Security, process, control
To protect Industrial Control Systems (ICS) from cyber threats, you need robust security processes across the whole organisation
As we’ve noted before, cyber-security is not something that can be considered in isolation. Effectively protecting connected assets requires a combination of three factors: people, processes and technology.
We’ve already discussed some of the major issues around people, so let’s address three key considerations in the design and execution of a robust security process for Industrial Control Systems.
Take a full lifecycle approach
There is no fit-and-forget in cyber-security. Security processes need to be integrated into the full lifecycle of every asset, from specification and design through commissioning, operations and maintenance to end-of-life and disposal. Threats, vulnerabilities and protection strategies are all likely to evolve significantly during the operating life of a system, therefore these should undergo annual assessments (using compliance programs such as NCSC Cyber Essential scheme), in a similar way to an annual MOT being undertaken on a motor vehicle.
Once an asset has reached retirement age it may contain commercially or legally sensitive data. And in the industrial control environment, it isn’t just data that could be lost in a cyber-attack. System compromise could damage or destroy high value physical assets or even put lives at risk.
Document and standardise
Security processes need to be applied consistently – during every interaction with every asset – whether that’s the design of an entirely new installation or an urgent maintenance intervention. Organisations need a clear, well-documented framework so everyone understands their role in this effort, from plant operator to those accessing data to inform management decision-making. Many companies base their processes on industry standards, such as the ISA/IEC 62443 series, but may adapt or extend the relevant standards to suit the needs of their infrastructure.
If an organisation is employed to work on assets on behalf of a client, it needs to consider the requirements of the client’s security standards in addition to its own internal standards.
Integrate across functions
Cyber-security considerations have implications for many of the processes and standards used across your organisation, and even more consideration needs to be given to how these are applied within the ICS environment. Actions to maintain security must be integrated into standard operating and maintenance procedures, for example. That integration requires a two-way conversation: if security requirements interfere excessively with the normal operation of a system, staff are likely to ignore or override them.
Externally-sourced components and services are a significant potential weak point in any Industrial Control System, so procurement processes need to ensure vendors are able to demonstrate compliance with appropriate standards. Quality assurance and evaluation activities for new equipment and new suppliers should include appropriate checks for security vulnerabilities and compliance. Human Resources processes must include suitable security training for staff and management of access rights to sensitive systems.
Finally, security needs to be an integral part of your organisation’s change management processes. That integration should ensure that the security impact of ongoing changes to assets, supply chains or operating procedures is properly assessed and controlled. It should also provide a well-regulated route for modifications required to address evolving security concerns.