ICS/IIoT taxonomy needed for cybersecurity
Many events and data points show that even people knowledgeable in industrial control systems (ICS) and security have difficulty communicating with each other because we have different views and experiences of what an ICS is.
The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report. The report stated that “42% of all machines had regular or full-time Internet connections,” and based on the other statistics, a large percentage of that 42% were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/human-machine interfaces (HMIs).
On the surface, that sounds crazy. We see almost no direct internet access from industrial control system (ICS) computers and certainly these computers are not receiving email. Even taking into account that clients are obviously security conscious, since they are hiring an expensive consultant to help them, those numbers were ludicrous.
On second thought, the computers that Kaspersky was monitoring likely were under the broad ICS definition. They likely included building automation systems, which are often on the corporate network, and are considered low-value ICS. This is a far cry from the ICSs that run power plants, pipelines, large manufacturing plants, large water systems, and more.
This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy.
There are even more important areas where this large ICS category inhibits effective communication and action, including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.
DHS decided that medical devices, including those implanted in humans, are ICS. It’s going to be very difficult to proceed with solutions that encompass both an implanted medical device and a turbine DCS and safety system, except in the broadest, and not particularly helpful, way.
I’ve had an ongoing disagreement with ARC on their term Industrial Internet of Things (IIoT). At first I thought they coined this to cover IoT devices and systems that connect with what was traditionally called ICS. No. IIoT, in their definition, includes everything that existed in the ICS world plus everything new in the IoT world that is industrial-related. ICS and IIoT are likely here to stay and are as good as any to describe a broad category similar to the term enterprise. They are not sufficient or helpful for productive discussions. Something more specific is needed.
The taxonomy doesn’t need to be perfect or overly detailed; its purpose is to assist in effective communication.
Here are some possible categories:
- Value–What would be the consequence if integrity or availability of the ICS/IIoT is compromised?
- Architecture–Classic Purdue model, IoT, classic + cloud?
- Maturity of ICSsec program–Huge difference in what should be done based on maturity. This is one of the biggest issues today, with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
- Sector/system type–This is the most obvious category. There are some sectors and systems that are homogeneous while others, such as chemical manufacturing, have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, that Sector 2 systems should deploy these security controls or face these threats.
This is far from a complete list of possibilities.
The bundling of more and more sectors and systems into the ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS.
We need an ICS/IIoT taxonomy.
Dale Peterson is the founder, chief executive and head catalyst of industry security provider Digital Bond. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.