homepage
Open menu
Go one level top
  • Train and Certify
    • Overview
    • Get Started in Cyber
    • Courses
    • GIAC Certifications
    • Training Roadmap
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • Scholarship Academies
    • NICE Framework
    • Specials
  • Manage Your Team
    • Overview
    • Group Purchasing
    • Why Work with SANS
    • Build Your Team
    • Hire Cyber Talent
    • Team Development
    • Private Training
    • Security Awareness Training
    • Leadership Training
    • Industries
  • Resources
    • Overview
    • Internet Storm Center
    • White Papers
    • Webcasts
    • Tools
    • Newsletters
    • Blog
    • Podcasts
    • Posters & Cheat Sheets
    • Summit Presentations
    • Security Policy Project
  • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Cyber Security Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    • About SANS
    • Our Founder
    • Instructors
    • Mission
    • Diversity
    • Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. ICS OT Systems Engineering is Not Dead
Isiah Jones

ICS OT Systems Engineering is Not Dead

This blog includes excerpts of Isiah Jones' paper: ICS OT Systems Engineering is Not Dead

March 20, 2020

Systems Security Engineering? For ICS?

So, what exactly is Systems Security Engineering? How does it apply to ICS OT? What resources exist that should be used in a disciplined Systems Security Engineering culture and methodology? Systems Security Engineering has become in many cases a forgotten skillset and disciplined multidisciplinary art that merges multiple worlds into a methodical, rigorous set of practices. NIST SP 800-160 was created to educate the engineering and cyber communities on the basics of system security engineering. Now more than ever it must see a revival and more specifically that revival must occur within the ICS OT community to make all societies safer, more secure and more resilient long-term. ISA and IEC have worked together to create a life cycle of international security and safety standards such as ISA/IEC 62443 and ISA84/IEC 61511. Various parts of the 62443 such as 3-3 for system level security capabilities, 4-1 for secure by design systems development and 4-2 for component and device level security capabilities can and should be leveraged throughout a rigorous systems security engineering discipline and set of practices. The key stakeholders I must address in system security engineering for ICS OT are the vendors and OEMs, integrators and solutions providers, asset owners and operators and dedicated full-time ICS OT cybersecurity focused professionals. The chain is only as strong as its weakest link. Systems Security Engineering requires all stakeholders to participate throughout the lifecycle of assets and operations that directly impact the safety, security and resiliency of societies and the infrastructures they depend on.

Why do we need it?

Many in industry have appeared to have abandoned the idea that secure design, security hardening, in-depth and robust prevention and protection can be done for industrial control systems (ICS) or operational technology (OT) as it is known today. As a career systems and cybersecurity professional I believe otherwise. I believe it is a societal imperative, due care, due diligence, and standard of good practices responsibility for all ICS OT, Industrial Internet of Things (IIoT), Internet of Things (IoT) and critical embedded devices to be designed, acceptance tested, validated, integrated, implemented, operated and maintained with safe, secure and resilient functional capabilities. I believe all stakeholders throughout the asset, environment, societal and ICS OT dependent infrastructure ecosystems should develop and maintain a proactive security culture and mindset throughout the life cycle of assets and operations. I believe that to not do so would put the very infrastructures, raw materials, consumed products, goods and services that society depends on at unnecessary and preventable risk. I believe this is especially paramount in this new era of technology convergence and integration of the physical, electronic, communications, societal and digital worlds. To many Systems Security Engineering is a lost art and a forgotten skillset within cybersecurity. However, when it comes to ICS OT IIoT IoT and critical embedded devices such as chillers, boilers, pumps, valves, breakers, safety systems and implantable medical devices, systems security engineering is absolutely essential.

Conclusion

In this new decade, the new roaring 20s of this 21st century, containing this fourth industrial age, a revival of systems security engineering should be seen as a societal imperative that is no longer optional. Systems security engineering is especially paramount for ICS OT use cases such as IIoT and IoT integration. It is unsafe and unwise for society to continue down the path of automate everything, converge everything and make everything smart without ensuring a social construct that embeds systems security engineering rigor into everything that we make, integrate and operate. The leaders of this new era will be those who have the fortitude to put societal safety, security and resilience above their financial and or political bottom line. How do we measure the cost to society moving forward if we continue to neglect systems security engineering as a culture? The next couple of decades will be the final judge as we build out the infrastructures of tomorrow today without thinking of the future. The wise will leverage NIST SP 800-160 in combination with ISA/IEC 62443 3-3, 4-1, 4-2 and ISA84/IEC 61511 to ensure that all ICS OT is built, verified, tested, validated, integrated, operated, maintained and disposed of from a systems security engineering rigor perspective as a cultural way of life across all domains and all levels of society.


About the Author

Isiah Jones is a Senior ICS OT Cybersecurity Engineer and Cyber professional with 15 years of progressive experiences in various aspects of IT, security, assurance, and ICS OT. Working exclusively on ICS security since 2014. Isiah has performed ICS OT cybersecurity work in the Middle East, East Africa, Europe, Hawaii, and throughout the continental United States. Isiah has delivered cyber IT or ICS OT security services or support for the US Navy, US Marine Corps, Siemens, FERC, and many commercial asset owners, ICS OEMs, ICS integrators and operators across several sectors and asset type verticals globally.
Isiah has held national security clearances as high as TS/SCI and Q. He has had a network of affiliations that reach into the US intelligence community, Defense community, US Congress, FERC, Department of Energy, Depart of Homeland Security, Department of Commerce, National Labs, ICS OEM vendors, ICS integrators, and asset owners/operators. He is a former US Navy civil services Information Assurance Officer (IAO) and Systems Analyst as well as a former FERC civil services GS-15 subject matter expert on ICS OT cybersecurity for US national security critical energy infrastructures. He is also a former ICS OT cyber mission assurance and Information Systems Security Engineering (ISSE) consultant and contractor. He is an active volunteer contributor on multiple working groups within the ISA/IEC 62443 international standards committee, the ISA84 standards committee working group for cybersecurity for safety systems as well as multiple committees within American Water Works Association (AWWA). He brings well rounded experiences, access, insights, connections and visibility into critical infrastructure security issues across many asset types and sectors (water, wastewater, electric, oil, gas, LNG, building automation, airfields, maritime, hydro dams, manufacturing, life sciences, logistics & warehouse, ERP etcetera).

For the full paper, download it here.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Industrial Control Systems Security

Related Content

Blog
340x340-Blog-8-Reasons_ICS-2022[46].jpg
Industrial Control Systems Security
May 5, 2022
8 Reasons You Don’t Want to Miss SANS ICS Security Summit & Training 2022
ICS Security Summit & Training kicks off June 1. Register today.
SANS ICS
read more
Blog
ICS_Blog_Series-_A_Look_into_ICS-Part_22.jpg
Industrial Control Systems Security
April 4, 2022
A Look Into ICS612: ICS Cybersecurity In-Depth: Part 2
In OT security, you'll eventually be placed in an environment where you'll face the pressures of dealing with a process that's not responding.
370x370_jeffrey-shearer.jpg
Jeffrey Shearer
read more
Blog
Untitled_design-43.png
Digital Forensics and Incident Response, Cybersecurity and IT Essentials, Industrial Control Systems Security, Purple Team, Open-Source Intelligence (OSINT), Penetration Testing and Ethical Hacking, Cyber Defense, Cloud Security, Security Management, Legal, and Audit
December 8, 2021
Good News: SANS Virtual Summits Will Remain FREE for the Community in 2022
They’re virtual. They’re global. They’re free.
Emily Blades
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cyber Security Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2022 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn