Security Management of Industrial Automation and Control Systems (abbreviated
to IACS) has grown in prominence over the last decade, due to an increase
in the complexity and connectivity of control systems. This has led to a greater
exposure to the malicious and dangers elements of an interconnected world.
The IACS – A target for Cyber Attacks
The IACS can be defined as a collection of networks, PLCs, SCADA systems, and other control systems. All parts of the IACS are potentially vulnerable to cyber attack and as many forms of cyber attack are indiscriminate, this means that all industries, production processes and computerised systems are at risk.
IT and OT
Information Technology’s primary function is to process, communicate and secure information from malicious intrusion and tampering. Confidentiality, Integrity and Availability, or the “CIA Triad“, is a model that well describes the focus of information security policies for IT networks.
Operational Technology systems, on the other hand, are designed to control and monitor physical devices in real-time. In OT networks the top priority is Control (including Safety). Next is Availability, then Integrity and finally Confidentiality.
As the dangers of cyber attack have grown against both IT and OT systems, national and international standards have been created and amended regularly to provide guidance for organisations on how to combat these threats, including:
IEC 62443 – The International Electrotechnical Commission (IEC) cyber security standard for IACS.
NIST Cyber Security Framework – developed by the U.S. based National Institute of Standards and Technology.
NIS Directive – EU and UK directions on achieving a common level of network and information system security as derived from European law.
OG86 – Guidance on the inspection of Cyber Security for IACS. Incorporating IEC 62443-2-1 and NIS Guidance.
CIS CSC – The Centre for Internet Security Critical Security Controls for Effective Cyber Defence. Best practice guidelines closely linked to other standards.
As Control and Safety are the top priorities of Operational Technology there are limitations on how threats can be mitigated, and challenges that are more prominent than in other network types.
A significant challenge in OT systems is Obsolescence. Much of the equipment used in Industrial Automation is still running on operating systems that were designed before many of today’s threats were even conceived. If these old systems have no recent updates available then they are, at a minimum, vulnerable to all forms of cyber attack that have been created since their last update. With the door left open in this way the consequences of an unchallenged cyber attack could be disastrous.
Adhering to the IEC 62443 standard requires the use of a Cyber Security Management System (abbreviated to CSMS) to manage all aspects of Cyber Security in regards to an IACS area.
The early stages of implementing a CSMS include carrying out risk assessments in order to identify vulnerabilities and establish a clear direction for the implementation, managing and monitoring of all Cyber Security threats and issues.
The Asset Guardian Solution
An effective CSMS should be designed in a way that protects the entire IACS. As well as risk assessments, the CSMS should also be used for all other Cyber Security activities including disaster recovery planning, incident management and organising training.