Positive Trends but No Universal ICS Security

Because basic documentation and structuring elements such as network plans are still missing, many companies are unable to properly assess the impact of identified vulnerabilities. As a result, contingency plans are not put in place, so comprehensive ICS security remains elusive despite many positive developments.

A study conducted by Vasgard GmbH and Bielefeld University of Applied Sciences in the spring of 2020 in East Westphalia-Lippe on the current state of Industrial Control Systems (ICS) Security in companies reveals a rather heterogeneous picture. Based on the 2013 ICS Security Compendium of the BSI (German Federal Office for Information Security), important aspects were selected as part of the study, and their degree of implementation was surveyed among the participants in the survey.

While certain basic principles of IT security have already found their way into everyday operations across all areas, others are still neglected by almost all companies. As a recent study by Fortinet points out, the reason for this lies in the lack of cooperation between IT and OT teams, but also in the lack of regulations governing responsibilities.

Strengths of ICS Security

The following measures are already in place for the majority of respondents:

  • Continuously updating lists of IT systems
  • Carrying out data backups
  • Restricting access permissions for important assets
  • Deleting data when IT assets are disposed of

The importance of implementing these topics is seemingly clear to almost all respondents.

This is because an up-to-date list of IT systems helps to avoid incompatibilities and inconsistencies between software versions and configurations (e.g., IP address conflicts). In addition, ICS components can be quickly identified for updates or changes.

Regular data backups reduce the risk and consequences of data loss. The use of different levels as well as intervals and scopes of data backups is another advantage and increases flexibility.

Access rights to ICS are only granted as far as necessary and the assignment of authorizations is based on the principle of least privilege.

Finally, defective equipment is only handed over for repair or maintenance once confidential information has been removed or securely deleted. The same is done when disposing of hardware, which is also stored securely until collection.

Weaknesses in ICS security

In some places, however, there is a lack of structured procedures and, in particular, the following measures:

  • Listing all IT components in a network plan
  • Regular implementation and adaptation of emergency plans
  • Complete dissemination of processes for change and patch management
  • Communication of relevant documents to affected employees

This assessment is consistent with the low level of dissemination of IT security best-practice approaches (ISO 27001, ISO 62443, or the BSI's IT-Grundschutz) among the participants.

The structure of the network should be documented in a physical network plan with the locations and infrastructure of the ICS and a logical network plan with the structural view and security zones.

A recovery plan (business continuity plan) or contingency plans for the assets requiring protection should be checked at regular intervals, at least annually, to ensure that they are up to date, and revised if necessary.

On the one hand, a patch process should be defined with role-specific responsibilities and consideration of patches and updates released by the manufacturer as well as third-party software. The criticality of patches should also be assessed, for example using the Common Vulnerability Scoring System (CVSS). On the other hand, a change management system should be established that checks in particular whether changes have security-relevant effects on the ICS.
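As an added illustration that is not part of the study or this article, the following Python sketch ties the three measures above together: it reconciles a constructed ICS asset inventory against a logical network plan of security zones (flagging IP address conflicts and components missing from the plan) and ranks pending vendor advisories by CVSS base score so the patch process can assign them to the responsible role. All asset names, addresses, advisory identifiers and scores are invented sample data.

```python
import ipaddress
from collections import defaultdict
# Constructed sample data, not from the study: an asset inventory and a logical network plan of zones.
INVENTORY = [
    {"name": "PLC-01", "ip": "10.10.1.10", "zone": "cell-a", "software": "fw 2.3"},
    {"name": "PLC-02", "ip": "10.10.1.11", "zone": "cell-a", "software": "fw 2.3"},
    {"name": "HMI-01", "ip": "10.10.1.10", "zone": "cell-a", "software": "hmi 5.1"},       # same IP as PLC-01
    {"name": "HIST-01", "ip": "10.10.9.5", "zone": "dmz", "software": "hist 7.0"},         # zone not in plan
    {"name": "ENG-WS", "ip": "10.10.3.20", "zone": "engineering", "software": "eng 3.2"},  # IP outside its zone
]
NETWORK_PLAN = {"cell-a": "10.10.1.0/24", "engineering": "10.10.2.0/24"}
# Pending vendor advisories with their CVSS v3.1 base scores (constructed values).
PATCHES = [
    {"software": "fw 2.3", "advisory": "VENDOR-ADV-0001", "cvss": 9.8},
    {"software": "hmi 5.1", "advisory": "VENDOR-ADV-0002", "cvss": 5.3},
    {"software": "eng 3.2", "advisory": "VENDOR-ADV-0003", "cvss": 7.5},
    {"software": "scada 1.0", "advisory": "VENDOR-ADV-0004", "cvss": 10.0},  # not deployed here
]

def find_ip_conflicts(inventory):
    """Return {ip: [asset names]} for every address assigned to more than one asset."""
    by_ip = defaultdict(list)
    for asset in inventory:
        by_ip[asset["ip"]].append(asset["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

def find_unplanned_assets(inventory, plan):
    """Return assets whose zone is missing from the plan or whose IP lies outside the zone's subnet."""
    unplanned = []
    for asset in inventory:
        cidr = plan.get(asset["zone"])
        if cidr is None or ipaddress.ip_address(asset["ip"]) not in ipaddress.ip_network(cidr):
            unplanned.append(asset["name"])
    return unplanned

def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating (None/Low/Medium/High/Critical)."""
    for limit, rating in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return rating
    return "Critical"

def prioritize_patches(inventory, patches):
    """Advisories that affect deployed software, highest CVSS first, with the assets to patch."""
    result = []
    for patch in patches:
        affected = [a["name"] for a in inventory if a["software"] == patch["software"]]
        if affected:  # advisories for software absent from the inventory need no action
            result.append((cvss_severity(patch["cvss"]), patch["cvss"], patch["advisory"], affected))
    return sorted(result, key=lambda r: r[1], reverse=True)
```

The two reconciliation checks surface exactly the gaps the study names (an incomplete network plan and an inventory that no longer matches reality), while the ranked advisory list is the input a role-based patch process needs.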

Affected employees from the service and maintenance staff, as well as administrators, should have the required information about the functions and about the operation of the ICS available in order to ensure secure and uninterrupted operation.

In addition to ISO/IEC 27001 and IT-Grundschutz from the BSI, certifications in the area of IT security should also include, in particular, the industry-specific standards and best-practice approaches that are better tailored to ICS.

The positive results of the study are in line with the “SANS 2019 State of OT/ICS Cybersecurity Report”, according to which the threats to ICS security remain at a high level and bring increasing challenges. However, in many companies, the security situation has improved significantly in recent years, and strategies that address OT/IT convergence have been increasingly implemented.

So a start has been made, but corporate priorities still need to be adjusted to the changed reality, as do budgets. The challenge remains that, particularly with the increased proliferation of the Internet of Things (IoT), the networking of production systems, machines, and devices is progressing faster than securing them. It is not uncommon for these to be legacy systems without integrated cyber security mechanisms, posing a major risk that can only be mitigated with great effort and cost.

A complete and regularly maintained network plan and constantly tested and updated recovery plans are effective tools here. The risks of mobile devices and wireless communication are also underestimated in this context. Together with the increasing use of cloud-based services, including for ICS system functions, these are the new attack surfaces, and a lack of protection can have serious consequences.

It is, therefore, necessary to develop a holistic and structured defense and protection paradigm that implements an enterprise-wide and uniform IoT, ICS, and cyber security strategy.