It's imperative that organizations protect their industrial control systems (ICS) against intentional and accidental security threats. As I discussed in a previous article, that effort begins with understanding the potential threats confronting their network. Organizations can then leverage that information to create a digital security strategy, or a plan that hopefully protects assets that are most critical to their operations. Lots of factors go into creating a digital security strategy. Expert advice, regulation requirements, frameworks, technology and other disciplines shape which assets could benefit from prioritization. To sort through these influences, organizations should conduct quarterly security assessments. Some companies might benefit from bringing in a third-party, but so long as they have management buy-in and a cross-foundational team, they can use the internal resources of information technology (IT) and operational technology (OT) to get the job done. These professionals can draw upon the Department of Homeland Security's Cyber Security Evaluation Tool and other files to conduct their own security assessments. When conducted properly, security assessments will help organizations identify what frameworks and standards apply to them. Companies can then use the results of these assessments to analyze their systems for security gaps. From there, they can prioritize their assets according to their industry, environment and desired security posture. No two organizations are alike in their ICS security strategies but that doesn't mean they can't benefit from implementing the same digital security principles. In their e-book entitled Industrial Cyber Security for Dummies, Tripwire and its parent company Belden explain that organizations should take a risk-based approach to industrial control security. This methodology relies on two elements. First, companies should consider implementing at least the first five CIS Critical Security Controls. These controls assert the following best security practices:
- CSC 1: Inventory of authorized and unauthorized devices
- CSC 2: Inventory of authorized and unauthorized software
- CSC 3: Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
- CSC 4: Continuous vulnerability assessment and remediation
- CSC 5: Controlled use of administrative privileges
By implementing these controls, organizations can reduce their risks by as much as 95 percent. Second, companies should create defense-in-depth strategies that help to limit the impact of an intrusion. It's not always easy to detect when a potential vulnerability is susceptible to exploitation. As a result, some organizations might want to consider calling in an expert. Alternatively, they can refer to a document (PDF) published by the Department of Homeland Security that discusses defense-in-depth elements. For more information regarding how critical security controls and defense-in-depth strategies can strengthen an ICS security strategy, please download Tripwire and Belden's resource here. If you are interested in learning more about Industrial Cyber Security you can download our new e-book, “Industrial Cyber Security For Dummies” here.