Control system security compliance: Assess risk before it’s too late

Cybercrime is no longer a problem restricted to IT. The Department of Homeland Security recently warned that thousands of industrial control systems (ICS) can be hacked remotely. More specifically, the vulnerability was found within an ESC 8832 data controller, which, at a glance, allows a plant worker to see exactly how an industrial unit is working. The flaw can be easily exploited by a low-skilled attacker.

Even more worrying, however, is that the manufacturer has stated it is unable to fix the vulnerability as there is no code space to install a security patch. With targeted attacks aimed at nuclear and energy facilities on the rise, the need for greater regulation and compliance to ensure plant security is rising up the agenda.

Combatting the problem through increased regulation

In the Netherlands, a bill on the notification of data leaks was recently passed. This new law imposes a responsibility on data controllers in the Netherlands to notify the Dutch Data Protection Authority, as well as the individuals affected, in a timely manner following a data breach. Failure to do so can lead to fines of up to €810,000, or 10 per cent of a company’s net annual turnover.

This presents a considerable challenge for organisations, which are now realising that, in order to remain compliant and avoid fines, they must undertake a detailed assessment of their security maturity.

Other European countries will also face larger fines if businesses are not compliant with security standards and practices, such as the IEC 62443 standards. Earlier this year, the EU’s General Data Protection Regulation (GDPR) was finalised. This means that fines for businesses found to be breaking regulations are set to increase, and these will far outweigh the scale of those currently being handed down by the UK’s Information Commissioner’s Office (ICO), the largest of which is £500,000. Under GDPR, this will increase to €20m, or four per cent of a company’s global annual turnover – whichever is greater.

The problem the industry is facing is that, without security, governance or risk processes in place, many are unable to guarantee that a breach hasn’t already occurred, and therefore find it difficult to determine if they are in control of their systems or data. This means that many insurance companies are no longer willing to insure industrial companies due to the increasing security risks these systems are facing.

Assessing your industrial asset before it’s too late

The answer for businesses looking to be compliant with new regulations, such as IEC 62443 or the GDPR, is to assess security maturity from the outset. The issue the industry is currently facing is that many industrial control systems are insecure by design and thus vulnerable to a range of cyber threats. This means companies may have been using insecure products for a number of years, without ever being aware of the issue.

Such companies are at huge risk of data breaches, fines and a loss of productivity, resulting in a drop in profit. For this reason, not only is it essential that manufactured products are built with security in from the outset, but businesses must begin conducting assessments of their own operational technology to ensure they aren’t susceptible to a breach.

The increasing number of regulations that businesses must adhere to has led droves of companies to begin undertaking risk and vulnerability assessments. These help a firm to identify vulnerabilities and risks in the security of physical products, IT and OT systems at an early stage. As manufacturers look to adopt new regulations, these services have been designed to ensure businesses are compliant with legislation and, ultimately, that fines are kept at bay. It is imperative that organisations measure and establish control in order to mitigate risk and address vulnerabilities.