ISACA, the US-based association for IT, has published a new guide about the cybersecurity threat for industrial control systems (ICS). Titled “Industrial Control Systems: A Primer for the Rest of Us,” the guide takes a look at ICS and why security practitioners face a daunting challenge in defending an infrastructure that is often full of antiquated technology.
According to the guide, ICS were never intended to be interconnected, but are now more vulnerable because of their convergence with traditional information and communications technology (ICT). The guide discusses the differences and similarities between ICS and IT; ICS has an operational focus and IT is system or task-specific. Regardless of their differences, threat agents and attack vectors are the same for both systems.
A section called “Defining Industrial Control Systems” provides an in-depth overview of what comprises today’s ICS—generally understood as systems such as electricity, water and energy production as well as manufacturing and distribution. It defines:
Architecture and all of its components
Distributed Control Systems (DCS)
Supervisory Control and Data Acquisition (SCADA) Systems
Process Logic Controllers (PLC).
Robert E Stroud, CGEIT, CRISC, international president of ISACA and vice president of strategy and innovation at CA Technologies, said: “ICS were originally designed to perform tasks in environments that were separate and apart from traditional IT systems. In today’s environment, understanding IT risk and governance principles is increasingly critical to the ICS community, especially in converged enterprises.”
The guide suggests there are great advantages to creating and sustaining cross-functional teams between ICS and IT cybersecurity professionals. This scenario will help both teams leverage development and execution of enterprise cybersecurity strategies.
“Industrial Control Systems: A Primer for the Rest of Us” is available for free download at www.isaca.org/ics.
