- It is crucial to have proper cybersecurity when it comes to industrial control systems.
- The ICS periodic table provides insights on the best practices of industrial cybersecurity on industrial control systems.
- It is important to take inventory and maintain high levels of security as new assets to IT and OT are mixed in and as time progresses.
Science has come a long way since Aristotle’s theory of air, water, fire and earth. Just like Aristotle’s theory, the four key security elements are design, technology, people and process. I like to call it the security tetrahedron. With advancements in this digital era, the critical objective is to protect information — especially the processing technology and infrastructure of the information.
This industrial control systems (ICS) periodic table depicts the chemistry of all the control elements that enable security around the operational technology (OT) estate for any organization. Industrial OT refers to the hardware and software that are used to manage the control systems for industrial processes. ICS, such as supervisory control and data acquisition (SCADA), are used across industries.
Computing environments are rapidly transforming to deliver business outcomes for modern consumers in a modern world. Network perimeters continue to erode to enable this transformation and include mobile devices, cloud applications and platforms; OT such as sensors and controls; and industrial internet of things (IIOT) devices. Cybersecurity has become an encompassing term, with a variety of complex technologies across wider estates.
Effective integration of cybersecurity into the operation of OT requires defining and executing a comprehensive program that addresses all aspects of security and all the modules that are related to security. This includes defining the objectives and scope of the program; establishing a distributed functional team that understands OT and security; defining policies and procedures; identifying the cyber risk management capabilities that include people, process and technology; and identifying day-to-day operations of event monitoring and auditing for compliance and improvement.
With new assets being installed in current OT and information technology (IT), it is imperative to take the time to address security throughout the life cycle, including procurement, architecture, installation, maintenance and decommissioning. Deploying systems to the field based on the assumption that these systems will be secured later introduces significant risk to the systems and the organization. If there is neither sufficient time nor resources to secure the system properly before deployment, it is unlikely that security will be addressed later. Since new OT assets are designed and deployed less frequently than IT systems on a complete landscape, it is much more common to improve, expand or update an existing OT system than to design a new one.
Risk landscape without proper security controls
In the traditional IT world, risk involves threats that would undermine the confidentiality, integrity and availability of data and systems. The impact is mainly financial, such as the cases of extortion (i.e., CryptoLocker), bank fraud or denial of service (DoS) attacks distributed on web servers used by e-commerce sites.
ICS drives the physical world where operational technologies are used. The risk in ICS environments involves threats that would undermine the operational safety (i.e., physical security of goods, people and environmental impacts) and the availability or even the physical integrity of the production tool. Theft of critical industrial data is also feared.
The potential impact of a cybersecurity event could be severe — it could impact the organization’s mission and objectives, the environment, regulatory compliance and even human safety. The impacts are economic but also social, as the civil and criminal liability of leaders is engaged. ICS have never been designed to deal with cybersecurity threats. They are created with the objective of ensuring operational safety and the continuity of operations, and they often do not consider the possibility that a motivated and malicious intruder could reach their digital interfaces. Therefore, security should be in the heart of the overall organizational landscape and consider the factors in the ICS periodic table