Cyber Security – How is ICS different from IT? (Part 1)

Cyber security has always been a concern in the general Information Technology (IT) environment, but it was not a concern for Industrial Control Systems (ICS) until recent years (IEC 61511 [1] requested a security risk assessment in its 2016 edition). This is because ICS was traditionally built using bespoke hardware and software (immune from malware) and separated from the outside world by air gaps (not susceptible to remote cyber attacks). Cyber security has increasingly become an issue for ICS due to:

  • the increasing use of Commercial Off The Shelf (COTS) software and hardware
  • the increasing connectivity between ICS and the enterprise network
  • the adoption of standard network protocols such as TCP/IP

How is ICS different from IT?

For ICS, much can be learned from IT on cyber security. However, there are significant differences between the two. Firstly, in IT, cyber security is concerned with data, whilst in ICS it is concerned with critical assets (see figure to the right). In the event of a security breach, the major risk in IT would be delay of business operations (financial impact), while in ICS the major risk would be potential loss of lives, environmental impacts, and/or asset (equipment, production and reputation) damage (see figure below).

[Figure: Cyber security environmental impact]

The figure below [2] illustrates how security breaches could lead to hazardous consequences in ICS. This is also the reason why the latest edition of IEC 61511 (edition 2 issued in 2016) [1] explicitly requests a security risk assessment.

[Figure: How security breaches could lead to hazardous consequences in ICS]

In a series of blogs, I’ll examine the major differences between IT and ICS in terms of cyber security.

ESC offers a range of cyber security services in support of the functional safety of ICS, including cyber security training, cyber security risk assessment and cyber security management systems. See ESC’s Industrial Control Systems Cyber Security page for more details.

References

[1] IEC 61511:2016, Functional safety – Safety instrumented systems for the process industry sector.

[2] Draft IEC Guide 120 Edition 1, Security aspects – Guidelines for their inclusion in standards. January 2017.