Key security components and strategies for industrial control systems

Back to Basics: Industrial control systems (ICSs) are becoming a more frequent target for cybersecurity attacks, and companies working in vital industries need to take steps to prevent or reduce the risk of a catastrophic event. See five drivers of and eight ways to support ICS cybersecurity.

11/08/2016


Understanding risk management is key to managing the threat environment for an industrial control system (ICS). Courtesy: Anil Gosine, MG Strategy+

Significant security risks and attacks against industrial control systems (ICSs) are growing in volume, and comprehensive solutions are needed. The financial and legal ramifications of breached ICSs are mounting across the world, and regulators are increasingly interested in a company's ability to defend against cyber attacks. The fragmentation of partial solutions and the complexity of integrating them are becoming a cost and a risk that owners want to mitigate.

Threats and cyber incidents—malicious and accidental—against ICSs occur every day. These systems are a critical part of the infrastructure that facilitates operations in vital industries such as power generation, oil and gas, transportation, pharmaceutical, and chemical. In the past, ICSs operated in an environment that appeared safer because they were physically isolated and used proprietary control protocols with customized hardware and software. 

Five cybersecurity drivers

Cybersecurity solutions are increasingly designed for operations and policies, and there are five key constituents that can drive targeted solutions for ICSs:

  1. Audit and application of security policies and procedures developed specifically for the control system network and its devices
  2. Access control through the local area network (LAN), wide area network (WAN), and physical perimeters complemented with secure data transfers
  3. Threat detection of abnormal and malicious activities at all levels
  4. Risk management and mitigation against possible attack with an installed security suite designed to enhance and regulate the ICS without disrupting the controlled process
  5. Resolution of key security problems that require an intrinsic relationship with vendors.

The ICS represents the core of production, which means the cybersecurity processes must address internal and external threats with multiple layers of defense that mitigate against various risks.

Initiatives by ICS vendors to reduce security risks to control systems in response to growing cybersecurity concerns are making automation professionals more effective in securing their industrial processes. However, ICS vendors and automation professionals must be committed to providing a set of products and services that mitigate risks and provide security for production assets. And the information silos that exist within organizations mean information is rarely shared. Comprehensive solution providers will acquire, integrate, and facilitate the adoption of cybersecurity technologies and deliver the product to end users.

Because ICSs are prone to cyber attacks and are being targeted with increasing frequency, automation vendors are working with information technology (IT) security service providers to develop stronger solutions. While many of the vulnerabilities are technology-based, it is worth noting that some weaknesses stem from a lack of personnel or a lack of awareness. These changes may require cultural shifts and collaboration mechanisms to reduce mistakes caused by human error.

An organization's risk management practice must be proportionate to the risks present. Organizations should not be asking, "Is there a risk," but rather "Which risks do we face and what is the level of investment to mitigate against them?" Educating executives and staff has not kept pace with the continually changing cybersecurity threats. Corporations must get involved in workgroups that discuss the current cybersecurity situation in their sector, describe key strategic elements to increase their security posture, and support workers with tools and guidance.

While the industrial sector is slowly recognizing there is a greater cybersecurity risk for ICSs, risk management is difficult due to the high costs linked to each risk and a lack of historical statistics to determine the probability of the scenario occurring. Companies must have cost-effective and efficient solutions that will keep industrial facilities safe. This is critical to the global economy.

This is why organizations must have their policies and procedures in place with security designed and implemented within the ICS environment before any further integration into other networks. The business case, security posture, and risk management plan determine the protocols and methodology for systems integration.

Another factor to consider from this systemwide integration is that IT security professionals do not properly understand the industrial processes that utilize the ICS, and ICS professionals do not properly understand today's IT security risks. This can result in a lack of awareness and safeguards that will take away from the benefits that were sought through the integration of the business and control systems when one major ICS incident occurs.

Cybersecurity support

With that in mind, the following objectives should be met to support the ICS' security components:

  1. A framework that provides an overview and identifies the core elements
  2. Corporate-level governance to ensure security risks are managed consistently and appropriately
  3. Thorough understanding of the risks that are faced and ability to justify the mitigation response needed
  4. Management of the ICS lifecycle that follows a security engineering process
  5. Improved ICS security awareness throughout the organization
  6. Continuous review of security protection measures that can be selected and implemented
  7. Procedures that deliver a sufficient response to new vulnerabilities and changes to the threat environment
  8. Effective management of third-party risks that can have an impact on the organization.

Anil Gosine is global program manager at MG Strategy+. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

MORE ADVICE

Key concepts

  • Comprehensive solutions are needed to prevent attacks against industrial control systems (ICSs).
  • Automation vendors are working with information technology (IT) professionals to craft potential solutions.
  • There is a lack of understanding between IT and ICS professionals, and that can lead to security issues.

Consider this

What else can be done to close the gap between ICS and IT professionals?
