Strategy for Securing Control Systems

Tuesday, July 13, 2010 @ 03:07 PM gHale

The country, much less the world, depends on the continuous and effective performance of an interconnected critical infrastructure to sustain a modern way of life.
It is really that simple. At least in the U.S., this infrastructure, owned mainly by the private sector, consists of critical infrastructure and key resource sectors as identified in the National Infrastructure Protection Plan (NIPP). These sectors include Energy, Chemical, Banking and Finance, Water Treatment, Postal and Shipping, Agriculture and Food, Defense Industrial Base, Commercial Nuclear Reactors, among others.
Although each of the critical infrastructure industries is vastly different, they are all dependent on control systems to monitor, control, and safeguard vital processes. With that in mind, the U.S. Department of Homeland Security’s (DHS) goal is to protect and secure control systems. [private]
Industrial control systems perform various functions and vary in lifecycle duration throughout the nation’s critical infrastructure.
Much of the industrial control systems used today started operations during an era when security received low priority. Actually, security was not a high priority because of the proprietary nature of the individual systems.
However, in today’s open communications environment, industrial control systems are now highly network-based and use common standards for communication protocols. Owners and operators have gained immediate benefits by extending the connectivity of their industrial control systems. This connectivity does expose networks to cyber infiltration and subsequent manipulation of sensitive operations.
Not only that, but sophisticated cyber attack tools can exploit vulnerabilities in commercial industrial control system components, telecommunication methods, and common operating systems found in modern industrial control systems.
The Department’s National Cyber Security Division (NCSD) created the Strategy for Securing Control Systems as part of the overall mission to coordinate and lead efforts to improve control systems security in the nation’s critical infrastructures.
The primary goal of the Strategy is to build a long-term common vision where effective risk management of control systems security is possible. Implementing the Strategy will create a common vision with respect to participation, information sharing, coalition building, and leadership. Its implementation should improve coordination between the government and private-sector, thereby reducing risks to control systems.
The plan leverages the risk management framework and partnership model described in the NIPP, by providing a path forward for coordination between owners, government, and industry associations.
The control systems security strategy has two principal components: (1) a new entity known as the Industrial Control Systems Joint Working Group (ICSJWG), and (2) an expanded Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), managed by the Control Systems Security Program (CSSP), that provides recognized cyber incident response and analysis capabilities in conjunction with the United States Computer Emergency Readiness Team (US-CERT).
The ICSJWG consists of two subgroups, one for coordination with government stakeholders and the other for private sector stakeholders and partnerships. The ICSJWG coordinates and builds upon the NIPP partnership framework for control systems security efforts by leveraging activities sponsored by members of the Government Coordinating Councils and/or Sector Coordinating Councils.
The ICS-CERT provides a control system security focus in collaboration with US-CERT and the private sector critical infrastructure by expanding the technical and response capabilities and coordination for situational awareness, incident response, and vulnerability management. The focus on control systems cyber security provides a direct path for coordination of US-CERT with the stakeholders; recognizing that control system security issues are unique.
The following is the Strategy for Securing Control Systems. [/private]

Leave a Reply

You must be logged in to post a comment.