Friday, October 22, 2010

Living With Dichotomy

One of the most prominent challenges a true security professional encounters when looking into Industrial Control System (ICS) security is the dichotomous relationship between process control engineers and the traditional IT security support staff. In reality both sides have the same objective in mind; however, the focus and approach differ greatly. IT security teams tend to focus on the security of information and have a hard time detaching from that mindset, while process control teams tend to insist that security measures hinder their ability to perform their duties efficiently and safely. Both teams speak from experience, yet both teams speak half-truths when it comes to ICS security.

As with many things in life, a happy balance is necessary to succeed in securing an ICS. Good, solid process and accountability are the best offense and defense. Traditional IT security measures must be balanced with compensating controls to accommodate the safety and availability challenges of the ICS world. Basics like password complexity, rotation, and even whether passwords are used at all must be rethought to satisfy the basic purpose and function of these systems.

Risk-assessment-driven policy and process, however, is always a prudent approach. Identifying the most critical systems, those with the highest impact on health and safety, financial loss, environmental hazards, production loss, and public image, is essential to addressing the assets that affect the overall security of the organization.

The risk assessment process in itself can bridge the gap between the IT and process control groups. Using the opportunity to bring these two sides of the house to a single conclusion on meeting the challenges is a good start. By having them collaborate on the importance of assets and talk through the security challenges, eyes are opened on both sides of the aisle regarding the true use and operational challenges of these systems.
