
1.1 ICS Basics - Functional Role of A Control System


Industrial Control Systems Security Essentials

Information Security Education and Awareness (ISEA) Project


Ministry of Electronics and Information Technology (MeitY)

Operational Technology (OT) / Industrial Control Systems (ICS)
Security Essentials

ICS Concepts:
Functional Role of A Control System

Ch A S Murty, M.Sc, M.Tech, Ph.D

ISEA CISO Training and Certification


Centre for Development of Advanced Computing (C-DAC)

1.0 Introduction to the Control System: Orchestrator of the Physical World in OT

In the realm of Operational Technology (OT), where the physical world meets the digital, control systems
reign supreme. Imagine a complex symphony - a factory floor humming with activity, a power plant
generating electricity, or a water treatment facility ensuring clean water. The control system acts as the
conductor, ensuring everything runs smoothly and in perfect harmony.

Here's a breakdown of the functional role of a control system in an OT environment:

• Data Acquisition: The control system acts as the central nervous system, constantly gathering
data from a network of sensors and field devices. These sensors monitor critical parameters like
temperature, pressure, flow rate, or liquid levels. This real-time data is the lifeblood of the control
system, providing a constant picture of the physical process.
• Decision-Making and Control: Based on the collected data and pre-programmed logic, the
control system makes critical decisions. Imagine a temperature sensor in a chemical plant
registering a spike. The control system, armed with pre-defined safety protocols, might trigger an
automated shutdown to prevent an accident. This decision-making capability ensures the
process stays within safe and efficient operating parameters.
• Actuation and Optimization: The control system doesn't just observe; it takes action. It can
send commands to actuators like valves, pumps, or motors to adjust physical equipment and
influence the process. For instance, it might adjust the flow rate of raw materials in a
manufacturing line based on production demands. This ability to control actuators allows for real-
time optimization of the physical process.
• Human-Machine Interface (HMI): While the control system operates autonomously, it also
provides a vital link with human operators. The HMI acts as a window into the process, displaying
real-time data, system status, and alarms. Operators can use the HMI to monitor performance,
make adjustments as needed, and intervene in case of unexpected situations.

In essence, the control system in an OT environment is the brain behind the brawn. By continuously
monitoring, analyzing, and controlling physical processes, it ensures the smooth, safe, and efficient
operation of critical infrastructure. Understanding the control system's role is the first step towards
securing these vital systems from cyber threats in today's ever-evolving digital landscape.

2.0 Functional Role of Control System


The heart of industrial automation lies in control loops. These feedback loops continuously monitor a
physical process (think the temperature in a reactor) using sensors. Based on pre-programmed logic and
setpoints (desired operating conditions), a controller (like a PLC) makes decisions and sends commands
to actuators (valves, pumps) to adjust the process and maintain optimal operation. Imagine a loop
constantly fine-tuning a machine for efficiency and safety.


Figure 1: Functional Role of a Control System

The above figure depicts a supervisory control loop, which is a fundamental concept in industrial control
systems. Here's a breakdown of the key components and their functionalities:

Supervisory Control
• Engineering Workstation: This powerful computer is used by engineers to design, monitor, and
configure the control system. They can develop control logic programs, troubleshoot issues, and
update software on PLCs (Programmable Logic Controllers).
• Technician Workstation: This workstation allows technicians to monitor the control system's
performance, view real-time data trends, and make operational adjustments as needed. They
might also use it to initiate maintenance procedures or respond to alarms.

Control Loop
• Controller: This is the brain of the control loop, typically a PLC (Programmable Logic Controller).
It receives data from sensors, executes pre-programmed logic based on setpoints (desired
operating conditions), and sends control signals to actuators. Imagine a PLC in a factory
monitoring a machine's temperature. Based on the program and a setpoint of 70 degrees Celsius,
the PLC might trigger a cooling mechanism if the temperature rises above the limit.
• Sensors: These are field devices that collect real-time data about the physical process being
controlled. Examples include temperature sensors, pressure sensors, or flow meters. This data
is transmitted to the controller for processing.
• Actuators: These are field devices that receive control signals from the controller and influence
the physical process. In our factory example, the actuator could be a pump or a fan activated by
the PLC to regulate machine temperature.
• Process: This represents the physical system or equipment being controlled. It could be a
manufacturing assembly line, a chemical reaction vessel, or a power generator.

Outputs and Changes


• The control loop constantly monitors the process through sensors and makes adjustments
through actuators based on the control program to maintain the desired state (setpoint). These
adjustments are the changes made to the process.


Overall Function

The supervisory control system monitors the entire control loop, ensuring the controller is functioning
properly and the process variables (temperature, pressure, etc.) remain within the desired range. The
engineering workstation allows for configuration and program development, while the technician
workstation facilitates monitoring and operational adjustments.

In essence, this supervisory control loop exemplifies how automation and control systems work together
to maintain the efficient and safe operation of industrial processes.

3.0 Dealing with Complexity for Functional Role of Control System


In Operational Technology (OT) or Industrial Control Systems (ICS) environments, dealing with
complexity involves understanding the major functions that all ICSs adhere to. These functions form the
backbone of ICS operations and are crucial for maintaining the system's functionality and security.

Input: This function involves gathering data from various sensors and input devices within the system.
Inputs can include temperature readings, pressure levels, flow rates, and other parameters relevant to
the controlled process. Inputs provide the necessary information for the system to make decisions and
take action. Attackers may attempt to manipulate or spoof sensor data to provide false information to the
system, leading to incorrect control decisions.

Processing: The processing function involves analyzing the input data and executing control algorithms
to determine the appropriate response. This may include adjusting setpoints, activating or deactivating
actuators, and making other control decisions based on the system's programmed logic. If attackers gain
unauthorized access to the control algorithms or logic within the system, they could modify them to cause
unintended behaviour or disrupt normal operations.

Output: The output function involves transmitting commands to actuators and output devices to effect
changes in the controlled process. Outputs may include signals to valves, motors, pumps, or other
equipment to regulate the process according to the system's requirements. Manipulating the output
commands sent to actuators or other control devices could result in physical damage to equipment,
process deviations, or safety hazards.

Communication: Communication functions facilitate the exchange of data between different
components of the ICS, including sensors, controllers, actuators, and supervisory systems. This can
involve both local communication within a control network and remote communication with external
systems or operators.

Control systems, despite their intricate nature, can be understood through a simplified lens. Imagine a
control system as a loop constantly monitoring and adjusting a physical process. This loop consists of
three core functions:

• Sensing: Sensors gather real-time data about the process (temperature, pressure, etc.).
• Decision-Making: A controller (PLC) analyzes sensor data and pre-programmed logic to make
control decisions.
• Actuation: Based on those decisions, the controller sends commands to actuators (valves,
pumps) to influence the process and maintain desired conditions.


Attackers may exploit vulnerabilities in communication protocols or network infrastructure to intercept or
modify data transmitted between ICS components, potentially compromising the integrity and
confidentiality of system communications.

A single malicious packet sent to the controller could potentially exploit vulnerabilities in any of these
functions, depending on the specific nature of the attack and the system's configuration. Therefore,
implementing robust security measures, such as network segmentation, encryption, access controls, and
intrusion detection systems, is essential to mitigate the risk of attacks targeting ICS inputs and other
critical functions.

Figure 2: NIST 800-82 recommended simulation/emulation

Control systems can be very difficult and costly to replace and adjust. This is one of the reasons why
security in this space is lagging. Refreshing a control system is something done very rarely. It is not
unusual for a system to remain in place for 20+ years without many changes.

The general size of points monitored or controlled:

• Small: 1-2 Workstations, 1-2 Controllers, 0-599 points
• Medium: 3-8 Workstations, 3-8 Controllers, 600-1,499 points
• Large: 8+ Workstations, 8+ Controllers, 1,500+ points

Image Source: NIST SP 800-82 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

Complexity Simplified:

The beauty lies in the fact that all control systems and ICS, regardless of their complexity, map to this
basic model.


• Sensors: These could be simple temperature sensors in a home thermostat or sophisticated
pressure gauges in a nuclear power plant.
• Controllers: They can range from single-chip microcontrollers in embedded devices to powerful
PLCs managing entire factories.
• Actuators: From valves controlling water flow to motors driving machinery, actuators translate
control signals into physical actions.

Vulnerability Points: Understanding these functions also reveals potential attack surfaces:

• Sensor Inputs: Malicious actors might tamper with sensor data to provide false information to
the controller, disrupting the control loop.
• Controller Logic: Cyberattacks could exploit vulnerabilities in the controller's software or logic,
leading to unintended commands and process disruptions.
• Communication Channels: Attacks can target the communication between sensors,
controllers, and actuators, potentially injecting malicious commands or disrupting data flow.

A Single Malicious Packet: A single, cleverly crafted data packet could wreak havoc depending on the
target. If it reaches a sensor and alters the data, it might trigger an unnecessary shutdown. If it infiltrates
the controller, it could rewrite logic and cause equipment malfunction.
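
The sensor-input risk described above, as an added example that is not part of the original course material: the 70 °C cooling logic from section 2.0 with a range and rate-of-change plausibility check placed in front of it, run with and without the check. The trip threshold, sensor range, step limit, reject count and both traces are assumed values constructed for illustration; real limits come from the process design.

```python
from dataclasses import dataclass, field
from typing import Optional

SETPOINT_C = 70.0        # setpoint used in the page's PLC example
TRIP_C = 90.0            # assumed shutdown threshold
RANGE_C = (0.0, 150.0)   # assumed physical range of the sensor
MAX_STEP_C = 5.0         # assumed largest plausible change per scan
MAX_REJECTS = 3          # assumed: fail safe after this many bad scans in a row

@dataclass
class Controller:
    validate: bool
    last_good: Optional[float] = None
    rejects: int = 0
    alarms: list = field(default_factory=list)

    def plausible(self, reading):
        """Range check plus rate-of-change check against the last accepted value."""
        if not RANGE_C[0] <= reading <= RANGE_C[1]:
            return False
        return self.last_good is None or abs(reading - self.last_good) <= MAX_STEP_C

    def scan(self, cycle, reading):
        """One scan: validate the input, apply the logic, return the actuator command."""
        if self.validate and not self.plausible(reading):
            self.alarms.append((cycle, reading))      # surfaced to the operator (HMI)
            self.rejects += 1
            if self.last_good is None or self.rejects >= MAX_REJECTS:
                return "SHUTDOWN"                     # no trustworthy input: fail safe
            reading = self.last_good                  # hold the last accepted value
        else:
            self.last_good, self.rejects = reading, 0
        if reading >= TRIP_C:
            return "SHUTDOWN"
        return "COOLING_ON" if reading > SETPOINT_C else "COOLING_OFF"

def run(readings, validate):
    """Feed a trace through a fresh controller; return (commands, alarms)."""
    plc = Controller(validate=validate)
    return [plc.scan(i, r) for i, r in enumerate(readings)], plc.alarms

# Constructed trace: normal drift around 70 C, one injected value at cycle 3.
SPOOFED = [68.5, 69.8, 71.2, 140.0, 71.0, 69.5]
# Constructed trace: readings stay implausible, so holding is no longer safe.
PERSISTENT = [69.0, 140.0, 141.0, 142.0]

if __name__ == "__main__":
    for trace in (SPOOFED, PERSISTENT):
        for validate in (False, True):
            print(validate, *run(trace, validate))
```

Without the check, the single injected reading causes the unnecessary shutdown the paragraph describes; with it, the controller raises an alarm and keeps running, and shuts down only when readings stay implausible.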

Although control systems can be complex, understanding their core functions and potential vulnerabilities
is crucial for building robust defences against cyberattacks.
