What is industrial control system security?

Industrial control system (ICS) security is the protection of operational technology (OT) systems that monitor critical infrastructure and industrial processes. That includes protecting systems that provide energy, water, manufacturing, and more. These systems process sensor data from across industrial enterprises, enabling alerting and management of processes.

Over time, industrial control systems have become more connected to the internet through enterprise IT systems and internet of things (IoT) devices, making them more vulnerable to disruption and breach. Therefore, ICS security involves more than just the ICS itself.

What are the top threats to ICS security?

Verizon’s 2020 Data Breach Investigations Report notes that mining and utilities industry breaches are composed of a variety of actions. However, financially-motivated social attacks, including phishing and pretexting, dominate incident data. Cyber-espionage-motivated attacks and incidents involving operational technology assets are also of concern.

This is reinforced by a recent alert from the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). The agencies warned of increased malicious activity against operational technology and control systems, including:

  • Spearphishing to gain IT network access as a means to access the organization’s OT network.
  • Ransomware to encrypt data for impact on both IT and OT networks.
  • Connecting to internet-accessible programmable logic controllers in the OT network that require no authentication for initial access.

What are best practices to increase industrial control system security?

ICS security requires a tailored blend of best practices for IT networks and for your specialized ICS networks. It starts with an inventory. You need to know what, how and where elements connect and communicate. You need to know how they are configured. You may need to give some ICS elements extra attention because they are specialized or are based on legacy technology.

It is complex. Fortunately, CISA, the US Department of Energy, and the UK’s National Cyber Security Centre jointly released a detailed infographic that offers a helpful overview. Recommendations include:

ICS network architecture:

  • Segment networks to limit ICS access where possible.
  • Use one-way communication diodes, where possible, to prevent external access.
  • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Set up demilitarized zones to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
  • Employ reliable and secure network protocols and services where feasible.

ICS security monitoring:

  • Baseline ICS operations and network traffic; configure intrusion detection systems (IDS) to alert on ICS traffic outside normal operations.
  • Track and monitor audit trails for critical ICS areas.
  • Set up security incident and event monitoring (SIEM) software to monitor, analyze, and correlate ICS network event logs to identify intrusion attempts. 
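The baselining recommendation above, sketched as an added example that is not part of the original page or the agencies' infographic: learn which hosts talk to which controllers, on which service and with which operation, then alert on anything outside that set. The flow record format, addresses and the use of Modbus/TCP (port 502, function codes 3 = read holding registers, 16 = write multiple registers) are assumptions chosen for illustration.

```python
from collections import namedtuple

# Constructed flow record: one observed ICS request (not a real capture format).
Flow = namedtuple("Flow", "src dst port func")

# Constructed learning window: the HMI polls two PLCs with reads (function 3);
# the engineering workstation writes to one PLC (function 16).
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.21", 502, 3),
    Flow("10.0.1.10", "10.0.2.22", 502, 3),
    Flow("10.0.1.15", "10.0.2.21", 502, 16),
]

def build_baseline(flows):
    """Summarise normal operations as sets of known talkers, services and operations."""
    return {
        "pairs": {(f.src, f.dst) for f in flows},
        "services": {(f.dst, f.port) for f in flows},
        "ops": {(f.src, f.dst, f.port, f.func) for f in flows},
    }

def check_flow(baseline, flow):
    """Return the reasons a flow falls outside the baseline (empty list if normal)."""
    reasons = []
    if (flow.src, flow.dst) not in baseline["pairs"]:
        reasons.append("new talker pair")
    if (flow.dst, flow.port) not in baseline["services"]:
        reasons.append("new service port")
    # Known pair on a known service, but an operation never seen between them.
    if not reasons and tuple(flow) not in baseline["ops"]:
        reasons.append("new operation for known pair")
    return reasons

def alerts(baseline, flows):
    """Return (flow, reasons) for every flow that deviates from the baseline."""
    return [(f, r) for f in flows if (r := check_flow(baseline, f))]

# Constructed monitoring window.
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.21", 502, 3),   # normal poll
    Flow("10.0.1.10", "10.0.2.21", 502, 16),  # HMI has never written to this PLC
    Flow("10.0.3.77", "10.0.2.22", 502, 3),   # unknown host talking to a PLC
    Flow("10.0.1.15", "10.0.2.21", 23, 0),    # known pair, unseen service (func 0 = n/a)
]

if __name__ == "__main__":
    for flow, reasons in alerts(build_baseline(BASELINE_FLOWS), OBSERVED):
        print(flow, "->", ", ".join(reasons))
```

In practice the learning window must be long enough to include legitimate but infrequent operations, such as scheduled maintenance writes, or they will alert as deviations.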

Host security:

  • Promote a culture of patching and vulnerability management.
  • Test all patches in off-line test environments before implementation.
  • Implement application whitelisting on human machine interfaces.
  • Harden field devices, including tablets and smart phones.
  • Replace out-of-date software and hardware devices.
  • Disable unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
  • Implement and test system backups and recovery processes.
  • Configure encryption and security for ICS protocols.

How can Verizon help you?

Reliability and resilience are essential as stakeholders expect critical infrastructure and industrial processes to keep running despite cyberattacks and other problems. Verizon offers intelligent security solutions so you’re ready to defend your systems from threats and continue service delivery:

  • Cyber Risk Monitoring presents enterprise-specific intelligent insights to help you better focus your security spend
  • Threat Monitoring and Managed Security Services provide monitoring and maintenance, freeing you to focus on your core customer-centric business goals
  • Incident Response and Investigation, from Verizon Threat Research Advisory Center (VTRAC) experts, offers threat intelligence, incident response plans, and forensic services that help respond to any cybersecurity threat
  • Mobile security allows you to secure employee and associate devices, whether they’re at their desks, in the field or nearly anywhere in between

Learn more about how Verizon’s security solutions can help improve your security posture and protect mission-critical assets.