
Control system security

Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

Development of Control System Security
In the past, industrial control systems (ICS) were kept separate from external networks and used vendor-produced hardware and software. This setup was referred to as an air gap, and it produced a false sense of security because people believed that the systems were safe from external attacks. As technology progressed, companies started using technologies such as Ethernet, TCP/IP, and commercial off-the-shelf (COTS) hardware. This connected the control systems, called operational technology (OT), to corporate IT networks, which led to shared security risks. Stuxnet was a powerful computer worm that infected the programmable logic controllers (PLCs) used in industrial machines. It targeted Iran's nuclear program by secretly changing how the machines operated while displaying fake normal readings on the screens that were being monitored. This resulted in substantial physical damage that no one noticed immediately. The attack was monumental and showed that malware was not limited to stealing data and could also destroy equipment.
ICS Components and Architecture
ICS equipment such as sensors, actuators, controllers, and SCADA servers forms a layered structure. Data flows from field devices up to central monitoring systems. Because each component has a different role in controlling physical processes, attackers can target weaknesses at any layer of the structure. Understanding these components explains why ICS require dedicated protection that goes beyond regular IT security measures.
Subgroups of Control Systems
Industrial control systems (ICS) are made up of several subsections that work cohesively. Each group has a specific role; however, they all rely on each other to operate and maintain security. This structure makes communication between devices flexible, scalable, and overall more efficient. However, it can also increase the risk of timing delays, opportunities for data manipulation, and synchronization failures caused by cyberattacks.
Risks and Vulnerabilities
ICS networks face risks from malware, misuse of remote access, insider threats, and process manipulation attacks. Many vulnerabilities also come from outdated devices, weak authentication, and an increased dependence on technologies like Ethernet and Windows. Underestimating attackers and overestimating a network's security leaves organizations more vulnerable than they realize. Vulnerabilities become even more dangerous when systems lack defense in depth, which essentially means that there are not enough layered protections to stop attackers from progressing once they breach a single point. Once an attacker gets past one weak point, like a remote access port or an outdated controller, it is very easy for them to move deeper into the network.
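The defense-in-depth gap described above can be checked on a network design before an incident exposes it. The following is an added example, not part of the original article: it models zones and the flows allowed between them, then finds the route from an entry zone to the controllers that crosses the fewest security controls. The zone names, the sample conduits, and the two-layer threshold are assumptions made for illustration.

```python
import heapq

# Constructed sample architecture (not from the article). Each conduit is
# (source zone, destination zone, control); control is None when traffic
# passes between the two zones with no filtering or authentication.
CONDUITS = [
    ("corporate_it", "dmz", "firewall"),
    ("dmz", "scada_servers", "firewall"),
    ("scada_servers", "plc_network", None),
    ("corporate_it", "vendor_remote_access", None),
    ("vendor_remote_access", "plc_network", None),  # unmanaged remote port
]

def weakest_path(conduits, entry, target):
    """Return (controls_crossed, path) for the route from entry to target
    that crosses the fewest security controls, or None if unreachable."""
    graph = {}
    for src, dst, control in conduits:
        graph.setdefault(src, []).append((dst, 0 if control is None else 1))
    best = {entry: 0}
    queue = [(0, [entry])]
    while queue:
        cost, path = heapq.heappop(queue)
        zone = path[-1]
        if zone == target:
            return cost, path
        if cost > best.get(zone, cost):
            continue  # a cheaper route to this zone was already expanded
        for nxt, weight in graph.get(zone, []):
            new_cost = cost + weight
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(queue, (new_cost, path + [nxt]))
    return None

def audit(conduits, entry, target, required_layers=2):
    """Flag a target protected by fewer layers than required (assumed: 2)."""
    result = weakest_path(conduits, entry, target)
    if result is None:
        return {"reachable": False, "layers": None, "path": [], "ok": True}
    layers, path = result
    return {"reachable": True, "layers": layers, "path": path,
            "ok": layers >= required_layers}

if __name__ == "__main__":
    print(audit(CONDUITS, "corporate_it", "plc_network"))
```

In the sample data the remote access zone gives a route to the controllers that crosses no control at all, even though the main route passes two firewalls; the audit reports the weakest route, not the intended one.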
Government efforts
The U.S. Government Computer Emergency Readiness Team (US-CERT) originally instituted a control systems security program (CSSP), now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security. The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSAICS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems. MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems that affect the physical environment, such as power, water and wastewater, and safety controls, from cyber attack. The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.
Automation and Control System Cybersecurity Standards
The international standard for cybersecurity of automation and control systems is the IEC 62443. In addition, multiple national organizations such as the NIST and NERC in the USA released guidelines and requirements for cybersecurity in control systems.

IEC 62443
The IEC 62443 cybersecurity standards define processes, techniques and requirements for Automation and Control Systems (IACS). The IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, Component, Profiles and Evaluation.
• The first category includes foundational information such as concepts, models and terminology.
• The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
• The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
• The fourth category includes work products that describe the specific product development and technical requirements of control system products.
• The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
• The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.

NERC
The most widely recognized and latest NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are mandatory for electric systems and are used to secure bulk electric systems, although NERC has created standards within other areas.

NIST
Special Publication 800-82 Rev. 2 "Guide to Industrial Control System (ICS) Security" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.
Control system security certifications
Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on the IEC 62443 and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program. Certification for industrial control systems is becoming increasingly vital as the systems grow more advanced. The IEC 62443 standard is now being used for both older ICS equipment and new devices like industrial IoT and cyber-physical systems. Certification must be carried out clearly and consistently across all aspects so that different products can be tested fairly. Safety and security should also be checked together, as a cyberattack on these systems can cause dire physical damage. Certification programs are being updated to cover the new risks that come with control systems being more connected and modern.