Industrial control system (ICS) security is growing in importance as cyber-attacks increasingly target physical processes, either to extort a ransom or to cause harm to critical production systems. Incidents such as the intrusion at the Oldsmar water treatment plant, the ransomware attacks on the vaccine supply chain, and the broader threats to the Ukrainian and US power grids and to oil refineries in the Middle East are generating greater concern among boards, governments, and operators of industrial organizations.
What is ICS security?
ICS security is defined as the protection of industrial control systems against cyber attackers. It is often referred to as operational technology (OT) security. It covers a wide range of practices, including:
- Asset inventory and detection
- Vulnerability management
- Network intrusion protection and detection
- Endpoint detection and response
- Patch management
- User and access management
ICS security differs from traditional information technology (IT) security in several ways:
- The types of devices protected are often sensitive to unintended changes or interaction, including a distinct class of OT assets known as embedded equipment, and they are typically much older than IT systems.
- The risks are not only to information confidentiality but, above all, to the availability and integrity of the process and to the safety of personnel and property.
- Remediating those risks requires different techniques because of the differences in device types.
What is an industrial control system? This is a broad category of computing systems that overlaps with what is variously called OT, supervisory control and data acquisition (SCADA), or cyber-physical systems.
ICSs are specifically those systems used for industrial processes and automation, as distinct from other operational systems such as building controls or medical devices. ICSs provide the components that ensure the proper and continuous operation of a wide range of industrial systems, from power to water to manufacturing and beyond. They control the inputs and outputs of key elements in an operational or physical process, and these processes are often adjusted in real time to keep operation correct and safe. They frequently include the safety systems that shut a process down when it drifts outside defined operating limits.
Historically, these systems were separated from traditional IT networks and built from a wide range of specialized components. Increasingly, OT systems are integrated with IT to improve operational efficiency and reduce the total cost of ownership. As a result, cybersecurity threats grow as formerly “air-gapped” systems become connected to the internet-facing components of the enterprise IT environment.
Why do we need ICS security?
ICS security is critical because these systems are under attack and the consequences of compromise are significant financially, operationally, and for safety. Why, then, do we need a separate category of security to address these systems? Why not replicate what is already being done in IT security?
First, the devices themselves create challenges for traditional IT security processes and technology. A sample of the device population includes hosts running old versions of Microsoft Windows such as Windows XP or Windows 7; a wide range of embedded devices such as programmable logic controllers (PLCs), other controllers, relays, and sensors; industrial (and traditional IT) networking equipment; and more. These devices require a different approach to security from the modern, regularly updated operating systems and cloud services in today’s IT stack.
Second, the potential impacts are different. In most IT cybersecurity efforts, the priorities are confidentiality, integrity, and availability, in that order. In the ICS world, the greatest risks are to the safety of people and property, followed by availability and integrity. Information confidentiality, while perhaps of some importance, pales in comparison. The focus of risk management must adjust accordingly.
Third, incident detection and response require specific knowledge of the systems affected. IT systems are largely commodities: they perform specific functions but can be grouped and analyzed using a wide range of readily available detection rules. Similarly, when responding to a threat in IT, there are a variety of safe and effective actions (isolating or rebooting a compromised host, for example) that can be taken uniformly and automatically. Industrial control system behavior, by contrast, is unique, often to that particular process, so generic detection rules do not transfer cleanly. In addition, the response must be measured and handled so that it does not cause more harm than good: isolating or rebooting an HMI or controller can itself halt the process the response was meant to protect.
Finally, securing ICS safely and with operational resilience requires combined knowledge of control systems and of security, a combination in even shorter supply than already stretched IT security resources. Industrial control systems were designed years or decades ago, and there is a shortage of skilled personnel who understand them. To secure ICS, the industry needs to pair IT security capabilities with the people who know the systems.
As a result of these four factors, industrial control systems security must adapt, rather than simply copy, traditional IT security practices and technology.
Three ways to achieve ICS security
This is a very deep topic, but to start, there are three key elements that make for significant progress toward a more secure ICS infrastructure.
1. Establish an objective and design an ICS security program
The first step in robust ICS security is to establish the goal you are trying to achieve. The good news is that there is a range of standards to choose from: the CIS Controls (the CIS Top 20), the NIST Cybersecurity Framework (CSF), ISA/IEC 62443, and others.
In our work with dozens of clients throughout their ICS security journey, the biggest stumbling block is often defining the destination. Many companies struggle because they pursue a single initiative (network segmentation, network intrusion detection, asset visibility) for short-term gain. Success in industrial security requires a true program that brings together an integrated set of actions. Selecting a standard and focusing on delivering against it is the best way to make meaningful, measurable progress.
2. Bring IT and OT together to develop an ICS security solution that works for both
We often see this framed as “IT is going to lead” or “ICS/OT will determine what will work at this plant.” ICS is different, and the right answer is not simply to employ the same tools and processes as in IT. By the same token, IT security has a great deal to bring to the table in knowledge and capabilities, as well as the need for consistent measurement for the board and other stakeholders. It is critical to bring the two groups together to make this happen.
3. Leverage a security platform, rather than a series of individual tools
Of course, we have a stake in this game, but we truly believe this is the only way to deliver true ICS security efficiently. In fact, Gartner analysts agree, stating “Solutions that offer multiple valuable features easily deploy, can be easily explained to operations as not adding additional risk, and are interoperable with other security tools are preferred.” Find a platform that brings the key requirements of ICS security together in a way that is safe and effective in ICS, while delivering the same quality and measurement as IT security.
ICS security does not have to be a black box. Many of the same principles as IT security apply, but they need to be applied through a platform that can address the unique challenges described above.
– This article originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.
Original content can be found at verveindustrial.com.