Control system security: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 12:03, 8 April 2023 edit Whizz40 (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 22,437 edits →External links: Fix link Tags: Mobile edit Mobile web edit Advanced mobile edit ← Previous edit		Latest revision as of 12:28, 20 May 2025 edit undo Had0j (talk \| contribs) Extended confirmed users 1,662 edits m →Government efforts: "MOSIACS" -> "MOSAICS"
(13 intermediate revisions by 7 users not shown)
Line 1: '''~~Industrial~~ Control ~~System~~system security''', or '''automation and control system (~~ICS~~ACS) ~~Cybersecurity~~cybersecurity''', is the prevention of (intentional or unintentional) interference with the proper operation of [[automation\|industrial automation]] and [[industrial control systems\|control systems]]. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and [[programmable logic controller\|programmable controllers]], each of which could contain [[vulnerability (computing)\|security vulnerabilities]]. The 2010 discovery of the [[Stuxnet\|Stuxnet worm]] demonstrated the vulnerability of these systems to cyber incidents.<ref name="tofinoexida201202">{{cite web \| url=http://www.exida.com/index.php/News/new_whitepaper_the_7_steps_to_ics_and_scada_security/ \| title=The 7 Steps to ICS Security \| accessdate=March 3, 2011 \| author1=Byres, Eric \| author2=Cusimano, John \| date=February 2012 \| publisher=Tofino Security and exida Consulting LLC \| url-status=dead \| archiveurl=https://web.archive.org/web/20130123141949/http://www.exida.com/index.php/News/new_whitepaper_the_7_steps_to_ics_and_scada_security/ \| archivedate=January 23, 2013 }}</ref> The United States and other governments have passed [[cyber-security regulation]]s requiring enhanced protection for control systems operating critical infrastructure. Control system security is known by several other names such as ''[[SCADA]] security'', ''PCN security'', ''Industrial [[network security]]'', ''[[Industrial control system]] (ICS) Cybersecurity'', ''[[Operational Technology]] (OT) Security, Industrial automation and control systems'' and ''Control System Cyber Security''. == Risks == Insecurity of, or vulnerabilities inherent in ~~industrial~~ automation and control systems (~~IACS~~ACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image. Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many Governmental, regulatory, industry documents and Global Standards, addressed below. == Vulnerability of automation and control systems == ~~Industrial~~Automation and Control Systems (~~ICS~~ACS) have become far more vulnerable to security incidents due to the following trends ~~that have occurred over the last 10 to 15 years~~. * ~~Heavy~~Increasing use of Commercial Off-the Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that ~~process control~~these systems ~~are~~may now ~~vulnerable to~~have the same ~~malware~~or ~~(viruses,~~similar ~~worms~~vulnerabilities ~~and trojans) that affect~~as common IT systems. * Enterprise integration (using plant, corporate and even public networks) means that ~~process control systems~~these (legacy) ~~are~~systems may now ~~being~~be subjected to stresses that they were not designed for. * Demand for Remote Access - 24x7 access for engineering, operations or technical support ~~means~~increases the attack surface, possibly leading to more insecure or rogue connections ~~to control system~~. * Increased awareness and understanding of industrial systems - As more and more people become aware of these systems, the strategy of [[Security through obscurity\|Security Through Obscurity]] is no longer viable. * [[Security through obscurity\|Security Through Obscurity]] - Using non-standard, private or proprietary protocols or standards is detrimental to system security ~~The~~* Although the cyber threats and attack strategies on automation systems are changing rapidly. , ~~Regulation~~regulation of industrial control systems for security is rare and is a slow -moving process. The United States, for example, only does so for the [[nuclear power in the United States\|nuclear power]] and the [[chemical industry\|chemical industries]].<ref name="gross201104">{{cite ~~web~~magazine\|url=http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104\|title=A Declaration of Cyber-War\|author=Gross, Michael Joseph~~\|first=~~\|date=2011-04-01\|~~work~~magazine=Vanity Fair\|publisher=Condé Nast\|archiveurl=https://web.archive.org/web/20140713082739/http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104\|archivedate=2014-07-13\|accessdate=2017-11-29~~\|df=~~}}</ref>▼ ▲The cyber threats and attack strategies on automation systems are changing rapidly. Regulation of industrial control systems for security is rare and is a slow moving process. The United States, for example, only does so for the [[nuclear power in the United States\|nuclear power]] and the [[chemical industry\|chemical industries]].<ref name="gross201104">{{cite web\|url=http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104\|title=A Declaration of Cyber-War\|author=Gross, Michael Joseph\|first=\|date=2011-04-01\|work=Vanity Fair\|publisher=Condé Nast\|archiveurl=https://web.archive.org/web/20140713082739/http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104\|archivedate=2014-07-13\|accessdate=2017-11-29\|df=}}</ref> == Government efforts == The U.S. Government [[Computer Emergency Readiness Team]] (US-CERT) originally instituted a [[control systems security program]] (CSSP) now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.<ref>{{cite web\|url=http://www.us-cert.gov/control_systems/csstandards.html\|title=Standards and References - NCCIC / ICS-CERT\|website=ics-cert.us-cert.gov/\|access-date=2010-10-27\|archive-url=https://web.archive.org/web/20101026045026/http://www.us-cert.gov/control_systems/csstandards.html\|archive-date=2010-10-26\|url-status=dead}}</ref> The U.S. Government Joint Capability Technology Demonstration (JCTD) known as ~~MOSIACS~~MOSAICS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems.<ref>{{Cite web\|title=More Situational Awareness For Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD): A Concept Development for the Defense of Mission Critical Infrastructure – HDIAC\|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-joint-capability-technology-demonstration-jctd-a-concept-development-for-the-defense-of-mission-critical-infrastructure/\|access-date=2021-07-31\|language=en-US}}</ref> MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems from cyber attack, such as power, water and wastewater, and safety controls, affect the physical environment.<ref>{{Cite web\|title=More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 1 – Engineering – HDIAC\|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-engineering-and-development-of-a-critical-infrastructure-cyber-defense-capability-for-highly-context-sensitive-dynamic-classes-par/\|access-date=2021-07-31\|language=en-US}}</ref> The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to an innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.<ref>{{Cite web\|title=More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 2 – Development – HDIAC\|url=https://hdiac.org/articles/more-situational-awareness-for-industrial-control-systems-mosaics-engineering-and-development-of-a-critical-infrastructure-cyber-defense-capability-for-highly-context-sensitive-dynamic-classes-par-2/\|access-date=2021-07-31\|language=en-US}}</ref> == ~~Industrial~~Automation and Control System Cybersecurity Standards == The international standard for cybersecurity ~~in industrial~~of automation and control systems is the [[IEC 62443]]. In addition, multiple national organizations such as the NIST and NERC in the USA released guidelines and requirements for cybersecurity in control systems. === IEC 62443 === Line 26: {{Main\|IEC 62443}} The IEC 62443 cybersecurity ~~standard~~standards ~~defines~~define processes, techniques and requirements for ~~Industrial~~ Automation and Control Systems (IACS). ~~Its~~The ~~documents~~IEC ~~are the result of the IEC~~62443 standards ~~creation~~and ~~process~~technical ~~where~~reports ~~all~~are ~~national~~organized ~~committees~~into ~~involved~~four ~~agree~~general ~~upon~~categories acalled ~~common~~''General'', ~~standard. The IEC 62443 was influenced by~~''Policies and isProcedures'', ~~partly~~''System,'' ~~based~~''Component'', ~~on the ANSI/ISA-99 series of standards~~''Profiles'' and ~~the VDI/VDE 2182 guidelines~~''Evaluation''. [[File:ISA-62443_Standard_Series_2012.png\|thumb\|right\|alt=The numbering and organization of IEC 62443 work products into categories.\|Planned and published IEC 62443 work products for IACS Security.]] All IEC 62443 standards and technical reports are organized into four general categories called ''General'', ''Policies and Procedures'', ''System'' and ''Component''. # The first category includes foundational information such as concepts, models and terminology. Line 34 ⟶ 32: # The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model. # The fourth category includes work products that describe the specific product development and technical requirements of control system products. # The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5. # The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible. ===NERC=== Line 40: ===NIST=== {{Main\|National Institute of Standards and Technology}} The [[NIST Cybersecurity Framework]] (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide [[critical infrastructure]] with guidance on how to protect it.<ref>{{cite web \| url=https://www.nist.gov/cyberframework/ \| title=NIST Cybersecurity Framework \| accessdate=2016-08-02 }}</ref>▼ ▲~~The~~Although it is not a standard, the [[NIST Cybersecurity Framework]] (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide [[critical infrastructure]] with guidance on how to protect it.<ref>{{cite web \| url=https://www.nist.gov/cyberframework/ \| title=NIST Cybersecurity Framework \| work=NIST \| date=12 November 2013 \| accessdate=2016-08-02 }}</ref> NIST Special Publication 800-82 Rev. 2 "''Guide to Industrial Control System (ICS) Security''" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.<ref>{{cite web \| last=Stouffer \| first=Keith \| last2=Lightman \| first2=Suzanne \| last3=Pillitteri \| first3=Victoria \| last4=Abrams \| first4=Marshall \| last5=Hahn \| first5=Adam \| title=Guide to Industrial Control Systems (ICS) Security \| website=CSRC \| NIST \| date=2015-06-03 \| doi=10.6028/NIST.SP.800-82r2 \| url=https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final \| access-date=2020-12-29}}</ref>▼ ▲NIST Special Publication 800-82 Rev. 2 "''Guide to Industrial Control System (ICS) Security''" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.<ref>{{cite ~~web~~journal \| ~~last~~last1=Stouffer \| ~~first~~first1=Keith \| last2=Lightman \| first2=Suzanne \| last3=Pillitteri \| first3=Victoria \| last4=Abrams \| first4=Marshall \| last5=Hahn \| first5=Adam \| title=Guide to Industrial Control Systems (ICS) Security \| website=CSRC \| NIST \| date=2015-06-03 \| doi=10.6028/NIST.SP.800-82r2 \| url=https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final \| access-date=2020-12-29}}</ref> == Control system security certifications == Line 51 ⟶ 52: * [https://www.iec.ch/cyber-security IEC 62443] * [http://www.nist.gov US NIST webpage] * [http://www.nerc.com/page.php?cid=2\|20 US NERC Critical Infrastructure Protection (CIP) Standards] {{Webarchive\|url=https://web.archive.org/web/20110101035920/http://www.nerc.com/page.php?cid=2%7C20 \|date=2011-01-01 }} * [https://www.npsa.gov.uk/tools-catalogues-and-standards UK NPSA Tools, Catalogues and Standards]