Importance of Defining Security Functions to Obtain Visibility in Assets from Level 1 of the Purdue Model



For years, many practitioners in the ICS security community realized that guidelines and best practices for secure PLC programming were lacking. To address this problem, ICS security professionals in the community came together to develop the Top 20 PLC controls. Beyond these controls, however, it is essential to define abnormality detections whose information is displayed on the HMI clients. This allows operations staff to respond to an incident at an early stage and makes it possible to forward the same information to SIEM systems for further analysis. These functions can be developed by using the PLC’s own capabilities and adding operational conditions that infer cyber events.

 

This webinar explains the importance of having detections from assets that belong to the lower layers of the Purdue Model, such as PLCs or controllers. The webinar first highlights the importance of visibility in security and of correctly selecting the security controls involved in detecting system abnormalities. It describes the classification of security functions and how they interact with the primary functions contained in a control system. Lastly, the paper elaborates on implementing the functions and describes the alarms and detections generated.

Speaker and Presenter Information

Gloria Cedillo, Sr Industrial Consultant, Dragos

 

Alejandro Cadena, Data Scientist II, SMS

 

Michael Hoffman, Principal Industrial Consultant, Dragos

Relevant Government Agencies

Other Federal Agencies, Federal Government, State & Local Government


Event Type
Webcast


When
Mon, Nov 7, 2022, 1:00pm ET


Cost
Complimentary: $0.00




Organizer
SANS Institute

