CREST report highlights need to improve cyber security in Industrial Control Systems

There’s a pressing need to improve cyber security in Industrial Control Systems (ICS) environments to avoid future breaches that could adversely impact Critical National Infrastructure (CNI). That’s the firm belief of CREST*, the not-for-profit accreditation body representing the technical information security industry, as outlined in the organisation’s latest position paper entitled ‘Industrial Control Systems: Technical Security Assurance’.

The detailed report highlights a number of challenges and suggests that more technical security testing has a significant role to play in ensuring that higher levels of security assurance are met. The document draws on the diverse views of both the ICS and technical security communities and proposes a model for gaining greater assurance in ICS environments. The final report is based on the detailed findings of a research project that set out the main challenges and possible solutions for protecting ICS, many of which are based on legacy technologies.

One of the report’s key findings is the absence of the periodic, standards-based technical security testing that is commonplace in many other industries. As a result, ICS owners and operators have no objective way of knowing whether cyber risk is being adequately managed, and at present no definitive standard for testing ICS environments is mandated by regulatory bodies. The pace of change in ICS environments further increases their exposure.

“ICS environment owners require assurances that risk is being identified, assessed and evaluated,” explained Ian Glover, president of CREST. “Above all else, they need to know that there are appropriate measures in place to manage and mitigate risk. Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It’s clear that ICS environments are more sensitive than conventional IT environments. On that basis, any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”

Glover went on to state: “This position paper is supporting the work CREST is conducting in many parts of the CNI in the roll-out of intelligence-led penetration testing.”

A spokesperson for the National Cyber Security Centre commented: “We believe this position paper provides a valuable contribution to current thinking on this challenging topic. We look forward to working with CREST, as well as ICS operators and members of the cyber security sector, in order to make the UK the safest place in which to live and do business online.”

The position paper is for organisations in both the private and public sectors and is mainly targeted at IT managers, information security managers and technical security testing specialists. It will also be of interest to process engineers, safety specialists, business managers, procurement specialists and IT auditors.

CREST is now looking to expand on this initial ICS research and develop detailed guidance material that can be used by specialists to help secure ICS environments and, in particular, those that make up the UK’s CNI.

*Access the full report here:

**CREST provides internationally-recognised accreditation for organisations and individuals offering penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo regular and stringent assessment procedures, while CREST-qualified individuals have to pass rigorous examinations in order to demonstrate their ongoing knowledge, skill and competence. CREST is governed by an elected executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security sector.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
