There is a pressing need to improve cyber security in Industrial Control System (ICS) environments to avoid future breaches that could impact critical national infrastructure, concludes CREST, the not-for-profit accreditation body representing the technical information security industry, in its latest position paper, ‘Industrial Control Systems: Technical Security Assurance’. In addition to identifying several key technical challenges, the report suggests that increased technical security testing could go a long way towards achieving higher levels of security assurance.
The report proposes a model for gaining greater assurance in ICS environments based on the findings of a research project. The project’s goal was to identify the main challenges and possible solutions for protecting today’s Industrial Control Systems, many of which are based on older legacy technologies.
One of the key findings in the report is the absence of the periodic, standards-based technical security testing that is commonplace in many other industries. Because of this, ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed, and at present there is no definitive standard for testing ICS environments that is mandated by regulatory bodies. The fact that ICS environments are rapidly changing also leads to a higher degree of exposure.
“ICS environment owners require assurances that risk is being identified, assessed and evaluated. Above all else they need to know that there are appropriate measures in place to manage and mitigate risk,” explained Ian Glover, president of CREST. “Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organizations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”
“This position paper is supporting the work CREST is doing in many parts of the critical national infrastructure in the rollout of intelligence-led penetration testing,” added Glover.
CREST is now looking to expand on this initial ICS research to develop detailed guidance material that can be used by specialists to help secure ICS environments, in particular those that make up the Critical National Infrastructure. You can obtain a .pdf version of the full report by clicking here:
For more information contact: Allie Andrews, [email protected]
