One of the largest problems facing the automation professional is the security of the industrial control systems (ICS) in plants and of the SCADA systems that tie together decentralized facilities such as power, oil, and gas pipelines, water distribution systems, and wastewater collection systems.
These systems are designed to be open, robust, and easily operated and repaired, but not necessarily secure.
Securing industrial control systems requires both mainstream security expertise and control system expertise, acknowledging the operating differences and accepting the similarities.
Factors considered for Industrial Automation security:
- Develop a clear understanding of ICS cyber security.
- Develop a clear understanding of the associated impacts of industry, government, and private citizens on system reliability and security.
- Define cyber threats as widely as possible, including intentional, unintentional, natural, and other electronic threats, such as electromagnetic pulse (EMP) and wireless electronic warfare.
- Develop security technologies and best practices based on actual and expected ICS cyber incidents for field devices.
- Develop academic curricula in ICS cyber security.
- Use suitable IT technologies and best practices to secure workstations that run commercial off-the-shelf (COTS) operating systems.
- Establish ICS processes, systems, personnel, and cyber security standard certification metrics.
- Promote or mandate the adoption of the NIST Framework for Risk Management for all critical infrastructure, or at least the industrial infrastructure subset.
- Establish a global, nongovernmental Cyber Incident Response Team (CIRT) for control systems, staffed with control system expertise, to disclose vulnerabilities and share information.
- Establish, promote and support an open demonstration facility for ICS systems.
- Establish a means to vet ICS experts instead of using traditional security clearances.
- Provide regulation and incentives for cyber security of critical infrastructure industries.
- Develop guidelines similar to the Sarbanes-Oxley Act to ensure that ICS environments are adequately secured.
- Include subject matter experts with experience in the control system at high-level planning sessions for cyber security.
- Change the production culture in critical industries to make security as important as performance and safety.