Achieving ICS Resilience and Security through Granular Data Flow Management

Modern Industrial Control Systems (ICS) rely on enterprise to plant floor connectivity. Where the size, diversity, and therefore complexity of ICS increase, operational requirements, goals, and challenges defined by users across various sub-systems follow. Recent trends in Information Technology (IT) and Operational Technology (OT) convergence may cause operators to lose a comprehensive understanding of end-to-end data flow requirements. This presents a risk to system security and resilience. Sensors were once solely applied for operational process use, but now act as inputs supporting a diverse set of organisational requirements. If these are not fully understood, incomplete risk assessment, and inappropriate implementation of security controls could occur. In search of a solution, operators may turn to standards and guidelines. This paper reviews popular standards and guidelines, prior to the presentation of a case study and conceptual tool, highlighting the importance of data flows, critical data processing points, and system-to-user relationships. The proposed approach forms a basis for risk assessment and security control implementation, aiding the evolution of ICS security and resilience.

[1]  Marina Krotofil,et al.  A Rising Tide: Design Exploits in Industrial Control Systems , 2016, WOOT.

[2]  David Hutchison,et al.  Socio-Technical Security Analysis of Industrial Control Systems (ICS) , 2014, ICS-CSR.

[3]  Jose M. Such,et al.  Assurance Techniques for Industrial Control Systems (ICS) , 2015, CPS-SPC '15.

[4]  Edward Humphreys,et al.  Information security management standards: Compliance, governance and risk management , 2008, Inf. Secur. Tech. Rep..

[5]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティ管理策の実践のための規範 : ISO/IEC 27002 = Information technology-Security techniques-Code of practice for information security controls : ISO/IEC 27002 , 2013 .

[6]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .

[7]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[8]  Andrew Jones,et al.  Risk Management for Computer Security - Protecting Your Network and Information Assets , 2005 .

[9]  Arun Khosla,et al.  Intelligent Security System for HMI in SCADA Applications , 2012 .

[10]  Nils Ole Tippenhauer,et al.  SWaT: a water treatment testbed for research and training on ICS security , 2016, 2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater).

[11]  W. Kastner,et al.  The Evolution of Factory and Building Automation , 2011, IEEE Industrial Electronics Magazine.

[12]  Ron Ross Managing Enterprise Security Risk with NIST Standards , 2007, Computer.

[13]  Herbert J. Mattord,et al.  Principles of Information Security , 2004 .

[14]  Joint Task Force Transformation Initiative,et al.  Security and Privacy Controls for Federal Information Systems and Organizations , 2013 .

[15]  Sylvain Frey,et al.  Testbed diversity as a fundamental principle for effective ICS security research , 2016 .

[16]  David Hutchison,et al.  Design and construction of an Industrial Control System testbed , 2014 .