Blog by Chris Gausden, Arcanum Principal Consultant.
Despite the title, this is not some scribblings on the subject of chemically vaporous pollution or global warming. However, it does represent a view of managing the practical security and compliance state of current UK Operational Technology/Industrial Control Systems (OT/ICS). It also introduces the not unexpected idea that OT/ ICS may soon join the many other enterprise IT functions in being cloud hosted.
The relatively recent introduction of the IEC 62443 framework has created a worthwhile methodology for supporting the creation, and operation of secure and resilient ICS; and assessing them against a credible and relevant control set. The risk analysis process is dependent on the existence of up to date quality technical design diagrams, and a maintained asset list that represents the various ICS technologies in use including vendor, model, and version. The link below provides a very useful guide written by Honeywell who manufacture enterprise ICS component systems globally and identifies the use of IEC 62443 and its benefits and limitations.
[1] IEC 62443: Industrial Network and System Security Guide
Used intelligently, the IEC 62443 framework should help organisations to identify any vulnerabilities in their ICS design and operation, and identify cost efficient security improvements to reduce the risk to business owners and their customers.
Arcanum has been working with a number of CNI organisations and the NCSC to provide IEC 62443 risk assessments. Most current ICS systems have traditional physical on premises topologies, with some now making the move to local virtualisation hosting for infrastructure. However, in most cases the underlying hosting technologies and ICS are on physical sites that are still under the direct control of the business owner or their contracted third party. The move to cloud would change some of that model and whilst introducing all of the benefits of cloud technology; it will place a lot more reliance on having a secure logical topology/zoning in design and operation, and effective security monitoring, alerting, and response. CSO United Kingdom give a view of current thinking and the key players in this field whilst acknowledging both the risks and the inevitability of the trend towards enterprise cloud hosting for OT/ICS [2].
[2] CSO: ICS as a cloud service is coming: Will the benefits outweigh the risks?
Our thinking on the topic is that it all comes down to the same OT/ICS business/security risk management principles:
- Early identification of the business requirements/benefits and the corresponding security risks in the new ICS/OT model you wish to adopt and design/plan the solution.
- Use IEC 62443 framework principles and processes to clearly identify, understand, and minimise the security risks in design and operation with the business accepting the levels of residual security risk.
- Agree (contractually), with the cloud provider what security responsibilities and risk mitigations they will own for the ICS architecture, and plan/budget for the rest.
- Accept that intelligent focused security monitoring and response will need to be part of the ongoing business operational function for future secure OT/ICS, especially where it is cloud hosted.
To find out more information about the IEC 62443 framework, and how Arcanum can help you, click here.
Get in touch by calling: 01558 669140 or alternatively email: marie.caruso@arcanumis.com
About ArcanumĀ
Arcanum Information Security is a leading National Cyber Security Centre (NCSC) accredited provider, certified in both Risk Assessment and Risk Management to provide specialist Cyber Security consultancy services. Arcanum consultants are NCSC Certified Professionals, with extensive knowledge and experience. In addition, we provide Digital Forensics through our ISO 17025 accredited laboratory.
Sources:
[1] https://www.isa.org/getmedia/b75b5611-1fa8-4807-99e5-d8707b7cff18/Phinneydone.pdf