Securing automation and control systems calls for a structured and comprehensive approach
Industrial automation and control systems have become increasingly connected to internal and external networks. This exposure has resulted in a number of new threat vectors, and we have seen the frequency of cyber attacks grow significantly over the last few years. Given the complexity of Industrial Control Systems (ICS), and the serious impact of downtime in these environments, there are often very limited opportunities to patch vulnerable systems. The challenge of securing these systems calls for a structured and comprehensive approach.
GE addresses steps system operators can take to secure the benefits of a physical-digital environment.
First step: Assess Risks and Consequences.
Consider a variety of possible security outcomes and differentiate between a vulnerability that will result in a minor inconvenience and a flaw that will cause downtime, revenue loss or worse consequences.
Second step: Develop objectives and goals.
Once a security assessment is complete, develop objectives and goals to address the most important systems with the biggest, most impactful and immediate risks.
Third step: Policy and Procedure Vulnerabilities.
Examine the June 2011 NIST guidelines to help improve the security posture of control systems configurations.
Fourth step: Ensure security through the supply chain.
Incorporate robustness and security certifications into the procurement process to drive supply chain change.
Fifth step: Risk Mitigation Designed Specifically for ICS.
Utilizing devices explicitly designed to protect the critical infrastructure can greatly reduce the risk of these vulnerabilities.
Sixth step: Establish Strong Corporate Buy-in and Governance.
From our experience, the number one inhibitor to improving an organization’s security posture isn’t technical know-how; it’s corporate support and governance for implementation.
The key issues are uptime and safety. If systems are down due to a cyber attack, production stops. Worse, injury to people and the environment opens up organizations to significant risk.
Systems operators have a big job, and keeping secure an increasing number of physical assets digitally connected is one more task to manage—and one the most critical.