ENISA Publishes “Communication Network Dependencies for ICS-SCADA Systems” Report for Critical Infrastructure Protection
The clear emergence of cyber weapons used for political interference — cyber espionage such as the OPM breach probably related to China; political manipulation such as the breach and leaks relating to the DNC by Russia; and physical damage such as the Ukraine power outages by Russia or its supporters — has focused attention on the security of the critical national infrastructures. Much of that infrastructure is controlled and operated by ICS/SCADA systems.
The European Union Agency for Network and Information Security (ENISA) has published a new analysis and recommendations on ‘Communication network dependencies for ICS/SCADA Systems’ (PDF). The report concentrates on two of the primary causes of security concern: network segmentation and communication between the segments; and the wider issue of communications with the outside world, which often use the Internet.
The report was compiled from an analysis of stakeholder conversations with members of the ENISA ICS and SCADA groups together with data from official sources and other ICS/SCADA experts in the field. It highlights three primary causes for concern, and makes eight specific security recommendations for its target audience of asset owners and operators of electricity, oil, gas, transport, health, water supply, and the manufacturing industry.
The three worrying attack scenarios are remote compromise allowing an attacker to take control of one or multiple assets within the network; the insider threat from a disgruntled employee, contractor or third-party staff with in-depth knowledge of the infrastructure; and the risk of infection during the maintenance or upgrade process. Associated with the third concern is the website where the update files and firmware are located.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference
The report examines ICS/SCADA communication networks and their interdependencies, and examines the threats, vulnerabilities, incidents and attacks affecting those networks while focusing on those that might result in cascading effects. It also presents a gap analysis to highlight areas that require further work.
A section on security good practices outlines the necessary steps in first understanding and then protecting the network. This includes a list of technology and processes that can “greatly increase the protection of the availability, integrity, confidentiality and non-repudiation” of the network and its communications.
Finally, it presents a list of eight “high-level recommendations for manufacturers, operators and security experts that will help them to improve the security level and resilience of the ICS/SCADA systems and communication network functions.” These are:
1. Include security as a main consideration during the design phase of ICS SCADA systems.
2. Identify and establish roles of people operating in ICS/SCADA systems.
3. Define network communication technologies and architecture with interoperability in mind.
4. Establish brainstorming and communication channels for the different participants on the lifecycle of the devices to exchange needs and solutions.
5. Include the periodic ICS/SCADA device update process as part of the main operations of the systems.
6. Establish periodic ICS/SCADA security training and awareness campaign within the organization.
7. Promote increased collaboration amongst policy decision makers, manufacturers and operators at EU Level.
8. Define guidelines for the establishment of reliable and appropriate cybersecurity insurance requirements.
These recommendations, modified where necessary, would form part of good practice for any industry. The ENISA report goes further, focusing on their particular relevance to operational technology. For example, for the first ‘security by design’ recommendation, it explains that, “Traditionally, only safety is included as one of the main considerations during the design of an ICS/SCADA system or infrastructure (alongside efficiency, real-time constraints, etc.). However, the concept of security is not, although it is now one of the main risk sources that should be covered to prevent future attacks and incidents.”
While users have little control over ICS/SCADA development and manufacturing processes, ENISA recommends that “during the design phase, the security of the devices, and the communications between them, has to be one of the main concepts that will impact on the choice of devices, measures to implement, and overall design of the architecture.”
As a result of this process, writes ENISA, “the systems’ security is increased as many threats have been mitigated. This can be measured via risk assessment, vulnerability assessment or penetration test.”
This basic structure is repeated for each of the recommendations: a description of the issue, action required, and effect of implementation. The result is a thorough examination of the ICS/SCADA security landscape together with practical steps to improve the security posture of the critical national infrastructure.