“Common sense is the best distributed thing in the world, for we all think we possess a good share of it.”
(René Descartes, Discours de la Méthode)
In a context of economic crisis and increased competition, cyber security is rarely a priority for French industry top management. But this could quickly change because of the recent attack campaigns targeting companies in the United States or in Europe; and the time of activism or denial of service is gone, we now deal with a systematic strategy of industrial espionage and theft of confidential information.
However, the security and safety of industrial computer systems (ICS or “SCADA systems”) cannot be ensured only by the implementation of traditional IT best practices. It is therefore necessary to rethink the security methodologies and tools developed during the past fifteen years for “classical” IT environments in order to adapt those to the constraints and specificities of ICS environments.
The good old IT management toolbox
Security management (Business Impact Analysis and risk analysis, information security policy, action plans) and methodological tools (ISO 2700x, EBIOS, Mehari, etc..) used to secure information systems rely on organizational and technical solutions which are largely standardized : once the security action plans have been identified, CIOs and CISOs can count on a human organization (IS Dpt., or the computer technician) and a set of standard tools (directories, password policy, centralized management tools, patch management, firewalls, antivirus, etc..) to secure information systems. In addition, governance and technical solutions can be centralized and applied to multiple remote sites.
While the implementation of the approach outlined above is complex and depends on many factors specific to each company, it is possible to mix pragmatic security governance and proven technical solutions, be it for a multinational or a SME.
ICS : the need for a specific approach
The situation is quite different in the industrial world. A different type of vocabulary is used, constraints add up, priorities are totally different from one site to another.
Security becomes safety, key personals are operations staff, automation team, quality managers or plant managers directly, not to mention multiple providers involved in the day to day operation of various control systems on site. Depending on the industry, specific standards may apply, and some production systems can be 10 or 15 years old. Finally, even if they belong to a national or even international firm, industrial sites, facilities or subsidiaries have extensive local autonomy which makes it hard to design global standards and recommendations.
In these contexts, methodologies developed for the classical office IT are not applicable and it is necessary to build new ones. But it would be a mistake to address industrial safety with a purely technical strategy.
Even if the controllers have multiple vulnerabilities made public in recent years, the first answer to ICS security is not a technical answer. Technical issues are part of the issues to be addressed, but they are not THE main problem.
The methodology developed by LEXSI consultants starts with a diagnostic based on 10 key points. This diagnostic facilitates the security strategy definition: physical security, inventory management, suppliers contracts review, network architecture, staff training and security awareness, etc. These are some of the topics covered in our diagnostic.
Once the findings shared and validated by plant management, it becomes possible to develop tailored action plans both technical and organizational such as identifying the perimeters, zones and conduits (ISA / IEC 62 443) to secure in priority, inventory and ICS asset management, introduce security requirements in suppliers contracts, develop security awareness and training programs, etc.
This proven approach is flexible, pragmatic and perfectly adapted to the very specific constraints of industrial plants.
This methodology is at the heart of two days of training on ICS security organized by LEXSI in Paris on April 22nd and 23rd. UPDATE: Additional dates have been planned in Paris on June 5th and 6th to meet demand.
Starting with a detailed overview of attacks and problems affecting industrial systems in recent years and a review of the best standards and practices, the training aims to provide participants with all the practical tools necessary to make a diagnosis of an industrial site and take appropriate security actions.
Hands-on labs session: in order to manipulate security tools and techniques, the last afternoon is dedicated to practical work on different industrial systems and security solutions installed in LEXSI University lab.