Assuring Industrial Control System (ICS) Cyber Security

Industrial Control Systems (ICS) are an integral part of the industrial infrastructure providing for the national good. These systems include Distributed Control Systems (DCS) Supervisory Control and Data Acquisition systems (SCADA), Programmable Logic Controllers (PLC), and devices such as remote telemetry units (RTU), smart meters, and intelligent field instruments including remotely programmable valves and intelligent electronic relays. While sharing basic constructs with Information Technology (IT) business systems, ICSs are technically, administratively, and functionally more complex and unique than business IT systems. There have been more than 100 intentional and unintentional ICS cyber incidents, ranging from trivial impacts, to significant environmental damage, to serious equipment damage, to deaths. Efforts to secure these critical systems are too diffuse and do not specifically target the unique ICS aspects. The following recommendations provide steps to improve the security and reliability of these very critical systems: Develop a clear understanding of ICS cyber security Develop a clear understanding of the associated impacts on system reliability and safety on the part of industry, government and private citizens Define “cyber” threats in the broadest possible terms including intentional, unintentional, natural and other electronic threats such as Electro Magnetic Pulse (EMP) Develop security technologies and best practices for the field devices based upon actual and expected ICS cyber incidents Develop academic curricula in ICS cyber security Leverage appropriate IT technologies and best practices for securing workstations using commercial off-the-shelf (COTS) operating systems Establish standard certification metrics for ICS processes, systems, personnel, and cyber security Promote/mandate adoption of the NIST Risk Management Framework for all critical infrastructures or at least the industrial infrastructure subset Establish a global, non-governmental Cyber Incident Response Team (CIRT) for Control Systems staffed with control system expertise for information sharing Establish a means for vetting ICS experts rather than using traditional security clearances Provide regulation and incentives for cyber security of critical infrastructure industries Establish, promote, and support an open demonstration facility dedicated to best practices for ICS systems Include Subject Matter Experts with control system experience at high level cyber security planning sessions Change the culture of manufacturing in critical industries so that security is considered as important as performance and safety