Friday, July 28, 2023

Purpose-Built ICS Assets and the Unique Challenges of Cybersecurity

Edward J. Liebig

There are a lot of "me too" vendors jumping on the OT cybersecurity bandwagon. Many businesses are finding out the hard way that the cybersecurity rules for information technology (IT) systems don't necessarily apply to industrial control systems (ICS). The mismatch is not just technological: IT processes and policies do not carry over seamlessly to operational technology (OT) either. Why? The answer lies in the fundamental differences between IT systems and "purpose-built" ICS assets.

"Purpose Built" – What does it mean?

Purpose-built ICS assets, such as Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), and Supervisory Control and Data Acquisition (SCADA) systems, are designed and configured for specific operational tasks. Their purpose is typically the control of industrial processes or systems, from production lines in manufacturing facilities to electrical grid management systems.

In contrast, IT systems are typically designed with more general-purpose functionality. These assets are "programmed" to perform a dynamic and broad range of tasks, such as data processing, information management, communications, and network services.

The difference in the approach between "programming" and "configuration" is what sets these systems apart. IT assets are programmed for various functionalities and can thus operate in widely differing capacities. Meanwhile, ICS assets are typically customized through configuration for a specific task, making their functionality more restricted.

What is the connection to cybersecurity?

The implications of this difference are profound when it comes to cybersecurity. In IT systems, vulnerabilities and potential attack vectors are more easily identified and studied due to the widespread use of these systems and the standardization of their programming languages and techniques. In many cases, this makes automation of vulnerability detection and security patch deployment more straightforward.

Conversely, ICS assets are in a class of their own. Their unique configurations and custom-built functionalities can make them much more elusive to study and understand from a cybersecurity standpoint. Cybersecurity research in the ICS realm can be challenging due to the specific nature of each system and the lack of standardization. This also makes automation of vulnerability detection and security hardening much more difficult.

Let's take the case of an energy grid managed by SCADA systems. These highly specialized systems are configured to control and monitor every aspect of the grid with precision. A vulnerability in such a system might not present in the same way it would in a general-purpose IT system, or it may be hidden within the custom configuration of the system.

This complexity is compounded by the potential for significant real-world consequences if an ICS asset is compromised. An IT system security breach is bad, but a successful attack on an ICS asset may cause physical damage or even threaten human safety.

The Leadership Perspective

From an executive leadership perspective, the unique cybersecurity challenges presented by purpose-built ICS assets necessitate a tailored approach. We must prioritize understanding these systems in their specificity and invest in dedicated ICS cybersecurity solutions. To effectively search for signs of compromise or attack, it is necessary to have visibility into, and a thorough understanding of, the ICS asset configuration files. 
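As an added illustration (not from the post), one concrete form that visibility into ICS configuration files can take: comparing a controller's exported configuration against a known-good baseline and escalating any change to safety-critical settings. The flat key=value export format, the keys and the values are all constructed for this example; a real controller's export will look different.

```python
import hashlib
# Constructed sample exports: a hypothetical flat key=value PLC configuration dump.
BASELINE_EXPORT = """\
firmware_version=2.4.1
run_mode=RUN
write_protect=ENABLED
max_pressure_setpoint=150
alarm_high_pressure=140
remote_program_access=DISABLED
"""
CURRENT_EXPORT = """\
firmware_version=2.4.1
run_mode=RUN
write_protect=DISABLED
max_pressure_setpoint=190
alarm_high_pressure=140
remote_program_access=ENABLED
maintenance_port=ENABLED
"""
# Settings that govern whether the controller can be modified or what the
# process may do; any change here is escalated for immediate review.
SAFETY_CRITICAL = {"write_protect", "remote_program_access", "max_pressure_setpoint"}

def parse_export(text):
    """Parse a key=value export into a dict, skipping blank and comment lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def fingerprint(cfg):
    """SHA-256 over sorted keys, so export order does not change the baseline hash."""
    canonical = "\n".join(f"{k}={cfg[k]}" for k in sorted(cfg))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_configs(baseline, current):
    """Return (kind, key, old, new) for every key added, removed or changed."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            findings.append((kind, key, old or "", new or ""))
    return findings
def escalated(findings):
    """Subset of findings that touch safety-critical settings."""
    return [f for f in findings if f[1] in SAFETY_CRITICAL]
```

Storing the baseline fingerprint gives a cheap "has anything changed" check on each export; the diff and escalation list tell the reviewer what changed and which changes matter most.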

A one-size-fits-all IT cybersecurity strategy will not suffice. While applying general cybersecurity best practices is crucial, we also need to focus on system-specific vulnerability assessments and penetration testing for ICS assets. This requires a deep understanding of each system's unique configurations and the potential cybersecurity threats they might pose.

To better safeguard our essential industrial infrastructures, we need to blend a robust OT-specific cybersecurity foundation with an individualized approach to ICS security processes, policies, and procedures. 
