Industrial control systems (ICS) differ vastly from usual IT systems. Supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLCs) are all examples of ICS. Many of these systems have strict governance over their reliability, function and safety because they control water pumps, power grids, and other high-availability, critical infrastructures. Also, because they are older and have often been pieced together over time, these systems are delicate and sometimes difficult to keep up-to-date.
Recent years have revealed numerous Internet-related attacks on ICS. The recent Black Hat security conference featured presenters who spoke about vulnerabilities in industrial facilities and pipeline infrastructures that have the industry clamoring for more robust security measures to protect ICS.
The National Institute of Standards and Technology (NIST) with the Department of Commerce has developed documentation on proper security for ICS. This publication is available in our IT Downloads under the title, “Guide to Industrial Control Systems (ICS) Security.”
The guide details all important facets of security for numerous industrial control systems. Topics covered include:
- Overview of Industrial Control Systems
- ICS Characteristics, Threats and Vulnerabilities
- ICS Program Development and Deployment
- Network Architecture
- ICS Security Controls
NIST defines security controls as “… the management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an informational system to protect the confidentiality, integrity, and availability of the system and its information.” As a system, ICS requires layers of security to protect its data and equipment from attack. The document explains:
A single security product or technology cannot adequately protect and ICS. Securing an ICS is based on a combination of effective security policies and properly configured sets of security controls. An effective cyber security strategy for an ICS should apply defense-in-depth, a technique of layering security mechanisms so that the impact of a failure in any one mechanism is minimized. Use of such a strategy is explored within the security control discussions and their applications to ICS that follow.
The document provides recommendations for personnel security that aim to reduce incidence of human error or misuse of mechanisms. It gives information on securing physical areas and control centers, and educates about the importance of contingency and continuity planning.
All organizations that deal with industrial systems will benefit from the information included in this document. From patch management to disaster recovery methods, this guide provides the integral information necessary to protect your ICS from potential threats.