Information Systems Security Controls Guidance: Industrial Control Systems

Industrial Control Systems

An industrial control system (ICS) consists of combinations of control components like electrical, mechanical, hydraulic, and pneumatic devices that act together to achieve an industrial objective. ICS may be fully automated or may incorporate human input into the processes that the systems carry out.

Advances in technology have led to many improvements to such systems that make them perform better and more cost-efficiently. The systems are as a result safer and more reliable than ever. However, the more reliant that entities are on the functionality of these systems, the more critical it is that they ensure each system has provisions in place to ensure safety and security.

The entity must ensure that these systems are secured against intentional or unintentional interference that could impact the safety and security of BSAT through malfunction or failure of an ICS. Work with the IT department and facility departments to put provisions place to protect the entity’s ICS. An ICS security management system must be a part of the information system security control plan. The plan should directly address systems like:

  • Power
  • Water
  • Water Waste
  • HVAC
  • Transportation

The ICS should function inside the network and be protected by the same antivirus and firewall systems in place for the entity’s computers, servers, and other equipment.

ICS Security Program Development

Incidents that impact the ICS are likely to have a physical impact (e.g. an attack on the HVAC system may shut down the air filtration system), even if the incident is the result of a virtual attack. The Information System Security Control plan should fully describe provisions put in place to mitigate virtual and physical risks to the ICS. Follow the following steps to develop the ICS component of the Information System Security Control plan.

  1. Build a cross-functional team of subject matter experts.
  2. Perform a risk assessment specifically for the entity’s ICS. Identify risks and vulnerabilities to the system. Determine the likelihood and consequence of those risks to determine the threat level.
  3. Define and fully describe policies and procedures to mitigate the risks determined in the risk assessment. These provisions should focus on preventing threats and vulnerabilities to the ICS from occurring.
  4. Implement the ICS security policies and procedures.
  5. Provide policy and security awareness training for ICS staff.
  6. Describe how the entity will patch and update their ICS.
Page last reviewed: September 9, 2020