Modern industrial control systems are increasingly composed of connected, information-enabled systems. These connected enterprises inherently increase security risks, and with them the responsibilities of control system providers and users alike.
In the past, industrial control systems used proprietary technologies that were static and custom built. Importantly, these systems were generally segregated from the information systems at most companies. They were largely incompatible, and the commercial technologies used in office spaces simply didn’t fit the requirements of control systems.
As technology has advanced and the Internet of Things has become a reality, devices have moved from the office and home into the factory, adapted for use in control systems. This has helped improve costs, compatibility and ease of use. With these improvements, connectivity between systems became simpler and increasingly demanded by users.
Bringing together enterprise-level IT and plant-level operations technology into a common infrastructure creates more opportunities to improve operations but, without proper cybersecurity hygiene, may also provide increased opportunities for cyberattacks against industrial control system (ICS) equipment.
Such attacks, if successful, can have a severe impact on worker, environmental and product safety, intellectual property, reputation, productivity and essential supply chains. These challenges are changing the way ICS providers and users work together, bringing increased responsibilities to each.
A comprehensive cybersecurity strategy includes cybersecurity hygiene, beginning with an asset inventory to understand what you have, then controlling physical and digital access, segmentation, system configuration, training the people who use the systems and other actions. It also includes adoption of the NIST Cybersecurity Framework (CSF) to identify, protect, detect, respond and recover from cyberattacks.
It also requires that ICS providers constantly test products and review applications to identify and remediate vulnerabilities in products. Disclosing remediated vulnerabilities through patch and version management helps protect ICS users from cyberattacks.
Such disclosure is part of an ethical, comprehensive cybersecurity strategy to help verify customers’ security and safety. While not actually new, the increased focus on security in recent years and the more frequent disclosures may seem surprising to some. To others who have worked closely with IT, it will seem natural and expected. To all, it should be welcomed as a clear focus on supporting the safety and security of industrial control systems. It provides transparency into the threats faced across industries and gives other enterprises the opportunity to learn from others’ challenges.