INDUSTRIAL CONTROL SYSTEMS
SECURING THE SYSTEMS THAT CONTROL PHYSICAL ENVIRONMENTS

The digital revolution that transformed both commercial organisations and governments is now affecting systems deployed in the industrial world – and at an equally runaway pace. Such rapid change is leaving many organisations struggling to secure these systems against cyber attacks.

The term Industrial Control Systems (ICS) describes different types of (typically computerised) systems used to operate, control and monitor a broad range of machinery from small, single-purpose devices such as water pumps, to a large infrastructure such as a national railway network. ICS form the bedrock of organisations in industry sectors including utilities, transportation and manufacturing and are often a key constituent of a country’s critical national infrastructure (CNI).

Many ICS are now interconnected with enterprise IT or external networks and are becoming increasingly attractive targets for attackers. Physically, ICS need protection from unauthorised access, interference and damage. But ICS-related information (e.g. commands to control machinery, critical monitoring data and user access credentials) also requires protection as it is key to their operation. The impact of a compromise of the confidentiality, integrity or availability of ICS-related information (e.g. caused by a serious cyber attack) can include severe injuries or fatalities, major disruptions to business operations, substantial financial or operational penalties and significant reputational damage.

The ISF ICS Security Programme has been developed to help Members address these issues and improve the effectiveness of their ICS security arrangements by: defining ICS; highlighting the need to protect ICS; describing how to prepare for the ICS Security Programme; and explaining the steps required to implement the programme effectively.

The three main types of ICS:

‒ A small, simple control system, such as a programmable logic controller (PLC).

‒ A distributed control system (DCS), often incorporating multiple PLCs.

‒ A higher-level supervisory control and data acquisition (SCADA) system, which can comprise combinations of multiple DCSs and PLCs.


In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line. As a result, senior business managers and boards are encountering growing pressure to improve and maintain the security of their organisation’s ICS environments.

This pressure is fuelled by:

‒ significant concerns raised about ICS and cyber risk (e.g. as highlighted by the World Economic Forum)

‒ cyber attackers becoming increasingly sophisticated and well-resourced

‒ the profile and potential for misuse of the Industrial Internet of Things (IIoT)

‒ major and widely publicised cyber security incidents, along with accompanying headline publicity

‒ expanding media coverage of technical ICS security vulnerabilities.

The ISF has developed a flexible and collaborative ICS Security Programme that helps organisations to address these problems and to make effective, sustainable improvements to information security arrangements in their ICS environments.

The programme is supported by a set of ICS Security Review Tools, an ICS Threat Reference Guide and an ICS Security Controls Toolkit.

This practical, risk-based information security programme can be used to evaluate and improve information security for:

‒ individual ICS (e.g. PLC, DCS or SCADA)

‒ groups of ICS that perform a defined function (e.g. in a food processing station, mining equipment, assembly machinery or robot control system)

‒ a full-scale industrial operation (e.g. in a chemical plant, oil refinery or power station).

Information security professionals will need to collaborate with the teams responsible for the systems in ICS environments to set and achieve security targets for ICS and to establish a strong ICS information security-positive culture.

THE MAIN ICS SECURITY PROBLEMS

Figure: ICS environments, showing risks against controls.

Increasing yet unclear level of ICS information risk:

– Inherent ICS design weaknesses

– Many technical ICS security vulnerabilities

– Larger attack surface due to increased connectivity

– Targeting by sophisticated attackers

Constraints in protecting ICS environments:

– Lack of ownership for the protection of ICS environments

– Differing safety and security requirements

– Confusing ICS terminology

– Inadequate knowledge of how to implement ICS security controls

Uncertainty about the security status of ICS environments:

– Unknown extent of security weaknesses in ICS environments

– Inconsistent ICS regulatory landscape

– Heavy reliance on ICS suppliers

THE ISF ICS SECURITY PROGRAMME

Figure: the programme phases (Review, Assess, Protect, Improve), the risks and controls applied to ICS environments, and the supporting ISF resources for each phase.

A. REVIEW ICS security arrangements

– A.1 Evaluate the corporate ICS security approach
– A.2 Identify and record summary ICS details
– A.3 Conduct security reviews of ICS environments
– A.4 Classify ICS environments
– A.5 Specify assessment and protection approaches

Supporting resources: ICS Security Review Tools (ICS Security Diagnostic; ICS Security Summary)

B. ASSESS information risk for target ICS environments

– B.1 Define scope of risk assessment
– B.2 Assess business impact
– B.3 Profile threats
– B.4 Assess vulnerabilities
– B.5 Evaluate and record risks
– B.6 Report main risks
– B.7 Implement risk treatment plans

Supporting resources: IRAM2; ICS Threat Reference Guide

C. PROTECT ICS environments

– C.1 Build technical ICS security architecture
– C.2 Perform ICS security configuration and monitoring
– C.3 Provide ICS security management and assurance

Supporting resources: The Standard of Good Practice for Information Security; ICS Security Controls Toolkit (ICS Security Controls Guide; ICS Standard Reference Table)

D. IMPROVE ICS security arrangements

– D.1 Establish and monitor ICS security improvements
– D.2 Embed ICS security into ‘business as usual’

WHERE NEXT?

The growing need for business leaders to improve and then sustain the security of ICS environments has been brought into sharp focus by recent research from many quarters.

The significant cyber risk concerns raised during research – along with well-publicised cyber security incidents and increased media coverage of ICS security vulnerabilities – clearly demonstrate the urgency that organisations should now attach to improving information security across both ICS environments and the Industrial Internet of Things (IIoT).

To improve the effectiveness of ICS security, organisations should implement a tailored, collaborative and risk-based approach. The ISF ICS Security Programme detailed in this report presents a practical and structured method for enabling actions that deliver advantages over adversaries and competitors alike.

Organisations should also consider the ISF resources related to this report, including The Standard of Good Practice for Information Security, Information Risk Assessment Methodology 2 (IRAM2), Protecting the Crown Jewels: How to secure mission-critical information assets, Securing Critical Infrastructure and Threat Intelligence: React and prepare.

The ISF encourages collaboration on its research and tools. Members are invited to join the vibrant Industrial Control Systems community on ISF Live to share their experience and discuss the findings and recommendations presented in this report.

Consultancy services from the ISF provide Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.

The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].

CONTACT

For further information contact:

Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 [email protected]

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

©2017 Information Security Forum Limited
REFERENCE: ISF 17 12 02 | CLASSIFICATION: Public, no restrictions