Cyber Risk in Modern ICS Calls for Engineered Security
A missing component in current ICS acceptance testing practices, such as Factory Acceptance Testing (FAT) or Site Acceptance Testing (SAT), is cybersecurity. In fact, many organizations have reported that the cybersecurity of their ICS was actually compromised as a result of FAT or SAT. This is not surprising as the goal of FAT/SAT is to verify the functionality of the system – not the cybersecurity. As such, cybersecurity policies, procedures and controls are often bypassed in order to expedite completion of the testing.
aeSolutions believes that ICSs should undergo Cybersecurity Acceptance Testing (CAT) following FAT and/or SAT. CAT should include verification that the system complies with the ICS Cybersecurity Requirements Specification. For example, the required security settings were configured correctly and the necessary security components (e.g. firewalls) were installed and properly configured. Additionally, CAT should include cybersecurity robustness testing, sometimes referred to as penetration testing, which is testing designed to discover and identify the weaknesses or vulnerabilities in a system. This type of testing should not be performed on a production system, but it can be safely performed before the system is operational.
Modern Industrial Control Systems (ICS) combine traditional automation technologies (e.g., sensors, actuators, PLCs and industrial protocols like Modbus and CIP) with digital information technologies (e.g., Ethernet, Microsoft Windows PCs and Servers, and Internet protocols like TCP/IP and HTTP).
While these newer digital technologies provide many benefits to organizations, they can also inadvertently create exposures to cybersecurity risk, which in turn, if not properly identified and mitigated, could compromise the safety, integrity and reliability of your operations. It makes sense, then, that organizations are increasingly incorporating cyber risk evaluations into their design, engineering, testing and commissioning activities.