https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Security


Getty Images

ICS security

An ICS Security Checklist

Because industrial control systems (ICS) security is complicated, it is vital to have comprehensive defenses. 
  • Written by Brian Buntz
  • 21st January 2020

In traditional cybersecurity, a breach can expose, corrupt or even hold enterprise data systems captive. 

While a traditional data breach can cost money and debilitate enterprise IT systems, a cyberattack on industrial control systems can affect mission-critical data and operations. Given that industrial control systems control everything from nuclear power plants to refineries, power grids, factories and heavy equipment, ICS security is vital. 

While IT systems are hardware in software in traditional enterprise settings, industrial control systems—sometimes known as operational technology (OT)—encompass devices, systems and networks to operate and/or automate industrial processes.

Here, we offer a set of ICS security principles to help industry professionals lower their cybersecurity risk. 

1. Understand Your Assets 

 Most industrial organizations aren’t ready for advanced cybersecurity techniques. They should start with the basics. “Most organizations don’t know what technology they’ve got deployed,” said Bill Malik, vice president of infrastructure strategies at Trend Micro.  

Part of the challenge is the fact that operational technology assets often differ from IT assets, said Jason Haward-Grau, chief information security officer at PAS. A server in a data center, for instance, is an IT asset. But a system in a server room at a plant is a “capability that gets you to an asset,” he added. “It will run a control system for PLCs [programmable logic controllers], SCADA [supervisory control and data acquisition] or DCS [distributed control system] systems.” 

So counting servers, IP addresses or networking switches won’t capture the full picture. “There are a ton of [industrial] systems that aren’t on a formal network,” Haward-Grau said. Another challenge is aging equipment. “There is still technology from the 1960s and 1970s at the core of many plants,” he added. 

In the enterprise, performing a vulnerability assessment or establishing asset inventory is generally straightforward, those same actions in the world of OT and ICS usually aren’t. Doing an inventory-check “in the OT environment could bring a device or a whole environment down,” said Sean Peasley, Deloitte risk and financial advisory partner IoT security leader. Specialist ICS security vendors can make an inventory of devices passively, he said.

2. Look to Frameworks for Help 

Securing industrial infrastructure may be challenging, but there is a growing body of standards that can help. Having a common framework that includes cybersecurity can bridge the gap between IT and OT and foster “a holistic mindset” across an industrial organization, Peasley said. 

There is considerable overlap between most ICS standards, Haward-Grau said. “Start with a framework. I don’t care which one,” he advised.  

Relevant standards and frameworks include the following: 

  • The DHS Strategic Principles for Securing the Internet of Things
  • ISA/IEC 62443
  • ISO/IEC 27001
  • MITRE ATT&CK Framework for Industrial Control Systems
  • NERC CIP
  • NIST Cybersecurity Framework, NIST Guide to Industrial Control Systems (ICS) Security and NIST Recommendations for IoT Device Manufacturers 
  • UL 2900 standards

3. Have a Cyber Disaster Recovery Plan

While cybersecurity standard documents are often dense, at the end of the day, a framework should enable staff to discuss cybersecurity in plain English and give them a plan for how to respond to cyber-nightmare scenarios. “[With] frameworks, we are talking about, ‘How do I identify and protect things? How will I detect, respond and, more importantly, recover from [cyberattacks]?’” Haward-Grau said.  

4. Invest in Cyberinsurance

 Because cyberattacks often cause  cyberinsurance is invaluable. Purchasing insurance, however, is not straightforward. Legacy industrial equipment is commonplace, so it makes more sense to insure industrial processes rather than specific technology, according to Haward-Grau. “If I have stuff I can’t patch, the cyber-insurer is going to look for compensating controls,” he said. Even with a robust cybersecurity program in place, there may be other exclusions in the insurance policy to note. 

5. Embrace ‘Least Privilege’

 In cybersecurity, the “least privilege” concept counsels that an organization should limit access controls between IT systems and users without comprising core activities. 

Firewalls are a traditional IT-based strategy to accomplish this goal, but they are vital in OT security as well. “Consider how malware might spread across a production facility, and set up firewalls,” Malik said. To avoid potential interference, white-list allowable processes.

There’s more to “least privilege” than firewalls, said David Goldstein, CEO of AssetLink Global. For instance, Goldstein recommended “limiting traffic in directions that are not needed for the application. If you are monitoring only, disable the ability to control, and so forth.” 

Remote access is another worry. “Use unique IDs for maintenance tasks,” Malik said. “When accessing technology over IP networks in an industrial environment, require unique authentication by each user.”

The use of a generic PC in an ICS environment is also a risk. “Lock it down. Disable installs, remove compilers and disable any unknown or unnecessary processes,” Malik said. 

6. Consider a Bug Bounty Program 

Bug bounty programs—where a reward is given to developers who identify system vulnerabilities— have gained popularity in recent years, including in industrial contexts. “Bug bounty programs are a hallmark of forward-thinking IoT and industrial IoT vendors,” Malik said.   

“The whole digitalization journey is going to change how plants operate,” Haward-Grau said. “If you start introducing IIoT devices and 5G, you will need bug bounties.”

But that doesn’t mean it makes sense to prioritize bug bounties in every case. An organization with decades-old equipment and workstations running unpatched or outdated operating systems would likely find the results of a bug-bounty program overwhelming.  

7. Manage Third-Party Risk 

 Third-party risk management programs are of increasing importance in the OT realm, Peasley said. But managing risk across an extended supply chain is often challenging, he stressed. “For large companies, there might be thousands of different third-, fourth-, and fifth-parties that they have to consider,” he said. “Whether it’s a supplier that embeds something into a subcomponent or .. .  a software product, all of those need to be considered,” Peasley added.  

8. Take Inspiration from Safety Programs

Many industrial organizations have had safety programs in place for decades. Now that cybersecurity threats can cause safety-related threats, “we need to have a similar mentality around security,” Peasley said. 

The idea has gained ground. The American Institute of Chemical Engineers, for instance, recommends integrating cybersecurity considerations into traditional process hazard analysis, which traditionally focuses on the risk of human error, equipment failure and the like in chemical engineering facilities. 

One strategy to protect industrial facilities from potential disaster is the use of safety instrumented systems. But such systems themselves can be vulnerable to compromise, Malik said. And retrofitting security functionality into existing safety instrumented systems is not advisable, according to Malik. “You would be building infrastructure on top of a platform that was never designed to be cybersecure,” he said. 

While Haward-Grau acknowledged that safety-instrumented systems are imperfect, he stressed that they are a vital defense. “As we start to expand operations, and we connect more things, the need for more effective safety-instrumented systems is not going to go away by any stretch. They are going to become more important.” 

Tags: Network security Security services IIoT/Manufacturing Security Technologies Features

Related


  • HPE Edgeline Converged Edge Systems
    Converged OT and enterprise IT in a single rugged system for the edge
  • smart manufacturing
    Smart Factory Technology Upgrades: 5G, Cybersecurity Dominate
    Forrester's An expert says that smart factory technology investments while focusing on solving tangible problems.
  • IoT security
    Zero-Trust Security for IoT: Establishing Rigorous Device Defenses
    IoT security pros can benefit from zero-trust security to authenticate rogue devices that try to connect to a network. Zero trust should be the hallmark of your IoT strategy.
  • At Microsoft Ignite: How IoT and Robotics Are Driving Industry 4.0
    Microsoft ignite laid bare the gathering steam of robotics given the reduced price of hardware and the increasing sophistication of AI.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • How To Become A Software-Driven Car Manufacturer with an Autonomous Digital Platform
  • Persistent Pandemic Heightens Need for Supply Chain Data Transparency
  • IoT Supply Chain Vulnerability Poses Threat to IIoT Security
  • IoT Security Needs Pen Testing Approach

News

View all

Webex Collaboration Banks on Hybrid Workplace Model at Cisco Live 2021

2nd April 2021

Cisco Enlists Networking Automation, CX Cloud in COVID-19 Response

31st March 2021

White Papers

View all

Telehealth and COVID Infographic

30th March 2021

Medical Supply Chain Management with Smart Devices and Sensors

30th March 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

From Insights to Action: Best Practices for Implementing Connected Device Security

15th December 2020

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

Embedded IoT World 2021

28th April 2021 - 29th April 2021

The Virtual Industrial AI Summit

29th June 2021 - 30th June 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

IoT Enterprise Deployments Continue Apace, Despite COVID-19 dlvr.it/RxWwsS https://t.co/BSkxdf17vs

12th April 2021
IoTWorldToday, IoTWorldSeries

🥳Happy #IoTDay! How are you celebrating? We're giving $50 off All Access Passes to join our upcoming virtual event,… twitter.com/i/web/status/1…

9th April 2021
IoTWorldToday, IoTWorldSeries

🎉 Announcing #EIOTWORLD sponsor, @InnoPhaseinc — a fabless wireless semiconductor platform company specializing in… twitter.com/i/web/status/1…

8th April 2021
IoTWorldToday, IoTWorldSeries

Digital Health Infrastructure Benefits From Cloud-to-Edge Architecture dlvr.it/RxBwQ4 https://t.co/AILVdUVWDA

7th April 2021
IoTWorldToday, IoTWorldSeries

Meet the #EIOTWORLD keynote lineup: Google, Facebook, Linux Foundation, STMicroelectronics, Antmicro, OpenHW Group,… twitter.com/i/web/status/1…

6th April 2021
IoTWorldToday, IoTWorldSeries

Network Data Analytics Supports Back-to-Work Health and Safety dlvr.it/Rx5xlL https://t.co/VvxxpdUMJ3

6th April 2021
IoTWorldToday, IoTWorldSeries

IoT Cybersecurity Act Places Security Onus on Device Makers dlvr.it/Rx2jHK https://t.co/fyd3nQ1r1Z

5th April 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X