Industrial control systems (ICS) cybersecurity is a branch of general cybersecurity in which the systems being protected have physical characteristics which if compromised can lead to down-time, injury or death, and economic loss.
Industrial control systems include supervisory control and data acquisition (SCADA) systems, localized work-cells, enterprise control systems, and cloud-based factory collection systems. Traditional information technology (IT) systems differ from operational technology (OT) systems primarily in their cybersecurity priorities. In general, IT systems defend against data extractions. Encryption used to provide confidentiality is of primary concern. In OT systems, confidentiality is no longer of paramount concern. While eavesdropping can lead to reverse engineering of proprietary factory methods and design, it is usually more important to keep the factory running. Therefore, technologies must assure that both cybersecurity controls and cyber-attack do not limit or prevent the capability of the factory running with high availability. Table 1 lists the priorities of IT and OT systems. It is important for IT professionals to recognize that wireless security practices used in the office may not be available for factory deployments. If they are available, they may not be desirable to maintain system availability. Securing the industrial network can be summarized in the following considerations:
- Secure the physical environment;
- Secure the end-points;
- Secure the controller;
- Secure network transmissions/data.
Industrial wireless networks have the same consideration as wired networks with the addition of protecting the electromagnetic spectrum allocated for the industrial wireless network operation.
 |
| Table 1 - Typical Priorities of IT and OT Systems |
The number of devices connecting to industrial networks is increasing at a rapid rate. It exposes systems to security breaches and cyberattacks. As a result, security is paramount for industrial operations. Some manufacturers think wireless will create new vulnerabilities in the network that may result in potential threats. Just making the wireless network accessible through a password is not adequate. One key concern is how to identity and eliminate rogue access points. Therefore, wireless intrusion detection systems and intrusion prevention systems are in demand.
In addition, isolation of production devices on a separate network from corporate networks, internet traffic, and phone and surveillance systems is necessary. In other words, one can employ an “island” approach to networking that limits the movement of traffic and devices between islands. By properly segmenting a network, it can limit movement between networks to appropriate devices and block the movement of devices that are unnecessary or provide little value.
Reprinted from Guide to Industrial Wireless Systems Deployments produced by The National Institute of Standards and Technology. A free copy of this entire publication is available here.
