ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Implementing Security for Industrial Automation Systems (Part 2)

 

This is Part 1 of a guest post series authored by Ronald L. Krutz, Ph.D., a scientist and consultant specializing in cybersecurity services, and author of the ISA book Industrial Automation and Control System Security Principles. Click this link to read a brief Q&A with the author, including a free PDF excerpt. Click this link to read Part 1 of this blog post series.

 

In a previous blog post, I reviewed areas of industrial control systems that have to be protected and the kinds of threats experienced in the automation industry.  Measures that can be implemented to safeguard industrial control systems have been categorized in the National Institute of Science and Technology (NIST SP 800-82). They include management, operational and technical controls. The controls were listed with a request to match each with one of the three categories.  Here are the answers:

Controls

  • Access control (Technical)
  • Audit and accountability (Technical)
  • Awareness and training (Operational)
  • Identification and authentication (Technical)
  • Maintenance (Operational)
  • Personnel security (Operational)
  • Physical and environmental protection (Operational)
  • Planning  (Management)
  • Risk assessment (Management)
  • Security assessments (Management)

 

Management Controls

Management controls incorporate the topics of risk assessment, planning, system and services acquisition, certification, accreditation and security assessments.

Risk assessment is defined in the NIST Special Publication 800-82 Guide to Industrial Control Systems Security as “the process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.”

Planning refers to the generation of a plan to determine and implement security controls, performing assessments, conducting incident response, and assigning security levels.

Security assessments have the goals of ensuring that the specified controls are properly implemented and functioning as desired.

Operational Controls

Operational controls are those controls that are performed by personnel as opposed to computer systems.

Personnel security includes policies and procedures for personnel position categorization, screening, transfer, penalty and termination.  It also addresses third-party personnel security.  Physical and environmental protection refers to policies and procedures addressing physical, transmission and display access control as well as environmental controls for conditioning (e.g., temperature, humidity) and emergency provisions (e.g., shutdown, power, lighting, fire protection).

Maintenance policies and procedures are applied to manage all maintenance aspects of an information system.

Awareness and training policies and procedures are used to ensure that all information system users are given appropriate security training relative to their usage of the system and that accurate training records are maintained.

 

Click this link to download a free excerpt from the ISA book Industrial Automation and Control System Security Principles.

 

Technical Controls

Technical controls are characterized by implementation through software, hardware or firmware elements.

Identification and authentication is the process of verifying the identity of a user, process or device through the use of specific credentials (e.g., passwords, tokens, biometrics) as a prerequisite for granting access to resources in an IT system.

Access control is the process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.

Audit and accountability refers to the independent review and examination of records and activities to assess the adequacy of system controls to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures.

The application of these management, operational, and technical controls will serve to reduce the risks to industrial automation and control systems and will mitigate vulnerabilities. Threats to these systems have the potential to endanger life, affect regulatory compliance, incur liability, erode public confidence, damage equipment, and result in loss of product.  It is important to understand the relationship and tradeoffs between security and safety and risk analysis can provide the required knowledge to make the proper and effective decisions.  Thus, the process of managing risk considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.

Click this link to read Part 1 of this blog post series.

 

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:

 

About the Author
Ronald L. Krutz has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies and information security training. Dr. Krutz has co-authored 15 books in the area of cybersecurity, authored the book, Securing SCADA Systems, and three textbooks on microcomputer system design, computer interfacing and computer architecture. He holds seven patents in the area of digital systems, and has published more than 30 technical papers.

 

Connect with Ronald
LinkedIn

 


Related Posts

Exploring Zero Trust in Operational Technology

Zero trust has become the top approach for IT security, guiding how organizations worldwide design their ...
Muhammad Musbah Nov 1, 2024 7:00:00 AM

The Role of IoT in Streamlining Communication for Industrial Automation

The Internet of Things plays a vital role in transforming industrial settings. As we usher in Industry 4....
Ainsley Lawrence Oct 29, 2024 7:00:00 AM

Maximize Operator Situation Awareness During Commissioning Campaign

Learning Outcomes Explain the scenario that often occurs during the construction and commissioning of lar...
Daniel O'Duffy Oct 25, 2024 7:00:00 AM