Three steps for performing an ICS security audit

Companies looking to protect an industrial control system (ICS) should audit their assets, network, and data flows to better determine how safe a system is, and what more needs to be done.

By Emmett Moore III, Red Trident; Jeff Bates, PTC August 4, 2018

The threat landscape for industrial automation and Industrial Internet of Things (IIoT) systems is evolving as connectivity between disparate devices and networks grows. It is crucial that organizations plan and execute effective defense-in-depth (DID) strategies and invest in the continued evaluation and adjustment of their security measures.

According to Symantec’s 2018 Internet Security Threat Report, there’s been a 29% increase in industrial control system (ICS) related vulnerabilities over the past year. Given the valuable and safety-critical processes these systems connect and control, security breaches can have expensive, wide-reaching, and dangerous implications. Malicious actors have several options for attack once they gain access to an ICS. These include loss of view, manipulated view, denial of control, manipulation of control, and finally loss of control. These attacks can result in varying consequences that range from minimal interruption to dangerous failures and extended outages. Regardless of initial impact or severity, an unauthorized entry provides opportunity for damage to a company’s bottom line (through downtime, loss of intellectual property, and/or loss of market share) and to the safety of its employees and the general public.

With so much at stake, it can be overwhelming to know where to begin. By analyzing ICS assets and processes, companies will better understand threats to safety, reliability, and security. A security audit is a good place to start and should include these three simple steps:

1. Inventory the assets

While it seems simple, most operators do not have a complete view of the assets they need to protect, such as programmable logic controllers (PLCs), human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and others. Categorize assets into classes with common properties and understand the data attributes of each asset. This exercise is a critical starting point because if companies don’t know what they need to protect, they won’t be able to protect it.

2. Inventory the network

Asset inventory will enable companies to understand the physical assets that are connected to the network. The next step involves understanding how those assets are connected through networking architecture and configuration. Understanding the paths data can take shows how an attacker could get access to this data. A physical and logical map of the enterprise’s network will set companies up for success in the third step of the security audit.

3. Inventory the data flows

Understanding data flows is critical. Because many protocols used in industrial automation do not have options for securing traffic, many attacks can be executed without any exploit, simply by having access to the network and understanding the protocol. Documenting the port, protocol, end-points, and timing requirements (deterministic or not) of each flow shows where data needs to flow over the network assets identified in step 2.

Team members who design and maintain the ICS and the networking infrastructure can do these steps. With these steps complete, there is knowledge of assets, how they are connected, and how data flows across the network to and from each end-point. To get in, attackers would have to violate one of these three known domains. They would need to:

  • Add a new asset to the network
  • Modify the network configuration to gain access to various layers of the network
  • Manipulate an existing device to talk with a new end-point and create a new data flow
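The three inventories above become useful for detection once they are written down as a baseline that observed traffic can be compared against. The following Python script is an added example, not code from the article or its authors: it holds a constructed asset inventory (step 1), a constructed set of allowed zone-to-zone connections (step 2), and a constructed list of expected flows (step 3), then checks constructed sample flow records against them and reports exactly the three kinds of violation listed above: an unknown asset, a connection that crosses the network architecture in a way the map does not allow, and a new data flow between known devices. All addresses, zone names, ports, and log lines are invented sample data; the log format is a hypothetical key=value layout chosen for the example.

```python
"""Baseline-deviation check built from the three ICS audit inventories.

Added example with constructed sample data (addresses, zones, ports and
log lines are all invented); it is not the article's own code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Step 1: asset inventory (constructed). IP -> (asset class, network zone)
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.0.1.10": ("PLC", "cell"),
    "10.0.1.11": ("PLC", "cell"),
    "10.0.2.20": ("HMI", "supervisory"),
    "10.0.2.21": ("SCADA", "supervisory"),
    "10.0.3.30": ("Historian", "dmz"),
}

# Step 2: network inventory (constructed). Which (source zone, destination
# zone) pairs the architecture allows traffic between.
ALLOWED_ZONE_PAIRS: Set[Tuple[str, str]] = {
    ("cell", "cell"),
    ("supervisory", "cell"),
    ("cell", "supervisory"),
    ("supervisory", "supervisory"),
    ("supervisory", "dmz"),
}

# Step 3: data-flow inventory (constructed). (src, dst, proto, dst_port)
BASELINE_FLOWS: Set[Tuple[str, str, str, int]] = {
    ("10.0.2.20", "10.0.1.10", "tcp", 502),   # HMI polls PLC (Modbus/TCP)
    ("10.0.2.21", "10.0.1.10", "tcp", 502),   # SCADA polls PLC
    ("10.0.2.21", "10.0.1.11", "tcp", 502),   # SCADA polls second PLC
    ("10.0.2.21", "10.0.3.30", "tcp", 5432),  # SCADA writes to historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    kind: str   # "new_asset", "zone_violation" or "new_flow"
    flow: Flow


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the hypothetical 'k=v k=v ...' log layout."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"],
                fields["proto"].lower(), int(fields["dport"]))


def check_flow(flow: Flow,
               assets: Dict[str, Tuple[str, str]] = ASSETS,
               zones: Set[Tuple[str, str]] = ALLOWED_ZONE_PAIRS,
               baseline: Set[Tuple[str, str, str, int]] = BASELINE_FLOWS
               ) -> List[Finding]:
    """Compare one observed flow against the three inventories."""
    findings: List[Finding] = []
    src = assets.get(flow.src)
    dst = assets.get(flow.dst)
    # Violation 1: an end-point that is not in the asset inventory.
    if src is None or dst is None:
        findings.append(Finding("new_asset", flow))
        return findings  # zone and flow checks need two known end-points
    # Violation 2: traffic crossing zones the network map does not connect.
    if (src[1], dst[1]) not in zones:
        findings.append(Finding("zone_violation", flow))
    # Violation 3: known devices talking over a flow not in the baseline.
    if (flow.src, flow.dst, flow.proto, flow.dst_port) not in baseline:
        findings.append(Finding("new_flow", flow))
    return findings


def audit_flows(lines: Iterable[str]) -> List[Finding]:
    """Run every record through check_flow and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(check_flow(parse_flow_line(line)))
    return findings


# Constructed sample records; the comments state the expected verdict.
SAMPLE_LOG = [
    "src=10.0.2.20 dst=10.0.1.10 proto=TCP dport=502",    # in baseline
    "src=10.0.9.99 dst=10.0.1.10 proto=TCP dport=502",    # unknown asset
    "src=10.0.3.30 dst=10.0.1.11 proto=TCP dport=502",    # dmz->cell, new flow
    "src=10.0.2.20 dst=10.0.1.11 proto=TCP dport=44818",  # zones ok, new flow
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_LOG):
        f = finding.flow
        print(f"{finding.kind:15} {f.src} -> {f.dst} {f.proto}/{f.dst_port}")
```

The zone check stops early when an end-point is unknown, because a device that is not in the asset inventory has no zone to evaluate; the first finding for such a record is the only one that matters until the inventory is corrected. Timing requirements from step 3 are not modelled here, since the constructed records carry no timestamps; a real baseline would add the expected polling interval to each flow entry.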

With security, there is no "set it and forget it." Within this constantly evolving threat landscape, the best practices of yesterday are no longer adequate. By starting with a security audit, companies gain essential insights into the assets and data flows within an ICS, readying them to implement a defense-in-depth, ICS cyber security program. With revenue, intellectual property (IP), and human safety on the line, it’s more critical than ever that necessary measures be taken to improve ICS security.

Emmett Moore III, CEO, Red Trident Inc.; Jeff Bates, product manager, PTC. Edited by Chris Vavra, production editor, Control Engineering, CFE Media.


KEYWORDS: cybersecurity, industrial control systems, ICS

Cybersecurity attacks against industrial control systems (ICSs) are increasing.

Performing an ICS security audit can help with asset assessment and show where improvements are needed.

An ICS security audit can be performed by any team member involved in maintaining the system or the network infrastructure.

Consider this

What is the most important step when performing an ICS security audit?


Symantec, "Internet Security Threat Report, Volume 23," April 2018.