Properly protecting CNI demands specificity

by Jeremy

When we think of critical national infrastructure (CNI), we think of power, water, and transport industries. Although CNI also includes communications and finance, we first consider the heavier, safety-critical sectors. Typically, these involve sizeable industrial control systems (ICSs) that operate 24/7, 365 days a year, and that we depend on daily.

Successful attacks on these systems could cause serious injury or death, as illustrated by the recent attack on a water purification plant in Florida. The threats to these systems may come from actors with motivations similar to those who target IT systems, but the risks and how to address them can differ.

The first thing to understand is that while IT systems are all much the same, using similar components and architectures, ICS solutions are very different. Industrial systems are not physically secured in a friendly, air-conditioned room. Instead, they are often spread over several square kilometers or even many kilometers along a pipeline, making them highly vulnerable to tampering.

Also, they cannot be shut down quickly for maintenance and have high availability requirements. Therefore, the risks and mitigations must be specific to each system and, underpinning this, there should be an excellent understanding of the system and the processes it supports.

Therefore, the first steps to securing an ICS system must be to create an accurate plan of the system and its interconnections (as it exists, not how it was designed) and document the processes it supports. This will allow a risk assessment to be carried out to identify, analyze and evaluate the risks before determining measures to mitigate them.

If an organization’s IT and operational technology (OT) systems are connected, this exercise must be applied to both IT and OT as a single overall system, and, critically, it must involve the people on the shop floor who run the system and understand how it works. Things will change over time, so the system and risk assessment must be reviewed and updated regularly.

It is nearly ten years since Eric Byres first presented his paper Unicorns and air gaps: do they exist? The mythical air gap exists today, but only in highly critical control systems such as nuclear reactors. A genuinely air-gapped system can only accept data from outside through a physical device (such as a keyboard) and output data through another (a printer, for example).
