Industrial Control Systems (ICS) play a vital role in critical infrastructures, such as power distribution, oil and natural gas distribution. They are also at the core of medical devices, alarm systems, and transportation management.
These control systems are increasingly interconnected, integrating Information Technology (IT) and Operational Technology (OT). This convergence exposes critical infrastructures to greater cybersecurity risks, which can not only disrupt production but also compromise worker safety, facilities, and the environment.
Therefore, assessing the cybersecurity of an industrial system is of utmost importance in today’s landscape, where digital threats are constantly evolving.
For new systems, incorporating cybersecurity assessments from the early design stages helps build robust and resilient systems. This proactive approach, known as “Security by Design,” aims to identify and mitigate potential vulnerabilities before the system is even deployed. For existing installations, cybersecurity assessments often face challenges such as infrastructure heterogeneity, equipment obsolescence, and IT/OT convergence, which increases the attack surface.
In both cases, assessing the cybersecurity of industrial facilities enables the implementation of adequate protective measures. It complements other expertise areas (Safety, IT) by providing an essential layer of protection against digital threats, significantly reducing the risk of compromise and ensuring optimal operational continuity.
OT Cybersecurity: State of the Art
IT and OT: Exploring the Challenges of an Inevitable Convergence
- IT and OT: Understanding the Two Systems
- IT/OT Convergence
- Components of an OT System
- Industrial Cybersecurity: Standards and Best Practices
Find this section in a dedicated article: link
CERMA Methodology and Integrated Cybersecurity/Safety Approach
- Evaluation and Securing an OT System
- Maintaining Safety Conditions
- A Word on the Convergence of Cybersecurity and Safety (Safety)
Find this section in a dedicated article: link
The convergence between Information Technology (IT) and Operational Technology (OT) represents a major shift in contemporary industrial environments. This convergence aims to integrate traditional IT systems with the equipment and physical processes used in industrial production, creating interconnected and interdependent systems. It reflects a growing recognition of the importance of connectivity between IT systems and industrial control systems to enhance operational efficiency, flexibility, and innovation capabilities of businesses.
At the same time, the convergence between Cybersecurity and Safety is another crucial aspect of the evolution of industrial environments. It aims to address the risks related to cybersecurity and process safety in a cohesive manner to ensure the overall safety and security of industrial operations.
By combining these two convergences, companies aim to tackle the complex security challenges in modern industrial environments.
Although the practice of Security by Design is still rare among companies, it represents the most effective strategy to protect industrial systems from cyber threats. By combining rigorous standards, risk analysis methodologies, advanced technologies, solid management practices, and an integrated approach to cybersecurity and safety, companies can better prepare to face the growing threats. Implementing security from the design phase not only creates more robust systems but also reduces the costs and efforts needed to address vulnerabilities identified afterward.
References :
Book
[1]. ACKERMAN, P. (2021). Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment Packt Publishing
Thesis
[2]. CHEMALI, R. (2021). Méthodologie orientée sûreté de fonctionnement pour la cybersécurité des systèmes de contrôle-commande; [Thèse de Doctorat, Université de Lille]. https://theses.hal.science/tel-04198264v1
Reports
[3]. ANSSI. (2018, Décembre). Cybersécurité pour la maintenance des installations industrielles. https://cyber.gouv.fr/publications/la-cybersecurite-des-systemes-industriels
[4]. ANSSI, (2014, Octobre). Mesures détaillées. https://cyber.gouv.fr/sites/default/files/2014/01/securite_industrielle_GT_details_principales_mesures.pdf
[5]. Rockwell Automation. (2022, Mars). Securely Traversing IACS Data across the Industrial Demilitarized Zone Design and Implementation Guide, https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td009_-en-p.pdf
[6]. Cigref. (2019,Décembre). Convergence IT/OT. Un rapprochement fructueux des systèmes d’information et des systèmes industriels, https://www.cigref.fr/un-rapprochement-fructueux-des-systemes-industriels-et-des-systemes416 dinformation-convergence-it-ot
[7]. Clusif. (2021, Février). Guide cybersécurité des systèmes industriels, https://clusif.fr/publications/guide418 cybersecurite-des-systemes-industriels-2021/
Standards
[8]. NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security.
[9]. IEC 62443-3-2. Juin 2020. Security for industrial automation and control systems – Part 3-2: Security risk assessment for system design
[10]. IEC 62443-3-3. Août 2013. Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
Websites
[11]. America’s Cyber Defense Agency. Consulté en avril 2024 sur https://www.cisa.gov/uscert/ics/Recommended427 Practices
[12]. Nicaise, V. (2020, Juillet) consulté en avril 2024 sur https://www.stormshield.com/fr/actus/iec-62443-le-standard429 incontournable-de-la-cybersecurite-industrielle/
[13]. HAUET, JP. (Octobre, 2016). Processus et normes de cybersécurité dans l’industrie L’IEC 62443 consulté en avril 2024 sur https://archive.g-echo.fr/20161005-hauet-kb.pdf
[14]. KASPERSKY (2021, Octobre) APT Attacks on industrial organizations in H1 2021 consulté en Avril 2024 sur
433 https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf
[15]. NIST (2023, Juillet) Computer security ressource center, consulté en Avril 2024 sur
436 https://csrc.nist.gov/publications/sp
[16]. Industrie du futur . (2020, Décembre) consulté en avril 2024 sur https://industrie-du-futur.info/larchitecture-opc-ua438 repond-aux-attentes-des-reseaux-dautomatismes-industriels-daujourdhui
