GRD Journals- Global Research and Development Journal for Engineering | Volume 4 | Issue 1| December 2018 ISSN: 2455-5703
Industrial Control Systems (ICS) Deployment Challenges Ashish Yadav IT Security Consultant Department of Information Technology CERT INDIA
Abstract Industrial Control Systems (ICS) are used for controlling, operating and monitoring industrial processes. That current ICS infrastructures and elements are not amply secured against cyber threats in context of security. Woefully, due to the specific nature of these systems, the application of common security counter-measures is often not effective. We suggest building tools and mechanisms to improve the security and awareness in ICS. We discuss challenges and opportunities identified during a comprehensive analysis of ICS data system resources. Industrial processes are more exposed to cybersecurity risks through a range of vulnerabilities in software and hardware technologies as well as weaknesses inherited from the legacy design of ICS networks. Keywords- Industrial Control Systems, Apparatus Security Controls, Data Leakage, Security Controls, SCADA (Supervisory Control and Data Acquisition) Systems, RTUs (Remote Terminal Unit), PLCs (Programmable Logic Controllers) and DCSs (Distributed Control Systems)
I. INTRODUCTION Cybersecurity challenges are also increasing within sequential and current plants and other big infrastructure systems, infrastructure systems required secure control systems and management to ascertain safe, reliable development and operation. These systems are important to the uninterrupted operation, control, evaluation to provide an overall view into the operation management of industrial processes globally. Industrial Control Systems can reckon in any or all of the following components: – DCSs (Distributed Control Systems) – PLCs (Programmable Logic Controllers) – RTUs (Remote Terminal Unit) – SCADA (Supervisory Control and Data Acquisition) systems These Industrial Control Systems (ICS) continue to be Improvise, adapt, overcome, improved and replaced, and the technology that exist between various Industrial Control Systems (ICS) components regularly. Industry or Organizations which use Industrial Control Systems (ICS) face a significant anomaly based on the requirement which need regular or continuous improvement with process efficiency, policy, productivity, regulatory compliance and security with safety of Industrial Control Systems (ICS) continues to increase.
II. INDUSTRIAL CONTROL SYSTEMS (ICS) DEPLOYMENT CHALLENGES Step 1: Classification of Information System Step 2: Choose Security Controls Step 3: Implement Security Controls Step 4: Evaluate Security Controls Step 5: Approve Information System Step 6: Monitor Security Controls
All rights reserved by www.grdjournals.com
1
Industrial Control Systems (ICS) Deployment Challenges (GRDJE/ Volume 4 / Issue 1 / 001)
Fig. 1: Industrial Control Systems (ICS) Deployment Challenges
A. Step 1: Classification of Information System Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Remote Terminal Unit (RTUs) and Supervisory Control and Data Acquisition (SCADA) systems are the Control system component have Challenges like Non-conjunction tracking, upgrade the Legacy systems, I/O modules upgrade Scaling, Integrating multiple process unities, Steady-State detection, Multi-scale optimization and Dynamic Real Time Optimization. [1] 1) DCSs (Distributed Control Systems): The sensor input-output can be controller or pointed remotely by a Zonal network. Controllers currently available have comprehensive computational capabilities with summation to continuous process wise control, with this it’s also perform sequence and logic control. Distributed Control Systems are to pivot organisation operations to give additional like control, reporting and monitoring of particular processes and components at a given place. 2) PLCs (Programmable Logic Controllers): Programmable Logic Controllers (PLCs) are central computers systems that command and control industrial robots perform their responsibilities. (PLCs) are designed to take multiple input and output commands, these computers used to control machinery by incessantly monitoring input and output systems., digital computers full fill the need, which may be programmed to do a variety of Techno-logical functions. 3) RTUs (Remote Terminal Unit): Remote Terminal Unit is a type of micro-processor-based computing device used in industrial control systems (ICS) to integrate many hardware to Distributed Control Systems (DCS) or Supervisory Control and Data Acquisition (SCADA). [2] 4) SCADA (Supervisory Control and Data Acquisition) systems: SCADA stands for supervisory control and data acquisition. It is a type of S/w application program for implement control. SCADA is a central control system which consist of control various network, communication equipment’s, I/O, and software. SCADA systems are used to monitor and control the appliance in the industrial process which reckon manufacturing, production, development, etc. B. Step 2: Choose Security Controls Industrial Control Systems (ICS) are empowering industries to monitor and control the critical infrastructure remotely over the internet. This allow the comfort in context of control management, permitting for a distributed workforce with real time monitoring and control. This enable to create a big security concern, producing a real need for security testing, auditing, and monitoring. [3] 1) The proper incident management system in context of ICS security. 2) The Deployed system proper information’s with components in context of ICS security. 3) ICS cybersecurity control policies implementation 4) ICS trust the components or devices output 5) IT security protection mechanism causing more problems 6) Appropriate information of dedicated system and network access 7) Threat and risk assessment with the incident management capabilities in place
All rights reserved by www.grdjournals.com
2
Industrial Control Systems (ICS) Deployment Challenges (GRDJE/ Volume 4 / Issue 1 / 001)
C. – – – 1) 2) 3) 4) 5) 6)
Step 3: Apparatus Security Controls Confidentiality: controlling who gets to read or study information. Integrity: confirming that information and system programs are altering only in an appointed and authorized way. Availability: assuring that authorized appropriator have continued successful access to information and system resources. [4] Improving Industrial Control Systems (ICS) information security with Defence-in Depth Plans: Establishing Network Segmentation, Firewalls, and DMZs. Remote Access for Industrial Control Systems Must Use the VPNs and Encryption in Securing Communications: must put the controls for Authentication, Authorization, and Access Control for Direct and Remote Connectivity System components Patch Management for Control Systems Implement the security in the context of establishing a Secure Topology with Architecture basis. Implement the security in the basis of Asset, Vulnerability, and Risk Assessments: VAPT and Common Vulnerabilities in Critical Infrastructure Control Systems. Security Awareness and Training for all workers
D. Step 4: Evaluate Security Controls Organisation or system must to evaluate their Security Controls for Vulnerabilities and take corrective and preventive measures on basis of which the existing security controls have been implemented for protecting the infrastructure. [5] 1) Evaluate Vulnerability-Threat-Risk Assessment. 2) Evaluate Network Architecture (with Security Devices in place and position). 3) Evaluate International Standards applied. 4) Evaluate Organisational Policies. 5) Evaluate set of security policy covers (Crisis Management Plan (CMP), IT (Information Technology) and OT (Operation Technology) Sub-policies, Access Control Policy, Maintenance Policy, Personnel Security Policy, System and Services Acquisition Policy, Media Protection Policy & Procedures, System Control and Integrity Policy, Security Assessment Policy, Cryptographic Policy, Risk Assessment Policy, Mobile Phone Policy, Wireless Network Policy, BCP(Business Continuity Plan) Policy & Procedures, Change Control Policy & Procedures). E. Step 5: Authoritative Approval of Information System Operations The authorizing official grants Authorization to Operate (ATO) to authorize the system operation based on an intensification of the residual risks to organizational system operations. The acceptance level of risk is added to the authorizing official, as decision maker is taking all the accountabilities for accepting that risk. [6] Define the status of system-specific settings, who will maintain these systems? who will perform back-up for these systems? who will be authorised to modify these systems? The "need to know" or "least privilege" principle to access right discontinuity, and endorse the law of "access only granted if specifically, authorised" for system access. Secure boot process and mechanisms for preventing unauthorized changes to the software like firmware etc. Furnished your organization is to monitor and recognized unauthorized changes Identify Threats by implementing the conditions and mechanisms established for authorized individuals to access the ICS systems from an external system, Find Unauthorized access (malicious or accidental), Find Misuse of information (or privilege) by an authorized user, etc. – Define system and critical network access privileged. – Put the limit to access the critical host file changes, unauthorized and authorized client connection activity, and ad-hoc and network creation. – Find out only known authorised protocols permitted to access and execute. – The unauthorized system scanned activity for wireless access points must have to take appropriate if such access points are discovered. – Record and Inventory of authorized and unauthorized systems, software and devices. Only known systems, software and devices are being utilized. F. Step 6: Monitor Security Controls The continuous auditing with regular monitoring provides to the organizations more transparency through accurate, timely reporting practices. Continuous vulnerability assessment with counterbalancing, system Account monitoring and access control, Controlled use of level privileges, Maintenance, monitoring and analysis of security audit logs, Secure configurations for network devices (e.g. firewalls, routers, switches), Limitation and control of network ports, protocols and services, Data leakage or loss prevention mechanism [7] The system and network design combined with appropriate controls over data flows between the different domains defined and minimize the damage caused by any possible threat of a device in a given system or infrastructure. Secure system configurations for hardware and software on workstations and servers. Record all known vulnerabilities which need to eliminate and reduce the risk level across the network and make sure proper audit logging is in place. The security controls selected based on the security arrangement and grouping of the ICS are appropriately documented in the security strategically to provide a verification of the security needs for the ICS information security program and describes
All rights reserved by www.grdjournals.com
3
Industrial Control Systems (ICS) Deployment Challenges (GRDJE/ Volume 4 / Issue 1 / 001)
the security controls in place for meeting those requirements. The development of security plans is addressed in NIST Special Publication 800-18 Revision part 1, Guide for Developing Security Plans for Federal Information Systems. [8]
III. CONCLUSION Due to these proper suggest secure design of Industrial Control Systems (ICS) networks and system need an implementation of basic security controls like authentication and encryption, so the most ICS based attacks are not able to exploit software and system vulnerabilities. ICS defence need to implement an active threat-mitigation process with log monitoring of devices and system network traffic activity and also monitor the behaviour to identify patterns and threat indicators of possible attack and take appropriate action before it damages Industrial Control Systems (ICS).
REFERENCES [1] incibe.es, https://www.incibe.es/extfrontinteco/img/File/intecocert/ManualesGuias/incibe_protocol_net_security_ics.pdf, may 2015. [2] slcontrols.com, "security-challenges-of-industrial-automation-control-system," pp. https://slcontrols.com/security-challengesof-industrial-automation-control-systems/. [3] https://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges. "pp. https://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges. [4] staffmanagement.com, "the-challenges-of-increased-automation-and-systematic-controls,"pp. https://www.staffmanagement.com/the-challenges-of-increased-automation-and-systematic-controls/. [5] andrew.cmu.edu, p. https://www.andrew.cmu.edu/user/md4l/practices/Recommended_Practices.html. [6] citeseerx.ist.psu.edu, "citeseerx.ist.psu.edu,"p. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.348.6796&rep=rep1&type=pdf. [7] information-age.com, "information-age.com," pp. https://www.information-age.com/risks-facing-industrial-control-systemsreach-all-time-high-123467315/. [8] N. S. P. 800-18, "NIST Special Publication 800-18," pp. NIST Special Publication 800-18.
All rights reserved by www.grdjournals.com
4