Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. I'll also explain some of our services so that you can see what might pertain to you. For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important.
For part 2, I will explain the difference between IT and ICS cybersecurity and how the security focus differs between the two.
Differing Security Focus Between IT and ICS
In IT, the most important thing is confidentiality, then integrity, and then availability. If your network goes down, you're going to be mad, but nothing's really going to happen. But in the Industrial Control System world, we look at it a different way. We look at the availability of the network as being the prime thing to keep up and running. We need to keep that network up to keep the process under control, to make sure that everything is running correctly and we don't get that big "Kaboom"!
IT versus ICS
Comparing an IT network with an ICS network, some of the main takeaways are that IT has got to be fast, but ICS has got to be real time. For ICS, you sometimes have millisecond response figures in some of your values. You can't take it down for no reason, like doing a patch. Sometimes these things go 20-25 years without being patched. As for the privacy of the data, across an IT network it could be the recipe for original Coke. Across an ICS network, it's a valve on / valve off, half full / half empty. Taken out of context, it's very limited in its value. Some of the areas can be difficult to patch. It used to be difficult to put anti-virus on.
In conclusion, security awareness in the IT world is very good. It's been around for a long time. It's a very stable concept. It's a discipline. In the ICS world, it's becoming better quickly, but it's still a generation behind. They know how the process runs; they don't all understand how security will affect their process.
In the next part of this blog, I will focus on control system security layers of responsibility and requirements for the cybersecurity standard IEC 62443-2-1.