Industrial Control Systems (ICS) Security

The paradigm has shifted.
CyberSecurity has traditionally been a concern for commercial technology environments, such as those dealing with financial information, healthcare-related data, and other formally regulated information.  Industrial environments, on the other hand, such as mass transit systems, power plants, and manufacturing plants, consisted of components that were not susceptible to the same types of vulnerabilities inherent in the technology components common to commercial environments, until now…

Industrial Control Systems are vulnerable.
The introduction of sophisticated IP-enabled technology to industrial control system (ICS) environments brings advanced capabilities, efficiencies, and conveniences, along with the vulnerabilities inherent in these technologies.   These vulnerabilities are being introduced to environments and personnel ill prepared for the risk management challenges.  These challenges are especially dangerous, not only to the confidentiality, integrity, and availability of information, but also to human lives and public safety.

The threat landscape is evolving.
In Today’s tumultuous climate, bad actors have evolved beyond “technical exploit” capabilities.  Sophisticated technical exploit techniques are combined with exploit of the ‘human element’, allowing bad actors to circumvent technical security controls such as firewalls and ‘air gaps’.  Trust relationships, such as those with 3rd party service providers, are increasingly exploited.  Personal device technologies, such as smartphones and tablets, are bridging the gap between the personal world and the corporate world.  Social media is used as a means of gathering intelligence or propagating software code specifically designed to compromise target systems.  The fact that cybersecurity threats to ICS environments are very well funded, by foreign nation states and terrorist organizations, makes the situation a precarious one.

The risk is real.
Hostile organizations and persons, both foreign and domestic, state-sponsored and of private interest, are well aware of the vulnerable condition of most ICS environments.  The risks include the threat of malicious organizations and persons motivated by financial gain or ‘challenge’ and those motivated to do significant damage to property and lives.  In recognition of the national security implications of these risks, the National Institute of Standards and Technology (NIST), as mandated by Executive Order 13636 “Improving Critical Infrastructure Cybersecurity,” published the “Framework for Improving Critical Infrastructure Cybersecurity” in February, 2014.  This framework established a structured basis to address the risk in critical infrastructure environments including mass transit, power, and manufacturing, as well as the application of technical and procedural security controls to manage that risk.

CyberSecurity in the ICS world is a significant challenge.
Organizations with ICS environments are faced with significant challenges in adopting an effective cybersecurity risk management program.  With government mandates for technical enhancements, such as Positive Train Control (PTC) for mass transit environments, and the general advent of the ‘Internet-of-Things’ (IoT), organizations must aggressively implement IP-enabled components in industrial control system environments not only to comply with mandates, but also to stay competitive.  The implementation of these technologies cannot be treated as a straightforward upgrade, nor can current personnel effectively manage the inherent cybersecurity risks by taking a few training classes. 

A fundamental shift in CyberSecurity strategy is vital for ICS environments.
Risk management should be conducted ‘from the ground up’.  Cybersecurity requirements and control specifications need to be defined for every element of the technology environments.  Policies and procedures should be established specifically for cybersecurity in addition to the existing policies and procedures for premises and personnel security.  These standards, policies, and procedures should also be mandated, by written agreement, for 3rd party service providers.  Resources need to be tasked with conducting regular cybersecurity operations, including monitoring, regular testing, and incident response procedures.  Personnel, even those that have no direct role in cybersecurity, should be educated on cybersecurity risks inherent in the technologies they use in their work role.

STIGroup can help.
STIGroup has significant experience and expertise in assessing, implementing, and managing security controls in ICS environments.  Our team understands the proprietary aspects of the ICS components used in mass transit, power, and manufacturing environments, the vulnerabilities inherent in the IP-enabled components, and the threat landscape unique to these environments.  STIGroup can effectively and efficiently:

  • Assess the security posture of your Industrial Control System (ICS) environment
  • Develop and execute a prioritized remediation plan to mitigate risk
  • Design and implement an effective cybersecurity operations plan
  • Manage the security controls in your ICS environment to maintain a secure state and respond to cybersecurity events