ICS Information Security Assurance Framework 21

ICS Information Security Assurance Framework 21

March 17, 2020 | Adeline Zhang

What to Expect for ICS Security in the Coming Years

With the policy guidance of various ministries and commissions under the State Council, related  financial support, and the increased emphasis on ICS security by ICS enterprises, the ICS information security will get on the fast track of development. With the advancement of “one network, one database, and three platforms” proposed by the Ministry of Industry and Information Technology (MIIT), the introduction of Classified Protection of Information System Security 2.0 , and the introduction of Critical Information Infrastructure Security Protection Regulations , industrial security will see a very good opportunity for development.

Industrial enterprises have experienced the following three stages in developing industrial control security:

1. Security assessment stage driven by compliance and security events;

2. Pilot construction and lessons learned stage to find solutions and methods;

3. Stage of large-scale application upon promotion with a mature model.

At the current stage, with further regulatory requirements, the application of industrial security in various industries has begun to scale up from sporadic pilots and demonstrative applications. In
some industries such as the electric power industry, especially the power generation industry and rail transportation industry, regional large-scale deployment and application have emerged. From the perspective of the industrial control security development, large-scale deployment and application is still a long time effort. Currently, stimulating industrial security with pilots is a big trend of industrial security.

At present, the core technology of industrial control security has not been effectively addressed. The technical development has entered a bottleneck period, witnessing serious product homogeneity. Technical bottlenecks lead to small product function differences. Therefore, vendors are facing an intense competition in a narrow space with few market yields. The industrial control security technology still needs a new round of innovations. Whether incorporating techniques of IT information security or constructing the technology of its own characteristics, industrial control security needs to reflect characteristics of industrial control systems. How to effectively integrate the unified security technical methods of IT+OT into industrial control security capabilities should also be taken into consideration.

Technically, the association between lightweight, undisturbed, business data collection and security data collection should be taken into consideration, and so are the differences of application in various industries, extraction of common technologies, and application of heterogeneous technologies.

Controller vendors, another important participant, have also attached more importance to industrial control security. On the one hand, they add relevant security features to their own control systems, forming “inherent security functions”. On the other hand, they have enlarged cooperation with security enterprises, in a bid to jointly promote security solutions matching their own business characteristics and attributes.

As for security capability building, integration with the business management platform, integration of security and business data collection, platform-level data exchange and sharing, and comprehensive business fault diagnosis and analysis will be a development trend of industrial control security in the future. In the building process, security data and business data need to be translated and interpreted, forming an effective “exchange mechanism”. The bridge and channel between security data content and business data content need to be gradually set up. In this way, business channels will provide effective data for security, which, in turn, provides effective support for business guarantee.

At the same time, in the major trend of industrial information transformation and extensive interconnection, due to the convenience and cost advantages of interconnection, the enclosed model
of original industrial systems will be gradually broken and new business application forms will bring new security risks, such as cloud security risks, edge security risks, and plant-level security risks. With an eye to the future, industrial information security is bound to be comprehensive security, covering cloud security, border security, control security, and data security. The value of security should also be reflected in its role of promoting business, which conforms to industrial attributes and characteristics.

Abbreviations

References

[1] https://me-en.kaspersky.com/about/press-releases/2016_91-1–of-vulnerable-industrial-control-systems-likely-belonging-tolarge-organizations
[2] https://ics-cert.kaspersky.com/reports/2018/09/06/threat-landscape-for-industrial-automation-systems-h1-2018/#_Toc523849948
[3] https://ics-cert.us-cert.gov/advisories
[4] https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/NCCIC_ICS-CERT_2016_Annual_Vulnerability_Coordination_Report_S508C.pdf
[5] ICS-CERT Annual Vulnerability Coordination Report, https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/NCCIC_ICSCERT_2016_Annual_Vulnerability_Coordination_Report_S508C.pdf
[6] https://www.fireeye.com/blog/threat-research/2018/10/ics-tactical-security-trends-analysis-of-security-risks-observed-in-field.html