Designing PCN Domains
User requirements and industry best practices for designing and deploying a control domain within the process control network (PCN) .
Historically most control systems are configured with local user accounts. Weaknesses in the user account management has been linked to several ICS breaches in the past. Therefore, deploying domain based user access control and management tailored for the ICS environment is gaining relevance and traction within the industry. However, many deployments today use enterprise domain controllers and active directory accounts and there is a growing concern that compromise of the enterprise AD accounts can result in pivoted attacks on the process control network and assets.
Industry best practice recommends isolating and deploying a separate PCN domain controller architecture for the ICS environment. In order to properly design and deploy the architecture, it is critical to understand the different use cases and functional requirements.
Description of the Service
aeSolutions offers a service to develop the user requirements and assist through conceptual design and deployment. We typically facilitate a 2 to 3 day workshop to develop user requirements and a PCN domain architecture. We can also assist with the deployment, testing and commissioning phases of the project. During the workshop we tackle some of the key challenges implementing a PCN domain architecture, some of which are listed below:
- Integrating plants with control domain already in place
- Aligning with control system vendor’s standard architecture
- Integration of control system application level user accounts
- Ensuring availability of systems to control system personnel
- Administration and management
- Remote access requirements
- Site bandwidth restrictions
- Escalation of privileges during plant emergencies
Report out document with detailed notes/results from the workshop
A schematic of proposed PCN domain architecture design
Industry Best Practices – Dos & Don’ts
We Can Help
Our Core Services