ICS Information Security Assurance Framework 3

ICS Information Security Assurance Framework 3

January 17, 2020 | Adeline Zhang

Development of ICS Information Security

Since the Stuxnet virus explosion, countries all over the world have taken ICS security issues to a new height by actively working out and introducing related policies, standards, technologies, and solutions.

A look into ICS security developments around the world reveals that the USA is the first to research and implement ICS security standards. North America Electric Reliability Corporation has conducted security checks on electric power (including nuclear power) enterprises according to requirements defined in CIP series standards. Europe has inspected security of industrial control products in accordance with WIB standards. Some counties represented by Germany are diverting their efforts to ICS security in compliance with ISO 27009. Japan, in line with requirements of IEC 62443 and Achilles Certification, stipulated in 2013 that all ICS products can be applied in the country only after they are certified by national standards. Also, this country has conducted ICS security checks and construction in energy, chemical, and other critical sectors. Israel has set up a state-level ICS product security inspection center to perform security inspection on ICS products before they are connected to networks.

As a leader in information industry development, the USA has attached great importance to ICS security since long ago, as demonstrated by the following: made national security a top national priority in 2003; took ICS products as critical infrastructure that should be put under special protection in 2008; issued the Strategy for Securing Control Systems in 2009, covering ICS security in 14 sectors such as energy, electric power, and transportation; set up the Industrial Control Systems Cyber Emergency Response Team under CERT (ICS-CERT) in 2009 to monitor ICS-related security incidents, analyze vulnerabilities and malicious code, and provide data support for incident response and forensics analysis.

By launching information products, releasing security bulletins, and sharing vulnerability and threat information, ICS-CERT monitors for ICS security incidents, analyzes the ICS security posture,
and releases security reports to the public on a quarterly basis. The U.S. Department of Homeland Security (DHS) has initiated the Control System Security Program (CSSP) to use ICSs to emulate a simulation platform to perform vulnerability analysis and verification for ICS products by conducting assessment both in the field and laboratory. The National Institute of Standards and Technology (NIST) and Department of Energy respectively issued the Guide to Industrial Control Systems (ICS) Security (SP800-82. The latest revision was released in 2013) and 21 Steps to Improve Cyber Security of SCADA Networks and other documents concerning security development standards and best practices.

Meanwhile, traditional information security vendors such as Symantec, McAfee and Cisco, traditional ICS vendors like Rockwell Automation and General Electric Company, as well as some emerging professional ICS security vendors have done intensive research, practice, and industrialization work regarding ICS security protection to provide excellent products and services, and have thus, by and large, secured a leadership position around the world.

However, ICS informatization, intelligence, and security issue resolving cannot be supported without support from ICS vendors. In Europe, ICS providers, represented by Siemens and Schneider Electric, provide security products, services, and solutions for customers. For instance, Siemens sets up an ICS security laboratory and provides ICS security advisory services, training, and products like ICS firewall. In the ICS realm, Siemens and Schneider Electric have absolute technology and market advantages, which enable them to dominate the ICS security realm for a long time in the future.

Among professional ICS security vendors, Tofino, a Canadian company, relies on its well-known ICS firewall to become a leading ICS security vendor to provide products that are widely applied in various sectors including the petrochemical sector. With a fuzzing test tool for vulnerability discovery, Codenomicon has gained a leading position in the ICS security realm. Meanwhile, some open-source organizations also provide ICS security tools, including Nessus which is available in both professional (paid) and evaluation versions (free of charge). The professional version can use related ICS security plug-ins for detection and assessment of vulnerabilities in SCADA systems or PLC control devices.

As far as international standard research in ICS security is concerned, IEC/TC65/WG10 and the ISA 99 committee jointly developed IEC 62443 standards in 2007 which has been revised and renamed the Industrial Process Measurement, Control, and Automation-Network and System Information Security in 2011. This series of standards is divided into four parts which involve 12 documents in total:

  • IEC 62443-1-1 Terminology, Concepts and Models
  • IEC 62443-1-2 Master Glossary of Terms and Abbreviations
  • IEC 62443-1-3 System Security Compliance Metrics
  • IEC 62443-2-1 Establishing an Industrial Automation and Control Systems Security Program
  • IEC 62443-2-2 Operating an Industrial Automation and Control Systems Security Program
  • IEC 62443-2-3 Patch Management in the IACS Environment
  • IEC 62443-2-4 Certification of IACS Supplier Security Policies and Practices
  • IEC 62443-3-1 Security Technologies for IACS
  • IEC 62443-3-2 Security Assurance Levels for Zones and Conduits
  • IEC 62443-3-3 System Security Requirements and Security Levels
  • IEC 62443-4-1 Product Development Requirements
  • IEC 62443-4-2 Technical Security Requirements for IACS Components

To avoid conflicts, IEC 62443 standards have also integrated the WIB standard developed by an oil and gas organization from the Netherlands and the NERC-CIP standard enacted by National Electric Reliability Council (NERC). Research based on IEC 62443 standards is exemplified as follows:

  • In 2010, the USA initiated the ISA 99 industrial infrastructure certification program by setting up a laboratory in Nevada to do research in ICS vulnerability discovery, detection, and verification.
  • In 2013, Japan conducted security verification for ICSs based on IEC 62443 standards before such systems went live.
  • In 2015, IEC built a network security assessment system for ICS manufacturers, suppliers/system integrators, and operators/asset owners, as per IEC 62443 standards. This system provides
    network security verification for products, processes, and personnel, verifying that they conform to security requirements defined in IEC 62443 standards in a bid to provide security guarantee for asset owners.

To be continued.