Protecting ICSs from Electronic Threats, II
By Joe Weiss, PE, CISM, Applied Control
The following is the second section of a three-part Security Spotlight series that consists of portions of Joe Weiss' Protecting Industrial Control Systems from Electronic Threats, Momentum Press, 2010. Part 1 ran in the June issue of Control, and Part 3 will run in the October issue.

In industrial control systems (ICS), cyber attacks tend to focus on destabilizing assets. Because integrity and availability are most important for ICSs, their security also relies more on authentication and message integrity.
Fortunately, ICS security is an engineering problem that requires engineering solutions. Resilience and robustness are the critical factors in the survivability of compromised ICSs. Their security requires a balanced approach to technology design, product development and testing, development and application of appropriate ICS policies and procedures, analysis of intentional and unintentional security threats, and proactive management of communications across view, command and control, monitoring and safety. It's a lifecycle process that begins with the conceptual design of a system and continues through to its retirement.
To begin dealing with cyber threats to ICSs, it's useful to break them out in four main ways:
Besides these threats, there are many misconceptions about cybersecurity that can impact ICSs and their users. These myths include:
Arguably, fewer than several hundred people worldwide have the expertise to qualify as ICS security experts. Of that very small number, an even smaller fraction exists within the electric power community.
There are many reasons for this imbalance. Unlike traditional business IT, ICS cybersecurity is still a developing area. It's an interdisciplinary field encompassing computer science, networking, public policy and engineering control system theory and applications. Unfortunately, today's computer science curricula often do not address the unique aspects of control systems. Likewise, most of the electrical, chemical, mechanical, nuclear and industrial engineering curricula don't address computer security.
Consequently, there is a need to form joint programs for ICS security. Presently, the U.S. Department of Homeland Security and Lawrence Livermore National Laboratory are developing an ICS security curriculum at the policy level, but there is still a need to develop the technical curriculum.
In addition, the U.S. Department of Energy funded a project in 2004 that helped establish its Computer Emergency Response Team (CERT) for the energy industry's control systems, and this has been expanded to include other industries as the Industrial Control System (ICS) CERT. However, the CERT/Coordination Center (CC) at Carnegie Mellon University's Software Engineering Institute and other existing CERTs have little experience in dealing with the direct cyber impacts of Internet- and other cyber-based attacks on ICSs. What is needed is a non-governmental ICS-CERT capability that deals not only with traditional Internet-based cyber vulnerabilities and threats, but also with those that arise at the intersection of network-based IT systems and ICSs. This ICS-CERT would collect and process cybersecurity reports for ICS end users, distribute alerts and recommendations, develop and disseminate best practices and training on countermeasures, and analyze new data to support existing activities and form responses to new threats.