Securing an Industrial Control System (ICS) environment has always been
one of the most important considerations for any business, but as these
systems have evolved from closed, proprietary environments to the modern
IP-connected systems that we see today, the security risk has evolved
with them. Additionally, as the drive towards more connectivity using IP
systems gathers speed, it brings with it all the associated
vulnerabilities and malware that have already been seen in the IT side
of the house. This includes understanding your responsibilities to
comply with various regulation(s) such as the EU NIS Directive, as well
as educating your staff in what to look for and how to report anomalous
behaviour. There has also been a growth in understanding how your risk
may be increased by the lack of security in your Supply Chain.
A modern ICS is subject to all the threats and vulnerabilities that any
normal office network may encounter and, as the attackers are gaining
more knowledge about what these systems actually do, the attack is less
likely to come from the ‘script-kiddies’ who seek notoriety,
but is more likely to come from criminal or state-sponsored groups whose
motivation, resources and skills are far more advanced.
We have successfully been delivering hands-on, instructor-led ICS
Security courses for CPNI/NCSC for over 4 years now. The success of
these courses has grown into a secondary market of individual companies
requiring additional multiple courses, as well as the vendors of
products and services who need to understand what the front-line
business will be demanding from them.
A vital stage in any Development Lifecycle is the testing phase, including FAT and SAT. For any project that is business critical there are several tests to be carried out before ‘Go Live’, and these include checking for known coding errors, a vulnerability check and a penetration test. Once these have been carried out and any high-level findings addressed, the project will be in a much better place!
In addition, the understanding of what to audit and what a satisfactory level of compliance looks like may well vary from system to system and industry sector to industry sector. Having a view of what this bigger picture looks like, as well as understanding the set of metrics that will help prove the current position, is key to any business. After all, security is really difficult to prove when the best result is ‘nothing happens’!
Our courses have been designed to help users understand this approach, whether they are looking into the available Open Source information that a company may not be aware is leaking out to the wider world or carrying out a full penetration test to see what holes there are.
The security discipline of ‘Implementing Secure Systems’ combines the security requirements and ensures that any system is then designed and built the right way, with security as a concern right from the word go.
Applying the concepts from multiple architecture frameworks (TOGAF, SABSA, etc.), it takes the different skills required for Enterprise Security Architecture, Technical Security Architecture and Secure Development to help staff understand the whole concept of secure by design, so that security is built in and not bolted on as an afterthought.