Key security components and strategies for industrial control systems

Back to Basics: Industrial control systems (ICSs) are becoming a more frequent target for cybersecurity attacks, and companies working in vital industries need to take steps to prevent or reduce the risk for a catastrophic event. See five drivers of and eight ways to support ICS cybersecurity.

By Anil Gosine November 8, 2016

Significant security risks and attacks against industrial control systems (ICSs) are growing in volume, and comprehensive solutions are needed. The financial and legal ramifications of breached ICSs are mounting across the world, and regulators are increasingly interested in a company’s ability to defend against cyber attacks. The fragmentation of partial solutions and the complex integration of these are becoming a cost, and risk owners want to mitigate.

Threats and cyber incidents—malicious and accidental—against ICSs occur every day. These systems are a critical part of the infrastructure that facilitates operations in vital industries such as power generation, oil and gas, transportation, pharmaceutical, and chemical. In the past, ICSs operated in an environment that appeared safer because they were physically isolated and used proprietary control protocols with customized hardware and software. 

Five cybersecurity drivers

Cybersecurity solutions are increasingly designed for operations and policies, and there are five key constituents that can drive targeted solutions for ICSs:

  1. Audit and application of security policies and procedures developed specifically for the control system network and its devices
  2. Access control through the local area network (LAN), wide area network (WAN), and physical perimeters complemented with secure data transfers
  3. Threat detection of abnormal and malicious activities at all levels
  4. Risk management and mitigation against possible attack with an installed security suite designed to enhance regulate the ICS without disrupting the controlled process.
  5. Resolve key security problems that require an intrinsic relationship with vendors.

The ICS represents the core of production, which means the cybersecurity processes must address internal and external threats with multiple layers of defense that mitigate against various risks.

Initiatives by ICS vendors to reduce security risks to control systems in response to growing cybersecurity is resulting in automation professionals being more effective in securing their industrial processes. However, ICS vendors and automation professionals must be committed to providing a set of products and services that mitigate risks and provide security for production assets. And, the information silos that exist within organizations mean information is rarely shared. Comprehensive solution providers will acquire, integrate, and facilitate the adoption of cybersecurity technologies and deliver the product to end users.

Because ICSs are prone to cyber attacks and are being targeted with increasing frequency, automation vendors are working with information technology (IT) security service providers to develop stronger solutions. While many of the vulnerabilities are technology-based, it is worth noting that some weaknesses stem from a lack of personnel or a lack of awareness. These changes may require cultural shifts and collaboration mechanisms to reduce mistakes caused by human error.

An organization’s risk management practice must be proportionate to the risks present. Organizations should not be asking, "Is there a risk," but rather "Which risks do we face and what is the level of investment to mitigate against them?" Educating executives and staff has not kept pace with the continually changing cybersecurity threats. Corporations must get involved in workgroups that discuss the current cybersecurity situation in their sector, describe key strategic elements to increase their security posture, and support workers with tools and guidance.

While the industrial sector is slowly recognizing there is a greater cybersecurity risk for ICSs, risk management is difficult due to the high costs linked to each risk and a lack of historical statistics to determine the probability of the scenario occurring. Companies must have cost-effective and efficient solutions that will keep industrial facilities safe. This is critical to the global economy.

This is why organizations must have their policies and procedures in place with security designed and implemented within the ICS environment before any further integration into other networks. The business case, security posture, and risk management plan determine the protocols and methodology for systems integration.

Another factor to consider from this systemwide integration is that IT security professionals do not properly understand the industrial processes that utilize the ICS, and ICS professionals do not properly understand today’s IT security risks. This can result in a lack of awareness and safeguards that will take away from the benefits that were sought through the integration of the business and control systems when one major ICS incident occurs.

Cybersecurity support

With that in mind, the following objectives should be met to support the ICS’ security components:

  1. A framework that provides an overview and identifies the core elements
  2. Corporate-level governance to ensure security risks are managed consistently and appropriately
  3. Thorough understanding of the risks that are faced and ability to justify the mitigation response needed
  4. Management of the ICS lifecycle that follow a security engineering process
  5. Improved ICS security awareness throughout the organization
  6. Continuous review of security protection measures that can be selected and implemented
  7. Procedures that deliver a sufficient response to new vulnerabilities and changes to the threat environment
  8. Effective management of third-party risks that can have an impact on the organization.

Anil Gosine is global program manager at MG Strategy+. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

MORE ADVICE

Key concepts

  • Comprehensive solutions are needed to prevent attacks against industrial control systems (ICSs).
  • Automation vendors are working with information technology (IT) professionals to craft potential solutions.
  • There is a lack of understanding between IT and ICS professionals, and that can lead to security issues.

Consider this

What else can be done to close the gap between ICS and IT professionals?

ONLINE extra

See additional stories about industrial control systems (ICSs) linked below.

Original content can be found at Oil and Gas Engineering.


Author Bio: Anil Gosine has over 18 years of construction management, operations and engineering experience within the Industrial Sector with a primary focus on electrical, Instrumentation and automation process and systems in the U.S., Canada, and Central America. He has been heavily involved in the utility industry for over 11 years engineering, implementing and project managing a wide range of projects, utilizing a wide array of products and control system technologies within this industry segment. Anil is an active member of several professional organizations and independently participates in industry forums and technical committees for infrastructure development, industrial automation design and implementation, data analytics, and cyber-security processes. Anil is the global program manager for global industrial projects with MG Strategy+ and leads the Strategic Efficiency Consortium Security Workgroup with specific focus on cybersecurity metrics, threats, vulnerabilities, and mitigation strategies for ICS and security intelligence and analysis.