This post was written by Jim Gilsinn of Kenexis Security.
The purpose of industrial control system (ICS) cybersecurity is to ensure that the industrial process performs safely and as expected. It should only perform at the right time, for the right people, and for the purposes for which it was designed. Anything outside those conditions is often considered a cybersecurity incident. Small improvements to the system design, network architecture, monitoring strategy, and maintenance policies can solve many problems before they become larger issues.
Reliability and ROI
When broaching the topic of cybersecurity with management, it is important to show some return on investment (ROI). Generally, organizations are not prepared to invest in cybersecurity for cybersecurity’s sake. It may be easier to introduce cybersecurity improvements by looking toward the overall reliability and uptime of the system instead. The reliability and uptime of ICS is a function of safety, security, and performance. A failure in any of those conditions affects the overall reliability of the system, which will affect uptime and production efficiency.
For many industrial processes, safety is king. Companies have learned the hard lessons of not responding to safety issues right away through a number of serious incidents. Organizations have also designed their systems to operate safely, or with inherently safer processes, to lower their potential risk. By reducing the potential consequences in parts of their systems, organizations can reduce the complexity of the countermeasures those parts require.
Security can have a negative or positive effect on reliability and uptime, depending on how it is implemented. Implemented well, for example, it can segment the network, reduce the attack surface of legacy systems, and limit the spread of an incident.
Performance seems like a natural aspect of reliability and uptime, but the root causes of performance degradation or failures may actually be overlooked. Performance problems often present themselves as inconsistent data delivery, halted human-machine interface screens, or jitter in data values. They may be indicators of network infrastructure problems and not the result of malfunctioning devices.
Risk management is an integral part of industrial processes. Balancing the process risks with those for production quantity, quality, and safety is important for industrial organizations. When considering how to manage ICS security risks, learn from existing risk management systems.
Organizations have often analyzed financial, safety, physical security, and business information technology (IT) security risks. The consequences and risk calculations made during those efforts are similar to those for ICS cybersecurity. Generally, the consequences will be the same for the different risk management systems, although the root causes may be different.
When comparing ICS cybersecurity to other risk management systems, consider people, devices, and systems not acting as they should or as they were configured, whether through unintentional events or intentional actions. The failure modes associated with ICS security are slightly different as well:
- Loss of view = condition where a device or system is not receiving information from another device or system
- Manipulation of view = actions by an attacker to change the information between devices or systems
- Denial of control = condition where a device or system is not receiving control signals from another device or system
- Manipulation of control = actions by an attacker to change the control signals sent between devices or systems
- Loss of control = actions by an attacker to combine some or all of the above and deny information and control signals from reaching the proper devices or systems correctly
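The failure modes above, and the performance symptoms described earlier (inconsistent data delivery and jitter in data values), can each be expressed as a concrete check on monitoring data. The following is an added example and is not code from the original post or from Kenexis; the event format, tag names (PT-101, HMI, PLC-1), thresholds, and the sample log are all constructed assumptions for illustration. It runs every check over one log and reports which failure modes are present, treating a combined view-and-control finding as loss of control (a simplification of the definition above).

```python
"""Classify ICS failure modes from a constructed telemetry and command log.

Added example, not from the original post. Event format, tag names,
thresholds and the sample log are all assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GAP_FACTOR = 3.0  # a silence longer than GAP_FACTOR * period counts as loss of view

@dataclass
class Event:
    t: float                      # timestamp in seconds (constructed)
    kind: str                     # "view", "cmd_sent", "cmd_recv" or "cmd_ack"
    src: str
    dst: str
    value: Optional[float] = None
    cmd_id: Optional[int] = None

def view_events(events: List[Event], src: str, dst: str) -> List[Event]:
    """Sensor readings flowing from src to dst, in time order."""
    return sorted((e for e in events if e.kind == "view" and e.src == src and e.dst == dst),
                  key=lambda e: e.t)

def loss_of_view(events, src, dst, period) -> List[Tuple[float, float]]:
    """Intervals in which dst hears nothing from src for far longer than the polling period."""
    vs = view_events(events, src, dst)
    return [(a.t, b.t) for a, b in zip(vs, vs[1:]) if b.t - a.t > GAP_FACTOR * period]

def view_jitter(events, src, dst, period) -> float:
    """Largest deviation of inter-arrival time from the expected period, ignoring outright gaps.
    Growing jitter with healthy devices points at the network path rather than the device."""
    vs = view_events(events, src, dst)
    gaps = [b.t - a.t for a, b in zip(vs, vs[1:])]
    return max((abs(g - period) for g in gaps if g <= GAP_FACTOR * period), default=0.0)

def manipulation_of_view(events, src, dst, low, high) -> List[Tuple[float, float]]:
    """Readings outside the physically plausible range for the tag (here a pressure sensor)."""
    return [(e.t, e.value) for e in view_events(events, src, dst) if not low <= e.value <= high]

def denial_of_control(events, ack_timeout) -> List[int]:
    """Commands that were sent but never acknowledged within ack_timeout seconds."""
    acks = {e.cmd_id: e.t for e in events if e.kind == "cmd_ack"}
    return [e.cmd_id for e in events if e.kind == "cmd_sent"
            and (e.cmd_id not in acks or acks[e.cmd_id] - e.t > ack_timeout)]

def manipulation_of_control(events) -> List[Tuple[int, float, float]]:
    """Commands whose value at the receiving device differs from the value the controller sent."""
    sent = {e.cmd_id: e.value for e in events if e.kind == "cmd_sent"}
    return [(e.cmd_id, sent[e.cmd_id], e.value) for e in events
            if e.kind == "cmd_recv" and e.cmd_id in sent and e.value != sent[e.cmd_id]]

def classify(events, sensor, hmi, period, low, high, ack_timeout) -> Dict[str, object]:
    """Run every check and report which of the post's failure modes the log exhibits."""
    report = {
        "loss_of_view": loss_of_view(events, sensor, hmi, period),
        "manipulation_of_view": manipulation_of_view(events, sensor, hmi, low, high),
        "denial_of_control": denial_of_control(events, ack_timeout),
        "manipulation_of_control": manipulation_of_control(events),
        "view_jitter_s": view_jitter(events, sensor, hmi, period),
    }
    # Simplification: simultaneous view and control findings are reported as loss of control.
    view_hit = bool(report["loss_of_view"] or report["manipulation_of_view"])
    ctrl_hit = bool(report["denial_of_control"] or report["manipulation_of_control"])
    report["loss_of_control"] = view_hit and ctrl_hit
    return report

# Constructed sample log: PT-101 reports pressure (psi) to the HMI once per second;
# the HMI sends setpoint commands to PLC-1, which echoes what it received and acks.
SAMPLE_EVENTS = (
    [Event(t, "view", "PT-101", "HMI", value=100.0 + t) for t in (0.0, 1.0, 2.0, 3.0, 4.0)]
    + [Event(10.0, "view", "PT-101", "HMI", value=110.0),   # six seconds of silence before this
       Event(11.0, "view", "PT-101", "HMI", value=111.0),
       Event(12.0, "view", "PT-101", "HMI", value=9999.0),  # implausible reading
       Event(13.0, "view", "PT-101", "HMI", value=113.0),
       Event(14.5, "view", "PT-101", "HMI", value=114.0),   # late by half a period (jitter)
       Event(15.5, "view", "PT-101", "HMI", value=115.0),
       Event(2.0, "cmd_sent", "HMI", "PLC-1", value=50.0, cmd_id=1),
       Event(2.1, "cmd_recv", "HMI", "PLC-1", value=50.0, cmd_id=1),
       Event(2.2, "cmd_ack", "PLC-1", "HMI", cmd_id=1),
       Event(5.0, "cmd_sent", "HMI", "PLC-1", value=50.0, cmd_id=2),
       Event(5.1, "cmd_recv", "HMI", "PLC-1", value=80.0, cmd_id=2),  # altered in transit
       Event(5.2, "cmd_ack", "PLC-1", "HMI", cmd_id=2),
       Event(8.0, "cmd_sent", "HMI", "PLC-1", value=60.0, cmd_id=3)]  # never received or acked
)

def sample_report() -> Dict[str, object]:
    return classify(SAMPLE_EVENTS, "PT-101", "HMI", period=1.0, low=0.0, high=200.0, ack_timeout=1.0)

if __name__ == "__main__":
    for mode, finding in sample_report().items():
        print(f"{mode:24} {finding}")
```

The thresholds (polling period, plausible range, acknowledgement timeout) are where the engineering lives: they should come from the tag's configuration and the process hazard analysis, not from a guess, and a reading that is implausible for the process is exactly the kind of consequence-driven check that a plain IT monitoring tool would not know to make.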
For greenfield (new) ICS, security should be factored in from the start. When designing the control system, organizations should consider the security of components and communication paths. ICS cybersecurity should be included in the normal hazard and operability study, safety instrumented system (SIS) designs, and basic process control system designs. Consider possible single points of failure and systems that require extra protection due to potential consequences or their importance to the process.
For brownfield (retrofit/upgrade) projects, security should be factored into all future designs. The organization should consider adding or modifying security countermeasures during maintenance outages. These upgrades will require more planning, because maintenance outages are limited in duration and resources may not be available. Any improvements should be designed, procured, and tested with enough lead time to initiate them without any delay—possibly months in advance.
In a perfect world, organizations have enough personnel and funding to implement ICS security for all their systems once management approves. In the real world, capital expenditures are limited, personnel are almost always overloaded, and systems cannot be shut down at a moment’s notice. Organizations need to prioritize their ICS security countermeasures. One way to do this is by looking at the ability to implement versus the time for planned outages and making three categories: easily actionable improvements, near-term improvements, and long-term plans (see table 1).
About the Author
Jim Gilsinn is a senior investigator for Kenexis Security. He is involved in network and vulnerability assessments, as well as network and security design. He is also the co-chair of the ISA99 committee.
A version of the post originally was published at InTech magazine.