Top five hurdles to security and compliance in industrial control systems
by Jacob Kitchel - Sr. Manager of Security and Compliance Industrial Defender - Thursday, January 24, 2013.
For many decades, Industrial Control Systems (ICS) have been the operational systems relied upon to safely and reliably deliver the essentials of daily life. Sometimes referred to as a Critical Infrastructure, they are the backbone of a modern economy. With these systems generally working well, there has been little need to make major changes to them. There has been innovation and some incremental changes, but in the ICS world, it has largely been ‘business as usual.’

That’s very different than other industries and sectors, such as enterprise IT, where seismic technology shifts seem to occur about every two years. Change in industrial control environments has been handled at a more measured pace and with a lot more caution.

There are several good reasons for this. The first is that the processes these systems control are usually very large and critical to the general public and the normal functioning of society. They support the provisioning of essentials like electricity, water, oil and gas and other basics.

If these systems go down, people’s health and safety are quickly put at stake. For that reason, reliability and availability have long been the overriding priorities in the design and operation of these systems, making broad-based changes in these environments a real challenge. That’s why slow, methodical and incremental change has been the norm for so long.

Another reason why ICS and Supervisory Control and Data Acquisition (SCADA) environments have not seen a more rapid rate of change was because it was not needed. Designed for a simpler era, automation systems typically were designed as proprietary (closed) systems and were implemented in isolated settings, both physically and electronically.

For many years, these systems successfully controlled industrial processes without requiring direct connections to enterprise networks, the Internet, or too much else for that matter.

But the time has come to upgrade or replace these aging systems. There are now compelling reasons to connect these systems to corporate networks and the Internet. As those connections are made, the isolation – or ‘air gaps’ – that protected these systems disappears. The long-standing strategy of ‘security through obscurity’ no longer holds up. In addition, corporate and operations staffs have other realities and requirements to consider, including:
  • Shifting from proprietary to open, standards-based solutions can lower costs, increase operational flexibility and avoid vendor lock-in
  • Generating real-time business intelligence from operational data can enhance service delivery
  • Improving the effectiveness of automation systems drives new efficiencies into the industrial processes they control, yielding better performance and results
  • Ensuring that the operational health and safety levels of the systems and processes are continually maintained.
Another major change that ICS and SCADA system professionals must manage is the explosive growth in the number of intelligent endpoints in industrial environments. In rapidly growing industry segments such as the Smart Grid, the numbers and types of networked and IP-enabled devices is increasing exponentially. This array of issues, including economic, operational and technological drivers, is forcing automations systems professionals to grapple with much more change at a much faster pace than ever before.

The following are five of the major hurdles that critical infrastructure and industrial process companies often face as they move forward with initiatives to modernize their control environments.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th