Learn about what ICS security is, challenges, best practices, and more in Data Protection 101, our series on the fundamentals of information security.
ICS security, or industrial control system security, involves safekeeping and securing industrial control systems as well as the necessary software and hardware that are used by the system. Here’s what you need to know about ICS security.
Definition of an Industrial Control System
An industrial control system is one of the different types of control systems that are used for monitoring industrial processes. It can be composed of just a few controllers or a complex network of interactive control systems made up by hundreds or thousands of connections. These systems get data from remote sensors that monitor and measure process variables. These process variables are then compared with the set points. The system will then send commands that will control processes via the final control elements, such as control valves.
For instance, remote sensors will check your machinery and then send it to the industrial control system. If it sees that the machinery is overheating, then ICS will tell the machinery to shut down. For some buildings, ICS can regulate energy use.
In short, industrial control systems give operators an easy way to manage, monitor, and control industrial processes. These systems ensure that your operations run smoothly, and issues are detected before they can become a problem.
In the past, control systems often existed in silos, without computing power or communication technologies. Somebody would need to go around the plant floor and take temperature readings and then report on them. Because of the Internet of Things (IoT) and better sensors, even non-computing machineries and devices are networked, and they are able to send data over the Internet. So rather than manually measuring variables, these variables are automatically sent to the system.
While most people would confuse industrial control systems with SCADA, or Supervisory Control and Data Acquisition, industrial control systems involve several other technologies, such as distributed control systems, remote terminal units, programmable logic controllers, and other technologies that are used to run industrial concerns.
How ICS Security Works
ICS security is concerned with:
• Securing and safeguarding industrial control systems, and the software and hardware used in operating and controlling machinery, and other devices used in the factory and other industrial businesses.
• Keeping processes and machineries running smoothly.
• Ensuring that the information and data shown on the control room dashboards and screens are accurate, reflecting what is really happening in the plant or production floor.
Challenges of ICS Security
Like every system that is networked to the Internet, industrial control systems must be properly secured. The problem is that industry control systems security is often overlooked because it is tied to mission critical systems and infrastructure. As such, disruptions are often avoided, which includes taking these systems down for security updates.
This gives rise to the problem of having an industrial control system that is out of date, unpatched, and vulnerable to attacks.
Most industrial control systems also do not have computing power or have very limited resources used for computing. This means that they would not be able to run antimalware and antivirus software.
An underlying problem when it comes to ICS security is that it is not clear who should be in charge over it. Your IT guys probably have the experience and expertise necessary to secure your systems, but they simply do not have a complete understanding of how these systems work and its place in operations. What's more, IT often places confidentiality and integrity first, as availability is not their top concern. Your IT personnel would probably take your industrial control systems down in order to run a security patch or contain a malware attack. In short, the availability of these systems is sacrificed to ensure both integrity and confidentiality.
This is simply not acceptable for your operational technology (OT) personnel, whose main concern is that these systems are up and ready for use at any time. Your OT personnel would most likely argue against taking down these systems and put confidentiality and integrity on the backburner. For them, taking these systems offline could endanger workers, therefore availability and uptime are more important.
Digital Guardian for Manufacturing
ICS Security Best Practices
The National Institute of Standards and Technology has published the Guide to Industrial Control Systems Security to help you come up with a security framework for your own systems. According to the NIST document, the main security objectives for ICS should include:
1. Being able to restrict logical access to the system's network and activity, such as using a demilitarized zone network design that uses firewalls to stop network traffic from passing through the ICS and your corporate networks, or the use of unidirectional gateways.
2. Being able to restrict physical access to the ICS devices and network in order to avoid disruptions to the system's functionality. This includes hiring guards and putting up locks and card readers.
3. Securing all individual components of the ICS. This may include applying security patches as soon as they are tested, blocking all unused ports, and assigning user privileges only to people who are authorized to use the ICS.
4. Protecting against unauthorized changes of data, including both data that is still being transmitted and stored data.
5. Designing ICS with all important parts including having a redundant counterpart, making sure that it will continue to function even during emergency situations.
6. Having an incident response plan to restore the ICS after any incident.
ICS Security Standards
There are several industrial control systems security standards out there, and there are quite a few that are specific to an industry. One of the most broadly applied standards is the NIST’s SP 800-82, or the guide mentioned above, which is now on its second revision.
Another broadly applicable set of standards is the ANSI/ISA99 standard. In order to raise awareness of this standard, the International Society of Automation and the International Electrotechnical Commission has developed the ISA/IEC 62443 Cybersecurity Certificate Programs.
ICS security is a necessary facet of any modern industrial operation. Following best practices for ICS security is essential to protecting today’s increasingly complex industrial control systems in the age of IoT.