by Alexander Winnicki, Security Integrator ICS
Critical infrastructure operated by Industrial Control Systems (ICS) forms the backbone of modern societies. However, unlike safety, cyber security in ICS has not been addressed at a level adequate to the criticality of these systems. Most ICS and their communication protocols were designed and implemented in the pre-internet era with limited or no security considerations. In the context of the Internet of Things (IoT) and Edge Computing, these systems are becoming increasingly interconnected and expose their vulnerabilities to the internet.
State-of-the-art: ICS are vulnerable to cyber-attacks
The potential consequences of successful cyber-attacks against ICS differ significantly from those against traditional Information and Communication Technology Systems (ICTS), and may include harm to people, environmental damage and damage to equipment. Furthermore, whereas ICTS are regularly updated and replaced, ICS are expected to operate for multiple decades, and often grow and evolve over the years while their components remain in service far longer than their IT counterparts.
In addition, new devices and functionalities introduced into an ICS during its life-span are not always thoroughly documented. As a result, ICS constitute technologically heterogeneous landscapes of both legacy and cutting-edge systems that together contribute to the common goal of operating a process, but where the presence of specific assets, and their contribution to this goal, is not evident.
In contrast to ICTS, ICS have significant limitations regarding component maintenance and replacement, because the orchestrated cyber-physical processes are subject to very stringent availability requirements. Unless absolutely necessary, replacing components of a running ICS is therefore avoided because of the operational and economic impact of halting the respective process.
ICS security needs to be urgently addressed
Given the severe consequences of potential cyber-attacks against ICS, cyber security needs to be established and managed in a systematic manner. Various well-known and acknowledged standards exist for this purpose, such as ISA/IEC 62443 or the NIST Cybersecurity Framework.
However, most of these standards require an inventory of assets as the baseline input for assessing risks and deriving adequate mitigation measures. For instance, risk assessments conducted according to ISA/IEC 62443 include an investigation of the cyber threats that affect each component of an ICS. These threats need to be determined from detailed information about an asset's properties and vulnerabilities, which is not feasible without at least a baseline of the existing assets and their features.
Understanding the link between business goals and ICS assets is fundamental
Moreover, awareness of existing assets makes it possible to link business goals to the specific assets that contribute to them. Understanding this relation allows a company to determine its most critical assets. Knowledge of business-critical assets enables further assessment of business risks, and allows graceful-degradation and disaster-recovery plans to be put in place to minimise damage during and after incidents. It also allows security measures to be prioritised so that the available resources are used as efficiently as possible.
In addition, a structured and thoroughly maintained asset inventory helps to document new devices and functionalities that are introduced during the life-cycle of an ICS, thereby preventing gaps in the documentation. A major advantage of such up-to-date documentation is that it allows patching activities to be tracked and validated automatically, by comparing the firmware and software versions recorded for each asset with the versions actually observed, to ensure that assets are adequately protected.
A comprehensive inventory of assets is therefore indispensable for securing ICS in a systematic manner.
Our approach to establishing asset inventories
To achieve comprehensive results when building asset inventories, the approach of Airbus CyberSecurity consists of tool-based automated asset discovery as well as service-based inventory maintenance by experts.
We detect and analyse existing assets using specialised tools that disclose a wide range of security-relevant information about the discovered assets. For instance, our tools acquire information on an asset's known vulnerabilities and vendor-specific characteristics, which helps to determine adequate mitigation measures. However, despite their automation and significant detection capabilities, these tools cannot build and maintain a comprehensive asset inventory by themselves: passive discovery only sees assets that communicate during the observation window, and cannot by itself decide what a newly observed device is or whether it belongs there. The information gathered by the tools is therefore reviewed, validated and enriched by our domain experts.
The significance of keeping asset inventories up-to-date
An asset inventory must be treated as a living system and updated regularly, because only a thoroughly maintained inventory can serve as the baseline against which newly discovered assets are highlighted and validated. Inventory maintenance can be automated using tool-based asset detection and alerting, followed by expert review and validation. This entire process is best performed as a complete service by experienced specialists. Expert input is particularly important for the correct categorisation of assets (for example by zone and criticality), which is a prerequisite for the subsequent risk analyses and for selecting appropriate mitigation measures.
How our services secure ICS for the long-term and in compliance with relevant standards
Although a set of established standards exists to advance the state-of-the-art of cyber security for ICS towards comprehensive protection, the necessary condition for applying these standards is rarely fulfilled, as most ICS do not have a complete and up-to-date asset inventory.
Based on our cross-industry experience with cyber security for both IT and OT systems, Airbus CyberSecurity supports ICS stakeholders to establish and maintain an asset inventory as the necessary foundation for securing ICS. In addition, our services include further steps to cover the entire cyber security life-cycle.
We have tested and compared the OT security products of the major market leaders, and the expertise we acquired with their tools enables us to customise and integrate these solutions according to specific customer requirements.
We also have experience in the development and maintenance of large asset inventories, which we offer as a service to both internal and external customers.
In addition to detecting assets and integrating them into an existing or newly developed inventory, our service includes the analysis of these assets regarding specific characteristics, such as configurations and vulnerabilities. During this analysis we discover unknown and suspicious devices, communications and configurations, so that they can be investigated and resolved.
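The reconciliation step described above (discovery results checked against the inventory, patch state validated per asset, unexpected communication pathways flagged, and findings ranked by asset criticality) can be illustrated with a small script. This is an added example and not Airbus CyberSecurity's tooling: the baseline inventory, the discovery observations, the observed flows, the allowed zone-to-zone flows and the per-model minimum firmware table are all constructed here for illustration, and the minimum-firmware table stands for an operator's own patch policy rather than any real vendor advisory.

```python
"""Reconcile automated asset-discovery output against an ICS asset inventory.

Added example, not vendor code. All data below is constructed: it describes
no real plant, device, vendor or advisory. Field names are hypothetical.
"""

# Constructed baseline inventory, keyed by MAC: what the operator believes is installed.
BASELINE = {
    "00:0c:29:aa:01:01": {"ip": "10.1.10.11", "model": "PLC-2000", "firmware": "2.8.1",
                          "zone": "control", "criticality": "high"},
    "00:0c:29:aa:01:02": {"ip": "10.1.10.12", "model": "PLC-2000", "firmware": "3.0.0",
                          "zone": "control", "criticality": "high"},
    "00:0c:29:aa:02:01": {"ip": "10.1.20.5", "model": "HMI-X", "firmware": "1.4.2",
                          "zone": "supervisory", "criticality": "medium"},
    "00:0c:29:aa:02:09": {"ip": "10.1.20.9", "model": "HIST-1", "firmware": "5.2.0",
                          "zone": "supervisory", "criticality": "low"},
}

# Hypothetical minimum firmware per model required by the operator's patch policy.
MIN_FIRMWARE = {"PLC-2000": "3.0.0", "HMI-X": "1.4.2", "HIST-1": "5.3.1"}

# Constructed allowed pathways (source zone, destination zone, protocol); in practice
# derived from the zone-and-conduit design of the plant.
ALLOWED_FLOWS = {("supervisory", "control", "modbus"), ("supervisory", "supervisory", "opcua")}

# Constructed observations, in the shape a passive discovery tool might emit.
OBSERVATIONS = [
    {"mac": "00:0c:29:aa:01:01", "ip": "10.1.10.11", "firmware": "2.8.1"},
    {"mac": "00:0c:29:aa:01:02", "ip": "10.1.10.12", "firmware": "3.1.0"},  # version drift
    {"mac": "00:0c:29:aa:02:01", "ip": "10.1.20.5", "firmware": "1.4.2"},
    {"mac": "00:0c:29:bb:ff:01", "ip": "10.1.10.77", "firmware": None},     # not in inventory
]
FLOWS = [  # constructed (source MAC, destination MAC, protocol) conversations seen on the wire
    ("00:0c:29:aa:02:01", "00:0c:29:aa:01:01", "modbus"),
    ("00:0c:29:bb:ff:01", "00:0c:29:aa:01:02", "modbus"),  # unknown device talking to a PLC
    ("00:0c:29:aa:02:01", "00:0c:29:aa:01:02", "http"),    # protocol absent from the design
]


def parse_version(v):
    """Dotted version string -> tuple of ints, so "10.0.0" sorts after "9.9.9"."""
    return tuple(int(p) for p in v.split("."))


def reconcile(baseline, observations):
    """Split discovery output into unknown, missing and changed assets."""
    seen = {o["mac"]: o for o in observations}
    unknown = sorted(m for m in seen if m not in baseline)       # needs expert validation
    missing = sorted(m for m in baseline if m not in seen)       # silent, removed, or not yet observed
    changed = {}
    for mac, obs in seen.items():
        if mac in baseline and obs["firmware"] and obs["firmware"] != baseline[mac]["firmware"]:
            changed[mac] = (baseline[mac]["firmware"], obs["firmware"])  # inventory record is stale
    return {"unknown": unknown, "missing": missing, "changed": changed}


def patch_status(baseline, observations, min_fw):
    """Per asset: 'ok', 'behind' or 'unknown-model', trusting the observed version over the record."""
    observed = {o["mac"]: o["firmware"] for o in observations if o["firmware"]}
    status = {}
    for mac, asset in baseline.items():
        running = observed.get(mac, asset["firmware"])
        required = min_fw.get(asset["model"])
        if required is None:
            status[mac] = "unknown-model"
        else:
            status[mac] = "ok" if parse_version(running) >= parse_version(required) else "behind"
    return status


def suspicious_flows(baseline, flows, allowed):
    """Flows whose (source zone, destination zone, protocol) is not in the design."""
    findings = []
    for src, dst, proto in flows:
        src_zone = baseline.get(src, {}).get("zone", "unknown")
        dst_zone = baseline.get(dst, {}).get("zone", "unknown")
        if (src_zone, dst_zone, proto) not in allowed:
            findings.append((src, dst, proto, src_zone, dst_zone))
    return findings


def prioritise(baseline, status):
    """Assets behind the patch policy, most critical first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    behind = [m for m, s in status.items() if s == "behind"]
    return sorted(behind, key=lambda m: (rank[baseline[m]["criticality"]], m))


if __name__ == "__main__":
    delta = reconcile(BASELINE, OBSERVATIONS)
    status = patch_status(BASELINE, OBSERVATIONS, MIN_FIRMWARE)
    print("unknown assets:", delta["unknown"])
    print("missing assets:", delta["missing"])
    print("firmware drift:", delta["changed"])
    print("patch backlog (critical first):", prioritise(BASELINE, status))
    for f in suspicious_flows(BASELINE, FLOWS, ALLOWED_FLOWS):
        print("unexpected flow:", f)
```

Every item the script emits is an input to expert review rather than a verdict: an "unknown" asset may be a legitimately added device that was never documented, a "missing" asset may simply not have communicated during the capture, and a drifted firmware version is a prompt to correct the record, not proof of a patch. Ranking the patch backlog by the criticality recorded in the inventory is what turns the raw findings into the prioritised action plan the text refers to.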
Gain visibility of your assets, communication pathways and potential vulnerabilities
Based on the final results of our analysis, we provide our customers with a prioritised action plan for improving the cyber security of their systems directly, while the asset inventory we establish provides the foundation for securing the systems in the long term and in compliance with recognised standards. In summary, we help our customers to secure their business and prepare for the cyber threats of tomorrow.