A view of Facility Industrial Control System Security
by Ron Martin, CPP, CPOI
A 2019 US Department of Energy Inspector General Report found that physical and logical access security controls did not always provide sufficient restrictions over information technology (IT) resources (Energy OIG 2019 p 2). This statement illustrates the environment facing critical infrastructure protection (CIP).
Technology is advancing in system use and connectivity within buildings, facilities, and complexes. The Edith Cowan University research team, in its 2017 building automation and control (BAC) system (BACS) report, found that BAC is “… embedded into the contemporary building environment…” (BACS 2017 p i). The proliferation of interconnected systems brought about by the Internet of Things (IoT) will enhance the facility’s ability to become “system-smart.” A system-smart facility, from an infrastructure perspective, is dependent on other systems within its architecture. This architecture will access and use local and external systems. To acquire secure access to external systems, facility owners must have agreements that assure the security of the external system’s access and connectivity.
The BAC Report found the building’s environment must be flexible, adaptable, and sustainable. The building is vulnerable to threats and interconnectivity security issues. Secure local and remote access to devices, networks, and software applications is paramount (BAC 2017 p i). The BAC Report recommends the following:
The facility owners promote awareness of threats and risks
Improve organizational cross-department liaison
Build partnerships among BACS experts, in-house, and external third parties
Provide a guideline to aid the stakeholders to achieve the security of the BACS
The BACS Guideline is a governance tool to promulgate a common language among the facility’s stakeholders (BAC 2017 p iii).
The BAC Report is definitive in its research findings and recommendations. The implementation of key parts of the report will take time. The international implications of BACS are a CIP imperative. Systems and devices can be accessed from anywhere there is connectivity.
In the United States, the US Department of Homeland Security (DHS) provided guidance to the CIP community in the form of the National Infrastructure Protection Plan (NIPP). The NIPP provides guidance to the 16 industry categories or sectors. “Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems, and networks that underpin American society. To achieve this security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment.” (NIPP 2013 p 1)
From this governance, each industry sector interprets the NIPP guidance to develop specific sector guidance in the form of sector-specific plans. One of these is the Commercial Facilities sector plan (CFSP). The sector plan provides general guidance to the industry that is based on the guidance provided by the NIPP. “…this plan represents a collaborative effort among the private sector; Federal, State, local, tribal, and territorial governments; and nongovernmental organizations to reduce critical infrastructure risk…” (CFSP 2015 p iii). To serve the sector’s need for cybersecurity guidance, DHS released the Commercial Facilities Sector Cybersecurity Framework (CFCSF) implementation guidance of 2015.
This document “…recommends an approach that enables organizations to prioritize their cybersecurity decisions based on individual business needs without additional regulatory requirements…” (CFCSF 2015 p 1). The CFS cybersecurity release of 2015 provides an approach that will enable sector stakeholders to frame and prioritize their cybersecurity decisions (CFS-Cyber 2015 p 1). This cybersecurity guidance was based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, which was issued in February 2014. The current version is Version 1.1 of 2018. “… Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1…” (Framework 1.1 (2018) p ii). The CFS Cyber release of 2015 is a use-case implementation of the NIST Cybersecurity Framework.