ICS Best Practice Resources

By Jonathan Means on October 3, 2022

Executive Summary

Cyber attackers and online criminal gangs have disrupted corporations and critical infrastructure globally through cyberterrorism for over 20 years. Today, they are directing their resources at Operations Technology (OT) and Industrial Control System (ICS) networks to cause significant damage, and their attacks are growing fiercer. However, because companies have endured so many attacks over the years, there are many examples that cyber security professionals can use to establish reliable guidelines, policies, and procedures. These are known as industry best practices and can advise the cybersecurity community on how to better protect organizations with OT environments. Furthermore, because cyber threats are not disappearing, implementing the industry best practices could increase security assurance for corporations, governments, stakeholders, and critical infrastructure.

Background

Attacks on OT systems can be traced back to the Maroochy water system hack in Queensland, Australia, more than 20 years ago. The attacker used a radio transmitter and his laptop to manipulate 150 sewage pumping stations. Over three months, millions of gallons of untreated sewage were discharged into waterways and local parks. Though the incident was not very sophisticated, the threats against OT grew in number and sophistication as time went on. Stuxnet occurred in 2010 and was, at the time, among the most sophisticated malware developed to strike OT systems. The malware infected control system networks, resulting in as many as one-fifth of the nuclear centrifuges in Iran being damaged, decreasing their enrichment efficiency [7]. One of the most iconic and significant OT-related cyberattacks was the attack on Ukraine’s electric grids by Russia. In 2015, the control centers of three Ukrainian electricity distribution companies were remotely accessed by hackers attributed to Russia. Once in, they opened breakers at some 30 distribution substations in the capital city Kyiv and the western Ivano-Frankivsk region, causing more than 200,000 consumers to lose power [8]. This attack opened the eyes of many countries, prompting evaluations of current security postures. The Colonial Pipeline attack has recently reminded the public of the consequences of attacks against organizations with OT environments critical to national security. When Colonial Pipeline shut down its OT environment after ransomware compromised its information technology (IT) systems, it highlighted the ongoing difficulty of securing interconnected IT and OT environments. This was further confirmed when Colonial Pipeline released a statement stating that its shutdown was a proactive measure to prevent the malware from leaping from IT to OT [1]. As the days pass, advanced persistent threats and criminal groups continuously probe the protections and standards in place to prevent disastrous outcomes.

Best Practice Resources

Cybersecurity incidents dealing with OT have increased in frequency over recent years. Attacks have reached many industry sectors, including nuclear plants and water treatment facilities, forcing OT owners and operators to consider increasing their security posture. As a result, several essential resources are worth considering when applying industry best practices to secure an organization’s OT environment.

The International Society of Automation (ISA) developed ISA 99 (Industrial Automation and Control Systems Security), a framework for ICS network operators to address and reduce existing and future security vulnerabilities in industrial automation and control systems (IACS) [4]. In addition, they developed ISA 95 (Enterprise-Control System Integration), which builds upon the Purdue Enterprise Reference Architecture to define best practices for the relationship between OT and IT networks [6]. Both standards can help organizations reduce the risk of failure and exposure of ICS networks to cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA) values the importance of OT security since OT is vital to supporting US critical infrastructure and maintaining national security [3]. Therefore, CISA offers a comprehensive publication recommending best practices for ICS environments [2]. The publication proposes recommendations such as implementing a network topology with multiple layers, where the most critical communications occur in the most secure and reliable layer [2]. It further recommends that organizations not allow a persistent remote vendor or employee connection to the control network, and that they harden the remote access process to reduce the risk [2].
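The two recommendations above (a layered topology with IT and OT meeting only in a DMZ, and no persistent, weakly authenticated remote access into the control network) are easy to state but easy to violate one firewall rule at a time. The following is an added example, not code from the article, CISA, or ISA: a small Python policy checker that models Purdue-style levels as numbers and flags proposed network flows that skip a layer, bypass the DMZ, or bring remote access straight into the control network. The zone names, the level numbering (including placing the DMZ at 3.5), and the sample flows are assumptions made for illustration.

```python
"""Added example (not from the original article): check constructed network flows
against a layered, Purdue-style topology and a hardened remote-access rule.
Zone names, level numbers and sample flows are assumptions for illustration."""

from dataclasses import dataclass

# Assumed Purdue-style levels. The industrial DMZ sits between IT (level 4)
# and the OT site operations level (level 3); "remote" is anything outside.
LEVELS = {
    "enterprise": 4,    # corporate IT
    "dmz": 3.5,         # industrial DMZ between IT and OT
    "site_ops": 3,      # historians, patch servers, engineering workstations
    "supervisory": 2,   # HMI / SCADA servers
    "control": 1,       # PLCs, RTUs
    "process": 0,       # sensors and actuators
    "remote": 99,       # vendor laptop, internet, anything outside the plant
}


@dataclass
class Flow:
    src: str
    dst: str
    persistent: bool = False   # always-on tunnel vs. session-based, approved access
    mfa: bool = True           # strong authentication in front of the connection


def check_flow(flow):
    """Return the list of policy violations for one flow (empty list = allowed)."""
    findings = []
    s, d = LEVELS[flow.src], LEVELS[flow.dst]

    # Rule 1: remote connections terminate in the DMZ, are session-based and use MFA.
    if flow.src == "remote":
        if flow.dst != "dmz":
            findings.append("remote access must terminate in the DMZ, not in " + flow.dst)
        if flow.persistent:
            findings.append("persistent remote connection toward the control network")
        if not flow.mfa:
            findings.append("remote access without multi-factor authentication")
        return findings

    lo, hi = sorted((s, d))
    # Rule 2: IT and OT talk only through the DMZ; no flow may jump over it.
    if lo < LEVELS["dmz"] < hi:
        findings.append("flow crosses the IT/OT boundary without passing through the DMZ")
    # Rule 3: inside OT, traffic moves only between adjacent layers.
    elif hi <= LEVELS["dmz"] and hi - lo > 1:
        findings.append("flow skips a layer (%s -> %s)" % (flow.src, flow.dst))
    return findings


def audit(flows):
    """Map each flow label to its findings; flows with an empty list are allowed."""
    return {"%s->%s" % (f.src, f.dst): check_flow(f) for f in flows}


# Constructed sample rule set: two good flows, three bad ones, one hardened remote flow.
SAMPLE_FLOWS = [
    Flow("enterprise", "dmz"),                              # allowed
    Flow("dmz", "site_ops"),                                # allowed
    Flow("enterprise", "supervisory"),                      # bypasses the DMZ
    Flow("site_ops", "process"),                            # skips layers 2 and 1
    Flow("remote", "control", persistent=True, mfa=False),  # three violations
    Flow("remote", "dmz"),                                  # hardened remote access
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_FLOWS).items():
        print(label, "OK" if not findings else "; ".join(findings))
```

The checker treats levels as numbers so the "adjacent layers only" rule is a single comparison; a real deployment would load the flows from the firewall export or SDN policy rather than a hard-coded list, but the three rules are the ones a reviewer applies by hand when reading such a rule set.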

The National Institute of Standards and Technology (NIST) released Special Publication 800-82 Revision 2 (SP 800-82 Rev 2). SP 800-82 Rev 2 is a security guide to industrial control systems. It provides an overview of ICS and typical system topologies and identifies common threats and vulnerabilities to these systems [5]. Likewise, it provides recommended security countermeasures to mitigate the associated risks, including critical concepts such as defense-in-depth.

After March 2009, the Nuclear Regulatory Commission (NRC) required protection from cyberattacks for all digital communication and computer systems associated with a nuclear power plant’s safety, security, and emergency preparedness functions. Thus, the NRC issued Title 10 of the Code of Federal Regulations (10 CFR) 73.54, “Protection of Digital Computer and Communication Systems and Networks.” In addition, in January 2010, the NRC issued guidance on implementing the requirements of 10 CFR 73.54 in Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities” [9]. These documents are an excellent source of information to aid licensees in developing sound cybersecurity plans.

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and industry partners developed the Electricity Subsector Cybersecurity Capability Maturity Model (C2M2) to improve electricity subsector cybersecurity capabilities. The model assists private sector owners and operators in better assessing their cybersecurity capabilities, and the C2M2 evaluation helps organizations prioritize and improve cybersecurity activities [10]. In addition, after the President signed Executive Order (EO) 13636, NIST and stakeholders developed a voluntary Framework for reducing cyber risks to critical infrastructure. The Energy Sector Cybersecurity Framework Implementation Guidance discusses how the C2M2 maps to the voluntary Framework, providing a comprehensive and credible approach that all energy sector companies can use to improve their cybersecurity posture [10].

Finally, Verve Industrial offers a comprehensive guide that provides a holistic perspective on the procedures and technologies that protect and defend operational technology assets and processes from cyber threats and attacks. It includes foundational components of OT security relevant to those just learning about the space, descriptions of various standards available to system defenders, and deeper dives into specific aspects of OT security [11].

Significance

The security of OT systems is vital to supporting critical infrastructure and national security within the United States and every other nation. This importance is heightened as OT organizations and operations face threats from various adversaries whose intentions include gathering intelligence and disrupting National Critical Functions [3]. In 2021, the ransomware group Darkside demonstrated this by attacking Colonial Pipeline, causing a six-day stoppage leading to fuel shortages and price increases nationwide. By tightening security around OT and following the current best practices, an organization can guard its physical processes and assets, as well as the people and systems dependent on them.

Sources

[1] Jones, D. (2022, September 15). Colonial Pipeline disconnects OT systems to silo ransomware IT threat. Retrieved September 15, 2022, from https://www.cybersecuritydive.com/news/colonial-pipeline-OT-IT-ransomware/600046/

[2] Cybersecurity and Infrastructure Security Agency. (n.d.). Recommended Cybersecurity Practices for Industrial Control Systems. Retrieved September 20, 2022, from https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

[3] Cybersecurity and Infrastructure Security Agency. (n.d.). Cybersecurity Best Practices for Industrial Control Systems. Retrieved September 20, 2022, from https://www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems

[4] International Society of Automation. (n.d.). ISA99, Industrial Automation and Control Systems Security. Retrieved September 20, 2022, from https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa99

[5] Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., & Hahn, A. (2015, May 1). Guide to Industrial Control Systems (ICS) Security. Retrieved September 20, 2022, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf

[6] International Society of Automation. (n.d.). ISA95, Enterprise-Control System Integration. Retrieved September 20, 2022, from https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa95

[7] Hemsley, K. E., & Fisher, R. E. (2018, December 31). History of Industrial Control System Cyber Incidents. Retrieved September 20, 2022, from https://www.osti.gov/servlets/purl/1505628

[8] Council on Foreign Relations. (2015, December). Compromise of a power grid in eastern Ukraine. Retrieved September 20, 2022, from https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine

[9] United States Nuclear Regulatory Commission. (2021, September 21). Cybersecurity. Retrieved September 27, 2022, from https://www.nrc.gov/security/cybersecurity.html

[10] Office of Cybersecurity, Energy Security, and Emergency Response. (n.d.). Energy Sector Cybersecurity Preparedness. Retrieved September 27, 2022, from https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness

[11] Ganzer, M. (2020, September 30). 2021-2022 ICS Advisory Report. Retrieved September 27, 2022, from https://verveindustrial.com/resource_type/guide/