Building a Reference Architecture for Wonderware System Platform According to IEC 62443

In this post, we will see where the different Wonderware-System Platform applications fit within the IEC62443 levels to build a reference architecture.

Becolve Digital

iSID Network monitoring and analysis

Blog cover

In the previous post on our Industrial Cybersecurity website, we saw the basic concepts defined in IEC 62443, which will help us build interconnected, organized, hierarchical network architectures with easier protection.

In this post, we will see where the different Wonderware-System Platform applications fit within the IEC62443 levels to build a reference architecture.

Main Components of Wonderware System Platform

One of the main advantages of System Platform is its scalability: it allows you to create different architectures to adapt to the needs or sizes of the infrastructures it intends to supervise and control. Its high degree of adaptability is largely due to the fact that System Platform is made up of a set of software pieces, interrelated with each other, which can be installed, or not, on one or more computers.

In general, it is common to use the following System Platform roles:

Other software pieces can be installed on the ArchestrA platform of Wonderware System Platform to convert process information into useful information for decision-making and to maximize the exploitation of process data (Wonderware Intelligence, AEMES, Wonderware InBatch, Wonderware Recipe Manager Plus, and many more).

From an architectural point of view, all these software pieces are composed of:

Databases.
Executables, code libraries, etc. Software that manipulates that data.
Web portal for integration with various types of clients.
Reports.

Identifying Security Zones of IEC 62443

As we have seen, Wonderware System Platform is composed of different software pieces that are installed to adapt to the environment that needs to be supervised. These “pieces” have different purposes or roles, so it makes sense for them to be in different IEC62443 Zones and thus adapt to their particular security requirements:

Infrastructure Zone: Zone for the general servers necessary for the operation of the entire platform. They do not have to be Wonderware servers, for example, unified user management servers, time server, log server, remote desktop services server, etc.
Development/Pre-production Zone: Zone where changes are developed and/or tested before being put into production. In this zone would be the computers with the IDE and GR of the Wonderware environment, in addition to other applications that are linked to the development. The existence of this zone allows controlling that only developers can access these services.
Wonderware shared Servers Zone: Zone where the different Wonderware servers with roles necessary for the operation of the real-time platform would be located, but where there is practically no human interaction: Historian, AOS, Intouch application server, Intelligence, etc.
Supervision Zone: Zone where the supervision equipment would be located, such as equipment that connects to application servers or equipment with Intouch installed. As this equipment will be manipulated by humans, it is logical to think that its security requirements are different from the rest of the equipment and therefore they are located in a separate zone.
Production cell Zones: Zones where the different process zones are located and where equipment with the role of AOS can be installed for data collection with minimal latency.
Remote Access Zone: Zone intended to host the assets intended to expose industrial services to those clients who require to view process data WITHOUT them being able to connect to industrial networks (e.g. Intouch Access Anywhere Secure Gateway, RDS Gateway, Historian T2, Windows Patching Server, Antimalware Server, …).