Introduction
In this blog post, we’ll share practical insights from operational experience in managing cybersecurity for industrial control systems (ICS) in process plants. The goal is to help asset owners embark on their journey toward securing plant operations, especially as cyber incidents continue to rise, potentially impacting safety, reliability and financial performance.
Take 1 – Cybersecurity is Not a “Project”; It’s a Continuous Process
- Treat ICS cybersecurity like safety. Ensure senior management is actively engaged, as safety and security both impact process safety and reliability.
- Recognize ICS users as a first line of defense. Invest in user awareness training to promote a cultural shift. Engage users through regular training sessions, quizzes and cybersecurity bulletins.
- Stay informed. Establish processes for regularly reviewing and acting on ICS security advisories from OEMs, CERTs and other trusted sources.
- Implement incident handling processes. Enable ICS users to efficiently report and manage cybersecurity incidents or near-misses to minimize downtime and foster a culture of continuous learning.
- Adopt industry standards. Implement the ISA/IEC 62443 series of standards as a framework for managing ICS security. These provide a comprehensive approach to securing industrial systems.
Take 2 – Do the Basics First, and Do It Right
- Physical security matters. Ensure that all ICS components — including HMIs, servers, engineering stations, control devices, switches and firewalls — are physically secured. Remember: If you can touch it, you can break it.
- Implement basic cybersecurity controls. Focus on system hardening, individual accountability, role-based least-privilege access and control over removable media and remote desktop access.
- Advanced tools are only effective if the basics are in place. Security surveillance and monitoring tools are ineffective if foundational controls like access restrictions and system hardening are not properly implemented.
- Restrict remote and external connections. By default, limit these connections and allow exceptions only when the associated risks have been adequately mitigated.
- Audit and log what matters. Configure audit policies and security logs on all ICS systems locally. Detective controls are essential to track potential incidents and take corrective actions.
- Air-gap safety systems. Isolate safety systems to secure them inherently. Remember: safety systems are our last line of defense.
Take 3 – Avoid Generalizing Risk
- Identify your assets. Develop realistic risk scenarios based on credible threats specific to your assets and systems.
- Avoid emotional engineering — oversimplified, fear-driven projections of cybersecurity risks. Generic risks may not be applicable to your specific assets or systems.
- Consider asset location. Physical location can “mitigate or avoid” certain threats, so assess your asset risk based on geography.
- Perform detailed risk assessments. Maintain an updated asset inventory and assess specific risks to each asset. Communicate these risks clearly to asset owners and stakeholders.
Take 4 – Apply Fit-for-Purpose Controls
- Tailor controls to the risk. Not all assets need the same level of security. For example, an intrusion detection system (IDS) might not be appropriate for stand-alone or physically isolated systems.
- Adopt a “defense in depth” approach to improve the resilience of your control systems. Adding more unrelated controls doesn’t guarantee stronger security. Ensure each layer contributes meaningfully to your risk treatment strategy.
- Identify common cause failures that could compromise all controls simultaneously. Apply truly independent controls to minimize single points of failure.
- Remember, one size doesn’t fit all!
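The common-cause check described in Take 4 can be run against a control inventory. The sketch below is an added example, not part of the original post; the control names, the dependency names and the greedy layer count are assumptions chosen for illustration.

```python
"""Common-cause analysis over a defense-in-depth control set (added example)."""
from collections import defaultdict

# Constructed inventory: each control protecting one risk scenario, mapped to
# the shared services whose failure or compromise would defeat that control.
# All names are hypothetical.
CONTROLS = {
    "perimeter_firewall": {"mgmt_vlan", "corp_active_directory"},
    "hmi_role_based_access": {"corp_active_directory"},
    "ids_sensor": {"mgmt_vlan", "corp_active_directory"},
    "removable_media_control": {"local_admin_credential"},
}


def common_cause_report(controls):
    """Return (dependency, controls defeated with it), most widely shared first."""
    affected = defaultdict(set)
    for control, deps in controls.items():
        for dep in deps:
            affected[dep].add(control)
    shared = [(dep, sorted(c)) for dep, c in affected.items() if len(c) > 1]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def independent_layers(controls):
    """Greedily pick controls that share no dependency with one another.

    This is a heuristic lower bound on the number of truly independent
    layers, not an exact maximum.
    """
    chosen, used = [], set()
    for control in sorted(controls, key=lambda c: (len(controls[c]), c)):
        if not controls[control] & used:
            chosen.append(control)
            used |= controls[control]
    return chosen


if __name__ == "__main__":
    for dep, defeated in common_cause_report(CONTROLS):
        print(f"{dep}: defeats {len(defeated)} controls -> {', '.join(defeated)}")
    layers = independent_layers(CONTROLS)
    print(f"{len(CONTROLS)} controls listed, {len(layers)} independent: {layers}")
```

In this constructed inventory, four controls reduce to two independent layers because three of them rely on the same directory service.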
Take 5 – Implement a Cybersecurity Sustainment Program
- Include cybersecurity sustainment tasks within the plant preventive maintenance (PPM) program. Sustainment of cybersecurity controls is essential for continued safety and reliability.
- Implement basic sustainment controls, including but not limited to periodic operating system patching, antivirus updates, system backups and user access reviews.
- Ensure a robust training and competency management system is in place to keep ICS security personnel’s skills up to date with the evolving threat landscape and emerging technologies.
- Apply change management consistently, especially for ICS security configuration changes, and include these in the management of change (MOC) process. Failing to capture even seemingly simple software changes could have a major impact on safety and availability of plant operations.
Closing Remarks
Effective control system security is a continuous, evolving process that requires a combination of technical measures, user awareness and a structured approach to improvement. By focusing on these practical steps, organizations can reduce risk, strengthen resilience and ensure operational integrity in the face of increasingly complex cybersecurity challenges.