Security Technology Executive

SEP-OCT 2018


INDUSTRIAL SECURITY

a range of sophisticated attackers; and the nature, scale, complexity and costs associated with ICS and the machinery they control.

• Inconsistent ICS regulatory landscape: Some ICS environments, particularly those that support CNI, are subject to stringent legal, regulatory or contractual requirements, which often extend to providing assurance that security obligations have been met. However, for many ICS environments, information security requirements and obligations are inadequate, vague or incomplete, particularly those relating to ICS products and services. Consequently, there can be a lack of assurance regarding ICS information security.

• Heavy reliance on ICS suppliers: Many organizations are heavily reliant on specialized products and services from ICS suppliers, who focus on functionality, often at the expense of information security. These external suppliers are seldom managed closely enough, or given sufficient input from security specialists, to ensure that the ICS products and services they provide meet security requirements.

Increasing yet Unclear Level of ICS Information Risk

Research identified details about the volume and type of attacks on ICS and related components and the exploitation of technical security vulnerabilities. However, little good-quality information could be identified to help accurately determine the likelihood of attacks successfully exploiting these vulnerabilities, or the true level of business impact they cause.

Inherent ICS design weaknesses can be exploited: ICS and the physical machinery they control are often built using proprietary hardware and software, with little consideration for information security. Consequently, implementing many generic enterprise IT security controls may be impractical or unsafe. Some of the reasons why ICS suffer from security-related design weaknesses are that there is:

• An absence of rigorous regulatory requirements for security in ICS
• A lack of choice for customers looking to acquire secure ICS products and services
• Difficulty in upgrading or replacing ICS components
• Insufficient pressure on vendors from customers to improve security in ICS products

Many technical ICS security vulnerabilities: Technical security vulnerabilities frequently exist in ICS, including inherent design failings; inflexible network configuration; system and network monitoring restrictions; and access control weaknesses. Once technical ICS security vulnerabilities have been exploited, ICS components are susceptible to a range of attacks.

Larger attack surface due to increased connectivity: ICS are exposed to a much larger attack surface due to increased connectivity, providing attackers with greater opportunities to access and target vulnerable ICS environments. ICS therefore require a higher level of protection, including security mechanisms such as authentication, encryption and rigorous monitoring.

Targeting by sophisticated attackers: Threats to ICS environments are increasing in number, sophistication and potency. ISF members are particularly concerned about adversarial threats to ICS environments, including nation-states, hacktivists, organized criminal groups, suppliers, unscrupulous competitors and disgruntled employees. ISF members have reported that these threats are becoming increasingly prevalent and well-resourced.

Preparing and Instituting an ICS Security Program

Many different circumstances, also referred to as triggers, can drive organizations towards reviewing or improving the security of ICS environments. These triggers often influence the urgency with which the risk needs to be addressed. Circumstances such as an issue raised by the organization's governing body, a significant audit finding or a major ICS information security incident will result in a clear mandate for action, often in the form of an approved ICS Security Program. Conversely, if recognition of the circumstances originates from concerns expressed by only a few individuals within the organization, it may be necessary for them to persuade senior management to approve an ICS Security Program before significant investment is made.

Following approval to establish an ICS Security Program, preparatory arrangements need to be made to ensure that the program is run in a structured, systematic manner, and that it meets both business and information security requirements. A range of preparatory arrangements should be made, including:

1. Establish an ICS Security Governance model
2. Define ICS Security Program scope
3. Develop an approach for assessing ICS information risk
4. Design an ICS security controls framework

Implementing a Risk-Based Approach

The growing need for business leaders to improve and sustain the security of ICS environments has been brought into sharp focus by recent research from many quarters. However, many organizations are grappling with fast-changing, interconnected and complex ICS environments. At a time of increasing yet unclear levels of risk, business leaders are questioning the effectiveness of ICS security arrangements.

With so many organizations heavily reliant on ICS to support business operations, the potential impact of getting information security wrong can be catastrophic. Costs can be extensive, corporate reputation severely damaged and lives put at risk.

About the author: Steve Durbin is Managing Director of the Information Security Forum. His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
