industrial automation
Automation describes a wide range of technologies that reduce human intervention in processes, namely by predetermining decision criteria, subprocess relationships, and related actions, as well as embodying those predeterminations in machines ...
and control systems
A control system manages, commands, directs, or regulates the behavior of other devices or systems using control loops. It can range from a single home heating controller using a thermostat controlling a domestic boiler to large industrial ...
. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
Control system security is known by several other names such as ''SCADA
Supervisory control and data acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors an ...
security'', ''PCN security'', ''Industrial network security
Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...
'', ''Industrial control system
An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and in ...
(ICS) Cybersecurity'', '' Operational Technology (OT) Security'' and ''Control System Cyber Security''.
Risks
Insecurity of, or vulnerabilities inherent in industrial automation and control systems (IACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image. Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many Governmental, regulatory, industry documents and Global Standards, addressed below.Vulnerability of control systems
Industrial automation and control systems have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years. * Heavy use of Commercial Off-the Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems * Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for * Demand for Remote Access - 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system *Security Through Obscurity
Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component.
History
An early opponent of security through ob ...
- Using not publicly available protocols or standards is detrimental to system security
The cyber threats and attack strategies on automation systems are changing rapidly. Fortunately, regulation of control system security is rare as regulation is a slow moving process. The United States, for example, only does so for the nuclear power
Nuclear power is the use of nuclear reactions to produce electricity. Nuclear power can be obtained from nuclear fission, nuclear decay and nuclear fusion reactions. Presently, the vast majority of electricity from nuclear power is produced ...
and the chemical industries
A chemical substance is a form of matter having constant chemical composition and characteristic properties. Some references add that chemical substance cannot be separated into its constituent elements by physical separation methods, i.e., wit ...
.
Government efforts
The U.S. Government Computer Emergency Readiness Team (US-CERT) originally instituted a control systems security program (CSSP) now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security. The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSIACS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems. MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems from cyber attack, such as power, water and wastewater, and safety controls, affect the physical environment. The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to an innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.Industrial Cybersecurity Standards
The international standard for cybersecurity in industrial automation is the IEC 62443. In addition, multiple national organizations such as the NIST and NERC in the USA released guidelines and requirements for cybersecurity in control systems.IEC 62443
The IEC 62443 cybersecurity standard defines processes, techniques and requirements for Industrial Automation and Control Systems (IACS). Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard. The IEC 62443 was influenced by and is partly based on the ANSI/ISA-99 series of standards and the VDI/VDE 2182 guidelines.
All IEC 62443 standards and technical reports are organized into four general categories called ''General'', ''Policies and Procedures'', ''System'' and ''Component''.
# The first category includes foundational information such as concepts, models and terminology.
# The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
# The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
# The fourth category includes work products that describe the specific product development and technical requirements of control system products.
NERC
The most widely recognized modern NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes. The Public Foundation of Guidelines and Innovation (NIST) Online protection System (CSF) is a structure created by the Public Establishment of Principles and Innovation (NIST) to assist associations with overseeing network safety chances. The system is intended to be utilised by associations of all sizes and in all businesses, and it gives a typical language and approach for overseeing network protection gambles.Control system security certifications
Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on the IEC 62443 and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program.External links
IEC 62443
US NIST webpage
US NERC Critical Infrastructure Protection (CIP) Standards
UK CPNI Internet of Things and Industrial Control Systems
References