The SANS 20 Critical Controls and their applicability to industrial control systems

Nov. 4, 2012
At the 12th Industrial Control System (ICS) Cyber Security Conference the week of October 22-25 in Norfolk, VA, there were a number of issues that became evident to the attendees:
- There are significant differences between IT and ICSs. From a cyber security perspective, ICS cyber vulnerabilities include both communication network vulnerabilities, which can be similar to those in IT, and cyber security vulnerabilities unique to ICS designs. These ICS-unique vulnerabilities can be, and have been, exploited, as with Stuxnet and Aurora.
- ICS security efforts are probably at least 10-15 years behind those of the IT security community.
- ICS cyber security policies need to address ICS-unique issues, as these are not addressed in traditional IT security policies.
- A gulf exists between the IT and ICS communities that needs to be closed so that each community can bring its strengths to the table.

Additionally, a special panel of control system experts from power, water, oil/gas, chemicals, manufacturing, and DOD concurred on the need for ICS-unique cyber security solutions, since most cyber security solutions being applied to ICSs today are "recycled" IT solutions. Closing that gap will require the IT and ICS communities to work together.

On Monday, November 5, 2012, Tony Sager, the lead developer of the SANS 20 Critical Controls, will publicly present these controls, which come predominantly from the IT community. At the 50,000-foot level, the 20 Critical Controls can be applied to the networks of any computer system, including ICSs. However, as you drop down in granularity, they do not comprehensively address ICS cyber security issues, particularly ICS design vulnerability issues. The same is true of the NIST SP 800-53 controls. A continuing concern is that when cyber security policy is developed, control system experts are generally not at the table. The IT community needs to include the ICS community, particularly the ICS experts, to support and enhance the SANS 20 Critical Controls.

Joe Weiss