IT security for industrial control systems covers the protection of all systems in an industrial operation. SCADA (Supervisory Control and Data Acquisition) is a key issue here. SCADA systems are often reachable over the Internet, which exposes them to attacks. The operators are frequently overwhelmed: the SCADA engineers do not feel responsible for the IT, and the IT administrators, who previously managed office networks, do not know the special requirements of a SCADA network.
Because of the often long lifetime of an industrial plant and the difficult patch situation, a higher level of security infrastructure must be provided when setting up a SCADA network. This includes in particular firewalls and intrusion detection systems (IDS). But technology alone is far from enough: security must be "managed".
Security is a process
Although control systems do not change as fast as the rest of IT, changing conditions must be taken into account here as well.
Not only are new weaknesses in software and hardware found, but systems are also changed and extended. Even a change in the ordinary office network can represent a new threat to the SCADA network. Security must therefore be checked and adjusted at regular intervals. So that nothing is forgotten during such a review, it is worth using standards or other guidelines that describe exactly what to test and how. There are a number of international descriptions that can also be applied well in the European market. An adaptation of the well-known IT-Grundschutz of the Federal Office for Information Security (BSI) is under discussion. Whatever the orientation, the whole process has to be well planned and monitored.
IACS Security Management System (ISMS)
The IT Security Act requires operators of critical infrastructures above a certain size to ensure that the IT security of their systems is set up and permanently checked and improved. An IACS security management system (I-SMS) is required for this. In the IT area, the construction and operation of such a system are described by the ISO 27001 standard.
There are a number of best practices in the field of industrial control systems. The most promising approach is the IEC 62443 standard. In parts this standard is based heavily on ISO 27001. If an information security management system (ISMS) according to ISO 27001 already exists for IT, there are many synergies with IEC 62443-2 that can be used or added comparatively easily. The standard addresses operators, integrators and manufacturers and forms a holistic approach to IT security in the IACS.