- Posted by fedco
- On January 30, 2015
- ics security, ics security solutions, ics security training, ics security vulnerabilities
The security assurance of Industrial Control System environment should be considered as one of the priority due to its critical function in the critical industry sector. The vulnerabilities of the ICS environment should be identified in order to implement the proper strategic action to control the risk into the ALARP level. This short article explain briefly regarding the common ICS security vulnerabilities that being faced in the current period.
The Common Vulnerabilities in Industrial Control System (ICS) Environment
The Industrial Control System is playing critical role in the critical industry sector, such as oil & gas, petrochemical, power plant, nuclear and public infrastructure. The risk exposure of unperformed ICS operations on these critical industries can drive the financial/HSE losses. The reliability and security aspects of the Industrial Control System as the critical system should be managed properly in order to maintain its best performance.
The vulnerability on the ICS environment can drive the risk exposure level. The level of probability and consequence are closely related to the vulnerability severity level and threats exposure. It is important to understand the ICS threats and vulnerabilities in order to ensure the security assurance in ICS environment is properly deployed.
One of the methods to explore the vulnerabilities is by using the vulnerability assessment as commonly performed in the IT environment. Unfortunately, the ICS environment is differ from the IT environment, in term of the nature of operations, platform and CIA assurance.
The other method that can be used to explore the ICS vulnerabilities is by using the “non-destructive” vulnerability assessment, such as by assessing the current security policy in the organization, BCP/DRP validity and availability, network configuration, security log management, AAA management (storage and communication), in place procedure and best practice and asset inventory management.
By doing the “non-destructive” vulnerability assessment, the vulnerabilities on the ICS environment can be determined properly, while the risk exposure of doing this assessment can be managed in the acceptable level.
Following is the global categorization of the ICS vulnerabilities by using the NIST SP 800-53 security controls categorization perspective,
The sub-categories that considered belong to each global category is showed by the following diagram (the sample of the related vulnerabilities is not intended to limit the scope of the other vulnerabilities type, it is solely to simplify the explanation),
Culture & Mindset
Personal ICS security awareness, ICS security culture in organization, ICS security practice vs. behavior
Internal ICS security professionals (availability & capability), education & training requirement, security compliance (active & passive), vendor & third party management
Technical & operational procedures (availability & validity), procedures awareness and buy-in
Standard & Policy
Company ICS security standard (availability, validity & implementation), ICS security policy, ICS security standard awareness and resources buy-in
Management involvement in ICS security assurance, security leadership and planning, ICS security as business driven, cost & budgeting for ICS security assurance
Risk management, security audit and assessment framework, AAA management framework, system periodic review, emergency response framework, system ownership & custodianship, change management
Hardware obsolescence, physical protection, environmental condition and protection, infrastructure segregation, physical access management, critical spare part management
Software/application obsolescence, setting & configuration, logical access protection & management, back-up & restore management, system testing & verification
Defense-in-depth framework, DMZ, L4/L3 interconnection, segregation layer and protection management, communication protocol and interconnection framework, system entities domain management, external network management
Industrial Control System Security Control Management
By the completion of the vulnerability assessment, the security posture on the ICS environment can be explored in order to develop the strategic planning to control the risk exposure (risk management can be performed to address the risk level, security control strategy and its implementation).
The security control baseline as per described in the NIST SP 800-53 can be used as one of the reference to determine the proper controls strategic for the exposed vulnerabilities.
“The ICS security assurance in not “one man show” activities, it is require unified collaboration as a team to work the plan”