How to Build an Effective ICS Security Program
Of all the different areas of cybersecurity, not many are as important, or have as far-reaching consequences as industrial control systems (ICS) security. While most relevant organizations would agree that ICS security is a significant concern for their operations, it is easier said than done. Many find it difficult to put into practice the measures and solutions necessary for sufficient ICS security. As noted in the Kaspersky State of Industrial Security report, there are many hurdles and setbacks for organizations to overcome in order to establish effective ICS security and protection against both accidents and attacks. Building an effective ICS security program is vital and requires a layered and holistic approach to security.
Defining ICS Security
An ICS security program is a plan that helps organizations protect their ICS technologies. Such a program should reflect the complexity of modern industrial environments if it is to be effective. As such, organizations should make sure their program takes both IT and OT assets into consideration—and bridges the gap between the two as much as possible (by using the same tools and metrics even when the networks are not connected). Of course, an ICS cybersecurity program is not a static plan. Just as the threats themselves are constantly changing, organizations need to review and update their plans to reflect their security needs in light of new operations, equipment, regulations and changing business requirements. Only then can they hope to achieve comprehensive visibility into risks threatening their IT and ICS assets.
Building an Effective ICS Security Program
Let’s now look at how organizations can build an effective ICS security plan:
Create Executive Buy-In
An ICS security program will be successful if and only if the organization’s executives champion it. In order to obtain executive buy-in, it’s imperative to build a business case for the ICS security program. This should explore the benefits of creating such a program, highlight the costs and potential damages of not creating a plan, discuss the steps needed to create and maintain the framework and identify associated costs and resources, all while reflecting the business concerns of senior management. To build this case, security professionals should enlist the help of major internal groups such as corporate communications and consider appealing to external subject matter experts, including those who are familiar with applicable regulations.
Security professionals should then present their completed business case to the organization’s executives by framing it within the context of a successful third-party example. As explained in NIST’s Guide to Operational Technology (OT) Security, taking this approach can help engender executive interest in the organization’s challenges and what the company can do to address those issues. The security team can then work with supportive executives to receive an initial investment for creating the plan and craft a schedule that allocates necessary funding for the program’s future.
Assemble Your Team
Just like superheroes, security works better when working as team like the Avengers, instead of each on their own. You don’t want Hulk and Iron Man fighting each other as that doesn’t help reach the common goal - they need to team up.
One of the greatest mistakes that security professionals make when building an ICS security program is that they end up working in silos without oversight. Security professionals should enlist the help of someone with authority, such as an information security manager, to oversee the initiative. In that context, they can begin dividing up and delegating tasks among a dynamic team that ideally consists of IT personnel, control engineers, control system operators, security subject matter experts and enterprise risk management staff members.
Define Scope and Security Policies
With a holistic team in place, security professionals can then begin shaping the program itself. They should start by taking an inventory of all IT and ICS systems, prioritize them and then ensure they are protected using passive and active scanning tools as required. They’ll want to be careful in inventorying ICS assets, however, as scanning for resources like PLCs and SCADA units could disrupt the industrial environment. Therefore, those heading the ICS security team should heed NIST’s advice and first conduct an assessment of how each scanning tool works before trying them in the OT environment. They can then enter their results into an automated management platform and update their inventory on an ongoing basis.
Next, the team should move on to defining the scope of the ICS security program. Under this process, the information security manager and or whoever else has oversight should craft a policy that documents the goal of the program, specifies necessary budget and resources and identifies key divisions of responsibilities. This policy should also reference what practices, if any, the program will borrow from any existing information security plan. The information security manager can make this determination after they’ve conducted a risk assessment of the ICS environment.
Test the ICS Environment
At this point, security professionals can begin testing the ICS environment. These efforts should ideally proceed under the umbrella of an ICS security risk management framework, with guidelines specifying the duties of selected individuals and groups. Together, the team can support the information security manager in choosing security controls that both reflect the results of the risk assessment performed on the ICS environment and complement the ICS security plan’s program management controls. It’ll then be up to everyone involved to do their duty in support of implementing those ICS security controls.
Streamlining an ICS Security Program
The four-step process identified above doesn’t need to be difficult. To make matters even easier for themselves, organizations can invest in a trusted solution for the purpose of implementing relevant ICS security controls. This solution should ideally provide organizations with controls and capabilities designed to strengthen the security of their industrial environments. The individuals in Security and IT working together as a team can be your superheroes accomplishing great security together. Click here to learn how Tripwire can streamline your ICS security program.