SANS Strategy Guide: ICS is the business

By Dean Parsons, SANS Certified Instructor, CEO of ICS Defense Force

There's a growing need for an ICS-specific security mindset.

Industrial control systems (ICS) and operational technology (OT) specific security controls are paramount for the protection of our world’s critical infrastructure. Relying on IT security principles and processes alone leaves ICS environments at high risk. Implementing ICS-specific controls enhances industrial incident response and engineering troubleshooting capabilities while supporting safety. However, achieving a high return on investment (ROI) from the ICS security spending needed to protect our critical infrastructure requires specialised ICS-trained resources and an active focus on the following measures:

Position ICS security for engineering: Chief security officers (CSOs) must position their teams as enablers for engineering and supporters of operational staff and safety culture, communicate the security, safety and engineering benefits of ICS specific controls, and obtain ICS dedicated funding for what matters most.

ICS defensible network architecture: Enable tactical teams to create a segmented network architecture around the ICS from hostile networks (IT and internet). An ICS defensible architecture enhances industrial incident response and drives asset protection while enabling ICS network visibility. Tactical teams must review all IT, ICS and internet access paths, including firewalls and remote access solutions to ensure least privilege for all connections, including engineering vendors.

ICS network visibility: ICS/OT-specific network visibility is the top security control being implemented today in mature ICS facilities. It safely identifies ICS assets, vulnerabilities and threats. In addition, it enhances industrial incident response and engineering troubleshooting capabilities. It requires ICS-specific trained resources.

IT security controls and workflows will kill the ICS: IT security plans and controls are insufficient for ICS environments and will damage control system integrity while providing a false sense of security. ICS incident response plans must be engineering-driven and regularly tested and prioritise safety. Engineers know engineering – CSOs must enable them to lead the charge.

ICS defender skillsets: Hire and train security practitioners with both IT and ICS security skills, who prioritise safety as the main mission. Staff must be positioned to adapt or replace IT security controls for ICS controls and workflows, understand ICS-specific network operations and engineering processes, and distinguish normal and abnormal engineering network traffic commands.
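The defensible architecture, network visibility and defender-skillset points above all come down to one practical question: does the traffic on each conduit match the least-privilege design the engineers intended? The following is an added illustration, not code from the SANS guide or from ICS Defense Force. It assumes a hypothetical allowlist of permitted conduits (source host, controller, protocol) with the engineering function types each may carry, and runs it over a few constructed flow records of the kind a passive visibility sensor might summarise. Host names, the record format and the function names are all assumptions for the example.

```python
"""Added example (not from the SANS guide): baseline-driven review of ICS
conduit traffic. The allowlist encodes the intended least-privilege
architecture; any flow outside it is queued for engineering-led response."""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # originating host (hypothetical names)
    dst: str       # controller being addressed
    proto: str     # industrial protocol carried on the conduit
    function: str  # engineering command type seen in the flow


# Hypothetical allowlist: (source, destination, protocol) -> permitted functions.
# An operator HMI reads only; the engineering workstation may also write;
# the vendor remote-access host is limited to read-only diagnostics.
ALLOWED = {
    ("hmi-01", "plc-01", "modbus"): {"read_coils", "read_registers"},
    ("eng-ws-01", "plc-01", "modbus"): {"read_coils", "read_registers", "write_register"},
    ("vendor-jump", "plc-01", "modbus"): {"read_registers"},
}


def classify(flow):
    """Return None when the flow is within baseline, else a short reason."""
    key = (flow.src, flow.dst, flow.proto)
    if key not in ALLOWED:
        # A conduit the architecture never defined, e.g. an IT host reaching a PLC.
        return "unexpected conduit"
    if flow.function not in ALLOWED[key]:
        # Known conduit, but a command type this source should never issue.
        return "unexpected function"
    return None


def parse_record(line):
    """Parse one constructed record: 'src=<h> dst=<h> proto=<p> func=<f>'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    try:
        return Flow(fields["src"], fields["dst"], fields["proto"], fields["func"])
    except KeyError as missing:
        raise ValueError(f"record missing field {missing}: {line!r}") from None


# Constructed sample records for the example; not captured from a real site.
SAMPLE_RECORDS = [
    "src=hmi-01 dst=plc-01 proto=modbus func=read_coils",          # normal operator read
    "src=eng-ws-01 dst=plc-01 proto=modbus func=write_register",  # normal engineering write
    "src=vendor-jump dst=plc-01 proto=modbus func=write_register",  # vendor path writing
    "src=it-fileserver dst=plc-01 proto=modbus func=read_registers",  # IT host on OT conduit
    "src=hmi-01 dst=plc-01 proto=modbus func=write_register",     # HMI issuing a write
]


def review(lines):
    """Return (record, reason) pairs for every flow outside the baseline."""
    findings = []
    for line in lines:
        reason = classify(parse_record(line))
        if reason is not None:
            findings.append((line, reason))
    return findings


def summarise(findings):
    """Count findings per reason so the review can be reported by category."""
    return Counter(reason for _, reason in findings)


if __name__ == "__main__":
    hits = review(SAMPLE_RECORDS)
    for record, reason in hits:
        print(f"{reason:20} {record}")
    print(dict(summarise(hits)))
```

The point of the allowlist being keyed on the whole conduit, not just on a host pair, is that the same PLC legitimately accepts writes from the engineering workstation and must never accept them from the vendor jump host or the HMI; a firewall rule that only says "who may talk to the PLC" cannot express that, while visibility that understands the engineering function codes can.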

In this strategy guide, I will provide an in-depth assessment of the growing need for an ICS-specific security mindset in 2024 and beyond. This strategy guide will continually underscore the critical importance of CSOs approaching ICS/OT security as its own business-critical function separate from the organisation’s IT-specific efforts. Based on more than 20 years of experience in the field, I wholeheartedly believe that it has never been more important to prioritise fortifying our critical infrastructure environments. The safety, health and well-being of our society depend on it. In organisations that have ICS, ICS is the business.
