Cyber Risk in Modern ICS Calls for Engineered Security
Modern Industrial Control Systems (ICS) combine traditional automation technologies (e.g., sensors, actuators, PLCs and
industrial protocols like Modbus and CIP) with digital information technologies (e.g., Ethernet, Microsoft Windows PCs and Servers, and Internet protocols like TCP/IP and HTTP).
While these newer digital technologies provide many benefits to organizations, they can also inadvertently create exposures to cybersecurity risk, which in turn, if not properly identified and mitigated, could compromise the safety, integrity and reliability of your operations. It makes sense,
then, that organizations are increasingly incorporating cyber risk evaluations into their design, engineering, testing and commissioning activities.
A missing component in current ICS acceptance testing practices, such as Factory Acceptance Testing (FAT) or Site Acceptance Testing (SAT), is cybersecurity. In fact, many organizations have reported that the cybersecurity of their ICS was actually compromised as a result of FAT or SAT. This is not surprising as the goal of FAT/SAT is to verify the functionality of the system – not the cybersecurity. As such, cybersecurity policies, procedures and controls are often bypassed in order to expedite completion of the testing.
aeSolutions believes that ICSs should undergo Cybersecurity Acceptance Testing (CAT) following FAT and/or SAT. CAT should include verification that the system complies with the ICS Cybersecurity Requirements Specification. For example, the required security settings were configured correctly and the necessary security components (e.g. firewalls) were installed and properly configured. Additionally, CAT should include cybersecurity robustness testing, sometimes referred to as penetration testing, which is testing designed to discover and identify the weaknesses or vulnerabilities in a system. This type of testing should not be performed on a production system, but it can be safely performed before the system is operational.
Frequently asked questions
How does aeCyberFAT and aeCyberSAT work?
Put simply, the aeCyberFAT and aeCyberSAT integrates into your FAT and SAT testing plans in order to: (1) identify and document any cybersecurity vulnerabilities found in your ICS, and (2), provide you and your vendor/integrator with documented recommendations to mitigate those vulnerabilities.
How does it integrate into the FAT/SAT?
aeCyberFAT and aeCyberSAT provides a comprehensive set of ICS cybersecurity testing and validation scripts. Each script is designed to inspect and/or test a specific component of the system looking for any known vulnerabilities that might typically be found in that type of component. Your aeSolutions team will systemically follow these scripts, testing each component in turn, scoring every test as Pass/Fail along with recording other pertinent information about the test, the specific component, and any related findings.
All the tests are fully documented, but failing scores are also entered into your project’s punch-list for follow-up and resolution. In this way (i.e., by integrating into the official ‘punch list’), cybersecurity vulnerabilities are treated no differently than other punchlist items and are fully integrated into your testing process, prioritizations for resolution, and project documentation.
Is there any difference in process for FAT vs. the SAT?
Typically, the FAT scripts (or a selected subset of them) are repeated in the SAT to ensure that the mitigations have been correctly applied and are working. Additionally, during the SAT some items not typically configured in the FAT can be tested – for example, any connections to the corporate network, connections to the Internet for remote access, etc.