applesorganges

You are pounded with the message: ICS security is different than IT security. The fact is the Operations Technology (OT) in an ICS is a mission critical / high value IT system and needs to be treated like one. Don’t let the ICS is different argument allow you to accept fragility and insecurity in your OT.

The trigger for this entry is Bob Huba’s article in ISA’s Intech: Top Ten Differences Between ICS and IT Cybersecurity. The article is well written and accurate in comparing ICS and IT Desktop management, but that is the wrong comparison. ICS should be compared to mission critical / high value IT where companies can tell you how much money they lose, and it’s often a big number, for every minute of downtime.

There are plenty of mission critical IT systems that have availability requirements that rival ICS (1: Security Objectives). They have a better availability strategy than the too often ICS approach of make it redundant and don’t touch it if it is working. This is software and hardware that must be managed and supported to meet the availability requirements and not devolve into fragility.

Bob’s 8: Untested Software applies to both high value IT and OT. The change management around both includes rigorous testing, phased deployment, rollback strategy, etc. If you load up a patch or upgrade in high value IT and bring something down, you will see a similar management reaction to an ICS outage. Clearly the physical danger in a lack of integrity or availability is a factor in ICS, but do you honestly believe that a large financial impact is not treated with a similar level of concern to a business?

#9: Patching and #10: Security Inconveniences are ICS excuses and actually make the ICS more insecure and fragile than the high value IT. An ICS needs to be designed with a plan to support and maintain the mission critical IT system that it is. Would you put in physical equipment and not consider what maintenance will be required to the physical equipment to support reliable operation? I always point to Langner’s Robust Control System Networks as the book to hand an engineer who needs to understand why a fragile ICS is a problem.

The #3: Network Topology for ICS actually sounds like high value IT systems. #2 Network Segmentation is a partially valid difference. Some high value IT systems are Internet accessible, others are not. The high value IT systems will use DMZ’s and least privilege rulesets that quite frankly are much more restrictive than the average ICS firewall ruleset.

#6: User Accounts really is not a valid difference between IT and ICS, except that ICS too often accepts poor identification. Role based authorization is common in both as are other authorization methods and principles. Authorization has traditionally been an area of strength for ICS, and increasingly this is being performed in Active Directory.

There are a few areas of genuine ICS and High Value IT difference that Bob points out:

  • High value IT does not typically have Safety Instrumented Systems (#7: SIS)
  • The Purdue model does not apply to IT (#4: Functional Modeling), but you could argue that they have similar data flow and responsibility models with different names.
  • Many of the #5: Physical Components are unique to ICS … although you are seeing some of these physical components in a Data Center.

I agree with Bob that if you treat ICS HMI, EWS, Historians, Real Time Servers, PLC’s, RTU’s … like desktop user PC’s you will cause some serious problems, but this is a flawed comparison.

There is a lot the ICS community can learn and emulate from Mission Critical / High Value IT in designing, deploying and maintaining a robust OT environment. We should be leveraging their knowledge and processes rather than pushing them away. And certainly we shouldn’t continue down the path of install and don’t maintain because we didn’t plan to support the OT and don’t know how.

This is not to say that High Value IT is perfect. There are systems running with uncertainty and fragility and just hoping things won’t break … a similarity with many critical infrastructure ICS.

Image by Dan McKay