INDUSTRIAL AND IT MANAGEMENT SECURITY

Part 3

It is not our intention to reproduce, summarize or paraphrase the ISA/IEC 62443 series (in particular ISA/IEC 62443-4-2, which specifies the technical security requirements for control system components, and ISA/IEC 62443-3-3, which specifies system security requirements and security levels), a framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems (IACSs). The aim is simply to draw your attention to what seems to me fundamental, and especially to the minimum but indispensable protection steps to be taken to ensure the security of industrial installations.

For the sake of clarity I will use the terms institution and company interchangeably to refer to an organisation that owns an industrial installation or high-tech equipment. Likewise, I will use the terms asset, device and installation interchangeably when speaking about industrial and/or high-tech equipment.

Risk analysis of industrial and/or high-tech equipment, or of the functions of companies and institutions such as those active in the Energy, High Tech Industry, Mining, Metro and Railways, Construction, Laboratories, Medical and Paramedical, Data Center, Telecommunications, Research, Banking and Education sectors, can start by drawing up a list of the assets to be protected, ranked by their importance for the activity of the company or institution, followed by an analysis of the impact in the event of their loss. It is often said that the analysis can also start from a table of risks, sorted according to their level of dangerousness and the probability of their occurrence.

For me, the probability of a cyber-attack occurring is of secondary importance, even meaningless: the consequences of a cyber-attack can be disastrous even if the probability of its occurrence was low. As an example, had we not foreseen a disaster scenario for Covid-19 in Africa that did not happen? Better not to play Russian roulette.

In any case, the parameters that deserve the most attention are the importance of the assets (installations) to be protected for the company's activity, and the consequences of a cyber-attack according to the aim (threat) of the cyber-criminal, who may be seeking easy gain, may be acting with the simple intention of causing harm, or may be engaged in industrial espionage.

Let's not forget that we are dealing with the protection of the industrial installation, not with the protection of the information system of the company that owns these programmable devices. Therefore, except for devices whose purpose is to collect information (I am thinking here of programmable and connected medical devices, or those used for research purposes), the confidentiality, integrity and availability of the collected data is not our concern here; what is at stake is the installation itself.

The establishments that own such devices can be classified into three categories according to the place these devices occupy in the company's activity.

Thus we have:

CLASS 1: Companies that consist of a single department with a single programmable installation, or that have several departments whose installations are interconnected, and for which this installation or these installations constitute the main activity.

CLASS 2: Companies that comprise more than one department, whose connected and/or programmable installations are not interconnected with each other, but for which those installations constitute the principal activity.

CLASS 3: Companies that have one or more departments with installations, interconnected or not, where these installations do not constitute the main activity.

Depending on the goal pursued by the cyber-criminal, the danger of a cyber-attack can be (1) destruction of the installation, or encryption of the data it has collected, if the attacker is pursuing easy gain or simply intends to cause harm, (2) deprogramming of the installation, for the same goals, or (3) theft of the collected data, if the attacker is engaged in industrial espionage.

The impact on the company can then be considered as being:

  • MAJOR if the company is class 1, regardless of the purpose of the cyber-attacker,
  • MAJOR if the company is class 2 and the cyber-attacker is pursuing easy money or industrial espionage,
  • MEDIUM if the company is class 2 and the result of the attack is the deprogramming of an installation,
  • MEDIUM if the company is class 3 and the goal of the cyber-attacker is the destruction of the installation, and
  • MINOR if the company is class 3 and the attack results in deprogramming or industrial espionage.

It is therefore obvious that the greater the impact on the company, the stronger the protection of its installations must be.
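To make the method concrete, here is an added example (my own illustration, not code from the article or from the ISA/IEC 62443 series) that encodes the three company classes and the impact table above. It derives the class from a constructed inventory of installations and their interconnections, looks up the impact per attacker outcome, and then contrasts a ranking by impact alone with a probability-weighted ranking, which is the choice the article argues about. The company names, the inventory, and the per-company likelihood figures are invented assumptions; the treatment of a single department with several installations as class 1 is my reading of the text, not something it states.

```python
"""Impact-driven triage of programmable installations (added illustration)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from enum import IntEnum


class Outcome(IntEnum):
    """What the attacker's aim produces on the installation, as listed in the article."""
    DESTRUCTION = 1    # destruction, or encryption of collected data (easy gain / harm)
    DEPROGRAMMING = 2  # the installation is deprogrammed (harm)
    DATA_THEFT = 3     # collected data is stolen (industrial espionage)


class Impact(IntEnum):
    MINOR = 1
    MEDIUM = 2
    MAJOR = 3


# Impact per company class and outcome, exactly as the article states it.
IMPACT_TABLE: dict[int, dict[Outcome, Impact]] = {
    1: {Outcome.DESTRUCTION: Impact.MAJOR, Outcome.DEPROGRAMMING: Impact.MAJOR, Outcome.DATA_THEFT: Impact.MAJOR},
    2: {Outcome.DESTRUCTION: Impact.MAJOR, Outcome.DEPROGRAMMING: Impact.MEDIUM, Outcome.DATA_THEFT: Impact.MAJOR},
    3: {Outcome.DESTRUCTION: Impact.MEDIUM, Outcome.DEPROGRAMMING: Impact.MINOR, Outcome.DATA_THEFT: Impact.MINOR},
}


@dataclass(frozen=True)
class Installation:
    name: str
    department: str
    links: frozenset[str] = frozenset()  # names of installations it is interconnected with


@dataclass
class Company:
    name: str
    main_activity: bool               # do the installations constitute the principal activity?
    assumed_likelihood: float         # illustrative yearly attack likelihood (an assumption)
    installations: list[Installation] = field(default_factory=list)


def departments_interconnected(installations: list[Installation]) -> bool:
    """True when every department owning an installation is reachable from the others
    through installation-to-installation links (links are treated as bidirectional)."""
    by_name = {i.name: i for i in installations}
    depts = {i.department for i in installations}
    if len(depts) <= 1:
        return True
    adj: dict[str, set[str]] = {n: set() for n in by_name}
    for inst in installations:
        for other in inst.links:
            if other in by_name:           # links to unknown names are ignored
                adj[inst.name].add(other)
                adj[other].add(inst.name)
    seen: set[str] = set()
    seen_depts: set[str] = set()
    queue = deque([installations[0].name])
    while queue:                           # breadth-first walk from the first installation
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        seen_depts.add(by_name[cur].department)
        queue.extend(adj[cur] - seen)
    return seen_depts == depts


def classify(company: Company) -> int:
    """Article's three classes. Assumption: one department with several installations is class 1."""
    if not company.installations:
        raise ValueError(f"{company.name}: no programmable installation to classify")
    if not company.main_activity:
        return 3
    return 1 if departments_interconnected(company.installations) else 2


def impact_of(company: Company, outcome: Outcome) -> Impact:
    return IMPACT_TABLE[classify(company)][outcome]


def worst_case(company: Company) -> tuple[Outcome, Impact]:
    """Outcome with the highest impact; ties resolved in Outcome order."""
    return max(((o, impact_of(company, o)) for o in Outcome), key=lambda p: (p[1], -p[0]))


def rank_by_impact(companies: list[Company]) -> list[str]:
    """The article's position: order by worst-case impact only (stable sort keeps input order on ties)."""
    return [c.name for c in sorted(companies, key=lambda c: worst_case(c)[1], reverse=True)]


def rank_by_expected_loss(companies: list[Company]) -> list[str]:
    """The alternative the article rejects: weight the worst impact by an assumed likelihood."""
    return [c.name for c in sorted(companies, key=lambda c: c.assumed_likelihood * worst_case(c)[1], reverse=True)]


def sample_companies() -> list[Company]:
    """Constructed inventory: one company per class, with invented likelihood figures."""
    return [
        Company("NorthRiver Hydro", True, 0.02, [
            Installation("turbine-A", "Generation", frozenset({"switchyard-1"})),
            Installation("switchyard-1", "Transmission", frozenset({"turbine-A"})),
        ]),
        Company("Twin Kilns Cement", True, 0.15, [
            Installation("kiln-1", "KilnLine"),
            Installation("packer-1", "Packaging"),
        ]),
        Company("Campus Teaching Lab", False, 0.60, [Installation("lab-plc", "Lab")]),
    ]


if __name__ == "__main__":
    cos = sample_companies()
    for c in cos:
        print(f"{c.name}: class {classify(c)}, worst case {worst_case(c)[0].name} -> {worst_case(c)[1].name}")
    print("by impact       :", rank_by_impact(cos))
    print("by expected loss:", rank_by_expected_loss(cos))
```

With these assumed figures the impact-only ranking keeps the class 1 hydro plant at the top, while the probability-weighted ranking pushes it to the bottom because its assumed likelihood is small. That inversion is the point of the paragraph above: a protection level derived from likelihood would leave the installation with the most serious consequences the least protected.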

The next quadrant represents the protection an installation needs with respect to the threat it may face: the RED colour indicates that the installation requires maximum security, the ORANGE colour indicates the need for a medium level of security, and the GREEN colour indicates that the installation requires standard security.

This quadrant is very useful for determining the type of protection an installation needs to counter a cyber-attack. We will see that in our next article.
