Industrial control systems cybersecurity.ppt

  1. INDUSTRIAL CONTROL SYSTEM (ICS) CYBER SECURITY
     Dr. Mofeed Turky Rashid, Electrical Eng. Dep., Basrah University
     Huda Ameer Zeki, Computer Science Dep., Shatt Al-Arab Uni. College
     National Institute of Standards and Technology (NIST) Special Publication 800-82 Revision 2, https://www.nist.gov/
  2. OUTLINE
     • Introduction to Industrial Control Systems (ICS).
     • Supervisory Control and Data Acquisition (SCADA).
     • Distributed Control Systems (DCS).
     • Programmable Logic Controller (PLC).
     • Comparing ICS and IT Systems Security.
     • The Risk Management Process.
     • ICS Security Architecture.
     • Authentication and Authorization.
     • Applying Security Controls to ICS.
  3. INTRODUCTION TO ICS
     ICS is a general term that encompasses several types of control systems, including:
     • Supervisory control and data acquisition (SCADA) systems.
     • Distributed control systems (DCS).
     • Other control system configurations such as Programmable Logic Controllers (PLC).
     • Human Machine Interfaces (HMIs).
     • Remote diagnostics and maintenance tools built using an array of network protocols.
  4. ICS that control industrial processes are typically used in the following industries:
     • Electrical.
     • Water and wastewater.
     • Oil and natural gas.
     • Chemical.
     • Transportation.
     • Pharmaceutical.
     • Pulp and paper.
     • Food and beverage.
     • Discrete manufacturing (e.g., automotive, aerospace, and durable goods).
  5. INDUSTRIAL CONTROL SYSTEM OPERATION
     [Figure: ICS operation diagram. Labelled elements: Controlled Processes, Sensors, Actuators, Controller, Human Machine Interface (HMI), Remote Diagnostics and Maintenance, Disturbances, Inputs, Outputs.]
  6. SCADA SYSTEMS
     • SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time.
     • Typical hardware includes a control server placed at a control center, communications equipment (e.g., radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of Remote Terminal Units (RTUs) and/or PLCs, which control actuators and/or monitor sensors.
  7. SCADA SYSTEM GENERAL LAYOUT [figure]
  8. DISTRIBUTED CONTROL SYSTEMS (DCS)
     • DCS are used to control production systems within the same geographic location for industries such as oil refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants, automotive production, and pharmaceutical processing facilities.
     • DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process. A DCS uses a centralized supervisory control loop to mediate a group of localized controllers that share the overall tasks of carrying out an entire production process.
  9. DCS IMPLEMENTATION EXAMPLE [figure]
  10. PROGRAMMABLE LOGIC CONTROLLER (PLC)
     • PLCs are used in both SCADA and DCS systems as the control components of an overall hierarchical system to provide local management of processes through feedback control.
     • PLCs are also implemented as the primary controller in smaller control system configurations to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls.
     • PLCs have a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, PID control, communication, arithmetic, and data and file processing.
  11. PLC CONTROL SYSTEM IMPLEMENTATION EXAMPLE [figure]
  12. COMPARING ICS AND IT SYSTEMS SECURITY
     ICS control the physical world, while IT systems manage data. ICS have many characteristics that differ from traditional IT systems, including:
     • Significant risk to the health and safety of human lives.
     • Serious damage to the environment.
     • Financial issues such as production losses and negative impact to a nation's economy.
     • ICS have different performance and reliability requirements, and also use operating systems and applications that may be considered unconventional in a typical IT network environment.
  13. The following are some special considerations when addressing security for ICS:
     • Timeliness and Performance Requirements.
     • Availability Requirements.
     • Risk Management Requirements.
     • Physical Effects.
     • System Operation.
     • Resource Constraints.
     • Communications.
     • Change Management.
     • Managed Support.
     • Component Lifetime.
     • Component Location.
  14. THE RISK MANAGEMENT PROCESS
     The risk management process has four components: Framing, Assessing, Responding and Monitoring.
  15. ICS SECURITY ARCHITECTURE
     • It is usually recommended to separate the ICS network from the corporate network.
     • Internet access, FTP, email, and remote access will typically be permitted on the corporate network but should not be allowed on the ICS network.
     • If ICS network traffic is carried on the corporate network, it could be intercepted or be subjected to attacks.
     • By having separate networks, security and performance problems on the corporate network should not be able to affect the ICS network.
     • If the networks must be connected, it is recommended that only minimal (single if possible) connections be allowed and that the connection is through a firewall and a demilitarized zone (DMZ).
     • A DMZ is a separate network segment that connects directly to the firewall.
  16. NETWORK SEGMENTATION AND SEGREGATION
     • The aim of network segmentation and segregation is to minimize access to sensitive information for those systems and people who don't need it, while ensuring that the organization can continue to operate effectively.
     • Traditionally, network segmentation and segregation is implemented at the gateway between domains.
     • ICS environments often have multiple well-defined domains, such as:
       - operational LANs;
       - control LANs;
       - operational DMZs;
       - gateways to non-ICS domains;
       - less trustworthy domains such as the Internet and the corporate LANs.
     • Network segregation involves developing and enforcing a rule set controlling which communications are permitted through the boundary.
  17. FIREWALLS
     Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures. There are three general classes of firewalls:
     • Packet filtering firewalls, at layer 3 (transport), filtering by IP (more delay).
     • Stateful inspection firewalls, at layer 4 (TCP/UDP) (complex and expensive).
     • Application-proxy gateway firewalls, at the application layer (overheads and delay).
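The rule set that slides 15-17 call for, written out as an added example (not code from the slides or from NIST SP 800-82): a stateful boundary filter between a corporate LAN, an ICS DMZ and a control LAN, with an explicit allow list and default deny, so the only path from corporate users to a PLC runs through the DMZ historian. The subnets, the historian, and the port numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Iterable, Set, Tuple
import ipaddress

# Constructed address plan (assumption): one subnet per domain from slide 16.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),   # operational DMZ, e.g. a historian
    "control":   ipaddress.ip_network("10.3.0.0/24"),   # control LAN with PLCs/RTUs
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Explicit allow list; any flow not listed is denied (default deny), so the
# only path from the corporate LAN to a PLC runs through the DMZ historian.
ALLOW = [
    Rule("corporate", "dmz", "tcp", 443),  # corporate users read the historian over HTTPS
    Rule("dmz", "control", "tcp", 502),    # historian polls PLCs over Modbus/TCP (port 502)
]

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

class BoundaryFirewall:
    """Stateful boundary filter: new connections are checked against the rule
    set, replies are admitted only for connections already in the state table."""
    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: Set[Rule] = set(rules)
        self.state: Set[Tuple[str, str, str, int]] = set()

    def new_connection(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is None or dst is None:
            return "deny"                       # unknown address space never crosses the boundary
        if src == dst:
            return "allow"                      # same domain: the boundary is not involved
        if Rule(src, dst, proto, dport) not in self.rules:
            return "deny"                       # default deny
        self.state.add((src_ip, dst_ip, proto, dport))
        return "allow"

    def reply(self, src_ip: str, dst_ip: str, proto: str, sport: int) -> str:
        """Server-to-client packet: allowed only if the forward connection exists."""
        return "allow" if (dst_ip, src_ip, proto, sport) in self.state else "deny"
```

A plain packet filter (the first class on slide 17) would have to open the reply direction with a static rule; the state table is what lets the stateful class admit replies without one.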
  18. FIREWALL BETWEEN CORPORATE NETWORK AND CONTROL NETWORK [figure]
  19. FIREWALL AND ROUTER BETWEEN CORPORATE NETWORK AND CONTROL NETWORK [figure]
  20. FIREWALL WITH DMZ BETWEEN CORPORATE NETWORK AND CONTROL NETWORK [figure]
  21. PAIRED FIREWALLS BETWEEN CORPORATE NETWORK AND CONTROL NETWORK [figure]
  22. AUTHENTICATION AND AUTHORIZATION
     • An ICS may contain a large number of systems, each of which must be accessed by a variety of users. Performing the authentication and authorization of these users presents a challenge to the ICS.
     • Authentication and authorization can be performed using either a distributed or a centralized approach.
     • Managing these users' accounts can be problematic as employees are added, removed, and as their roles change.
     • As the number of systems and users grows, the process of managing these accounts becomes more complicated.
     • The authentication of a user or system is the process of verifying the claimed identity.
     • Authorization, the process of granting the user access privileges, is determined by applying policy rules to the authenticated identity and other relevant information. Authorization is enforced by some access control mechanism.
     • The authentication process can be used to control access to both systems (e.g., HMIs, field devices, SCADA servers) and networks (e.g., remote substation LANs).
  23. APPLYING SECURITY CONTROLS TO ICS
     Executing the Risk Management Framework tasks for Industrial Control Systems.
  24. STEP 1: CATEGORIZE INFORMATION SYSTEM
     • The first activity in the Risk Management Framework (RMF) is to categorize the information and information system according to the potential impact of loss.
     • For each information type and information system under consideration, the three security objectives defined by the Federal Information Security Modernization Act (FISMA) (confidentiality, integrity, and availability) are associated with one of three levels of potential impact should there be a breach of security.
     • The standards and guidance for this categorization process can be found in FIPS 199 and NIST SP 800-60.
     • The following ICS example is taken from FIPS 199:
  25. A power plant contains a SCADA system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. The management at the power plant determines that: (i) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability.
  26. • The resulting security categories, SC, of these information types are expressed as:
        SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)}, and
        SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
      • The resulting security category of the information system is initially expressed as:
        SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}.
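The categorization on slides 25-26 carried through in code, as an added example (not code from the slides or from FIPS 199): it builds the SC of each information type, derives the system SC as the per-objective high water mark, and reduces that to the single impact level used to pick a control baseline (slide 27). The impact levels are the ones quoted on the slides; ranking NA below LOW and flooring a system at LOW follow FIPS 199.

```python
from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Impact levels ranked for the high water mark. NA (not applicable) is only
# valid for the confidentiality of an information type, never for a system.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL = {v: k for k, v in RANK.items()}
SecurityCategory = Dict[str, str]

def categorize(confidentiality: str, integrity: str, availability: str) -> SecurityCategory:
    """SC of one information type: {(confidentiality, x), (integrity, y), (availability, z)}."""
    sc = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    for objective, level in sc.items():
        if level not in RANK or (level == "NA" and objective != "confidentiality"):
            raise ValueError(f"invalid impact level {level!r} for {objective}")
    return sc

def system_category(*info_types: SecurityCategory) -> SecurityCategory:
    """SC of the system: per objective, the highest level over all information
    types it handles (the FIPS 199 high water mark); a system is never NA, so
    the floor is LOW."""
    if not info_types:
        raise ValueError("at least one information type is required")
    system: SecurityCategory = {}
    for objective in OBJECTIVES:
        highest = max(RANK[it[objective]] for it in info_types)
        system[objective] = LEVEL[max(highest, RANK["LOW"])]
    return system

def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level (highest objective), which FIPS 200 / SP 800-53 use
    to pick the low, moderate or high control baseline on slide 27."""
    return LEVEL[max(RANK[level] for level in sc.values())]

def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render in the slide's notation, e.g. SC sensor data = {(confidentiality, NA), ...}."""
    body = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return f"SC {name} = {{{body}}}"

# The two information types from slide 25 and the resulting system category.
SENSOR_DATA = categorize("NA", "HIGH", "HIGH")
ADMIN_INFO = categorize("LOW", "LOW", "LOW")
SCADA_SYSTEM = system_category(SENSOR_DATA, ADMIN_INFO)

if __name__ == "__main__":
    print(format_sc("sensor data", SENSOR_DATA))
    print(format_sc("administrative information", ADMIN_INFO))
    print(format_sc("SCADA system", SCADA_SYSTEM), "-> overall impact:", overall_impact(SCADA_SYSTEM))
```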
  27. STEP 2: SELECT SECURITY CONTROLS
     • This framework activity includes the initial selection of minimum security controls planned or in place to protect the information system based on a set of requirements.
     • FIPS 200 documents a set of minimum security requirements covering 18 security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.
     • An overlay is a fully specified set of security controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to the security control baselines described in NIST SP 800-53.
     • In general, overlays are intended to reduce the need for ad hoc tailoring of baselines by organizations through the selection of a set of controls and control enhancements that more closely correspond to common circumstances, situations, and/or conditions.
  28. STEP 3: IMPLEMENT SECURITY CONTROLS
     The security control selection process can be applied to ICS from two different perspectives: (i) new development; and (ii) legacy. For new development systems, the security control selection process is applied from a requirements definition perspective since the systems do not yet exist and organizations are conducting initial security categorizations. The security controls included in the security plans for the information systems serve as a security specification and are expected to be incorporated into the systems during the development and implementation phases of the system development life cycle. In contrast, for legacy information systems, the security control selection process is applied from a gap analysis perspective when organizations are anticipating significant changes to the systems (e.g., during major upgrades, modifications, or outsourcing).
  29. STEP 4: ASSESS SECURITY CONTROLS
     • This activity determines the extent to which the security controls in the information system are effective in their application.
     • NIST SP 800-53A provides guidance for assessing security controls initially selected from NIST SP 800-53 to ensure that they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.
     • To accomplish this, NIST SP 800-53A provides expectations based on assurance requirements defined in NIST SP 800-53 for characterizing the expectations of security assessments by FIPS 199 impact level.
  30. STEP 5: AUTHORIZE INFORMATION SYSTEM
     This activity results in a management decision to authorize the operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
     STEP 6: MONITOR SECURITY CONTROLS
     This activity continuously tracks changes to the information system that may affect security controls and assesses control effectiveness. NIST SP 800-137 provides guidance on information security continuous monitoring.
  31. THANK YOU
