What is ICS Security?

ICS security is cover not only virus, malware and hacker threats to the ICS environment but it is beyond those concerns. The ICS security should be viewed as the integrated concept that cover several entities such as corporate policy, procedure and manual, emergency response management, data access and protection, account management, secure network architecture and management, asset risk profile and security controls, periodic review and audit activities.
 

Where to Start?

The best way to start the whole ICS security assurance activities is by ensuring the awareness level of the resources are in the same level (minimum knowledge level that required to operate the production operations safely and securely).
This first step of the milestone will define the security posture of the organization in the ICS environment. By having proper awareness level across the organization it will be easier to collaborate together to strategize the ICS security assurance activities.
The support from management that represented in the corporate goals will be one of the strongest enforcement to have the ICS security assurance in place.
 

Resource Awareness and Periodic Refreshment

As the first engagement to the resources that have daily responsibility to ensure the sustainable production operations of ICS environment, the entry level awareness training that cover the fundamental of ICS security concern could be viewed as one of the solution.
A periodic training to refresh the mindset should also be implemented internal organization to ensure the minimum knowledge and best practices in ICS security correlated activities are deployed in place.
Some organization may have a periodic IT security awareness training to all employees, while this training scheme can also be adopted in ICS security awareness training approach but targeted more specific to the persons that have correlation with ICS environment (engineering, technician, operations, maintenance, IT and managerial level).
 

Typical ICS Security Training

žEntry level training

• Security awareness training that aimed to the general resources within organization, such as security training for HR employees, Controllers, Procurement, etc.
• This type of training commonly will expose more in the IT security side as this concern is reflecting the participants day to day personal and business activities. It is expected that this type of training can be the fundamental layer of developing corporate security culture.
• The content mainly will expose more about the introduction and tips on dealing with cyber threats either as personal or as business professional.

žManagement training

• Security awareness training that aimed more specific to the management level in order to deliver the understanding and the urgency concern related to IT security and ICS security within their asset.
• IT security is more common term that can be used as the gateway to enter the ICS security understanding. That is why the delivery of the ICS security assurance can use IT security approach, with the ultimate materials will cover the more specific ICS security cases in the more general point of view.
• Medium level training with exposure level that can be adjusted depends on the targeted management positions.
• Keep it simple as the executive summary format with exposure more to the business impact in case by case example. The main goal of this type of training is to leverage the awareness level of the management so they can support the ICS security assurance activities in the future.

žProfesional training

• The top advance training aimed to the professional that has strong relation to the ICS environment activities in daily basis, such as Instrument & Electrical Engineer/Technician, Control System Engineer, IT Infrastructure Engineer, IT Security professional, IT PCN, SCADA specialist, ICS security auditor, Operations and Maintenance organization, etc.
• High level training with deep and detail technical exposure, combined with best practices, lesson learned, case studies and practical knowledge.

The ICS Security Policy and Its Correlation to the ICS Security Assurance

The ICS security policy establishment within organization is a hard work task with long term sequence. The safety and security aspects to ensure the production operations of the critical infrastructure industries should be viewed as the license to operate. These critical infrastructure industries, such as Oil and Gas; Petrochemical; Refinery; Mining; Power Generation; Public Infrastructure and Utilities, have strong dependency to the Industrial Control System (ICS) environment as the critical system to support continuous plant performance. The proper way to treat the ICS environment is by having proper security policy that will govern the whole aspects across the system environment, its interface and framework.
Surely it is not an easy task to develop and deploy proper ICS security policy within the organization.  As per mentioned previously, the security awareness training in the ICS environment can be one of the first step milestone in order to build the strong ICS security policy and deploy it in the business environment.
The ICS security assurance will not be achieved without having ICS security culture. While the ICS security culture itself will not be established without having proper ICS security policy that triggered from ICS personal security awareness within the corporate environment.
 
[highlights]Join us in ICS Cyber Security Management System training[/highlights]
“Explore more regarding ICS security training upcoming agenda“