The SANS 20 Critical Controls and their applicability to industrial control systems

At the 12th Industrial Control System (ICS) Cyber Security Conference the week of October 22-25 in Norfolk, VA, there were a number of issues that became evident to the attendees:
- There are significant differences between IT and ICSs. From a cyber security perspective, ICS cyber vulnerabilities include both communication network vulnerabilities that can be similar to IT and cyber security vulnerabilities unique to the ICS designs. These ICS-unique vulnerabilities can be, and have been, exploited, as with Stuxnet and Aurora.
- ICS security efforts are probably at least 10-15 years behind the IT security community.
- ICS cyber security policies need to address ICS-unique issues, as these are not addressed in traditional IT security policies.
- A gulf exists between the IT and the ICS communities that needs to be closed so that each community can bring their strengths to the table.

Additionally, a special panel consisting of control system experts from power, water, oil/gas, chemicals, manufacturing, and DOD concurred with the need for ICS-unique cyber security solutions, as most cyber security solutions being applied to ICSs are "recycled" IT solutions. This will require the IT and ICS communities to work together.

On Monday November 5, 2012, Tony Sager, the lead developer of the SANS 20 Critical Controls, will be publicly presenting these controls, which come predominantly from the IT community. At the 50,000-foot level, the 20 Critical Controls can be applied to the networks of any computer system, including ICSs. However, when you drop down in granularity they do not comprehensively address ICS cyber security issues, particularly ICS design vulnerability issues. This is also true of the NIST SP800-53 controls. A continuing concern is that when cyber security policy is developed, the control system experts are generally not at the table. There is a need for the IT community to include the ICS community, particularly the ICS experts, to support and enhance the SANS 20 Critical Controls.

Joe Weiss

What are your comments?


Comments

  • Not to be argumentative, but a few comments:

    > - There are significant differences between IT and ICSs.

    People who still don't understand this simply have not been paying attention. It's time to move on. 

    > - ICS security efforts are probably at least 10-15 years behind the IT security community.

    I believe that if you redefine the challenge as being to design and implement high availability and resilient systems then this statement can be disputed. After all, in the case of ICS "secure" is a means to an end, and that end is the protection of system operation and integrity.

    > - A gulf exists between the IT and the ICS communities that needs to be closed so that each community can bring their strengths to the table.

    Again, this is old news, and probably a broad overgeneralization. There are many, many examples of successful cooperation and collaboration between these two "communities." They just don't get as much attention as the negative examples, since they're not as provocative.

