Industrial Control Systems: Securing The Heartbeat of Critical Infrastructure

Industrial Control Systems (ICS) are a specialised set of physical and cyber systems that drive production for critical infrastructure industries such as power generation and distribution, oil production and refining, chemical manufacturing and more, observes Mark Carrigan.

ICS include field instruments (sensors and actuators), Distributed Control Systems, Programmable Logic Controllers, Supervisory Control and Data Acquisition, process historians, process analytical systems and other applications that are used to both control and optimise industrial operations. Companies have invested billions in ICS that provide the heartbeat of operations. Without the ICS, companies simply cannot generate products.

For many years, cyber security for ICS was something of an afterthought. Security investments focused on the IT assets that drive business processes and personnel productivity. The primary objective for IT cyber security is to protect Intellectual Property and ensure availability of the IT assets. ICS were not considered to be a target because they were obscure, isolated from the IT networks and generally not of interest to hackers. All of that has changed.

Companies now realise there’s a serious risk to their ICS assets. There have been numerous documented attacks on ICS that have caused economic damage (and many more undocumented as companies are reticent to share this information). Additionally, threats are no longer isolated to unsophisticated, part-time hackers. Nation States have either directly or indirectly sponsored ICS cyber security infiltrations. The critical infrastructure industries have woken up to the fact that they must focus investments to secure their critical ICS assets. 

IT versus OT: technology and mission differences

While ICS is made up of computer hardware and software (like IT assets), there are important differences between their underlying technology and missions as summarised in the following table.

IT Assets ICS Assets
General versus Specific Missions Many IT assets, such as personal computers, deliver multiple functions and capabilities, such as e-mail communication and spreadsheets. Users have more leeway to customise and change applications ICS assets perform specific, highly-engineered and controlled tasks, such as regulating pressure in a vessel or converting feedstock into chemical products. Design and changes must be carefully managed
Security versus Availability In IT, security trumps availability. Interrupting services to remediate critical vulnerabilities is common In ICS, availability trumps security. Remediating vulnerabilities is often postponed, ensuring there’s no interruption in production
New versus Old IT assets have a relatively short life. Computers, servers and network devices are often replaced on a three-to-five year lifecycle, making it easier to deploy technologies that improve security ICS assets are long-lived, often greater than 30 years. These systems were designed to ensure reliability, not security. The expense in replacing these systems makes it difficult to justify an upgrade strictly for security purposes
Homogeneous versus Heterogeneous IT devices are relatively similar – it’s easier to collect information from these systems and deploy ‘one-size-fits-all’ security applications ICS devices are highly proprietary and different from vendor to vendor and from product to product. It’s more difficult to deploy security technologies as they can pose a threat to system reliability

Understanding these differences is key to developing a programme that will identify and reduce security risks in an ICS environment. Many of the security Best Practices that are ubiquitous in IT can be adopted in the ICS environment, but must be modified to address the differences in both the technology and the primary mission. 

ICS Security: start with the basics

When developing a plan for ICS cyber security, it’s best to start with the basics that are the foundation for any security programme. Other technologies and advanced applications can be considered, but should be implemented upon a solid foundation.

(1) Risk-Based Security Framework

Cyber security has become another risk to manage for industrial operations. There’s no way to eliminate the possibility of a cyber attack. Companies can only reduce the likelihood of a successful attack and implement systems designed to minimise the impact of any breach.

Most companies have implemented processes and procedures to manage risk, especially as it relates to safety. Industries such as oil and gas, refining, petrochemicals, power and mining have inherent safety risks – the impact of an incident can result in serious economic damage or loss of life. These companies rely upon systems (such as the ICS) and procedures to decrease the risk and impact of safety incidents. Many of these safety practices can be applied to ICS cyber security in order to identify and remediate risk.

A comprehensive risk-based approach towards ICS cyber security should include the following:

*ICS Risk Assessment: Identify the primary security risks to the ICS assets

*Leverage Process Hazard Analysis, Layers of Protection Analysis and other safety Best Practices to identify the potential consequences of a cyber breach. In most cases, the negative outcomes associated with process risk can also be used to identify the systems requiring the greatest security controls

*’What If?’ Scenarios: Cyber security, much like process safety, is a journey not a destination. Companies need the ability to conduct ‘What If?’ scenarios to determine which security investments can deliver the greatest risk reduction. As an example, a company may want to compare the relative risk reduction of further segmenting its networks with the installation of firewalls compared to implementing a vulnerability management programme

(2) Inventory

You cannot secure what you cannot see. Companies must be able to detect and manage all assets on their ICS networks. This issue is complicated because the discovery of inventory for the ICS is considerably more difficult when compared to IT assets.

ICS systems are highly propriety and traditional IT technologies cannot discover a compressive inventory list, including all hardware, software and firmware in use. Companies should consider technologies specifically designed to capture and manage ICS inventory and not re-purpose IT technology that may not fit the task.

(3) Vulnerability Management

Identifying and mitigating vulnerabilities is critical to any security programme. Companies must have a way to discover ‘known’ published vulnerabilities, as well as search for vulnerabilities that are not published (such as a notification from an automation vendor that has been made known only to specific users).

Today, many companies rely on an ‘open loop’ communication process to notify their user communities of vulnerabilities and hope they act to remediate them. A comprehensive inventory, along with the ability to match that inventory to a vulnerability database, can provide a comprehensive ‘closed loop’ process to identify vulnerabilities.

Additionally, vulnerability remediation cannot be ‘pushed out’ automatically. Patching and other processes must be carefully planned to ensure system reliability and not interfere with production any more than is necessary.

(4) Policies and Security Management

As mentioned previously, ICS systems are highly engineered to perform specific tasks. Any potential change should be carefully evaluated and implemented. In studying successful cyber attacks, economic loss occurred when the intruders were able to take control and make undesired changes to the configuration of the ICS. A comprehensive security programme should include procedures and technologies to set configuration policies, audit the ICS assets against these policies and manage change comprehensively to ensure the detection of all changes and the investigation of any changes that are not part of an approved work process.

A change tracking and management programme can also enhance the recovery strategy. In the case of a breach, companies will know exactly what changed over a given time period, subsequently allowing them to quickly revert the systems back to a safe configuration.

Heartbeat of industrial operations

Mark Carrigan

Mark Carrigan

ICS assets are the heartbeat of industrial operations. they drive production and provide key safety functions to prevent accidents. If an ICS fails, companies cannot generate products. It’s as simple as that.

Over the years, sophisticated threat actors have targeted and infiltrated ICS systems to cause economic harm. ICS asset protection requires the application of cyber security Best Practice, but their different missions, complexity and proprietary nature means that applying cyber security Best Practice is more difficult in the ICS space when compared to IT assets.

Companies must account for these differences when designing a security programme for their most critical assets.

Mark Carrigan BEng (Hons) is Chief Operating Officer at PAS

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts