What is ICS?
ICS is actually a class of digital devices...
There are a number of digital devices which are used in modern 'INDUSTRIAL' processes.
Whether it is your Critical Infrastructure at nation-level (e.g., Power Grid, Water Treatment, Dams, Railways, etc.) or your own manufacturing unit or many other large applications, they are using the following types of devices:
All these types of devices belong to what is called ICS -- Industrial Control Systems. Sometimes when you hear the term 'Operational Technology,' you are dealing with ICS devices, of course. There are many more types of devices which are part of ICS…
ICS are different from devices which are used for controlling the systems or safety of the building. ICS are different from medical devices too.
ICS devices/technologies specifically focus on INDUSTRIAL PROCESSES or AUTOMATION of those processes. They provide you the components that will ensure proper and continuous operation of a wide range of industrial systems. ICS devices give you control over the 'inputs' and 'outputs' of KEY ELEMENTS in an operational or physical process.
Suppose you have some physical/operational process where you cannot allow some input or output to go beyond a certain limit, as it may be hazardous or dangerous to the safety of the system, your labour or the general public in the town. Then you are mandated to use some 'Safety System' to ensure that the process is automatically shut down if it starts getting out of that limit. In this example, ICS devices would provide you all the components of your safety system.
I expect that so many of you may have already seen many such devices in the factories or manufacturing units...
An industrial control system can be composed of just a few controllers or a complex network of interactive control systems made up of hundreds or thousands of connections. These systems get data from remote sensors that monitor and measure the variables of your industrial process(es). These process variables are then compared with the predefined 'set points.' The ICS then sends commands that control the processes via the final control elements, such as control valves, etc.
For instance, remote sensors will check your machinery and then send their readings to the industrial control system. If it sees that the machinery is overheating, then the ICS will tell the machinery to shut down. For some buildings, ICS can regulate energy usage too.
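The scan cycle described above, as an added example that is not part of the original article: a sensor reading is compared with a set point, a command goes to the final control element, and a separate safety limit forces a shutdown. The class name, the temperature values, the latching of the trip and the treatment of a missing reading as unsafe are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class TemperatureLoop:
    set_point_c: float      # target value for the process variable
    deadband_c: float       # hysteresis so the cooling valve does not chatter
    trip_limit_c: float     # safety limit; at or beyond it the process shuts down
    cooling_on: bool = False
    tripped: bool = False   # latched: stays True until an operator resets it

    def scan(self, reading_c):
        """One controller scan: compare the reading with the set point and
        return the command for the final control element."""
        # The safety check runs first and does not depend on normal control.
        # A missing reading (None) is treated as unsafe (assumed fail-safe design).
        if reading_c is None or reading_c >= self.trip_limit_c:
            self.tripped = True
        if self.tripped:
            return "SHUTDOWN"
        if reading_c > self.set_point_c + self.deadband_c:
            self.cooling_on = True
        elif reading_c < self.set_point_c - self.deadband_c:
            self.cooling_on = False
        return "COOLING_ON" if self.cooling_on else "COOLING_OFF"

    def reset(self, reading_c):
        """Operator reset, accepted only when the process is back below the limit."""
        if reading_c is not None and reading_c < self.trip_limit_c:
            self.tripped = False
        return not self.tripped

def run(loop, readings):
    """Feed a series of sensor readings through the loop, one scan each."""
    return [loop.scan(r) for r in readings]

# Constructed sensor readings in degrees Celsius (not from a real plant).
SAMPLE_READINGS = [70.0, 76.5, 74.0, 72.0, 96.0, 80.0, None]

if __name__ == "__main__":
    loop = TemperatureLoop(set_point_c=75.0, deadband_c=1.0, trip_limit_c=95.0)
    for reading, command in zip(SAMPLE_READINGS, run(loop, SAMPLE_READINGS)):
        print(reading, command)
```

The reading of 80.0 after the trip still yields a shutdown command: a latched trip does not clear on its own when the value returns to range, which is why a falsified or missing sensor value has direct operational consequences.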
What is ICS Security?
ICS devices have long been around. They are not new stuff...
In the past, these control systems had almost negligible computing power, and they had zero involvement of any communication technologies. These devices would do their job, but would not report or record anything by themselves. Somebody would need to go around the plant floor and take readings (e.g., temperature) from them and then report on them.
Because these devices were used and kept away from the internet, the security of those devices was not that big of a problem. But there has been a major shift in recent years...
Particularly with the advent of robots in industrial setups and the usage of IoT and Industrial IoT (IIoT) devices and very high-class sensors, all these devices are now well networked. They are capable of sending the data to you over the internet too. They are capable of measuring, recording and reporting all the key 'variables' of industrial process(es) to your system automatically.
Like every computer or IT system that is connected to the Internet, industrial control systems also face all sorts of threats emanating from the Internet.
ICS security is defined as the protection of industrial control systems from threats from cyber-attackers. It is often referred to as OT Security. ICS security is critical because these systems are under attack and the consequences of compromise are significant financially, operationally, and safety-wise for your company.
Q 1: Why do you need a separate category of OT security to address these types of systems?
Q 2: Why not just replicate what you are doing in IT security?
There is no doubt that many principles and practices of IT are applicable here, such as Asset inventory and detection, Vulnerability management, Network intrusion protection & detection, Endpoint detection and response, Patch management, Users and Access management, etc.
BUT securing ICS systems is definitely nowhere near the same as securing IT systems. I have already pointed this out in my previous post on IT vs OT. ICS security differs from traditional IT security in several ways:
First, the devices themselves create challenges for traditional IT security processes and technology.
You can easily find a number of such devices which run on old versions of Windows, such as Windows XP or Windows 7. You would easily find a wide range of embedded devices, e.g., PLCs, controllers, relays, sensors, etc., industrial (and traditional IT) networking equipment, and more. Most of these devices will compel you to take a different approach to security, because they may not be modern, updated, OS-based, or cloud-based devices, as in your normal IT stack.
Second, the potential impact is very different from traditional IT. How?
Being an IT guy, you already know that the priorities of IT are established in this order:
Confidentiality-Integrity-Availability, in that order.
In the world of ICS, their priorities are absolutely different. Their GREATEST priority is the SAFETY of their people and property. There is no question about that! Then, their next set of priorities emerges, in the following order:
Availability-Integrity-Confidentiality
Now you can see why you need to have a drastically different focus of RISK management in ICS Security.
Third, incident detection and response in ICS security is also not the same, because it requires very 'specific knowledge' of the ICS systems affected. Since the behavior of ICS systems is unique to them and often very particular to the process concerned, your response to any cyber-incident must be highly measured and handled in such a way that it does not cause more harm than good by stopping the operational process inappropriately. You simply cannot take the mindset of IT incident response there. You cannot implement available detection rules on all the ICS systems all the time. You may not take responsive actions uniformly and automatically.
Fourth, your job is to ensure the ICS systems are made secure but SAFELY, and that operational resiliency is maintained all the time. That is why you need specific knowledge of these control systems and their respective security. This combination of desired knowledge is in itself a big challenge. So many ICS systems were designed years or decades ago, and there is a shortage of skilled personnel who understand them. To secure ICS, your company needs to merge its IT security capabilities with the people who have knowledge of ICS systems.
All these reasons together warrant that your company adopt a unique approach from your traditional IT security practices and technology.
How can you achieve ICS security?
There are three key elements to make significant progress towards a more secure ICS infrastructure.
1. Establish an objective and design an ICS security program
The first step in robust ICS security is to establish the goal you are trying to achieve. The great news is that there is a range of standards out there – 18-CIS Controls, NIST's Cybersecurity Framework (CSF), NIST’s SP 800-82, IEC 62443, etc. that can guide your organisation in this area.
Practical experience in the field of ICS security implementation would clearly tell you that the biggest stumbling block is often defining the destination.
Your company would struggle if you pursue a single specific initiative, such as network segmentation, network intrusion detection, asset visibility, etc., for short-term gain.
If your company wants to succeed in ICS security, you will require a true program that brings together an INTEGRATED set of actions. For that, you should select a STANDARD and focus ALL your energies on delivering against it, as it is the best way to make meaningful, measurable progress in ICS security.
2. IT is from Mars, OT is from Venus
You must bring IT and OT together to develop an ICS security solution that works.
If you think that "Your IT team is going to lead...," it will fail!
If you think that "Your ICS team is going to lead...," it will fail!
What you need to be very clear about in your mind is this: your IT security (and team) will certainly bring a lot to the table in terms of knowledge and capabilities, but you cannot implement everything in the same way as you do in your IT. ICS would demand some consistent 'measurements' for the Board of Directors and other ICS stakeholders. That is why it is absolutely critical for your company to bring these two groups TOGETHER to make ICS Security happen at your company.
3. Leverage a security platform, rather than a series of individual tools
See, ICS Security does not have to be a BLACK BOX. You can apply many of the same principles as IT security, but it is better to do it with a 'platform' that can address those unique challenges of ICS Security.
Gartner has pointed out that --
Solutions that offer multiple valuable features easily deploy, can be easily explained to operations as not adding additional risk and are interoperable with other security tools, are preferred.
Check Point, Fortinet, Palo Alto, Cisco and other security vendors have many ICS Security offerings in the market.
For example, Fortinet's ICS/SCADA solution contains the following components:
General Best Practices for ICS Security
- Restrict those who do not need physical access from coming into contact with important ICS devices. This may include physical measures like guards or digital methods such as card readers, iris scanners, etc.
- Apply security measures to individual elements of the ICS. To do this, you can block ports that are unused, install security patches, and implement least-privilege principles to ensure only those who need to access the system can.
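One way to find the unused ports and derive least-privilege access rules mentioned in the last item, shown as an added example that is not from the original article: compare what each device listens on with the traffic actually observed. The device names, the inventory and the flow records are constructed, and the approach assumes passive monitoring over a window long enough to include infrequent but legitimate operations such as engineering changes.

```python
from collections import defaultdict

# Well-known TCP ports of common ICS protocols, used only to label findings.
ICS_PORTS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed inventory: device -> TCP ports found listening during a survey.
LISTENING = {
    "plc-01": {23, 80, 502},
    "hmi-01": {3389, 44818},
    "rtu-07": {21, 20000},
}

# Constructed flow records from passive monitoring: (source, destination, port).
FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("eng-ws-02", "hmi-01", 3389),
    ("scada-01", "rtu-07", 20000),
    ("eng-ws-02", "plc-01", 502),
]

def used_services(flows):
    """Map (device, port) -> set of sources observed talking to it."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(dst, port)].add(src)
    return dict(peers)

def unused_ports(listening, flows):
    """Ports that listen but saw no traffic: candidates to disable or block."""
    used = used_services(flows)
    report = {}
    for device, ports in sorted(listening.items()):
        idle = sorted(p for p in ports if (device, p) not in used)
        if idle:
            report[device] = idle
    return report

def allow_list(listening, flows):
    """Least-privilege rules: only observed sources may reach each used port."""
    rules = []
    for (device, port), sources in sorted(used_services(flows).items()):
        if port in listening.get(device, set()):
            label = ICS_PORTS.get(port, "tcp")
            rules.append((device, port, label, sorted(sources)))
    return rules

if __name__ == "__main__":
    print(unused_ports(LISTENING, FLOWS), allow_list(LISTENING, FLOWS), sep="\n")
```

Each idle port should be confirmed with the process owner before it is blocked, since closing a service that is used only during maintenance can interrupt operations.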
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...