The loss of control of and Industrial Control System can have a deep impact on people and environment.
The EU has identified the critical infrastructures – that include energy and water networks, chemical substances and transportation networks – as areas to be regulated
While todays’ cyber threats are mainly aimed to automation systems, the threats’ continuous evolution identifies the necessity of a double defence, cyber security and functional safety.
The Industrial Automation Control System (IACS) need to implement its’ Security to protect its’ Functional Safety.
Without security measures, security functions can be compromised.
If IACS performs safety functions, a cyber attack can surely be a hazard, therefore there is the necessity to develop IEC 62443 standards’ Security Control Systems in order to:
- Reach security against external threats
- Protect data and increase security
- Increase system reliability
XEFRACERT can support its clients in:
- security develop Information Security risk assessment procedures
- risk assessment procedure’s staff training
- threats’ modelling
- Identifying Cyber security’s (SL) Targets
- Cyber security Vulnerability Assessment implementation
- existing countermeasures’ assessment
- penetration tests’ campaign implementation
- products’ verification and validation
Here under, some examples of IACS:
- Industrial Control Systems (ICS), incl. Distributed Control Systems (DCS)
- Programmable Logic Controllers (PLCs)
- Remote Terminal Units (RTUs)
- Intelligent Electronic Devices (IEDs)
- Supervisory Control and Data Acquisition (SCADA)
We have different Security Levels:
Security Level 0 (SL0) No protection requirements.
Security Level 1 (SL1) Protection against casual or coincidental violation.
Security Level 2 (SL2) Protection against intentional violation using simple means with low resources, generic skills and low motivation.
- Networked Electronic Sensing & Control and Monitoring & Diagnostic Systems (includes Safety-Instrumented Systems (SIS))
Security Level 3 (SL3) Protection against intentional violation using
- sophisticated means with moderate resources, system specific skills and moderate motivation.
- Security Level 4 (SL4) Protection against intentional violation using sophisticated means with extended resources, system specific skills and high motivation.
The followings steps are part of a SA (Security Assessment – SA):
Step 1: establish Security Capability (i.e. Management)
Step 2: establish a Risk Target: establish the risk to be addressed by means of techniques such as formal hazard identification: set maximum tolerable failure rates
Step 3: identify Related Countermeasure(s) for each hazardous event
Step 4: establish SL for the IACS (@ component or system level)
Step 5: threat analysis, risk assessment
Step 6: connection port scanning, penetration testing, fuzz testing, communication port load testing and binary code scanning.
Step 7: assessment against the target SL
Step 8: establish Residual Risk