Industrial Control System (ICS) operators recognize the need to improve cybersecurity, but many lack an understanding of how to operate a system in a secure manner. Schneider Electric has authored a whitepaper, “Effectively Maintaining the Security of Industrial Control Systems”, that takes asset owners through the system maintenance process. In this blog article, I will provide a brief overview of the concepts presented in the whitepaper.
The Maintenance Phase consists of a variety of independent activities that must be effectively managed on an ongoing basis. Activities can be divided into two key types: those that occur on a continual basis, and those that are event driven.
Continual Monitoring – Security monitoring is typically not as simple as having personnel look at the alarms each morning. Personnel must have in-depth knowledge of the monitoring applications.
- Asset Monitoring – Ongoing monitoring of the network to track devices connected to the system, and whether elements are using the latest software versions.
- Security Monitoring – This activity is focused on monitoring the technologies that have been implemented to detect malicious activity.
Event Driven Maintenance – In addition to activities that operate in the background, there are a variety of event driven components of the Maintenance Phase.
- Patch Management – Patches are issued by equipment vendors to address vulnerabilities, and are therefore critical to system security.
- System Backup – Defines the elements requiring backup, the backup interval, the number of backups retained, manual vs. automatic backup, backup schedules, file storage locations, and how to properly dispose of backup systems that have reached end of life.
- Change Management – During the implementation phase, system architecture diagrams, network diagrams, and asset inventories were created. Changes will occur once the system is operational. A formal change management process should be used to ensure that changes are effectively requested, decided on, implemented, and documented.
- Incident Handling – A critical process in the Maintenance Phase is incident handling. Incident handling creates a plan to deal with unauthorized intrusion, cyber theft, denial of service, malicious code, and other security related events.
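The Asset Monitoring and Change Management activities above both rest on the asset inventory created during implementation. The following is an added example, not code from the whitepaper or from Schneider Electric, showing how a defender can compare what is observed on the network against that inventory and the approved change records, flagging unknown devices, missing devices, firmware changes with no approved change record, and devices running versions older than the latest vendor release. All MAC addresses, IPs, roles and version numbers are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    role: str
    firmware: str


# Constructed sample data: the approved asset inventory from the implementation phase.
BASELINE = {
    "00:80:f4:00:00:01": Asset("00:80:f4:00:00:01", "10.10.1.10", "PLC", "2.7.0"),
    "00:80:f4:00:00:02": Asset("00:80:f4:00:00:02", "10.10.1.11", "HMI", "4.1.2"),
    "00:80:f4:00:00:03": Asset("00:80:f4:00:00:03", "10.10.1.12", "Historian", "1.9.5"),
}
# Constructed: latest vendor-published firmware per device role (hypothetical values).
LATEST = {"PLC": "2.7.1", "HMI": "4.1.3", "Historian": "1.9.5"}
# Constructed: approved change records from change management (MAC -> new firmware).
APPROVED_CHANGES = {"00:80:f4:00:00:02": "4.1.3"}
# Constructed: what a network scan observed today (Historian absent, new device present).
OBSERVED = {
    "00:80:f4:00:00:01": Asset("00:80:f4:00:00:01", "10.10.1.10", "PLC", "2.7.0"),
    "00:80:f4:00:00:02": Asset("00:80:f4:00:00:02", "10.10.1.11", "HMI", "4.1.3"),
    "00:80:f4:00:00:09": Asset("00:80:f4:00:00:09", "10.10.1.50", "unknown", "0.0.0"),
}


def version_tuple(version):
    """Turn '2.7.1' into (2, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def review_assets(observed, baseline=BASELINE, latest=LATEST, approved=APPROVED_CHANGES):
    """Return (finding_type, mac, detail) tuples for every deviation from the baseline."""
    findings = []
    for mac, seen in observed.items():
        known = baseline.get(mac)
        if known is None:  # device not in the inventory at all
            findings.append(("unknown_device", mac, seen.ip))
            continue
        if seen.firmware != known.firmware and approved.get(mac) != seen.firmware:
            findings.append(("unapproved_change", mac, f"{known.firmware}->{seen.firmware}"))
        newest = latest.get(seen.role, seen.firmware)
        if version_tuple(seen.firmware) < version_tuple(newest):
            findings.append(("outdated_firmware", mac, f"{seen.firmware}<{newest}"))
    for mac in baseline.keys() - observed.keys():  # inventoried but not seen
        findings.append(("missing_device", mac, baseline[mac].ip))
    return findings


def demo():
    return review_assets(OBSERVED)
```

Each finding maps to a maintenance activity: unknown and missing devices feed asset monitoring, unapproved changes feed the change management review, and outdated firmware feeds patch management.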
A third key area associated with maintenance is auditing. Companies should create a comprehensive plan to audit key cybersecurity-related policies and procedures on a regular basis. The priority of each policy or procedure drives its audit schedule. Examples include change management process audits, incident response audits, system recovery audits, and risk assessment process audits.
The threat of cyber-attack is real and will continue to be an issue plaguing ICS for the foreseeable future. Following the steps outlined in the whitepaper will enable operators to effectively maintain ICS infrastructure.