How to logically implement security into your Industrial Control Systems (ICS)—7 categories you need to know now


As Spirent celebrates our 80th anniversary, I find myself reflecting on how much the world has changed during this time, and how we as a company have adapted to our changing world. One area that has evolved significantly is critical infrastructure. Many of these critical systems were built long before the Internet became the backbone of our world economy, yet are now online through Industrial Control Systems (ICS).

Industrial Control Systems are empowering industries to monitor and control critical infrastructure remotely over the internet. This provides great convenience in terms of control management, allowing for a distributed workforce with real-time monitoring and control. This convenience also creates a big security concern, producing a real need for security testing, auditing, and monitoring.

Cyber-attacks loom over the head of manufacturing industries, while new security risks are also developing. Companies have their traditional risks which include losing employee/consumer data, and corporate secrets (e.g. patents, intellectual property, new projects, future development and design plans, etc.), with losses occurring via physical security weaknesses, network compromise, social engineering, and other types of network breaches.

Automation Creates New Security Challenges

With the expansion of integrated technology in the industrial sector, there is a huge surge in demand for automation and a growing adoption of autonomous-operating heavy machinery. These improvements in manufacturing create a new cyber security challenge for industries because cyber-attacks could go beyond an organization’s data privacy and breach operational security, which could threaten the safety of individuals onsite.

The threat to ICS security is real, and it has government attention given the importance of our critical infrastructure. That’s why the Department of Homeland Security has created a task force called “The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)”.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.

The Department of Homeland Security, on its ICS-CERT page, has a full-page list of recommended best practices to safeguard Industrial Control Systems: https://ics-cert.us-cert.gov/Recommended-Practices.

So, what are these best practices? To be honest, they’re not very different from the Enterprise Network & Perimeter security best practices. To save you the hassle of reading hundreds of documents, I’ve done the hard work, categorizing the key pieces into a high-level, commonsense security grouping, listed here:

Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

  • Establishing Network Segmentation, Firewalls, and DMZs
  • Firewall Deployment on SCADA and Process Control Networks

Remote Access for Industrial Control Systems

  • Authentication, Authorization, and Access Control for Direct and Remote Connectivity
  • Use of VPNs and Encryption in Securing Communications
  • Securing Wireless Connections
  • Placement and Use of IDSs and IPSs

Patch Management for Control Systems

  • Patch and Vulnerability Management
  • Enterprise Password Management
  • Computer Security and Privacy Controls
  • Securing Control System Modems

Establishing a Secure Topology and Architecture

  • Applying and Complying with Security Standards
  • Ensuring Security when Modernizing and Upgrading
  • Establishing an Industrial Automation and Control Systems Security Program
  • Establishing a Control System Security Procurement Requirements Specifications

Establishing and Conducting Asset, Vulnerability, and Risk Assessments

  • Understanding and Analyzing Critical Infrastructure Interdependencies
  • Common Vulnerabilities in Critical Infrastructure Control Systems
  • Penetration Testing of Industrial Control Systems

Security Training 

  • Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators

Creating Cyber Forensics Plans for Control Systems

  • Developing an Industrial Control Systems Cybersecurity Incident Response Plan

The biggest security challenge one faces is often where to start. While the in-depth details have their place, you need a palatable amount of information to begin the security journey.

I hope you found this information helpful and can use this list to logically implement security and incident handling into your industrial control systems environment.

If you find you are looking for an extension to your security team, or have a need for third party testing, SecurityLabs™ is here to help: http://www.spirent.com/Global-Services/SecurityLabs.

