Three Questions Every ICS Security Team Should Ask

ICS Network Security

Securing ICS networks is extremely challenging, primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, consider the three questions every organization should ask itself about securing its network.

1. Do we know what needs to be protected?

To protect the network, the first step is to inventory the technologies and critical assets in place; without this baseline, it is impossible to secure it. Industrial controllers (PLCs, RTUs, DCS controllers) are generally the most critical components of ICS networks, since they run the industrial process itself and are what keeps operations continuous and safe.

Securing controllers requires accurate knowledge of the firmware they are running, the code and logic they execute, and their current configuration. Any change to controller firmware, logic or configuration can cause operational disruptions.

Since most ICS networks were deployed decades ago, it is common for assets to be forgotten. Most organizations lack a clear picture of the critical assets in their environment, and the manual processes used to document them are not only inaccurate but also tedious and resource intensive.

Without automated asset discovery and management, many organizations fall back on manual documentation in spreadsheets. Besides burning out staff and producing gross inaccuracies, this outmoded approach leaves undocumented assets unmonitored and unpatched, which creates openings for network breaches.

Automated asset discovery and management gives ICS security teams an accurate, up-to-date inventory, from which they can plan and roll out effective security controls.

2. What is happening in the ICS network?

Unfortunately, a great deal of what happens in ICS networks is unknown. These networks differ fundamentally from IT networks: they not only lack visibility and security controls, but also use specialized technologies and vendor-specific communication protocols, which makes controls built for IT environments a poor fit.


Some ICS network monitoring solutions focus on HMI/SCADA application activity, which occurs on the data plane of ICS networks. This activity runs over known, standardized communication protocols (Modbus/TCP and DNP3, for example) that are comparatively easy to monitor.

However, the core engineering activities performed on industrial controllers, including changes to control logic, configuration settings, and firmware uploads/downloads, do not travel over those data-plane protocols and so cannot be seen by monitoring them. These control-plane activities use proprietary, vendor-specific protocols that are often undocumented and, in many cases, not even publicly named, which makes them very difficult to monitor.

In IT networks, performing control-plane activities typically requires special privileges. Most ICS networks, however, lack authentication and encryption controls, so anyone with network access can perform the activities above. In addition, there are no audit trails or logs capturing these changes and activities that could support a forensic investigation.

Gaining visibility into the engineering activities executed on the industrial control plane should be a top priority for ICS security teams, since this is where malicious activity and human error can cause the greatest disruptions.

3. Can we effectively manage and respond to security events?

Because ICS networks generally lack visibility and controls, most organizations cannot respond to events in a timely and effective manner. This not only weakens their defences, but also increases the overall cost of mitigation.

Real-time visibility into industrial networks is the key to ICS security. To protect against external threats, malicious insiders, and human error, industrial organizations must monitor all ICS activities, whether executed by an unknown source or a trusted insider, and whether authorized or not.

Only with full visibility into data-plane and control-plane network activity can organizations apply effective security and access management policies governing who is allowed to make what changes, when, and how.

Accurate security policies also ensure that ICS security teams receive timely alerts when unauthorized or unexpected activity occurs, giving them the information needed to quickly pinpoint the source of a problem and mitigate it, minimizing disruption and damage.
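Questions 1 and 3 above come down to the same mechanism: derive the asset list from what is actually on the wire, classify each request as a read or a change, and alert when a change comes from a host the policy does not permit. The following Python monitor is an added example written for this page, not code from the article or from any vendor product. It parses Modbus/TCP (a documented data-plane protocol, as discussed under question 2), builds a controller inventory from observed frames, and checks writes against a who-may-write-where allow-list. The host addresses, the frames and the policy are all constructed for the demo.

```python
"""Added example (not from the article): a passive Modbus/TCP monitor that builds
a controller inventory from observed traffic, classifies each request as a
data-plane read or a write, and checks writes against a who-may-change-what
policy. Host addresses, frames and the policy below are constructed for the demo."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Modbus public function codes. Anything else (diagnostics, vendor-defined
# 65-72 / 100-110, ...) is reported as "other" so an analyst can look at it.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass(frozen=True)
class Request:
    src: str      # requesting host (HMI, engineering workstation, ...)
    dst: str      # controller IP address
    unit: int     # MBAP unit identifier (serial slave behind a gateway)
    func: int     # Modbus function code
    kind: str     # "read", "write" or "other"


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> Request:
    """Parse the MBAP header plus function code and reject malformed frames."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(data) - 6:
        raise ValueError("MBAP length does not match frame size")
    func = data[7]
    if func in READ_FUNCS:
        kind = "read"
    elif func in WRITE_FUNCS:
        kind = "write"
    else:
        kind = "other"
    return Request(src, dst, unit, func, kind)


def monitor(frames: List[Tuple[str, str, bytes]],
            known_controllers: Set[str],
            write_policy: Dict[str, Set[str]]):
    """Return (inventory, alerts).

    inventory: every (controller, unit) seen, so the asset list comes from
               traffic rather than from a spreadsheet.
    alerts:    controllers missing from the asset list, writes from hosts not
               allowed to change that controller, and non-standard function codes.
    """
    inventory: Set[Tuple[str, int]] = set()
    alerts: List[str] = []
    for src, dst, data in frames:
        try:
            req = parse_modbus_tcp(src, dst, data)
        except ValueError as exc:
            alerts.append(f"malformed frame {src}->{dst}: {exc}")
            continue
        inventory.add((req.dst, req.unit))
        if req.dst not in known_controllers:
            alerts.append(f"unknown controller {req.dst} (unit {req.unit}) queried by {req.src}")
        if req.kind == "write" and req.src not in write_policy.get(req.dst, set()):
            alerts.append(f"unauthorized write: {req.src} -> {req.dst} "
                          f"FC{req.func} ({WRITE_FUNCS[req.func]})")
        elif req.kind == "other":
            alerts.append(f"non-standard function code {req.func} from {req.src} to {req.dst}")
    return inventory, alerts


# Constructed sample traffic: (source, destination, raw Modbus/TCP payload).
# 10.0.0.10 = HMI, 10.0.0.20 = engineering workstation, 10.0.0.99 = unknown host,
# 10.0.0.50 = documented PLC, 10.0.0.51 = PLC missing from the asset list.
SAMPLE_FRAMES = [
    ("10.0.0.10", "10.0.0.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),       # FC3 read
    ("10.0.0.20", "10.0.0.50", bytes.fromhex("0002 0000 0009 01 10 0010 0001 02 1234")),  # FC16 write
    ("10.0.0.99", "10.0.0.50", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),       # FC6 write, unknown host
    ("10.0.0.10", "10.0.0.51", bytes.fromhex("0004 0000 0006 01 03 0000 0002")),       # read from undocumented PLC
]
KNOWN_CONTROLLERS = {"10.0.0.50"}
WRITE_POLICY = {"10.0.0.50": {"10.0.0.20"}}   # only the engineering workstation may write


def demo():
    """Run the monitor over the constructed traffic."""
    return monitor(SAMPLE_FRAMES, KNOWN_CONTROLLERS, WRITE_POLICY)


if __name__ == "__main__":
    inv, alerts = demo()
    print("inventory:", sorted(inv))
    for line in alerts:
        print("ALERT:", line)
```

Run against the sample frames, the monitor learns two controllers (10.0.0.50 and the previously undocumented 10.0.0.51) and raises two alerts: the write from the unknown host 10.0.0.99, and the query to a controller absent from the asset list. Note the caveat the article itself raises: this only works because Modbus/TCP is a documented data-plane protocol with a published function-code table. Logic downloads and firmware changes carried over a vendor's proprietary engineering protocol would pass through this monitor unparsed, so it covers the data plane only.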
