What is ICS Security?
ICS (or Industrial Control System) Security is growing in importance as cyber-attacks increasingly focus on physical processes for either ransom or to cause harm to critical production systems. Attacks such as those at the Oldsmar water treatment plant, the various ransomware attacks on the vaccine supply chain, and the more extensive threats to the Ukrainian and US power grids and oil refineries in the Middle East generate greater worry for boards, governments, and operators of industrial organizations.
What is ICS security?
To begin, “What is ICS Security”? ICS security is defined as the protection of industrial control systems from threats from cyber attackers. It is often referred to as OT security or security. It includes a wide range of practices including:
- Asset inventory and detection
- Vulnerability management
- Network intrusion protection and detection
- Endpoint detection and response
- Patch management
- User and access management
ICS security differs from traditional IT security in several ways:
- The type of devices protected are often sensitive to unintended changes or interaction, including a whole new class of OT assets known as embedded equipment, and are typically much older than IT systems.
- Risks are not only to information confidentiality but especially to the availability and integrity of the process or safety to personnel and property.
- The remediation of risks requires different techniques because of the differences in types of devices.
What is an industrial controls system? This is a broad category of computing systems sometimes referred to as “Operating Technology” or “SCADA” or “Cyber-Physical Systems”.
Industrial control systems specifically focus on industrial processes or automation rather than other operating systems such as building controls, medical devices, etc. Industrial control systems provide the components that ensure proper and continuous operation of a wide range of industrial systems — from power to water to manufacturing and beyond. They provide control over the inputs and outputs of key elements in an operational or physical process. The processes are often adjustable in real-time to ensure proper and safe operation. They often include the safety systems themselves to ensure shutdown in case of processes getting out of certain boundaries of performance.
Historically, these systems were separated from traditional IT networks and used a wide range of specialized components. More and more, these OT systems integrate with IT to increase operational efficiency and reduce the total cost of ownership. As a result, cybersecurity threats increase as formerly “air-gapped” systems, becoming more integrated into the internet-connected components of the enterprise IT environment.
Why do we need ICS security?
So this question is obvious at one level — ICS security is critical because these systems are under attack and the consequences of compromise are significant financially, operationally, and safety-wise. But, why do we need a separate category of security to address these types of systems? Why not just replicate what we’re doing in IT security?
First, the devices themselves create challenges for traditional IT security processes and technology. A sample of devices includes old versions of Windows such as Windows XP or Windows 7, a wide range of embedded devices such as PLCs, controllers, relays, sensors, etc., industrial (and traditional IT) networking equipment, and more. These devices require a different approach to security from the modern, updated, OS-based, or cloud-based devices in today’s IT stack.
Second, the potential impacts are different. In most IT cyber security efforts, the priorities are Confidentiality-Integrity-Availability, in that order. In the ICS world, the greatest risks are to the safety of people and property, followed by availability and integrity. Information confidentiality, while perhaps of some importance, pales relative to these others. As a result, the focus of risk management must also adjust.
Third, incident detection and response require specific knowledge of the systems affected. In many senses, IT systems are commodities with specific functions but are commonly grouped and analyzed with a wide range of available detection rules. Similarly, when responding to a threat, there are a variety of safe and effective actions to take uniformly and automatically. However, industrial control systems behavior is unique — often to that particular process. In addition, the response must be measured and handled in a way that does not cause more harm than good by stopping the expected operational process inappropriately.
Finally, to secure ICS safely and with operational resilience, specific knowledge of control systems and security is required, which is a unique combination in even shorter supply than the stretched IT security resources. Industrial control systems were designed years or decades ago and there is a shortage of skilled personnel that understands them. To secure ICS, the industry needs to join IT security capabilities to these people with knowledge of the systems.
As a result of these four factors, industrial control systems security must adapt a unique approach from our traditional IT security practices and technology.
How do we achieve ICS security?
This topic is worthy of much more than a blog post. Please visit our website at www.verveindustrial.com for a comprehensive set of materials on how to achieve critical functions in ICS security. As an initial installment, there are three key elements to make significant progress towards a more secure ICS infrastructure.
Establish an objective and design an ICS security program
The first step in robust ICS security is to establish the goal you are trying to achieve. The great news is that there is a range of standards out there — CIS Top 20, NIST CSF, IEC 62443, etc.
Across working with dozens of clients throughout their ICS security journey, often the biggest stumbling block is defining the destination. Many companies struggle because they pursue a specific initiative — network segmentation, network intrusion detection, asset visibility — for short-term gain. Success in industrial security requires a true program that brings together an integrated set of actions. Selecting a standard and focusing on delivering against it is the best way to make meaningful, measurable progress.
Bring IT and OT together to develop an ICS security solution that works for both
We often see this as “IT is going to lead.” Or “ICS/OT will determine what will work at this plant”. ICS is different, as said above, and the right answer is not just to employ the same tools and processes as in IT. By the same token, IT security has a lot to bring to the table in knowledge and capabilities — as well as the need to have a consistent measurement for the board and other stakeholders. It is critical to bring the two groups together to make this happen.
Leverage a security platform, rather than a series of individual tools
Of course, we have a stake in this game, but we truly believe that this is the only way to deliver true ICS security efficiently. In fact, Gartner analysts agree, stating “Solutions that offer multiple valuable features easily deploy, can be easily explained to operations as not adding additional risk, and are interoperable with other security tools are preferred.” Gartner highlights the benefits of a platform approach in their Market Guide for Operational Technology Security which includes lower total cost-of-ownership and better prioritization and remediation of risks.
Verve is one such platform that you can learn more about here. But regardless if it is Verve or another security vendor, find a platform that can bring the key requirements of ICS security together in a way that is both safe and effective in ICS, but also delivers the same quality and measurement as IT security.
Industrial control system security does not have to be a black box. You can apply many of the same principles as IT security, but it needs to be done with a platform that can address those unique challenges highlighted earlier in this blog.
John Livingston, CEO
Originally published at https://verveindustrial.com/resources/blog/what-is-ics-security/