ICS/IIoT Taxonomy Needed for Effective Communication

Friday, October 12, 2018 @ 01:10 PM gHale

By Dale Peterson
There have been many events and data points that show even people knowledgeable in ICS and security are having difficulty communicating together because we have different views and experiences on what an ICS is.

The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report.

The report stated “42 percent of all machines had regular or full-time Internet connections,” and based on the other statistics a large percentage of that 42 percent were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/HMI.

RELATED STORIES
GSX: Integrate All Security
ICSJWG: Solid Solutions ‘Not Rocket Science’
ICSJWG: ‘If it Isn’t Secure, it Isn’t Safe’
Black Hat: Breaking Down Safety System Attack

My initial reaction was, that’s crazy.

We see almost no direct Internet access from ICS computers and certainly these computers are not receiving email. Even taking into account our clients are obviously security conscious, since they are hiring an expensive consultant to help them, those numbers were ludicrous.

On second thought, the computers that Kaspersky was monitoring likely were under the broad ICS definition. They were likely building automation systems, that are often on the corporate network, and low value ICS. Whereas, I typically work with ICS that run power plants, pipelines, large manufacturing plants, large water systems, etc.

This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy.

Mounting Confusion
There are even more important areas where this large ICS category inhibits effective communication and action including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.

DHS decided that medical devices, including those implanted in humans, are ICS. It’s going to be very difficult to proceed with solutions that encompass both an implanted medical device and a turbine DCS and safety system, except in the broadest, and not particularly helpful way.

I’ve had an ongoing disagreement with ARC on their term Industrial Internet of Things (IIoT). At first I thought they coined this to cover IoT devices and systems that connect with what was traditionally called ICS. No. IIoT, in their definition, includes everything that existed in the ICS world plus everything new in the IoT world that is industrial-related. Unlike the term Cyber Hygiene that we need to kill before it takes root, ICS and IIoT are likely here to stay and are as good as any to describe a broad category similar to the term Enterprise. They are not sufficient or helpful for productive discussions.

ICS/IIoT Taxonomy Needed
The taxonomy doesn’t need to be perfect or overly detailed; it’s purpose is to assist in effective communication.

Here are some possible categories:
• Value – what would be the consequence if integrity or availability of the ICS/IIoT is compromised?
• Architecture – classic Purdue model, IoT, classic + cloud?
• Maturity of ICSsec program – huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
• Sector/System Type – This is the most obvious category. There are some sectors and systems that are homogenous while others, such as the chemical manufacturing, that have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, Sector 2 systems should deploy these security controls or have these threats.
• Your category here … this is far from a complete list of possibilities.

The bundling of more and more sectors and systems into ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS.

We need an ICS/IIoT taxonomy.

Dale Peterson is the founder, chief executive and head catalyst of industry security provider Digital Bond. He also founded the well-regarded ICS-related S4 conference. This year’s S4x19 ICS Security Event will be held January 14-17 in Miami, FL’s South Beach.



Leave a Reply

You must be logged in to post a comment.