Industrial control systems (ICS) security is an important concern for businesses in today’s world. Kaspersky Lab is well aware of this fact. It observed as much in its “The State of Industrial Cybersecurity 2018” report when three-quarters of respondents affirmed ICS security to be a top concern for their organization. But the Russian security firm found that many organizations weren’t taking appropriate action to address this anxiety. For instance, it noted how less than a quarter (23 percent) of survey participants were compliant with minimal mandatory industry or government guidance and regulations pertaining to ICS cybersecurity. It also discovered that 10 percent of organizations still do not measure the number of incidents and breaches they experience. These findings highlight how organizations need to do more to strengthen their ICS security. One of the best ways to do this is by no longer implementing piecemeal security measures to protect their industrial control systems. With the ongoing IT-OT convergence, industrial environments are now too complex for such an ad hoc approach. Instead, organizations should structure all of their efforts to secure their industrial control systems within the context of a formal ICS security program.
What Is an ICS Security Program?
An ICS security program is a plan that helps organizations protect their ICS technologies. Such a program should reflect the complexity of modern industrial environments if it is to be effective. As such, organizations should follow FireEye’s guidance and make sure their program takes both IT and OT assets into consideration. Of course, an ICS cybersecurity program is not a static plan. Just as the threats themselves are constantly changing, organizations need to review and update their plans to reflect their security needs in light of new operations, regulations and changing business requirements. Only then can they hope to achieve comprehensive visibility into risks threatening their IT and ICS assets.
Breaking Down the Steps
Let’s now look at how organizations can build an effective ICS security plan:
Create Executive Buy-In
An ICS security program will be successful if and only if the organization’s executives champion it. In order to obtain these individuals’ buy-in, it’s imperative to build a business case for the ICS security program. This should explore the benefits of creating such a program, highlight the costs and potential damages of not creating a plan, discuss the steps needed to create and maintain the framework and identify associated costs and resources, all while reflecting the business concerns of senior management. To build this case, security professionals should enlist the help of major internal groups such as corporate communications and consider appealing to external subject matter experts including those who are familiar with applicable regulations. Security professionals should then present their completed business case to the organization’s executives by framing it within the context of a successful third-party example. As explained in NIST’s “Guide to Industrial Control Systems (ICS) Security,” taking this approach can help engender interest in the executives regarding their own organization’s challenges and what the company can do to address those issues. The security team can then work with supportive executives to receive an initial investment for creating the plan and craft a schedule that allocates necessary funding for the program’s future.
Assemble Your Team
One of the greatest mistakes that security professionals make when building an ICS security program is that they end up working in silos without oversight. Per Leidos, security professionals need to make sure they enlist the help of someone, preferably the information security manager, with authority to oversee the initiative. In that context, they can begin dividing up tasks among a dynamic team that ideally consists of IT personnel, control engineers, control system operators, security subject matter experts and enterprise risk management staff members.
Define Scope and Security Policies
With a holistic team in place, security professionals can then begin shaping the program itself. They should start by taking an inventory of all IT and ICS systems they’d like to protect using passive and active scanning tools. They’ll want to be careful in inventorying ICS assets, however, as scanning for resources like PLCs and SCADA units could disrupt the industrial environment. Therefore, those heading the ICS security team should heed NIST’s advice and first conduct an assessment of how each scanning tool works before trying them in the OT environment. They can then enter their results into an automated management platform and update their inventory on an ongoing basis. Next, the team should move onto defining the scope of the ICS security program. Under this process, the information security manager and or whoever else has oversight should craft a policy that documents the goal of the program, specifies necessary budget and resources and identifies key divisions of responsibilities. This policy should also reference what practices, if any, the program will borrow from any existing information security plan. The information security manager can make this determination after they’ve conducted a risk assessment of the ICS environment.
Test the ICS Environment
At this point, security professionals can begin testing the ICS environment. These efforts should ideally proceed under the umbrella of an ICS security risk management framework, with guidelines specifying the duties of selected individuals and groups. Together, the team can support the information security manager in choosing security controls that both reflect the results of the risk assessment performed on the ICS environment and complement the ICS security plan’s program management controls. It’ll then be up to everyone involved to do their duty in support of implementing those ICS security controls.
Streamlining an ICS Security Program
The four-step process identified above doesn’t need to be difficult. To make matters even easier for themselves, organizations can invest in a trusted solution for the purpose of implementing relevant ICS security controls. This solution should ideally provide organizations with controls and capabilities designed to strengthen the security of their industrial environments. Click here to learn how Tripwire can streamline your ICS security program.