The Value of ICS Security
Nearly every presentation I give has at least a few audience members acknowledging to me that they weren’t really conscious of their own reliance on Industrial Control Systems (ICS) in so many aspects of their daily lives. It’s difficult to avoid awareness of the Internet of Things (IoT), of course, with popular and business media both pumping out articles frequently on “smart” refrigerators and watches, or lightbulbs that talk to your Wi-Fi router and systems like wireless security cameras being hacked, but what is the Industrial Internet of Things (IIoT)?
The IIoT really predates the broader category of IoT, since the much of the technology both depends on (inexpensive sensors, ubiquitous connectivity) was developed for industrial purposes, and the distinctions between them can be nebulous at times because of hardware/software overlaps, with some components appearing in either type of system. Both can gather and share data continuously and perform their prescribed functions as directed by the programs installed on them but, where the IoT aims to address consumer or mass market demands, the IIoT focuses on process control, machine learning and the automation of other systems. It enables, for example, manufacturing equipment to monitor itself for signs of wear and tear and notify operators of the need for maintenance, providing huge savings in lost productivity versus unplanned shutdowns, and smart grids, continually monitoring power flows and adapting to changes in electric supply and demand faster than human operators can respond.
As impressive as these things are, what is just starting to enter many peoples’ awareness is the integration of this technology into so many aspects of daily life. Our offices, apartment buildings, hotels and other facilities of any size have Building Automation Control System (BACS, a type of ICS) managing their HVAC, lights, power and security systems. The water from our taps comes from a Supervisory Control and Data Acquisition (SCADA, a type of ICS)-controlled water treatment plant. The traffic and street lights in our cities are likely managed by control systems, and our phone and internet traffic most certainly is regardless of where we are. The medicines we take, food we eat and beverages we drink are all processed and packaged by various ICS.
While all of these control systems have greatly increased efficiency, reliability and productivity in innumerable ways, there is one catch – security. What used to require direct physical access can increasingly be done remotely. If someone wants competitive business information on factory output or the chemical process used to make your trade secret-protected product, if they want to track your cell phone traffic or know when the lights in your office are turned off each night, the right tools and skills can allow this to be done from anywhere in the world. The hurdles are higher if they want to cause problems in your ICS but serious damage can and is done without anyone noticing until it’s too late.
As you go through the rest of your day today, look around at some of the things you usually take for granted, such as electricity at the flip of a switch, traffic management without a cop posted at each intersection, and accurately labeled medications, and consider how important it is to know if you can continue to rely on these in the future. That should help answer the question: what is ICS security worth to you?
The article was written by Derek Harp, an industry leader in Industrial Control System cyber security. Mr. Harp has worked tirelessly to educate and guide companies in their journey to achieving cyber resilience. He is currently a board member of NexDefense, and the founder and Chairman of Control System Cyber Security Association International (CS2AI), a nonprofit organization dedicated to supporting local practitioner peer groups around the globe.