Industrial Control Systems (ICS) are composed of physical entities whose functioning relies heavily on ICT components. ICS are ubiquitous and can be found in a number of safety-critical infrastructures, including energy, chemical processes, health care, aerospace, manufacturing, and transportation. While originally isolated and inherently secure, ICS have been increasingly exposed to cyber attacks (e.g. Stuxnet). While it is impossible to eliminate such risk, security measures and controls must be in place to guarantee an acceptable level of risk exposure.
The ICS Security initiative was a joint project of the Global Cyber Security Center and an Italian Energy Utility Company, carried out in 2011 and 2012. The work aims at:
1. identifying the state of the art of security practices and countermeasures developed and achieved by the most relevant and influential international bodies and institutions in the field.
2. conducting a review of the cyber security policy used by the Utility Company and of the security controls in place in a representative set of power plants of the Utility Company, in order to determine the actual level of protection and, if necessary, to find appropriate additional security checks.
The first point can be reused and applied to many critical infrastructures, as most of the security documents reviewed are equally valid across most industrial sectors. While the second point is targeted at the energy sector, and specifically at the Utility Company environment, the methodology developed by the project can still be applied systematically to any critical infrastructure and to any ICS area.
The project team collected and analysed a large number of international standards, recommendations, guiding policies, and guidelines issued by pertinent and notable institutes. The following international institutes were considered:
• American Petroleum Institute (API)
• International Electrotechnical Commission (IEC)
• Institute of Electrical and Electronics Engineers (IEEE)
• International Society of Automation (ISA)
• International Organization for Standardization (ISO)
• North American Electric Reliability Corporation (NERC)
• American Gas Association (AGA)
• U.S. Government Accountability Office (GAO)
• National Institute of Standards and Technology (NIST)
• Sandia National Laboratories
• UK Centre for the Protection of National Infrastructure (CPNI)
• US Department of Energy (DoE)
• US Department of Homeland Security (DHS)
• US Nuclear Regulatory Commission (NRC)
The documents were classified and sorted according to a structured collection model developed by the team. The collection structure was inspired by the information security domains described in the ISO/IEC 27001 standard. This allowed the team to select the most effective security controls and measures from each document and to compare them by domain of application. The outcome of this first phase of the project was a large set of security requirements relevant to energy control systems. The requirements address governance, network security, and host security issues.
The second phase of the project delivered a gap analysis between the collection of security requirements developed in the first phase and the security policies and controls in place in the Utility Company environment. To this end, the team checked, for each security control, whether and to what extent:
• the control is considered in the Utility Company ICS security policies and documents;
• the control is implemented in practice, according to the documentation and to the support provided by the Utility Company.
To give a better view of the implications of the security controls, they were analysed and classified according to different characteristics such as affected asset, vulnerability, threat class, security domain, and security priority. This classification allowed the Utility Company to understand the risk associated with the missing controls and to prioritize the most important ones that must be implemented.