Lack of awareness of the cyber security criticality in ICS environment
Why ICS Security Assurance is Important?
Industrial Control System security concern has getting up and up in this decade due to the increasing cyber risk and attack that has been recorded across the globe that targeted ICS environment. The risk of cyber attack mostly came from internal organization, while the external portion also playing quiet significant contribution with the worst impact as the consequence.
The Reasons Why
- The computerized Industrial Control System environment with open protocol and open platform
- The integration between Industrial Control System and Corporate Network
- Heritage risk from the common IT infrastructure that being adopted in Industrial Control System
- Lack of awareness of ICS security if compared to IT security environment
- Threat and vulnerability vs. Risk -> Safety, business and environment consequences
The cyber security concern in Industrial Control System environment is not just talking about the virus and malware but it is beyond that mindset. The concept of ICS security should be seen as the integrated aspect that consist of several management system that related into it, they are Access Management, Asset Management, Data Management, Emergency Response Management, Network Management and Risk Management.
It is a complex concern that requires all of the related entities within the organization to take part, from management to the technician, since the ICS security is not just one man show activities but it is a team work and work as team approach.
Industrial Control System Security Challenges
People thinking of ICS has no relation with ICT stuff, no need to deploy cyber security in ICS environment
Lack of capable professionals that has ability to cover Automation Control engineering and Information Communication Technology disciplines to deal with the Cyber Security Management and Compliance in ICS
Business driven is not seeing the critical requirement of having cyber security assurance for their ICS environment
Standards/policy/procedures/manuals not in place or inadequate
The organizational culture that still lack of cyber security compliance, the security culture should be developed from the security practice and behavior in personal level. It also requires governeanve from the systemic framework
The Core Activities of ICS Security Assurance
The core activities of ICS Security Assurance Project is covering three main segments that integrated each other. The first step is called “Asset Management”. This stage is dealing with Asset Inventory Management including Asset Verification & Validation, gap finding, and final documentation of Asset Management Documentation as the reference for the next stage.
The next stage is Risk Management, with the core activity on this stage is called Risk Assessment Workshop. The RA workshop is required to map the risk profile of the current ICS environment into risk matrix, assess the existing risk, strategize the prevention and mitigation, put the controls action and come up with risk level (with the optimum effort to put the risk into the ALARP condition). The Controls Catalog documentation is the final report on this stage that will be used as the reference for the next stage.
The last stage is called the ICS Security Assessment. This assessment can use the NIST SP 800-82 as the main standard with the additional standard such as ISA 99, IEC 62443, API STD 1164, ISO 27001 and some other standards or company standards if available. The final result from this stage is the Security Profile and detail compliance against the audited object compare to the standard. The report will cover the overall compliance status, the most critical segments to be taken action, the dashboard for stewardship and executive summary review, and the detail result covering the gap details and the reason (including the strategic action items as per integrated with the Controls Catalog).
ICS Security Assurance Lifecycle
The Core Activities
ICS Security Assurance Milestone Video
Let's Us Do The Hardest Part
We provide Integrated ICS Security Assurance solution that cover the Core Activities of ICS Security Assurance Project. We also provide full ICS security audit and assessment (by using non destructive approach – without vulnerability assessment and penetration testing) or partial ICS Security Assessment (with the selected ICS environment object, such as DCS only, SCADA only, etc.). By agreement, the ICS Security Audit (full or partial) can be integrated with the vulnerability assessment and penetration testing (but sure this option should go through the detail and careful walk through prior to agreement and execution).