Emerging consensus for an ICS security approach

An increasing body of experience with industrial control system (ICS) security, as well as the emerging Industrial Internet of Things (IIoT) are driving a new consensus as to the difference between information technology (IT) and operations technology (OT) / ICS security programs.

NIST, ANSSI, the ARC, the Gartner Group and others all recognize that preventing mis-operation of industrial systems in order to preserve safe and reliable operations is a fundamental priority for industrial sites, while the top priority on IT networks is one variation or another of data protection.

Defining ICS cybersecurity

IT cybersecurity has long been defined as a set of measures intended to protect the confidentiality, integrity and availability of data. ICS cybersecurity is increasingly defined as a set of measures intended to protect the safe and reliable operation of physical industrial processes and the computers that control those processes, rather than measures to protect data. For example:

• NIST 800-82r2 advises that “ICS cybersecurity is essential to the safe and reliable operation of modern industrial processes.”
• The ARC Advisory Group points out that “Safe and reliable operation is an imperative for industrial processes. […] This distinguishes industrial cybersecurity deliberations from those used for IT cybersecurity programs.”
• Gartner observes that “From a security planning and operations perspective, OT environments are designed for safety and reliability first. This contrasts with IT, which emphasizes confidentiality, integrity and availability of data as primary goals.”

This difference in priorities drives important differences between IT and OT security programs. IT risk assessment methodologies are inadequate when applied to reliability-critical or safety-critical networks. IT security programs are equally inadequate.

For example, the Gartner’s 2017 paper “Demystify Seven Cybersecurity Myths of Operational Technology and the Industrial Internet of Things” concludes that it is a mistake to use IT risk assessment methodologies to assess OT risks and that “an organization cannot expect that [a security] architecture and design originally meant to protect information can address requirements specific to physical systems.”

ICS security is different

When designing industrial security programs, intrusion prevention is seen as a much higher priority than security incident detection, response and recovery. Essential elements of a preventative OT-centric approach to security include:

Perimeter security – important industrial sites always have strong physical and network perimeter protection. No such site allows members of the public to walk up to sensitive physical equipment and start smacking it with a hammer. No such site allows packets from all over the Internet to test their systems for zero-day vulnerabilities.

Capabilities-based design – well-protected industrial sites design their security programs to defeat reliably all widely-available attack capabilities, rather than try to intuit motives of the moment that might attributable to specific threat actors.

The reason for the emphasis on prevention in ICS is that, as the Gartner report says, “Many OT security failures have direct consequences on physical environments, potentially resulting in death, injury, environmental damage or large-scale disruptions of critical services. While serious and business-threatening, IT security failures are seldom life- or property threatening.” Detection, response and recovery are still important on ICS networks, but the first focus must be on prevention – human lives, environmental disasters and damaged physical equipment cannot after all be “restored from backups.”

Unidirectional gateway technology

A wide variety of experts, standards and guidance are going on the record regarding firewalled connectivity in ICS networks, recommending that unidirectional security gateways and related technology be used instead of firewalls in many industrial contexts. The ANSSI standards for industrial cybersecurity for example permit firewalls on IT networks, strongly recommend unidirectional gateways for the IT/OT interface, and forbid firewalls entirely for interfaces to the most sensitive industrial networks.

Unidirectional gateways are also seen as important enablers for IIoT deployments. Unlike firewalls, unidirectional gateways can connect industrial networks directly to IT, Internet and cloud systems without risk of attacks leaking back into protected industrial networks.