How to assess security risks using the bow tie method

Bow tie risk diagrams are used in safety critical environments, like aviation, chemicals and oil and gas. They visualise potential causes and consequences of hazardous events and allow for preventative and recovery controls to be highlighted.

You don’t have to be a gas engineer or work for a rail operator to benefit from this tool, however. Cyber security professionals can use simplified bow tie diagrams to communicate security risks to non-technical audiences as they succinctly capture business consequences and their precursors on a single slide.

If you work for one of the safety critical industries already, using this technique to represent cyber risks has an added benefit of aligning to the risk assessment patterns your engineers likely already use, increasing the adoption and harmonising the terminology.

There are templates available online and, depending on the purpose of the exercise, they can vary in complexity. However, if you are new to the technique and want to focus on improving your business communication when talking about cyber risk, I suggest starting with a simple PowerPoint slide

Feel free to refer to my example diagram above where I walk through a sensitive data exposure scenario. For example, it can occur through either a phishing attempt or a credential stuffing attack (supply chain and web application/infrastructure exposure being another vector) leading to a variety of business consequences ranging from a loss of funds to reputational damage. The figure also incorporates potential preventative barriers and recovery controls that are applicable before and after the incident respectively. 


Intrusion detection in the ICS environment


There are many network traffic analysis tools out there but how many of them understand industrial protocols like Modbus, Profibus or DNP3? More importantly, how effective are these solutions in the industrial control systems environment?

In this post I would like to share a quick summary of security vendors in this domain.

Please note that this space moves quickly so the list may not be up-to-date by the time you are reading this. That being said, I hope it provides a high-level overview of vendors and capabilities in this space.


Global Industrial Cyber Security Professional (GICSP)

I’ve recently passed my GICSP exam. This certification is deigned to bridge together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.

This unique vendor-neutral, practitioner focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.

GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.

Here are some useful links for those of you who are interested in sitting the exam:

Exam FAQ


Certification Handbook

Delivering a Seminar at the London Metropolitan University

RIG (1)

I was invited to give a talk on industrial systems security at the London Metropolitan University.

The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedding devices and network and IT infrastructure in general.

The professors shared their perspective on this subject.  This resulted in the  identification of several research opportunities in this area.

Image courtesy of Vlado /

Presenting on Industrial Control Systems Security at the University of Westminster


I delivered a seminar to a group of students at the University of Westminster on industrial control systems security. We discussed the history of these systems, current developments and research opportunities in this area. There was some debate around the hypothesis that these systems weren’t designed to be secure and the trade-offs between confidentiality, integrity and availability helped the participants to better understand modern challenges. Practical recommendations were given pertaining the areas of risk management, disaster recovery, and resilience.

I also facilitated a workshop, where I divided the audience into several groups representing various stakeholders within the company: shareholders, process engineers, and security managers. This helped to drive further discussion regarding different points of view, priorities, and the complexity of communication.

An Introduction to Industrial Control Systems Security Part III: Auditing the Environment

In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.

Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.


On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:

  • Modicon Momentum PLC
  • Rockwell Automation MicroLogix 1100 PLC
  • Siemens S7 1200 PLC
  • Small embedded RTU device

The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.

To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.


If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.


An Introduction to Industrial Control Systems Security Part II: An Overview of Protection Strategies

Initially, since most of the ICS components were physically found in secured areas, and were not connected to IT systems or networks, local threats were the only security concern. Because merging ICS systems and IT networks has become increasingly prevalent, the former have become significantly less isolated from the outside world, thus requiring security measures to protect them from external and remote threats.

Additionally, the implementation of wireless networking makes the ICS vulnerable to physically proximal adversaries who do not have a direct access to the equipment. The endless list of possible rivals or threats to an ICS might include discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents, complexities as well as accidental or malicious actions by insiders. Therefore, the security objectives for any ICS must follow the priority of availability, integrity and confidentiality, in that order.

An ICS may face the following possible scenarios:

  • A modification to the ICS software or configuration settings, or ICS software infection with malware.
  • ICS operation disruption due to delayed or blocked traffic through the ICS network.
  • Interference with the operation of safety systems, which could endanger human life.
  • Unauthorised changes to commands, instructions, or alarm thresholds, which could disable, damage or shut down equipment, create environmental impacts and risk human life.
  • Inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions.

An ICS implementation should include the following main security objectives:

  • Physical access restrictions to the ICS network and devices. A combination of card readers, locks, and/or security guards could be used as physical access controls to protect the ICS’s components from functionality disruptions.
  • Individual ICS component protection from exploitation. After testing them under the conditions of the field, security patches can be deployed as quickly as possible. All unused ports and services should be disabled, ICS user privileges should be restricted to only those that are required for each individual role, audit trails should be tracked and monitored, and security controls such as antivirus software and file integrity checking software should be used whenever it is technically feasible to prevent, detect, deter and mitigate malware.
  • Logical access restrictions to the ICS network and network activity. In order to prevent information flow from travelling directly between the ICS and the corporate networks, a demilitarized zone (DMZ) network architecture with firewalls can be used, along with separate authentication mechanisms and credentials for the ICS and corporate network users. Additionally, a network topology with multiple layers can be implemented, keeping the ICS’s most critical communications in the most reliable and secure layer.
  • Maintenance of functionality during adverse conditions. In order to do so, the ICS must be designed so that each critical component has a counterpart that is redundant. If and when a component fails, it should do so in a way that avoids unnecessary traffic from generating on the ICS and other networks, or that it doesn’t detonate a cascading event or other problems elsewhere.
  • System restoration after an incident. Because incidents are inevitable, it is essential to have an incident response program. The mark of an effective security plan is defined by how quickly a system can be restored after an incident has disrupted it. It is thus vital for a cross-functional cyber security team from various domains to share their experience and knowledge and to work together in evaluating and reducing the possible risk to the ICS. This team must at the very least include a member of the company’s IT staff, a control system operator, a control engineer, a network and the system security expert, a member of the management staff, and a member of the physical security department. Additionally, for consistency, this cyber security team must consult with the control system vendor and system integrator. They should report to the organisation’s CIO/CSO or the site management, who must take full responsibility and assume complete accountability for the ICS’s cyber security. An effective ICS cyber security program must focus on a “defense-in-depth” strategy which layers the security mechanisms to minimise the impact of a failure in any one of said mechanisms.


CSSP recommenced defence-in-depth architecture (NIST 800-82)

A defense-in-depth strategy in any typical ICS therefore requires:

  • Physical access restrictions to the ICS network and devices.
  • Modern technology, such as smart cards, for Personal Identity Verification (PIV).
  • The application of an ICS layered network topology, with the most critical communications occurring in the most reliable and secure layer.
  • The implementation of a DMZ network architecture to prevent traffic between the ICS and corporate networks.
  •  The establishment of a logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).
  • The implementation of separate authentication mechanisms and credentials for users of the corporate network and the ICS network.
  • The application of role-based access control and the configuration of each individual role based on the principle of least privilege, which means restricting ICS user privileges according to who is required for each job.
  • The employment of security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
  • The implementation of security techniques such as cryptographic hashes and/or encryption to ICS data storage and communications where appropriate.
  • The rapid deployment of security patches after testing all patches under field conditions before installation on the ICS.
  • The disablement of unused ports and services on ICS devices after testing to reduce impact ICS operation.
  • Tracking and monitoring audit trails on critical areas of the ICS.
  • Ensuring that critical components are redundant and are on redundant networks.
  • The design of critical systems for graceful degradation (fault tolerant) to prevent catastrophic 
cascading events.
  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
  • The development of security policies, procedures, training and educational material that are specifically applicable to the ICS.
  • Taking into account the ICS security policies and procedures following the Homeland Security Advisory System Threat Level, and employing progressively amplified security measures as the Threat Level increases.

Guide to Industrial Control Systems (ICS) Security by NIST

An Introduction to Industrial Control Systems Security Part I: An Overview of Industrial Control Systems


Today’s major industries rely on finely automated industrial control sectors and are operated by critical infrastructures of highly interconnected and mutually dependent systems known as industrial control systems (ICS). These are predominantly found in industries such as transportation, electric, oil and natural gas, utility power, pulp and paper, mining, discrete manufacturing (i.e. durable goods, automotive, aerospace, etc.), chemical, metals, food and beverage, water and wastewater, and pharmaceutical.

The term ICS comprises three main types of systems which include distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, along with the incorporation of smaller controller hardware components such as the skid-mounted Programmable Logic Controllers (PLC).

DCS are usually found within a localized area, such as an industrial process plant or a factory, as a specific functional distributed control system design that relies on supervisory and regulatory control. DCS emerged as a tool for controlling the systems involved beyond a small cell area, while collecting data in real time on high-bandwidth/low-latency data networks. Because everything operates in real time, loop control will commonly extend up to the DCS top level controllers. Such systems can be found in refineries and chemical plants, among others.

SCADA systems were designed to cater to distribution applications where remote data must be gathered through more unreliable data networks, such as those with low-bandwidth/high-latency links. These systems are implemented in widely separated geographical sites (often scattered over thousands of square kilometers) using an open-loop control, through centralized data acquisition and supervisory control. Supervisory data is typically sent back to a control center through remote terminal units (RTUs), which tend to be restricted to a limited capacity for handling local controls whenever the master station is not available. With technological advances, however, the capability of these RTU systems continues to grow, allowing for better performance. SCADA systems are normally used in water pipelines and natural gas industries, to name a few.

PLCs are computer-based devices and are the result of the technological replacement of relay racks in ladder form. They are the primary components in small control system configuration and are used in almost all discrete industrial processes. PLCs are commonly integrated into DCS architectures as key components that provide feedback or feed forward control loops which automatically maintain the desired conditions of a process around a specific set point. Here, the PLC settings are specified to determine the desired tolerance and provide the rate of self- regulation and self-correction whenever there is a system upset.

Today, the boundaries are blurring between these three system definitions as current ICS architectures are evolving into hybrids that integrate features of both SCADA systems and DCS.

The key components for the operation of an ICS include: a control loop, Human-Machine Interface (HMI) and Remote Diagnostics and Maintenance Utilities (see glossary).

The main control components of an ICS encompass: a control server, a SCADA Server or Master Terminal Unit (MTU), Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), Intelligent Electronic Devices (IEDs), a Human-Machine Interface (HMI), a Data Historian and an Input/Output (IO) Server (see glossary).


SCADA system general layout (NIST 800-82)

Control networks have merged with corporate networks in order to facilitate monitoring and controlling systems from the outside, which allows decision-makers at an enterprise level have access to process data. Network topologies can vary greatly from ICS to another, with different characteristics for each layer within a control system hierarchy, but the most important components they must include are: a fieldbus network, a control network, communications routers, a firewall, modems, and remote access points.

Originally, ICS used specialized hardware and software to run proprietary control protocols, making them completely isolated systems with little resemblance to traditional information technology (IT) systems. However, in order to facilitate remote access capabilities and corporate connectivity, IT solutions are being designed and implemented into ICS. The use of standard computers, operating systems (OS) and network protocols, along with low-cost Internet Protocol (IP) devices to replace proprietary solutions, provides new IT capabilities, but reduces the ICS isolation from the outside world, thus increasing the possibility of cyber security vulnerabilities and incidents. Despite the availability of solutions to deal with these security issues in typical IT systems, special considerations and precautions must be tailored to secure the ICS. Additionally, efficiency and safety goals can sometimes conflict with security in the design and operation of control systems. Because each one of these ICS is unique in its performance and reliability, each one requires its own unique, and sometimes unconventional, operating system and applications which might be regarded as odd or challenging by typical IT personnel.

The implementation of an ICS always involves some form of impact, which is complex and can go far beyond the immediate processes at hand. Some of the ICS characteristics differ from traditional information processing systems because they affect the physical world directly. These might risk human and environmental health and safety, as well as detonate financial issues related to production losses which can compromise proprietary information and even have a negative impact on a country’s economy.


Control loop – contains measurement sensors, controller hardware (such as a PLC), and actuators (such as motors, switches, control valves and breakers), all interconnected, which share the communication of variables. The sensors transmit controlled variables to the controller which then interprets the signals it receives and, based on the set points, manipulates this information to generate new variables. It sends this new information to the actuators which perform accordingly to adjust the system involved into a stated within the set points. Whenever the system or the process is disturbed, the sensors will send new signals to the controller, in order for there to be a readjustment.

Control network – an interconnection between the lower-level control modules and the supervisory control level.

Control server – a host to the supervisory control software of a PLC or DCS that communicates with lower-level control devices. It has access to subordinate control modules within an ICS network.

Data Historian – a centralized database for storing all the ICS process information. This information can be accessed to support statistical process control.

Fieldbus network – a network that connects sensors and other components to a PLC or other controller. Using fieldbus technology eliminates the need for point-to-point wiring between the controller and each device. Communication between the fieldbus controller and the devices is through a variety of protocols. The messages sent between the controller and the sensors identifies each of the sensors uniquely.

Human-Machine Interface (HMI) – these are used by engineers and operators to monitor and configure set points, control algorithms, and establish and regulate parameters in the controller. This interface also displays information on the status of the process, reports, historical information, and other information to administrators, business partners, operators and other authorized users. The platform, interface and location may vary greatly.

Intelligent Electronic Devices (IED) – “smart” devices that combine both sensor/actuator attributes which, when used in SCADA and DCS systems, allow for automatic control at a localized level. They can gather data, communicate with other devices, and perform local processing and control.

Input/Output (IO) Server – a control component that collects, buffers and provides access to process information from control sub-components such as RTUs, IEDs and PLCs. It can be found on the control server or on an independent computer platform. These servers can also be used for interfacing third-party control components such as a control server and an HMI.

Modem – a device that enables communication between components by converting between serial digital data and a signal suitable for transmission over a telephone line. Modems are used in SCADA systems to allow long-distance serial communication between remote field devices and MTUs. They are also used for gaining remote access to operational and maintenance functions in DCS and SCADA systems.

Remote Diagnostics and Maintenance Utilities – are used to identify, prevent and recover from abnormal operation, disruptions or failure.

Remote Terminal Unit (RTU) – (also known as remote telemetry unit) is a control unit for special purpose data acquisition in SCADA remote stations. These field devices support traffic to and from remote sites were wire-based communications are unavailable since they are equipped with wireless radio interfaces.

SCADA Server or Master Terminal Unit (MTU) – this device performs as the master in a SCADA system, in which PLCs and remote terminal units which are located in remote sites act as slaves.

Guide to Industrial Control Systems (ICS) Security by NIST

Image courtesy of hin255 /