hundreds of networked drives. They live directly on a TCP/IP network, and they don't need to be in a separate logical network or physical network, and that is often times not done.

00:13:24
So let me show you a typical manufacturing network in a base. Just pick this one here, where you see here is the address list, and the color codes already tell you something. So you have a couple of controllers here, a couple of control system racks there, there you have a sensor, there you have an operator station, there you have a switch, another operator station, etc., there you have three actuators. That's the thing. So that is what a real network looks like in a manufacturing shop. So it goes across those Purdue levels, and that's not a bad thing. So it would be foolish to think otherwise.

00:14:25
And now we get to the OT security piece of it. So unfortunately, the way that these diagrams are drawn, it suggests that it would be important to, or that it would go along with, network segregation, and that's nonsense, because if you would segregate your network like this, you are bound to end up with the most insecure network architecture that you can imagine. Why is that the case? So let's just assume you put all your, as is suggested here by the good people at Zscaler, right, all those PLCs at level one and the RTUs, you put those all in one network or one zone, and there that is protected against the SCADA boxes, against the HMIs, and also it's protected against the sensors and actuators. That is complete nonsense, my friends, because that means once this level here is compromised, then the whole shop is down, right, because you have all your controllers in there. And that is not a good strategy. So in other words, your segregation would have given you nothing.

00:16:08
When it comes to segregation strategies you should always start with thinking in zones. You should start thinking east-west traffic, not north-south, because for a segregation strategy the big question is which units are able to operate on their own, so that even when other stuff is compromised, let's just say those other machine lines can still function. That is what a good segregation strategy will yield. And now you understand why the Purdue model does not lead to a good segregation strategy; it leads to a bad segregation strategy. Also the other thing that you should keep in mind is, well, why would you want to segregate between level one and level zero? Because once a controller is compromised, the controller can do anything with the sensors and actuators, because it's talking to those devices all the time. And I could even take it a step further: let's talk about level two, where you would find your engineering station. If the engineering station is compromised, you can kiss your controllers and actuators goodbye, because the engineering station is then in a position to compromise the controller, and then the controller can do what it wants with that malicious code with the actuators.

00:18:04
To sum it up, that horizontal segregation idea is BS, it's counterproductive. You should think vertical, or lateral, lateral movement, east-west. That yields solid segregation strategies and wins when it comes to protection. And now you have a better idea why a network such as this makes a lot of sense, because it contains all the stuff, or most of the stuff, that is required for a specific plant component. If anything in this network goes down, that plant component goes down anyway, sorry, but that should not affect other machine lines etc., other plant components. That is what you need to keep in mind when it comes to OT security, and when it comes to furnishing a network security strategy, a segregation architecture that actually yields some benefits. And this is what the Purdue model doesn't tell you, because it's just horizontal. Okay, and so maybe the way out here would be to take a closer look at IEC 62443, where the concept of zones and conduits is introduced. So that carries much more water.

00:19:47
And maybe in closing I would say that model is not only totally overrated, it's also abused beyond belief, and as I have shown you, well, even some OT security vendors have no clue. That is something I find very concerning. Nobody seems to be bothered by that, that your vendor one tells you, oh, this is Zone 23, and the other tells you it's three, and then I don't know, so it's all over the place. And please take my advice: trying to sort that out is a waste of time, you don't need that. And the other advice that I have for you is just talk with actual control engineers, and you might even end up in a situation where the control engineer who is running that shop for, I don't know, a decade or so gives you that very surprised "what do you mean, level one? Oh, you're talking about the controllers. Oh, now I got it, yeah, I can tell you everything about the controllers, what do you actually want to know?" So that is a different world, and it is really surprising how much time IT folks spend on this model and also sometimes don't realize that they don't impress experienced experts. Just okay, just keep your Purdue model, but leave us alone.

00:21:40
So in closing: it's not a network model, network architecture, no. The one thing that you should take away is you need that security layer, and that should be a DMZ between IT and OT. Anything below that security layer can be architected in any different way. It will most definitely not be architected in what Purdue suggests, where you have separate networks for the actuators, for the PLCs, no, you don't see that in real life. When it comes to network security, when it comes to segregation, it will be segregated with the idea to keep individual process units functional even in the case that there are issues, network issues, security issues, in other areas. That's all you need to know about the Purdue model. Have a nice day.