The SANS 20 Critical Controls and their applicability to industrial control systems

Nov. 4, 2012
At the 12th Industrial Control System (ICS) Cyber Security Conference the week of October 22-25 in Norfolk, VA, there were a number of issues that became evident to the attendees:
- There are significant differences between IT and ICSs. From a cyber security perspective, ICS cyber vulnerabilities include both communication network vulnerabilities that can be similar to IT and cyber security vulnerabilities unique to the ICS designs. These ICS-unique vulnerabilities can, and have been, exploited such as with Stuxnet and Aurora.
- ICS security efforts are probably at least 10-15 years behind the IT security community.
- ICS cyber security policies need to address ICS-unique issues, as these are not addressed in traditional IT security policies.
- A gulf exists between the IT and ICS communities that needs to be closed so that each community can bring its strengths to the table.

Additionally, a special panel consisting of control system experts from power, water, oil/gas, chemicals, manufacturing, and DOD concurred with the need for ICS-unique cyber security solutions as most cyber security solutions being applied to ICSs are "recycled" IT solutions. This will require both the IT and ICS communities working together.

On Monday November 5, 2012, Tony Sager, the lead developer of the SANS 20 Critical Controls, will be publicly presenting these controls, which come predominantly from the IT community. At the 50,000 foot level, the 20 Critical Controls can be applied to any computer system's networks, including ICSs. However, when you drop down in granularity they do not comprehensively address ICS cyber security issues, particularly ICS design vulnerability issues. This is also true of the NIST SP800-53 controls. A continuing concern is that when cyber security policy is developed, the control system experts are generally not at the table. There is a need for the IT community to include the ICS community, particularly the ICS experts, to support and enhance the SANS 20 Critical Controls.

Joe Weiss
