Dean Parsons

ICS Security Management VS. ICS Attack Targeting

ICS/OT security managers can build an effective team and take an effective approach to risk management.

September 7, 2022

ICS Connectivity: Business Benefits and Cyber Risk

Engineering systems: PLCs (programmable logic controllers), RTUs (remote terminal units), protection control relays, embedded HMIs (human machine interfaces), SIS (safety instrumented systems), DCS (distributed control systems), solenoids, meters, field bus communications, sensors, and actuators. These engineering devices and systems have been operating the critical infrastructure we rely on for decades, inside their own engineering environments. Modern connectivity into ICS has increased data accessibility across traditional IT (information technology) and OT (operational technology) environments, and it brings several business benefits, as shown here:

[Figure: business benefits of ICS connectivity]

However, enabling connectivity to engineering environments that were originally designed to operate in isolation, with inherent trust inside their own networks, leaves these environments exposed. Recent months have seen increased targeting of control systems through impactful cyber-attacks against this now wider and more vulnerable attack surface. These attacks are created and deployed by adversaries-for-hire and rogue nation-states that have the means and the motivation to disrupt operations and cause safety impacts. The good news: ICS/OT cyber security defense is entirely doable with an effective team and an effective approach to risk management!

IT Security Is Not ICS/OT Security

Traditional IT security focuses on moving and securing data at rest or in transit, and on the traditional security pillars of C.I.A. (Confidentiality, Integrity, and Availability). Operational technology/industrial control systems (OT/ICS) manage, monitor, and control real-time engineering systems: they take physical input values and drive control outputs that cause physical actions in the real world. The main priority in OT/ICS is safety and reliability of operations. As ICS/OT security managers, we should never simply "copy and paste" IT security controls into ICS/OT environments. As the US Department of Homeland Security says, "…incident response deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents."

ICS Incident Response Objectives

The objective of industrial control system incident response is to adapt traditional incident response steps to suit engineering environments, prioritizing safety at every single step. This calls for an ICS-specific incident response plan that involves several teams beyond those found in traditional incident response. These may include engineering operators, external control system support vendors, government agencies, physical safety teams, physical security teams, etc., acting on instruction from the owners/operators of the facilities and engineering processes.

[Figure: phases of ICS-specific incident response]

Main objectives for each phase of an ICS-specific incident response engagement:

Preparation - Have well-defined, well-communicated roles and responsibilities, and trained ICS-specific security defenders who understand engineering and can investigate cyber events related to control systems. A cyber defensible position should be part of a well-tested and regularly updated ICS-specific incident response plan.

Threat Detection & Identification - Here, the objective is ICS-specific network visibility and threat identification based on consuming and applying sector-specific threat intelligence.

ICS Incident Response Evidence Acquisition - At this stage, the goal is the ability to fight through the attack while maintaining safety and acquiring key evidence for meaningful and timely forensic analysis.

ICS Time Critical Analysis - In this phase, we continue to fight through the attack, maintaining safety while conducting time-critical analysis. (Traditional IT containment and eradication may cause more damage to ICS than the threats themselves.)

ICS Incident Response Containment - The focus is on preserving operations through logical or physical changes in the control environment that further reduce safety and control system impacts. ICS security, engineering, and operator teams fight through the attack, and evidence and intelligence can be shared for reporting, compliance, legal, and similar purposes.

Eradication & Recovery - Eliminate the threat(s) from the environment(s) once engineering confirms it is safe to do so. Restore engineering systems to their normal operational state and to full production.

Lessons Learned - Apply what was learned to improve response and restoration efforts for future incidents in the engineering environment.

ICS Incident Response Information Sharing - Share relevant tactical, strategic, and operational threat intelligence, along with cyber security lessons learned, that may be useful for defense across the larger ICS and critical infrastructure community.

ICS security managers would do well to host a practical, sector-specific, threat-intelligence-driven ICS incident response tabletop exercise with the applicable ICS security, engineering, and safety teams and the ICS owners/operators, whose attendance is critical both during the exercise and for the follow-up actions. For reference, the top ICS tabletops are outlined in this blog: Top 5 ICS Incident Response Tabletops and How To Run Them.

Risk Management Tracking - HILF in Critical Infrastructure

Tabletop metrics should be captured so that HILF (high impact, low frequency) events are surfaced and tracked through the organization's risk department for senior leadership discussions on business risk. They should be treated as posing risk comparable to other engineering-related risks, since cyber-to-physical impacts in control environments are possible.

One of the principal types of HILF events is a well-planned cyber, physical, or blended attack conducted by an active adversary against multiple points on the system. Attacks such as damaging or destroying key system components of critical infrastructure like the power system could result in prolonged outages to large parts of the system.

Take, for example, the rapid convergence of the electric power system infrastructure with traditional information and communications technologies. Combined with a new awareness of how sophisticated adversary capabilities against control systems have become, improving the protection, resilience, and response capabilities of the bulk power system requires a fresh understanding of the risk and well-coordinated steps. Mapped here are some of the historic and recent ICS events.

[Figure: timeline of historic and recent ICS cyber events]
Reference: The ICS Cyber Kill Chain: https://www.sans.org/white-papers/36297/

ICS Security Management Choices VS. ICS Attack Group Targeting

There is a common misconception in control system security whereby a utility may think it is too small to be the target of an ICS cyber-attack or impactful cyber event. The reality is that adversaries likely develop and test capabilities in smaller facilities in preparation for the final attack on their ultimate target environment. As managers and tactical cyber defenders in ICS/OT, we get to choose many things about our control system security program—one of which is not whether we are a target. Only the adversary has complete control over that.

The ICS418: ICS Security Essentials for Managers course empowers leaders responsible for securing critical infrastructure and operational technology environments. The course addresses the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives to prioritize safety. The course effectively addresses today’s challenges and shows how to reduce cyber risk in ICS, covering the needs of the full range of managers, including:

  • Managers asked to "Step-Over"
    • Traditional IT security managers who must create, lead, or refine an ICS security program
  • Practitioner to Manager "Step-Up"
    • Industrial engineers, operators, or ICS security practitioners promoted to a manager position to create, lead, or refine an ICS security program
  • "In-Place" Managers
    • Existing ICS security managers who need to further develop their leadership skills specific to industrial security

In-Class Industrial Management Simulation

Those familiar with the Cyber42 cybersecurity leadership simulation game may have learned about it when taking SANS Management courses. SANS has extended this awesome tool for ICS418 by introducing Cyber42: Industrial Edition, which borrows many features from the traditional Cyber42 game. The scenarios are specific to industrial control systems, and of course, safety is added to the mix of industrial cyber incidents. In Industrial Cyber42, the object of the game is to finish with the highest safety culture.

Take ICS418 with Dean and get to know him!

Check out Dean's upcoming ICS418 scheduled classes, see more of his ICS community contributions, and learn more about him here.
