Understanding of threats to ICS has grown rapidly over the last few years. While the security industry has developed as a response largely to threats against data and data systems, ICS involves industrial processes and control systems. The cyber threat evolved when these systems, with little cybersecurity background, started to be attached to the internet.
"Until a few decades ago," explains Udo Helmbrecht, director of ENISA, "ICS functioned in discrete, separated environments, but nowadays they are often connected to the Internet. This enables streamlining and automation of industrial processes, but it also increases the risk of exposure to cyber-attacks."
The nature of ICS at the heart of the processes that drive critical national infrastructures makes the potential impact of cyber incidents inevitably severe at both a personal and national economy level. "ICS cyber-attacks are more likely to cause significant damage due to the nature of the sectors where control systems are found," notes the report. "For example, a cyber-attack that takes an electrical power station offline, even for a limited amount of time, could cause significant economic damage and create the potential for injury and/or loss of life." The primary purpose of this manual is to help industry develop specific ICS cyber emergency response capabilities (ICS-CERC).
The advice on how to establish and operate ICS-CERC uses four categories: mandate capabilities (discussing the differences between ICS-CERC and traditional ICT-CERC); technical capabilities (discussing the services to be provided in the main phases of the incident management cycle); organizational capabilities (discussing operational aspects, and personnel and qualifications); and co-operational capabilities (discussing the need for and advantages in both national and international cooperation between ICS CERTs).
One of the main conclusions to come from the guide is a fundamental difference between ICT and ICS security. In the former, 'integrity of data' is often considered to be the prime motivator within the CIA (confidentiality, integrity and availability) triumvirate of requirements. But in ICS, the continuing 'availability of the process' is the most important.
Another conclusion is that there is as-yet insufficient cybersecurity expertise in operating ICS. But, says ENISA, "Given the potential significant damage of ICSs, the hiring process for ICS-CERC teams requires staff to be vetted thoroughly, and consideration should be given to many things, for example, an individual's ability to perform under pressure and response willingness during non-working hours."
And finally, the manual stresses the need for cooperation between ICS CERTs. "The importance of cooperation at both the domestic and international level must be recognised," says ENISA.