Industrial Control System Security Vulnerabilities
- ics security vulnerabilities
The security assurance of Industrial Control System environment should be considered as one of the priority due to its critical function in the critical industry sector. The vulnerabilities of the ICS environment should be identified in order to implement the proper strategic action to control the risk into the ALARP level. This short article explain briefly regarding the common ICS security vulnerabilities that being faced in the current period.
THE COMMON VULNERABILITIES IN INDUSTRIAL CONTROL SYSTEM (ICS) ENVIRONMENT
The Industrial Control System is playing critical role in the critical industry sector, such as oil & gas, petrochemical, power plant, nuclear and public infrastructure. The risk exposure of unperformed ICS operations on these critical industries can drive the financial/HSE losses. The reliability and security aspects of the Industrial Control System as the critical system should be managed properly in order to maintain its best performance.
The vulnerability on the ICS environment can drive the risk exposure level. The level of probability and consequence are closely related to the vulnerability severity level and threats exposure. It is important to understand the ICS threats and vulnerabilities in order to ensure the security assurance in ICS environment is properly deployed.
One of the methods to explore the vulnerabilities is by using the vulnerability assessment as commonly performed in the IT environment. Unfortunately, the ICS environment is differ from the IT environment, in term of the nature of operations, platform and CIA assurance.
The other method that can be used to explore the ICS vulnerabilities is by using the “non-destructive” vulnerability assessment, such as by assessing the current security policy in the organization, BCP/DRP validity and availability, network configuration, security log management, AAA management (storage and communication), in place procedure and best practice and asset inventory management.
By doing the “non-destructive” vulnerability assessment, the vulnerabilities on the ICS environment can be determined properly, while the risk exposure of doing this assessment can be managed in the acceptable level.
Following is the global categorization of the ICS vulnerabilities by using the NIST SP 800-53 security controls categorization perspective,