Initially, since most ICS components were physically located in secured areas and were not connected to IT systems or networks, local threats were the only security concern. As the merging of ICS and IT networks has become increasingly prevalent, ICSs have become significantly less isolated from the outside world, so security measures are now required to protect them from external and remote threats.
Additionally, the adoption of wireless networking exposes the ICS to adversaries in physical proximity who do not have direct access to the equipment. The long list of possible adversaries or threats to an ICS includes discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents and complexities, as well as accidental or malicious actions by insiders. The security objectives for any ICS must therefore follow the priority of availability, integrity and confidentiality, in that order.
An ICS may face the following possible scenarios:
- A modification to the ICS software or configuration settings, or ICS software infection with malware.
- ICS operation disruption due to delayed or blocked traffic through the ICS network.
- Interference with the operation of safety systems, which could endanger human life.
- Unauthorised changes to commands, instructions or alarm thresholds, which could disable, damage or shut down equipment, cause environmental impacts and endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions.
An ICS implementation should include the following main security objectives:
- Physical access restrictions to the ICS network and devices. A combination of card readers, locks, and/or security guards could be used as physical access controls to protect the ICS’s components from functionality disruptions.
- Protection of individual ICS components from exploitation. Security patches should be deployed as quickly as possible, after they have been tested under field conditions. All unused ports and services should be disabled, ICS user privileges should be restricted to only those required for each individual role, audit trails should be tracked and monitored, and security controls such as antivirus software and file integrity checking software should be used wherever technically feasible to prevent, detect, deter and mitigate malware.
- Logical access restrictions to the ICS network and network activity. To prevent information from flowing directly between the ICS and corporate networks, a demilitarized zone (DMZ) network architecture with firewalls can be used, along with separate authentication mechanisms and credentials for ICS and corporate network users. Additionally, a network topology with multiple layers can be implemented, keeping the ICS’s most critical communications in the most reliable and secure layer.
- Maintenance of functionality during adverse conditions. To achieve this, the ICS must be designed so that each critical component has a redundant counterpart. If a component fails, it should fail in a way that does not generate unnecessary traffic on the ICS or other networks and does not trigger a cascading event or other problems elsewhere.
- System restoration after an incident. Because incidents are inevitable, it is essential to have an incident response program. An effective security plan is measured by how quickly a system can be restored after an incident has disrupted it. It is thus vital for a cross-functional cyber security team drawn from various domains to share their experience and knowledge and to work together in evaluating and reducing the possible risk to the ICS. This team must at the very least include a member of the company’s IT staff, a control system operator, a control engineer, a network and system security expert, a member of the management staff, and a member of the physical security department. Additionally, for consistency, this cyber security team must consult with the control system vendor and system integrator. They should report to the organisation’s CIO/CSO or the site management, who must take full responsibility and assume complete accountability for the ICS’s cyber security. An effective ICS cyber security program must focus on a “defense-in-depth” strategy, which layers the security mechanisms to minimise the impact of a failure in any one of them.
CSSP recommended defence-in-depth architecture (NIST 800-82)
A defense-in-depth strategy in any typical ICS therefore requires:
- Physical access restrictions to the ICS network and devices.
- Modern technology, such as smart cards, for Personal Identity Verification (PIV).
- The application of an ICS layered network topology, with the most critical communications occurring in the most reliable and secure layer.
- The implementation of a DMZ network architecture to prevent traffic between the ICS and corporate networks.
- The establishment of a logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).
- The implementation of separate authentication mechanisms and credentials for users of the corporate network and the ICS network.
- The application of role-based access control and the configuration of each individual role based on the principle of least privilege, restricting ICS user privileges to those required for each person’s job.
- The employment of security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
- The implementation of security techniques such as cryptographic hashes and/or encryption to ICS data storage and communications where appropriate.
- The rapid deployment of security patches after testing all patches under field conditions before installation on the ICS.
- The disablement of unused ports and services on ICS devices, after testing to ensure this will not impact ICS operation.
- Tracking and monitoring audit trails on critical areas of the ICS.
- Ensuring that critical components are redundant and are on redundant networks.
- The design of critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
- Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
- The development of security policies, procedures, training and educational material that are specifically applicable to the ICS.
- Aligning ICS security policies and procedures with the Homeland Security Advisory System Threat Level, and employing progressively heightened security measures as the Threat Level increases.
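As an added illustration of the DMZ-based segregation called for above (in the logical access restrictions objective and again in the defence-in-depth list), the following Python model evaluates connection requests against a zone policy in which corporate users reach only the DMZ historian and only the DMZ historian talks to the control network. This is example code written for this page, not part of NIST 800-82 or any product; the zone address ranges, hosts, ports and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: corporate LAN, DMZ (historian / jump hosts), control network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "allow" or "deny"


# Constructed rule set: first match wins, everything else is denied by default.
# Note that no rule ever joins the corporate and control zones directly.
RULES = [
    Rule("corporate", "dmz", "tcp", 443, "allow"),   # operators view the historian web UI
    Rule("dmz", "control", "tcp", 502, "allow"),     # historian polls PLCs over Modbus/TCP
    Rule("control", "dmz", "tcp", 1433, "allow"),    # control gateway pushes to historian DB
]


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Decide (action, reason) for the packet that initiates a connection.

    Stateful behaviour is simulated by judging only the connection-opening packet;
    replies belong to an already-allowed session and would not be re-evaluated.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return "deny", "address outside any defined zone"
    if {src, dst} == {"corporate", "control"}:
        return "deny", "corporate and control zones must never communicate directly"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return r.action, f"matched {src}->{dst} {proto}/{dport}"
    return "deny", "no matching rule (default deny)"
```

The hard-coded corporate/control check sits before the rule table so that a mistaken rule added later cannot silently reopen a direct path between the two zones.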