ICS Cyber Awareness is a Critical Factor

Introduction

ICS cyber security education should be high on the priority list of every organization's top executives. The process must involve a) ICS operators and engineers, who must expand their cyber security knowledge, b) IT experts, who must learn ICS basics as well as the specific risks and solutions related to ICS architectures, and c) managers, who need enough knowledge to make correct decisions about the allocation of resources.

Boosting the awareness of your workforce is the "P" (People) part of the PPT (People-Policies-Technologies) triad and has the highest return on investment. This paper highlights the most important measures and actions and helps you select the most appropriate training program for your organization.

Differentiating between IT and ICS

Employees who want to become ICS cyber security experts must adopt a few basic principles. Once they understand the value of these guidelines, they are a step ahead in dealing with ICS.

  • Before dealing with ICS cyber security, study ICS basics, which focus primarily on levels 0-2 of the Purdue Model (the physical process and sensors, the PLCs and controllers, and the supervisory HMI/SCADA layer). It is important to visit a couple of field sites to learn the details first-hand.
  • Study the differences between IT and ICS. IT experts aim to assure Confidentiality, Integrity and Availability, while the goals of ICS experts are Safety, Reliability and Productivity.
  • Cyber defense measures for IT and ICS are different. While a test in an IT environment may at worst cause an unexpected shutdown, pen-testing a live ICS might cause physical damage and risk to life. Active testing belongs on a test bed or replica, not on the running process.
  • IT experts constantly patch, update and upgrade their systems. ICS experts cannot do that, because every change or update represents a risk to operating safety and reliability; changes must be tested first and scheduled into maintenance windows.
  • There is no single cyber defense method that prevents every attack on your system; the best you can do is deploy layered cyber defense (defense in depth) combined with the principles of the PPT triad.

Analyzing cyber risk factors

Understanding the attack vectors and the attack surface is a key principle. You may correlate these paths with the seven steps of the Lockheed Martin (LM) Cyber Kill Chain as applied to industrial systems. Consider the following:

  • Non-attack factors: consider two events that might interfere with the ICS process without any adversary: a) failure of a sensor or PLC, or a software bug, and b) an incorrect action by an authorized person.
  • Negligence of people: consider actions such as inserting a foreign USB stick, failing to detect a social engineering attack, uncontrolled supply chain processes, use of simple passwords, etc.
  • System-oriented attacks: the adversary may attack the ICS through the internal or external utility systems of the building (HVAC, generators, data center cooling, UPS, etc.).
  • Attacking the ICS: access to the network through a "backdoor" connection (such as an unmanaged modem or vendor remote-maintenance link) might lead to man-in-the-middle (MitM) access, a DDoS attack on the ICS network, information leaking out of the ICS, etc.
  • Attacking the process: consider attacks on the HMI, engineering station, PLCs and field sensors, which might manipulate the physical process by exploiting vulnerabilities in these components.

ICS Cyber defense methods

Cyber defense measures for an ICS should be selected based on the risk, calculated from the probability of occurrence and the impact of the attack (risk = likelihood x impact), so that the most effort goes to the scenarios that are both plausible and damaging.

  • Adhere to corporate policies for servicing the ICS and operating its computers
  • Deploy hierarchical zoning: separate segments that do not need to communicate with each other, and control the conduits between those that do
  • Use an ICS-oriented firewall, a DMZ or a data diode between the IT and ICS sections
  • Require strong authentication before connecting process-oriented devices to the ICS network
  • Prevent remote access to the ICS unless it is mandatory for critical purposes, and then enable it only for the duration needed
  • Use an IDS to detect anomalous conditions at levels 0, 1 and 2 of the Purdue Model (for example, a write command to a PLC from a host that never writes)
  • Conduct periodic ICS architecture assessments to detect new vulnerabilities
  • Update the OS, antivirus and application programs only after intensive testing
  • Strengthen physical security for all installations that attackers might access

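The zoning, allowlisting and IDS measures above can be combined into one passive monitoring rule set. The following is an added example and is not code from the article or from any product it mentions: a small Python checker that parses constructed Modbus/TCP request frames (MBAP header plus PDU) and reports anything that departs from an assumed zone policy (which level-2 hosts may send which function codes to which level-1 PLCs) or from the Modbus specification's quantity limits. All host addresses, the policy table and the sample frames are constructed for this example.

```python
"""Allowlist-based anomaly detection for Modbus/TCP at Purdue levels 1-2.

Added example, not part of the original article. The zone policy, the host
addresses and the sample frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCTIONS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}    # write single coil / register, multiple coils / registers

# Assumed zone policy (constructed): which level-2 host may send which function
# codes to which level-1 PLC. Anything not listed here is an anomaly.
ZONE_POLICY = {
    "10.2.0.10": {"role": "HMI", "plcs": {"10.1.0.5", "10.1.0.6"},
                  "functions": READ_FUNCTIONS | {5, 6}},
    "10.2.0.20": {"role": "engineering station", "plcs": {"10.1.0.5", "10.1.0.6"},
                  "functions": READ_FUNCTIONS | WRITE_FUNCTIONS},
    "10.2.0.30": {"role": "historian", "plcs": {"10.1.0.5"}, "functions": {3, 4}},
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src, dst, frame):
    """Parse MBAP header (tid, protocol id, length, unit id) + PDU; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes on the wire")
    return ModbusRequest(src, dst, tid, unit, frame[7], frame[8:])


def check_pdu(req):
    """Spec sanity checks on the most common PDUs; oversized quantities indicate scanning/fuzzing."""
    findings = []
    if req.function in (1, 2, 3, 4):
        if len(req.data) != 4:
            return [f"fc{req.function}: bad data length {len(req.data)}"]
        _, qty = struct.unpack(">HH", req.data)
        limit = 2000 if req.function in (1, 2) else 125
        if not 1 <= qty <= limit:
            findings.append(f"fc{req.function}: quantity {qty} outside 1..{limit}")
    elif req.function == 16:
        if len(req.data) < 5:
            return ["fc16: truncated header"]
        _, qty, nbytes = struct.unpack(">HHB", req.data[:5])
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(req.data) - 5 != nbytes:
            findings.append(f"fc16: quantity {qty} / byte count {nbytes} inconsistent with payload")
    return findings


def check_policy(req):
    """Zone and allowlist checks: who talks to whom, with which function codes."""
    findings = []
    policy = ZONE_POLICY.get(req.src)
    if policy is None:
        findings.append(f"unknown host {req.src} talking to PLC {req.dst}")
        if req.function in WRITE_FUNCTIONS:
            findings.append(f"write fc{req.function} from unknown host")
        return findings
    if req.dst not in policy["plcs"]:
        findings.append(f"{policy['role']} {req.src} reached PLC {req.dst} outside its zone")
    if req.function not in policy["functions"]:
        kind = "write" if req.function in WRITE_FUNCTIONS else "read" if req.function in READ_FUNCTIONS else "unusual"
        findings.append(f"{policy['role']} {req.src} sent {kind} fc{req.function} not in its allowlist")
    return findings


def analyze(frames):
    """Run (src, dst, raw_bytes) frames through all checks; return {frame index: [findings]}."""
    report = {}
    for i, (src, dst, raw) in enumerate(frames):
        try:
            req = parse_modbus_tcp(src, dst, raw)
        except ValueError as e:
            report[i] = [f"malformed: {e}"]
            continue
        findings = check_pdu(req) + check_policy(req)
        if findings:
            report[i] = findings
    return report


def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame around a PDU (used only to construct the samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not a real capture.
SAMPLE_FRAMES = [
    ("10.2.0.10", "10.1.0.5", mbap(1, 1, struct.pack(">BHH", 3, 0, 10))),        # 0 HMI reads 10 registers: normal
    ("10.2.0.30", "10.1.0.5", mbap(2, 1, struct.pack(">BHH", 4, 0, 20))),        # 1 historian polls: normal
    ("10.2.0.30", "10.1.0.5", mbap(3, 1, struct.pack(">BHH", 6, 40, 1))),        # 2 read-only historian writes
    ("10.2.0.20", "10.1.0.6", mbap(4, 1, struct.pack(">BHHB", 16, 100, 2, 4) + b"\x00\x01\x00\x02")),  # 3 authorized write
    ("10.3.0.77", "10.1.0.5", mbap(5, 1, struct.pack(">BHH", 5, 0, 0xFF00))),    # 4 unknown IT-side host writes a coil
    ("10.2.0.10", "10.1.0.9", mbap(6, 1, struct.pack(">BHH", 3, 0, 1))),         # 5 HMI reaches PLC outside its zone
    ("10.2.0.10", "10.1.0.5", mbap(7, 1, struct.pack(">BHH", 3, 0, 300))),       # 6 read of 300 registers (> 125)
    ("10.2.0.10", "10.1.0.5", struct.pack(">HHHB", 8, 0, 99, 1) + struct.pack(">BHH", 3, 0, 1)),  # 7 length field lies
]

if __name__ == "__main__":
    for idx, findings in analyze(SAMPLE_FRAMES).items():
        src, dst, _ = SAMPLE_FRAMES[idx]
        print(f"frame {idx} {src} -> {dst}:")
        for f in findings:
            print("   ", f)
```

Run stand-alone, it prints the frames that trip a rule (the historian writing a register, an unknown IT-side host writing a coil, the HMI reaching a PLC outside its zone, an oversized read and a malformed frame) while ordinary reads and the engineering station's authorized write pass silently. In a real deployment the policy would be learned from a baseline capture during normal operation and the checker fed from a SPAN port at the IT/ICS boundary; because it only observes traffic, it carries none of the risk that active scanning of a live PLC does.
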
Methods for educating the staff

Experts know well that a very high percentage of "successful" cyber attacks were possible only because of a lack of the awareness and experience needed to detect and stop them. Therefore, educating all personnel should be considered a mandatory requirement for boosting ICS cyber security.

  • Operators and ICS maintenance engineers must upgrade their ICS cyber security skills
  • IT cyber security personnel must learn how ICS architectures can be correctly protected
  • Decision makers must understand the risks in order to approve the budget properly

Summary

Organizations must have a methodology for educating employees about cyber risk and response. These actions will help you comply with regulations and prevent incidents that might risk lives, cause operating outages, damage machinery and severely damage the reputation of your organization. Therefore, management's attention to ICS cyber security should be high on the priority list; it is worth the investment.

Daniel Ehrenreich

Consultant, Secure Communication and Control Experts (SCCE)