The move by most, if not all, DCS vendors towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a significant shift in control system design. System integration became easier, product development by manufacturers was accelerated, and training was simplified as it leveraged common tools and concepts. While the benefits have been tremendous, open technology has also exposed control systems to frequent and significant security vulnerabilities, putting production, assets, and human safety at risk. Gone are the days of proprietary operating systems and communication buses, isolated systems, and inherently secure processing environments.
Identifying and mitigating these threats requires organizations to develop a better understanding of their overall process control system security, their vulnerabilities and risks, and how they are positioned to address them.
The process can be broken down into three phases:
In Phase 1, or the pre-assessment phase, existing information is collected from those responsible for the system. Items such as network diagrams, lists of cyber assets, existing policies and procedures, etc., are reviewed in order to provide the assessment team with a basic understanding of the system before they arrive on site.
Phase 2 is performed onsite and is primarily focused on data gathering. Among other data-gathering steps, the assessment team will assess physical and administrative security and verify the network architecture and traffic flows. They will examine networked devices to collect basic information such as make and model, and analyze each device's configuration and susceptibility to threats (access control measures, open ports, applications and services, status of patches, anti-virus tools, etc.). They will evaluate and assess remote and 3rd party connections to the Process Control Network. The assessment team will also interview key staff to better understand the procedures that are actually being followed and the staff's cybersecurity awareness. Before leaving your site, the assessment team will meet with management to provide a briefing on key and initial recommendations.
Phase 3 is for the assessment team to fully analyze the data and formally document the results in an assessment report. Vulnerabilities identified in devices or applications, architecture deficiencies, physical security lapses, and identified gaps between current practices and standards/best practices are documented, and recommendations are identified and prioritized.