Lack of awareness of the cyber security criticality in ICS environment
Why ICS Cyber Security Assurance is Important?
Why it is important, because ICS is the backbone of the Critical Infrastructure industry, and also because the Critical Infrastructure industry is the backbone of modern living things. It is related to human living and all critical aspects of our human lives.
Why it is important, is because if the ICS is compromised, then it may trigger Safety Risk (Health, Safety and Environment Risk), it may also lead to people getting injured, or even fall in into fatality, or it may also lead to environmental damage, community disruption, or even it can bring a nation to its darkest age.
The ICS Cyber Security Assurance, it is our responsibility to ensure its safety production operations, maintain business continuity and performance, and ensure that "Nobody Gets Hurt, Nobody Gets Hacked".
The Reasons Why
- The computerized Industrial Control System environment with open protocol and open platform
- The integration between Industrial Control System and Corporate Network
- Heritage risk from the common IT infrastructure that being adopted in Industrial Control System
- Lack of awareness of ICS security if compared to IT security environment
- Threat and vulnerability vs. Risk -> Safety, business and environment consequences
The cyber security concern in Industrial Control System environment is not just talking about the virus and malware but it is beyond that mindset. The concept of ICS security should be seen as the integrated aspect that consist of several management system that related into it, they are Access Management, Asset Management, Data Management, Emergency Response Management, Network Management and Risk Management.
It is a complex concern that requires all of the related entities within the organization to take part, from management to the technician, since the ICS security is not just one man show activities but it is a team work and work as team approach.
Industrial Control System Security Challenges
People thinking of ICS has no relation with ICT stuff, no need to deploy cyber security in ICS environment
Lack of capable professionals that has ability to cover Automation Control engineering and Information Communication Technology disciplines to deal with the Cyber Security Management and Compliance in ICS
Business driven is not seeing the critical requirement of having cyber security assurance for their ICS environment
Standards/policy/procedures/manuals not in place or inadequate
The organizational culture that still lack of cyber security compliance, the security culture should be developed from the security practice and behavior in personal level. It also requires governeanve from the systemic framework
The Core Activities of ICS Security Assurance
The core activities of ICS Cyber Security Assurance Project is covering three main segments that integrated each other. The first step is called “Asset Management”. This stage is dealing with Asset Inventory and Criticality Assessment and Management
The next stage is ICS Cyber Security Risk Management which includes performing ICS Cyber Security Risk Assessment through Risk Assessment Workshop. This stage is required to map the risk profile of the current ICS environment into the risk matrix, assess the existing risk, strategize the prevention and mitigation, design the security controls, and come up with risk level (with the optimum effort to put the risk into the ALARP condition). The Risk Register is the final deliverable from this stage, as it will be the baseline reference for the ICS Cyber Security Assurance on the next level
The next stage is performing ICS Cyber Security Audit and Assessment. The methodology to perform this activity at least consist of three (3) categories, Maturity Assessment, Vulnerability Assessment (VA), and Penetration Testing (PT/Pentest). Maturity Assessment is the would of this operations since it will drive the VA and PT whether it will be necessary or not, and how to conduct VA and PT in correlation with the current ICS environment. The final deliverable from this stage is the ICS Cyber Security Profile (with integrated Risk Register that produced from the second phase and this phase). The compliance level is presented through dashboards with the detailed level of compliance covered under the site detail report. The recommendation and strategy for closing the gaps and ensuring cyber security in ICS environment are conveyed on the final report, as this document will be the master document for the next step, the implementation, stewardship and continuous improvement phase.
ICS Cyber Security Assurance Lifecycle
The Core Activities
ICS Cyber Security Assurance Milestone Video
Let's Us Do The Hardest Part
We provide the Integrated ICS Cyber Security Assurance services and solutions covering the Core Activities of ICS Cyber Security Assurance life cycle process, starting from the development of ICS Cyber Security Program, deploying Asset Inventory & Criticality Assessment & Management, performing ICS Cyber Security Risk Assessment and Management, Executing ICS Cyber Security Audit & Assessment, and ensuring the Implementation, Stewardship & Monitoring