Managing risk in industrial control systems
The viability of modern society is underpinned by processes controlled by IT systems. These include the continuous supply of basic utilities such as electricity, water, gas and telecommunications; the production and distribution of food; and the operation of national and international transportation infrastructures.
The importance of these 'critical national infrastructures' has been recognised by governments for some time and agencies have been established to coordinate security improvement activities such as the Centre for the Protection of National Infrastructure (CPNI) in the UK and the Department of Homeland Security in the US.
Despite this, there is widespread complacency about the risks of disruption of these critical infrastructures and this tends to be based on two prevalent myths:
1. Myth One – that industrial control systems employ specialized operating systems and network protocols that are highly robust and resistant to attack by virtue of their obscurity; and
2. Myth Two – that industrial control systems are supported by physically separate networks with 'air gaps' between them and the rest of the world.
These assumptions may have been true 20 or 30 years ago but today most of these critical process control systems are based on common, off-the-shelf technologies such as Windows, UNIX and TCP/IP and they are highly connected with the outside world to allow remote management and the sharing of data with 'business' applications.
So when you come across press releases such as, "XYZ Power Corp gets an electrifying new web-based process control system built with Microsoft software", your reaction is probably not so much, "Hey, that's cool" as, "Arrrrgh, I know what that means!".
One key implication of this convergence of industrial control and day-to-day business IT systems is that organizations can and should apply to industrial control systems the principles of active risk management that have evolved to a fairly mature state for business IT systems. This involves identifying and characterizing the critical information assets that contribute to the industrial control system, assigning ownership/responsibility for them and conducting regular risk assessments using an objective and repeatable methodology. The results of the risk assessments need to be fed back to the individual asset owners, consolidated to provide senior management with an overview of risk status and used to develop and maintain risk remediation plans that will enable organizations to drive risk down over time.
Within this common risk management structure, the way in which risk is assessed for industrial control systems should take into account the characteristics that distinguish them from business IT systems, for example the higher emphasis on continuous availability and data integrity and the implications of this for control requirements. This can have a significant impact on specific areas of policy, for example the patching of industrial control systems needs an approach that balances the need to fix known software problems with a general aversion to change of any kind in high-availability systems.
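As an added illustration, not part of the article, a constructed Python sketch of the repeatable assessment the two paragraphs above describe: the same impact and likelihood ratings are scored with different weights for ICS and business assets, results are grouped per asset owner and consolidated for management, and a patch rule leans toward offline testing and planned outages for high-availability control assets. The weights, the patch rule, and the sample asset register are all assumptions.

```python
from dataclasses import dataclass
# Constructed weights: ICS emphasises availability and integrity, business IT
# emphasises confidentiality; the scoring method itself is the same for both.
WEIGHTS = {
    "ics": {"confidentiality": 1, "integrity": 3, "availability": 4},
    "business": {"confidentiality": 4, "integrity": 2, "availability": 2},
}

@dataclass
class Asset:
    name: str
    owner: str
    environment: str  # "ics" or "business"
    impact: dict      # 1..5 consequence of losing each property
    likelihood: int   # 1..5 chance of a disruptive event

def risk_score(asset):
    """Weighted impact (1..5) times likelihood (1..5): a 1..25 scale."""
    w = WEIGHTS[asset.environment]
    weighted = sum(w[p] * asset.impact[p] for p in w) / sum(w.values())
    return weighted * asset.likelihood

def assess(assets):
    """Feedback per owner and the highest score per environment for management."""
    by_owner, overview = {}, {}
    for a in assets:
        score = risk_score(a)
        by_owner.setdefault(a.owner, []).append((a.name, score))
        overview[a.environment] = max(overview.get(a.environment, 0.0), score)
    return by_owner, overview

def patch_plan(asset, fixes_known_problem, vendor_qualified):
    """Assumed rule: fix known problems, but avoid unplanned change on
    high-availability control assets."""
    if asset.environment != "ics":
        return "patch in next routine cycle"
    if not fixes_known_problem:
        return "defer: no known problem on this asset"
    if not vendor_qualified:
        return "hold: compensating controls until the vendor qualifies the patch"
    if asset.impact["availability"] >= 4:
        return "patch in planned outage after test on an offline replica"
    return "patch in next maintenance window"

CIA = ("confidentiality", "integrity", "availability")
SAMPLE_ASSETS = [  # constructed register
    Asset("turbine control HMI", "ops", "ics", dict(zip(CIA, (2, 4, 5))), 3),
    Asset("historian gateway", "ops", "ics", dict(zip(CIA, (3, 4, 3))), 4),
    Asset("billing database", "finance", "business", dict(zip(CIA, (5, 4, 2))), 3),
]
```

Running `assess(SAMPLE_ASSETS)` shows the same ratings scoring differently under the ICS and business weights, and `patch_plan` turns the availability rating into the remediation step an asset owner receives.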
With these differences addressed, organizations that contribute to critical national infrastructures can successfully build common approaches to risk management that recognise and account for the interconnectedness of their different technology environments.
Simon Oxley, Director, Citicus