A building’s control systems are compromised when its operations, personnel, and/or technology present weaknesses or vulnerabilities
that malicious threat actors can take advantage of through intent, capability or simple opportunity. Managing such risks is
a company-wide commitment.
Activities by such intruders can:
- Interrupt operations, forcing systems to stop
- Capture and modify data, including employee information, control data, and alarm data
- Store inaccurate data in station databases and histories
- Prevent systems from issuing alarms
- Interfere with communication between remote devices and the dashboard used to monitor them potentially causing life-threatening
harm
Defending against these threats requires technology, best practices and rigorous standards. “Organizations must constantly
adjust and refine security countermeasures to ensure protection against known and emerging threats” (From: “Recommended Practice:
Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies,” which is available at the Homeland Security-sponsored
web site: https://ics-cert.us-cert.gov). This paper recommends “layers of monitoring and protection based on the business’s
exposure to cybersecurity risks.”
The precautions your company needs to take against such threats depend on management’s ability and willingness to implement
security measures. The process begins with recognizing the threats, understanding the technology provided by the Niagara Framework
to mitigate the threats, and articulating a reasonable definition of acceptable risk. This document summarizes the security
features of the Niagara Framework. The white paper, mentioned above, recommends a three-pronged approach to risk assessment:
- The organization sets the company’s risk management strategy: establishing risk-analysis methodologies; identifying mitigation
measures; articulating the level of risk (risk tolerance) to accept; establishing on-going risk management procedures; and
specifying who will oversee the company’s risk management strategy.
- Based on the company’s strategy, business processes need to be put in place: defining core functions; prioritizing functions;
identifying needed information, interdependencies and information flows; developing security requirements; and identifying
who should be involved with what aspects of the implementation.
- Implementation is based on the life-cycle of a threat: identifying, protecting, detecting, responding, and recovering.
The
Niagara Framework provides multiple levels of security for industrial control system operations. Even if your company has not yet developed
a top-down security strategy, you should take advantage of all framework security features, retrofitting procedures in legacy
systems and implementing robust security mechanisms in new systems.