Blog by Chris Gausden, Arcanum Principal Consultant.
As part of my far sighted Open University degree in Computer Science in the 1990s, I completed a course that taught the social impacts of IT (before the days of social media); and postulated the future “de-skilling” of the workplace in favour of IT controlled automations. In the days when IT and the internet as we know it was in its infancy, the course foresaw the march of remotely managed industrial control systems, artificial intelligence/machine learning systems, and the creation of IOT to connect and control much of the home and workplace.
Since the completion of my degree a lot of things have changed in the world of information technology, and as predicated on that course, the inexorable march of automation and new industrial control systems have indeed changed the workplace. However, it seems likely that we are still in the early stages of that journey and have a long way to go until we have achieved a safe and fully automated and IT/OT controlled world, if that is the ultimate objective. It is interesting that we are only just waking up to the organised criminal exploitation of this new technology and still struggle to get the technologists and business owners to recognise the cyber threats and invest in their control and management.
Many of the specific threat paths to industrial control systems are not new as discussed in Computing magazine; “The internet, email and removable media remain as the leading sources of cyber-attacks in the ICS environment.” The principles and processes that can help an organisation to understand, and risk assess industrial control technology implementations are there in IEC 62443 and NIST 800-32. Their effective use still requires someone to look at the specific threats and risks identified in an IACS implementation and decide what can/should be done to reduce them. In many cases, the recommended options to reduce risk are no surprise and they are the same old suspects that were ignored or forgotten from previous network/data/application security risk assessments:
- Create logical zones to separate and protect your important assets from unauthorised authenticated users and any unknown threats using external connectivity.
- Set up protective and detective security technologies and monitor for anything unusual and respond when you find it.
- Identify vulnerabilities and reconfigure, update and patch (where you can) promptly and risk assess and otherwise protect where you cannot.
- Educate people to recognise the early signs of a security breach and give them a quick and responsive reporting path to validate and deal with their suspicious when they report things.
Security Boulevard has recognised these risks and provides similar advice to companies with IACS.
The recent COVID crisis has served to accelerate the widespread adoption of connected IT/OT into most aspects of our working and even private lives, and only those who can remember life before IT can see how much has changed. What has not changed, is the presence of criminals who will take advantage of any weaknesses and flaws in security and exploit them to make easy money. In the same way that new technology has allowed you to operate automated business processes from a distance, without good security the same technology allows the next generation of criminals to rob companies and people safely from afar.
It all starts with knowing where the risks to your industrial control systems are and what you could do to reduce them. For more information and advice, speak to Arcanum Cyber Security about IEC 62443 IACS risk assessments for your industrial control systems.
Arcanum Information Security is a leading National Cyber Security Centre (NCSC) accredited provider, certified in both Risk Assessment and Risk Management to provide specialist Cyber Security consultancy services. Arcanum consultants are NCSC Certified Professionals, with extensive knowledge and experience. In addition, we provide Digital Forensics through our ISO 17025 accredited laboratory.
For more information, get in touch by calling: 01558 669140 or alternatively email: email@example.com