Industrial Automation and Control Systems (IACS) security has become a significant concern for organizations in the last decade. Cyber resilience for IACS means being able to recover from cybersecurity incidents quickly, with a priority on safety and maintaining system integrity and availability. To have a successful cyber resilience program, organizations should define their goals and commonly identify objectives when building a cybersecurity program.
Identify and Detect
This involves continuous security monitoring and attack surface management to detect anomalies and potential intrusions before a major attack on the ICS.
Respond and Recover
This consists in implementing adequate incident response planning to ensure that your operations can continue safely or safely shutdown in
an event.
Protect
This involves the use of Endpoint protections, network security, network segmentation, and of
course, configuration and change management. Etc.
Effective & Durable:
This is the final element to ensure that your cyber resilience program is adaptive, dynamic, and evolving and is part of your routine business and operation.
There are many ways to start building Cyber resilience for your IACS systems. In some cases, you may have already begun. Many organizations have a lot of effort already directed toward securing and managing risks for their OT Assets and IACS environments. So, for such organizations, it is about structuring their cyber security efforts, organizing, prioritizing, and strategically defining their objectives and achieving them and thus improving the overall OT Security posture of the organization.
Here are some questions that your OT Security caretakers can start looking at as a first step towards creating your program towards building Cyber Resilience for Process Control Systems.
- What are your crown jewels?
Start answering this question by making a list of Mission-critical assets.
For example:
- Without user's access to these systems, such as ____________________, my operators will not be able to operate the units.
- If the safety system, such as____________________ was not fully operating or was compromised, then the unit will be shut down, and the business would not make money.
- What types of security controls do we have now in place?
- We currently have Asset monitoring in place.
- We currently have periodic patching of OS and Anti-virus in place.
- How effective are the control measures that are already in place?
- Conduct Risk Assessments and audits periodically, develop a baseline and follow up with a security posture assessment.
- The following types of methods can be used in combination to understand your current control measures and security posture:
> Vulnerability Scanning
> Cyber PHA Risk Assessments
- How does a cyber incident affect your OT Environment?
Conducting a risk assessment provides insights into how your cyber incident affects your OT environment.
- What techniques & strategies can restore your operations?
Building Cyber Resilience for Process Control Systems starts with identifying your most critical assets and identifying your goals; it involves understanding your journey and carefully plotting a security roadmap. The ISA/IEC 62443 standard can be your guiding standard as it specifies security capabilities for control system components and aims to provide a common language for product suppliers and IACS stakeholders.
You can find more information on ISA/IEC 62443 standards by going to https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
Originally published in the ISA SAFETY & SECURITY NEWSLETTER NOVEMBER 2022
Featured Image Credit: Robert Ullmann, New York - United States of America