A European Perspective on ICS Security

As such, many states and international organizations have developed national strategies and policies, such as the United States’ NIST 800-82 and the OECD’s Digital Security Risk Management for Economic and Social Prosperity. On 10 May 2018, the EU enacted the Network and Information Systems (NIS) Security Directive, which aims to achieve a high common level of critical infrastructure systems security across the European Union, so as to improve the cyber security posture of member states and to minimize the vulnerabilities and threats facing such systems. In accordance with the Directive, the security of these systems is defined as “the ability to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those systems”. Hence, system security is system resilience. The following paragraphs provide a quick overview of the NIS key points for ICS security.
To achieve and maintain a high level of security, each state should have a national strategy on the security of critical systems that defines the strategic objectives and the concrete policy actions to be implemented. Given the pervasiveness of information systems and networks in our societies, all entities, private and state, need to recognize that their action or inaction may harm others. Ethical conduct is therefore crucial, and the development and adoption of best practices must respect the legitimate interests of others and should be compatible with the essential values of a democratic society.

Of equal importance is cooperation between nations and between the state and the private sector. As most critical infrastructure systems are privately operated, cooperation between the public and private sectors is essential. Given the global nature of the security problems affecting ICS and critical systems, there is a need for closer international cooperation to improve and harmonize security standards and information exchange and to promote a common global approach to security issues. Exercises that simulate real-time incident scenarios, such as the Cyber Europe exercise coordinated by ENISA, are essential for testing the states’ preparedness and cooperation. These exercises are a useful tool for testing incident handling and for drawing up recommendations on how it should improve over time. The goal of these directives and policies is to build a culture of security. A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Each stakeholder is an important actor in ensuring security. Stakeholders, as appropriate to their roles, should be aware of the relevant security risks and preventive measures, assume responsibility, and take steps to enhance ICS security.
Promotion of a culture of security will require both leadership and extensive participation, and should result in a heightened priority for security planning and management, as well as an understanding of the need for security among all stakeholders. Security issues should be topics of concern and responsibility at all levels of government and business and for all stakeholders. In the military, they say that if you want peace, you should prepare for war. Such should be the case for ICS and critical infrastructure security.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.