Industrial Control Systems (ICS): what to consider when protecting industrial assets from cyber threats? Part 1. Secure ICS Architecture design
Шрифт:
• Control engineers are less likely to use centralized cybersecurity. On all issues, they voted that services are either not needed at all or are needed for extensive systems. These results indicate the reluctance of control engineers to add new services to classic ICS.
• Cybersecurity engineers are more inclined to use centralized cybersecurity and consider their use justified even for small systems. This is most likely because the use of centralized cybersecurity management tools can significantly reduce labour costs for configuration and management of the system, analysis of incidents, and more.
More information on the results of the survey is provided in Appendix 1.
2. Complexity of systems and standards. The IEC 62443 standard considered in this paper has a rather complex structure, and the standard has many requirements that can be interpreted ambiguously and are not always interpreted correctly by users. When it comes to practical applications, users have many questions related to the variety of systems and architectures used, the peculiarities of technological processes, and more. In this work, I will consider some of them and try to help the reader to find the optimal way.
The first problem faced by engineers when designing a secure control system is the development of a secure ICS architecture. This stage is the first and most crucial stage of creating a system. Any errors and shortcomings at this stage can subsequently lead to serious system deficiencies in cybersecurity and/or significant economic losses due to correction of errors on an already implemented system. Thus, qualitative work at this stage will help increase the cybersecurity of control systems and significantly reduce the cost of implementing and maintaining cybersecurity countermeasures.
3. Method of Development of a Secure Industrial Control System Architecture
The concept of "zones and conduits" described in IEC 62443, despite its shortcomings, is an excellent basis for development of the secure ICS architecture. The concept of "zones and conduits" describes how different systems interact with each other, how and in what form information is transmitted between systems and the differences in security requirements in different zones. This concept is initially focused on ICS. In addition, recommendations from the following standards were used in this paper:
– "Cyber Security for Industrial Automation and Control Systems (IACS) EDITION 2", developed by the UK Health and Safety Executive and focused on the practical implementation of IEC 62443.
– "Framework for Improving Critical Infrastructure Cybersecurity" by National Institute of Standards and Technology, which allows a high-level, but structured and comprehensive assessment of the current state of a company’s cybersecurity. It also allows to plan improvements to cybersecurity.
– Local standards that are mandatory in the country, but may be inferior to international standards in terms of detail and level of coverage.
I would like to note that despite differences in legislative requirements in different countries, the principles and approaches to ICS cybersecurity are the same everywhere.
4. Inventory
The first step when building a best-in-class secure ICS should be to collect all existing information about assets, including:
• Manufacturing cells and material flow diagrams;
• Location plans for equipment and manufacturing cells;
• Information systems and ICS supporting the operation;
• Dependencies between information systems, industrial control systems, and manufacturing cells;
• General information about information systems and ICS, including vendor names, versions of firmware, hardware and application software, list of, and other data;
Конец ознакомительного фрагмента.