Industrial control systems (ICS) security was much simpler before the web. Firewalls and demilitarized zones (DMZs) separating the corporate and plant networks either didn’t exist or weren’t necessary. Organizations were primarily concerned with physically protecting their systems behind gates, fences and other barriers.
For that reason, vendors designed control systems with automation and reliability in mind; all communications technologies were proprietary and lacked compatibility with Ethernet and TCP/IP. But then the Internet came, and with it, the threat of connectivity-enabled attacks that don’t require physical access to plants or their systems.
Industrial Cybersecurity Is Ever-Evolving
Organizations are now dedicating resources to protecting their ICS assets, which include supervisory control and data acquisition (SCADA) programs, against intentional or accidental security threats. Defending these systems is like other industrial safety programs. People and technology must work together to develop policies and processes that they can implement, build upon, enforce, modify and improve.
Even so, ICS security has plenty of challenges. Several of them owe their existence to the ongoing convergence of information technology (IT) and operational technology (OT).
As noted in another State of Security post, IT and OT at one point in time generally did different things. There was some limited collaboration if either IT or OT need to use the other’s technology to complete their jobs. But that was the extent of their cooperation.
Today, a convergence of a logical and physical resources now means a closer relationship between IT and OT. This union makes it difficult to determine who is responsible for protecting ICS systems owned and operated by the organization. Is it IT, which has experience and budget for digital security but lacks direct oversight over the industrial control systems? Or is it OT, which supervises industrial control systems but isn’t chiefly responsible for defending (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/ics-security-challenge-organizations/