There’s a pressing need to improve cyber security in Industrial Control Systems (ICS) environments to avoid future breaches that could adversely impact Critical National Infrastructure (CNI). That’s the firm belief of CREST*, the not-for-profit accreditation body representing the technical information security industry, as outlined in the organisation’s latest position paper entitled ‘Industrial Control Systems: Technical Security Assurance’.
The detailed report highlights a number of challenges and suggests more technical security testing has a significant role to play in ensuring that higher levels of security assurance are met. The document draws on the diverse views of both the ICS and technical security communities and proposes a model for gaining greater assurance in ICS environments, with the final report based on the detailed findings of a research project which looked to set out the main challenges and possible solutions for protecting ICS (many of which are based on legacy technologies).
One of the key findings in the report is the absence of periodic standards-based technical security testing that’s commonplace in many other industries. As a result of this, ICS environment owners and operators have no objective way of knowing whether or not cyber risk is being adequately managed and, at present, there’s no definitive standard for testing ICS environments that’s mandated by regulatory bodies. The fact that ICS environments are rapidly changing also leads to a higher degree of exposure.
“ICS environment owners require assurances that risk is being identified, assessed and evaluated,” explained Ian Glover, president of CREST. “Above all else, they need to know that there are appropriate measures in place to manage and mitigate risk. Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It’s clear that ICS environments are more sensitive than conventional IT environments. On that basis, any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”
Glover went on to state: “This position paper is supporting the work CREST is conducting in many parts of the CNI in the roll-out of intelligence-led penetration testing.”
A spokesperson for the National Cyber Security Centre commented: “We believe this position paper provides a valuable contribution to current thinking on this challenging topic. We look forward to working with CREST, as well as ICS operators and members of the cyber security sector, in order to make the UK the safest place in which to live and do business online.”
The position paper is for organisations in both the private and public sectors and is mainly targeted at IT managers, information security managers and technical security testing specialists. It will also be of interest to process engineers, safety specialists, business managers, procurement specialists and IT auditors.
CREST is now looking to expand on this initial ICS research and develop detailed guidance material that can be used by specialists to help secure ICS environments and, in particular, those that make up the UK’s CNI.
**CREST provides internationally-recognised accreditation for organisations and individuals offering penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo regular and stringent assessment procedures, while CREST-qualified individuals have to pass rigorous examinations in order to demonstrate their ongoing knowledge, skill and competence. CREST is governed by an elected executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security sector