Managing risk in industrial control systems

28 May 2010

The viability of modern society is underpinned by processes controlled by IT systems. These include the continuous supply of basic utilities such as electricity, water, gas and telecommunications; the production and distribution of food; and the operation of national and international transportation infrastructures.

The importance of these 'critical national infrastructures' has been recognised by governments for some time, and agencies such as the Centre for the Protection of National Infrastructure (CPNI) in the UK and the Department of Homeland Security in the US have been established to coordinate security improvement activities.
Despite this, there is widespread complacency about the risks of disruption of these critical infrastructures and this tends to be based on two prevalent myths:
1. Myth One – that industrial control systems employ specialized operating systems and network protocols that are highly robust and resistant to attack by virtue of their obscurity; and
2. Myth Two – that industrial control systems are supported by physically separate networks with 'air gaps' between them and the rest of the world.
These assumptions may have been true 20 or 30 years ago but today most of these critical process control systems are based on common, off-the-shelf technologies such as Windows, UNIX and TCP/IP and they are highly connected with the outside world to allow remote management and the sharing of data with 'business' applications.
So when you come across press releases such as, "XYZ Power Corp gets an electrifying new web-based process control system built with Microsoft software", your reaction is probably not so much, "Hey, that's cool" as, "Arrrrgh, I know what that means!".
One key implication of this convergence of industrial control and day-to-day business IT systems is that organizations can and should apply to industrial control systems the principles of active risk management that have evolved to a fairly mature state for business IT systems. This involves identifying and characterizing the critical information assets that contribute to the industrial control system, assigning ownership/responsibility for them and conducting regular risk assessments using an objective and repeatable methodology. The results of the risk assessments need to be fed back to the individual asset owners, consolidated to provide senior management with an overview of risk status and used to develop and maintain risk remediation plans that will enable organizations to drive risk down over time.
Within this common risk management structure, the way in which risk is assessed for industrial control systems should take into account the characteristics that distinguish them from business IT systems, for example the higher emphasis on continuous availability and data integrity and the implications of this for control requirements. This can have a significant impact on specific areas of policy, for example the patching of industrial control systems needs an approach that balances the need to fix known software problems with a general aversion to change of any kind in high-availability systems.
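The two preceding paragraphs describe a structure rather than a tool, so the following is an added illustration and not Citicus's methodology or any code from the original article. It sketches one repeatable way to score assets in a mixed estate, roll the results up to asset owners and to a management overview, and make patch decisions that treat industrial control systems differently from business IT. The impact weights (availability and integrity weighted higher for ICS), the 1 to 5 rating scales, the likelihood floor applied to ICS assets that are connected to business networks, the decision thresholds and the sample assets are all assumptions chosen for the example.

```python
"""Repeatable risk scoring and patch triage for a mixed ICS / business IT estate.

Added example only: not Citicus's methodology. Weights, scales, thresholds,
owners and sample assets are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact weights per environment (assumption). ICS weights availability and
# integrity far above confidentiality; business IT is weighted more evenly.
WEIGHTS = {
    "ics": {"confidentiality": 0.1, "integrity": 0.4, "availability": 0.5},
    "business": {"confidentiality": 0.4, "integrity": 0.3, "availability": 0.3},
}


@dataclass
class Asset:
    name: str
    owner: str                  # accountable asset owner
    environment: str            # "ics" or "business"
    impact: Dict[str, int]      # C/I/A impact ratings, each 1..5
    likelihood: int             # 1..5
    connected_to_business: bool = False  # remote management / data-sharing link


def risk_score(asset: Asset) -> float:
    """Weighted impact (1..5) times likelihood (1..5), so the range is 1..25."""
    w = WEIGHTS[asset.environment]
    impact = sum(w[k] * asset.impact[k] for k in w)
    likelihood = asset.likelihood
    # An ICS asset reachable from the business network has no real air gap, so
    # (assumption) it is never rated less likely to be attacked than a mid-range
    # networked host, whatever the owner's own estimate was.
    if asset.environment == "ics" and asset.connected_to_business:
        likelihood = max(likelihood, 3)
    return round(impact * likelihood, 1)


def consolidate(assets: List[Asset]):
    """Feed scores back per owner and give senior management one figure per owner."""
    by_owner: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for a in assets:
        by_owner[a.owner].append((a.name, risk_score(a)))
    overview = {owner: max(s for _, s in items) for owner, items in by_owner.items()}
    return dict(by_owner), overview


def remediation_plan(assets: List[Asset], threshold: float = 12.0):
    """Assets at or above the threshold, highest risk first: the remediation backlog."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])


def patch_decision(asset: Asset, severity: int, fix_needs_restart: bool) -> str:
    """Balance fixing a known flaw against aversion to change in a high-availability system.

    severity is the vendor/CVSS-style rating mapped to 1..5 (assumption).
    Returns 'patch now', 'patch in next maintenance window' or 'mitigate and defer'.
    """
    score = risk_score(asset)
    if asset.environment == "business":
        return "patch now" if severity >= 3 else "patch in next maintenance window"
    # ICS: a restart interrupts the controlled process, so only a severe flaw on a
    # high-risk asset with a non-disruptive fix is patched outside a planned window.
    if severity >= 4 and score >= 15 and not fix_needs_restart:
        return "patch now"
    if severity >= 3 or score >= 15:
        return "patch in next maintenance window"
    return "mitigate and defer"


# Constructed sample register (not real assets).
SAMPLE_ASSETS = [
    Asset("HMI workstation (turbine hall)", "ops-lead", "ics",
          {"confidentiality": 2, "integrity": 5, "availability": 5},
          likelihood=2, connected_to_business=True),
    Asset("Historian server", "ops-lead", "ics",
          {"confidentiality": 3, "integrity": 4, "availability": 3}, likelihood=3),
    Asset("Billing database", "it-lead", "business",
          {"confidentiality": 5, "integrity": 4, "availability": 3}, likelihood=3),
]

if __name__ == "__main__":
    by_owner, overview = consolidate(SAMPLE_ASSETS)
    for owner, items in by_owner.items():
        print(owner, items)
    print("management overview:", overview)
    print("remediation backlog:", remediation_plan(SAMPLE_ASSETS))
    print("HMI, severity 4, restart needed:",
          patch_decision(SAMPLE_ASSETS[0], severity=4, fix_needs_restart=True))
```

Note how the HMI workstation, which its owner rated as unlikely to be attacked, is pulled up by the connectivity rule and becomes the top remediation item, while the same severity-4 flaw is patched immediately on the billing system but waits for a maintenance window on the HMI because the fix needs a restart.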
With these differences addressed, organizations that contribute to critical national infrastructures can successfully build common approaches to risk management that recognise and account for the interconnectedness of their different technology environments.
Simon Oxley, Director, Citicus
