Cyber Security – How is ICS different from IT? (Part 1)
Cyber security has always been a concern in the general Information Technology (IT) environment, but it became a concern for Industrial Control Systems (ICS) only in recent years (IEC 61511 [1] requested a security risk assessment in its 2016 edition). This is because ICS were traditionally built using bespoke hardware and software (immune from malware) and separated from the outside world by air gaps (not susceptible to remote cyber attacks). Cyber security has increasingly become an issue for ICS due to:
- the increasing use of Commercial Off The Shelf (COTS) software and hardware
- the increasing connectivity between ICS and the enterprise network
- the adoption of standard network protocols such as TCP/IP
How is ICS different from IT?
For ICS, much can be learned from IT on cyber security. However, there are significant differences between IT and ICS in terms of cyber security. Firstly, in IT, cyber security is concerned with data, whilst in ICS it is concerned with critical assets (see Figure to the right). In the event of a security breach, the major risk in IT would be delay of business operations (financial impact), while in ICS the major risk would be potential loss of lives, environmental impacts, and/or asset (equipment, production and reputation) damage (see Figure below).
The figure below [2] illustrates how security breaches could lead to hazardous consequences in ICS. This is also the reason why the latest edition of IEC 61511 (edition 2 issued in 2016) [1] explicitly requests a security risk assessment.
In a series of blogs, I’ll examine the major differences between IT and ICS in terms of cyber security.
ESC offers a range of cyber security services to support the functional safety of ICS, including cyber security training, cyber security risk assessment and cyber security management system; see ESC’s Industrial Control Systems Cyber Security page for more details.
References
[1] IEC 61511:2016, Functional safety – Safety instrumented systems for the process industry sector.
[2] Draft IEC Guide 120 Edition 1, Security aspects – Guidelines for their inclusion in standards. January 2017.