Connecting industrial control and SCADA systems to the corporate IT network gives organisations access to improved management information and consequently a better understanding of what is happening across the business. In addition, the ability to connect systems in this way provides new opportunities for supporting manufacturing and automation systems remotely.
However, this new degree of connectivity means that industrial control systems are exposed to cyber security threats similar to those faced by corporate networks – and this threat is increasing. Energy companies have already been subjected to a series of cyber-attacks such as ‘Night Dragon’, while ‘Stuxnet’ was the first publicly known example specifically targeting industrial control systems.
How can organisations continue to capitalise on the opportunities presented by integrated systems, while at the same time securing their businesses against this increasing cyber security threat?
Any successful approach to tackling the cyber security threat to industrial control systems must identify and understand the key security risks, and then ensure ongoing protection.
Organisations can understand and address cyber security risk to industrial control systems by following a seven-point approach:
1. Understand the business risk
The first step is to establish a clear picture of what systems are in place, how they are connected, what the vulnerabilities are, what the impact of system failure would be and what security measures are in operation.
2. Select and implement quick wins and longer-term solutions
Many simple, low-cost actions, such as removing unauthorised connections, can provide fast and significant security improvements. However, more detailed planning is required for long-term improvements, such as network segregation and implementation of security zones.
3. Ensure effective incident response
Incident management plans rarely cover cyber security events, such as the systemic failure of entire systems or technologies. Organisations must enhance their plans to address the particular characteristics of industrial control system security incidents and to ensure a rapid response to cyber-attacks.
4. Raise awareness and skills
A greater understanding of security amongst control and SCADA engineers will help to ensure that security issues are managed as ‘business as usual’. Furthermore, building bridges between the IT, engineering and operations communities can help to create a strong team that collectively has the skills needed to manage these risks.
5. Manage third-party risks
With systems and support arrangements increasingly being outsourced, organisations must be confident that vendors and suppliers are aware of security risks, operate good practices themselves and have mechanisms for alerting customers when new vulnerabilities are discovered. Risks from partner companies in the supply chain also need to be addressed.
6. Build in security early in the project lifecycle
Bolting security onto a project late in its lifecycle is often difficult and costly, so security measures must be incorporated into the specification, design and development of new systems at the earliest possible stage.
7. Establish ongoing governance
Standards and guidelines for industrial control system security provide a degree of assurance that security practices will be maintained. However, an ongoing assurance process is necessary to ensure that the standards reflect the latest threats and that compliance is maintained.
PA’s expertise in practice for a major energy company
PA’s extensive cyber security experience includes working with a major energy company to improve industrial control system security at more than 300 sites worldwide. We worked closely with systems vendors and staff to understand the security options available for existing systems, and to influence the development of future security measures. This initiative delivered a solution that has enabled our client to avoid significant health, safety or environmental incidents, and the associated damage to its reputation.
To find out how PA can help your organisation operate connected industrial control systems safely as the cyber threat grows, please contact us now.