Key security components and strategies for industrial control systems

Back to Basics: Industrial control systems (ICSs) are becoming a more frequent target for cybersecurity attacks, and companies working in vital industries need to take steps to prevent or reduce the risk of a catastrophic event. See five drivers of and eight ways to support ICS cybersecurity.

11/08/2016


Understanding risk management is key to managing the threat environment for an industrial control system (ICS). Courtesy: Anil Gosine, MG Strategy+

Significant security risks and attacks against industrial control systems (ICSs) are growing in volume, and comprehensive solutions are needed. The financial and legal ramifications of breached ICSs are mounting across the world, and regulators are increasingly interested in a company's ability to defend against cyber attacks. The fragmentation of partial solutions and the complexity of integrating them are becoming a cost and a risk that owners want to mitigate.

Threats and cyber incidents—malicious and accidental—against ICSs occur every day. These systems are a critical part of the infrastructure that facilitates operations in vital industries such as power generation, oil and gas, transportation, pharmaceutical, and chemical. In the past, ICSs operated in an environment that appeared safer because they were physically isolated and used proprietary control protocols with customized hardware and software. 

Five cybersecurity drivers

Cybersecurity solutions are increasingly designed for operations and policies, and there are five key constituents that can drive targeted solutions for ICSs:

  1. Audit and application of security policies and procedures developed specifically for the control system network and its devices
  2. Access control through the local area network (LAN), wide area network (WAN), and physical perimeters complemented with secure data transfers
  3. Threat detection of abnormal and malicious activities at all levels
  4. Risk management and mitigation against possible attack with an installed security suite designed to enhance and regulate the ICS without disrupting the controlled process
  5. Resolve key security problems that require an intrinsic relationship with vendors.

The ICS represents the core of production, which means the cybersecurity processes must address internal and external threats with multiple layers of defense that mitigate against various risks.

Initiatives by ICS vendors to reduce security risks to control systems in response to growing cybersecurity concerns are resulting in automation professionals being more effective in securing their industrial processes. However, ICS vendors and automation professionals must be committed to providing a set of products and services that mitigate risks and provide security for production assets. In addition, the information silos that exist within organizations mean information is rarely shared. Comprehensive solution providers will acquire, integrate, and facilitate the adoption of cybersecurity technologies and deliver the product to end users.

Because ICSs are prone to cyber attacks and are being targeted with increasing frequency, automation vendors are working with information technology (IT) security service providers to develop stronger solutions. While many of the vulnerabilities are technology-based, it is worth noting that some weaknesses stem from a lack of personnel or a lack of awareness. These changes may require cultural shifts and collaboration mechanisms to reduce mistakes caused by human error.

An organization's risk management practice must be proportionate to the risks present. Organizations should not be asking, "Is there a risk," but rather "Which risks do we face and what is the level of investment to mitigate against them?" Educating executives and staff has not kept pace with the continually changing cybersecurity threats. Corporations must get involved in workgroups that discuss the current cybersecurity situation in their sector, describe key strategic elements to increase their security posture, and support workers with tools and guidance.

While the industrial sector is slowly recognizing there is a greater cybersecurity risk for ICSs, risk management is difficult due to the high costs linked to each risk and a lack of historical statistics to determine the probability of the scenario occurring. Companies must have cost-effective and efficient solutions that will keep industrial facilities safe. This is critical to the global economy.

This is why organizations must have their policies and procedures in place with security designed and implemented within the ICS environment before any further integration into other networks. The business case, security posture, and risk management plan determine the protocols and methodology for systems integration.

Another factor to consider from this systemwide integration is that IT security professionals do not properly understand the industrial processes that utilize the ICS, and ICS professionals do not properly understand today's IT security risks. This can result in a lack of awareness and safeguards that will take away from the benefits that were sought through the integration of the business and control systems when one major ICS incident occurs.

Cybersecurity support

With that in mind, the following objectives should be met to support the ICS' security components:

  1. A framework that provides an overview and identifies the core elements
  2. Corporate-level governance to ensure security risks are managed consistently and appropriately
  3. Thorough understanding of the risks that are faced and ability to justify the mitigation response needed
  4. Management of the ICS lifecycle that follows a security engineering process
  5. Improved ICS security awareness throughout the organization
  6. Continuous review of security protection measures that can be selected and implemented
  7. Procedures that deliver a sufficient response to new vulnerabilities and changes to the threat environment
  8. Effective management of third-party risks that can have an impact on the organization.

Anil Gosine is global program manager at MG Strategy+. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

MORE ADVICE

Key concepts

  • Comprehensive solutions are needed to prevent attacks against industrial control systems (ICSs).
  • Automation vendors are working with information technology (IT) professionals to craft potential solutions.
  • There is a lack of understanding between IT and ICS professionals, and that can lead to security issues.

Consider this

What else can be done to close the gap between ICS and IT professionals?
