Cyber Risks for Industrial Control Systems

10 November 2015
If News 8/2015 Liability.

Industrial Control Systems (ICS) are typically not on the radar of organizations when they consider their cybersecurity, at least not yet. Examples include SCADA, DCS and PLC systems typically used to control utilities, equipment and machinery.

The vulnerability of ICS to computer network-based attacks has increased significantly because they have changed from proprietary, isolated systems to open architectures and standard technologies that are highly interconnected with other networks and the Internet.

In addition, attacks such as ‘Stuxnet’, ‘Duqu’, ‘Flame’ and ‘Gauss’ are strong indicators of the growing interest in SCADA systems as a target.

The Framework

Unpatched software represents one of the greatest vulnerabilities to a system. ICS are often more complex and require a different level of expertise. They are typically managed by control engineers, not IT personnel. Management of change (MOC) procedures are paramount to maintaining the integrity of both IT and control systems. To assure adequate risk management, it is recommended to apply a Framework for cybersecurity.

The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.

For example, in 2014 the US National Institute of Standards and Technology published a Framework for Improving Critical Infrastructure Cybersecurity. This Framework, created through collaboration between the US government and the private sector, is available from: http://www.nist.gov/cyberframework/index.cfm

Three parts: Core, Profile, and the Implementation Tiers

The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through the use of Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

The five Framework Core Functions are defined below. These Functions are not intended to form a serial path, or lead to a static desired end state. Rather, the Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.

  • Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
  • Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
  • Detect. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
  • Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
  • Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.

Governmental aid

Help on security can be obtained from government organisations. For example, the European Union Agency for Network and Information Security (ENISA) acts as a facilitator and information broker for CERTs/CSIRTs. As an EU expert body, it stays in touch with all the CERT/CSIRT communities in Europe and beyond. CERT stands for Computer Emergency Response Team.

A more recent term is Computer Security and Incident Response Team (CSIRT). The name explains what makes these entities so special: like a fire brigade, they are the only ones that can react when security incidents occur.

Besides reactive services (incident response) they usually also provide a comprehensive portfolio of other security services for their customers, such as alerts and warnings, advisories and security training. Over the years, CERTs/CSIRTs have evolved into premium providers of security services.

Erik van der Heijden