ICS security is concerned with securing and safeguarding industrial control systems, keeping processes and machinery running smoothly, and ensuring that the information and data shown on the control room dashboards and screens are accurate. Like every system that is networked to the Internet, ICS must be properly secured. The problem is that ICS security is often overlooked because it is tied to mission-critical systems and infrastructure. As a result, disruptions are often avoided, and that includes taking these systems down for security updates. This leaves the ICS out of date, unpatched, and vulnerable to attacks, which in turn exposes it to a growing number and a wider variety of threats and vulnerabilities.
Existing capabilities have proven insufficient to ensure a high level of ICS security. Different states have very different levels of preparedness, which has led to fragmented approaches against ever-increasing threats. Additionally, the lack of common security requirements makes it impossible to set up a global and effective mechanism for transnational and international cooperation.
The criticality and importance of these infrastructures to the stability and economy of states make them centers of gravity, as Clausewitz defined the term in his book On War. You can only imagine the impact of a disrupted electrical grid in major cities or the health issues that could arise from a contaminated water grid in Paris or Los Angeles. One word can describe it in full: chaos. It is therefore imperative that ICS security be treated not only as an inter-organizational issue but as a state and international priority.
A European Perspective on ICS Security
As such, many states and international organizations have developed national strategies and policies, like the United States’ NIST 800-82 and OECD’s Digital Security Risk Management for Economic and Social Prosperity. On 10 May 2018, the enacted the Network and Information Systems (NIS) Security Directive, which aims to achieve a high common level of critical infrastructure systems security across the European Union so as to improve the cyber security posture of member states and to minimize the vulnerabilities and threats facing such systems. In accordance with the Directive, security of these systems is defined as “the ability to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those systems”. Hence system security is system resilience. The following paragraphs provide a quick overview of the NIS key points for ICS security.
To achieve and maintain a high level of security, each state should have a national strategy on the security of critical systems defining the strategic objectives and concrete policy actions to be implemented. Given the pervasiveness of information systems and networks in our societies, all entities, private and state, need to recognize that their action or inaction may harm others. Ethical conduct is therefore crucial, and the development and adoption of best practices must respect the legitimate interests of others and should be compatible with essential values of a democratic society.
Of equal importance is the cooperation between nations and between the state and the private sector. As most of the critical infrastructure systems are privately operated, cooperation between the public and private sectors is essential. Given the global nature of security problems affecting ICS and critical systems, there is a need for closer international cooperation to improve and harmonize security standards and information exchange and to promote a common global approach to security issues. Exercises that simulate real-time incident scenarios, such as CyberEurope coordinated by ENISA, are essential for testing the states’ preparedness and cooperation. These exercises are a useful tool for testing and drawing up recommendations on how incident handling should improve over time.
The goal of these directives and policies is to build a culture of security. A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Each stakeholder is an important actor for ensuring security. Stakeholders, as appropriate to their roles, should be aware of the relevant security risks and preventive measures, assume responsibility, and take steps to enhance ICS security. Promotion of a culture of security will require both leadership and extensive participation and should result in a heightened priority for security planning and management as well as an understanding of the need for security among all. Security issues should be topics of concern and responsibility at all levels of government and business and for all stakeholders.
In the military, they say that if you want peace, you should prepare for war. Such should be the case for ICS and critical infrastructure security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.