By Erwin van der Zwan, CISA, CISM, CISSP
Over the last couple of years, the protection of critical infrastructures, in particular its cyber security aspects and, hence, the security of industrial control systems (ICS or SCADA), has been a hot topic. In my opinion, this was long overdue since, in general, ICS security still lags several years behind (information) cyber security practice. For an overview of the most vulnerable areas, take a look at the article “Security of Industrial Control Systems: What to Look For?” in volume 4, 2010, of the ISACA Journal.
In most ICS deployments, resistance and resilience against technical failures, and continuity during incidents with a natural cause (acts of nature), are well taken care of. What I would like to discuss, or rather get your views on, is the protection against malicious cyber attacks. Looking at the news on cyber security, one cannot help but notice that, if you believe the media, we are already doomed. So, do you agree? Could a malicious man-made cyber incident really cause significant (physical) damage? Should we be concerned about terrorists or, what really frightens me, malicious insiders, ex-personnel or targeted cyber attacks from a psychotic activist with hacking skills?
Another question to address is what kind of risk management strategy to deploy. My best bet is to focus on lowering the exposure, closing vulnerabilities, and developing an appropriate business continuity and disaster recovery capacity. Of course, you could also try to influence the likelihood of events occurring. However, I do not believe that a sufficient and lasting risk reduction can be established just by warning possible attackers off. Nor do I believe that a large enough reduction of the impact of events can be achieved when we talk about critical infrastructures such as electricity, gas, oil, telecommunications or major transportation systems. However, I can control my own procedures and assets and, thus, have the means to reduce the vulnerabilities, to design a strong, robust system and to prepare for incidents.
So what do you think are the top 5 vulnerabilities to eliminate? Is complete elimination possible? For example, a lack of security awareness, inadequate organization of security, network interconnections, remote access and the long repair time in case of total destruction are, in my opinion, perhaps the most important points to worry about.
What are your views and concerns as a security auditor or manager? Which security controls do you think are the most effective and would you deploy? What would you put your money on?