How to implement baseline security measures for every ICS organization
The development of Industrial Control Systems (ICS) over the past two decades has changed the face of many industries. Operational Technology (OT) – largely industrial equipment – has become increasingly connected, and the integration of Information Technology (IT) components allows such devices to leverage software that drives data collection and analysis, resulting in enhanced performance and ultimately “smarter” machines.
With these benefits came vulnerabilities, including the possibility of malicious actors gaining access to critical assets through networks. The growing recognition of cyber security threats to critical infrastructure (e.g. energy, water, transportation) has brought the topic into the spotlight. Further, regulatory requirements on these industries have increased. Standards and policies have been created in an attempt to address the rapid technological changes; however, it is still challenging for companies to implement needed processes and keep personnel up to date and aligned, given the pace of change.
Meanwhile, the cyber threat landscape continues to increase. According to IBM, the number of attacks aimed at ICS increased by 110% in 2016 compared to 2015. To add to this, leveraging third-party vendors and new cloud-based services result in additional areas of risk previously non-existent in ICS.
Designing products to be secured from cyber attack only became a topic of concern about a decade ago, and the prevailing sense at that time was that isolation (“air gap”) and limited availability of technical knowledge (“security by obscurity”) protected ICS products. This false belief was quickly dismissed as wishful thinking after Stuxnet, and vendors began to respond to customer demands for more secure products. However, with often heterogeneous equipment and life cycles counted in decades, it will take time for secure components to become the norm.
In this paper, the authors will share insights to enhance your understanding of the ways in which governance, technology, and business requirements intersect. The paper will also illustrate ways in which organizations can leverage digitalization opportunities to better manage increasing risks. The authors will break down these risks to help your organization address these sometimes overwhelming challenges. Further, you will find recommendations for organizations to improve their cyber security posture in a holistic and sustainable model.
Contents
- The state of industrial cyber security
- The impact of real cyber attacks
- Meeting cyber security challenges
- How to implement baseline security measures for every ICS organization
- Effective risk management
- Cyber security information sharing
- Cyber security governance
This is an excerpt from the Securing industrial systems in a digital world. Approach cyber security with confidence white paper written by Dee Kimata, Product Manager, Power Generation & Water at ABB and Jim Lemanowicz, GICSP Director, Cyber Security Power Generation & Water at ABB.