Health, safety, and environment (HSE) programs are deeply ingrained in every organization and industrial site we work with. The benefits of HSE programs are reduced injuries, reduced lost time incidents, and reduced liability and insurance costs as a result. Safety programs have a long history of statistical evidence showing how different types of documented unsafe work conditions, near misses, and incidents have been reduced through training, reinforcement, and controls. Each safety program is a continuous cycle, with each year building upon the good practices of the last and working towards zero incidents.
The subject of cyber security for industrial control systems (ICS) does not have the benefit of decades of statistics, legislation, training, and budgets to build on, but it is as important as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is strangely neglected in many organizations.
It is therefore essential that an organization understands and actively mitigates the security risks that threaten its industrial assets. Understanding and mitigating these risks is fundamental to the safe and reliable continuation of an organization’s daily operations.
It is in every ICS owner’s and operator’s best interest to be well prepared to protect their assets against increasingly prevalent security threats. The following controls prioritize security functions that are effective against the latest threats, with a strong emphasis on what actually works. There is evidence that having and applying cyber hygiene rules can stop a lot of security incidents and contribute to safe and reliable operations.
Here are some highlights from Applied Risk’s Online ICS Security Awareness Training, which is developed specifically to enhance engineers’ and operators’ understanding of how to deal with security situations in the field:
- Register all ICS assets within a maintained register.
- Apply strict access control (zones, conduits and channels) for granting and controlling system access (locally and remotely).
- Always lock unused systems (logically or physically).
- Restrict and control the use of portable media and devices (laptops, mobile devices, etc.).
- Protect system credentials. Do not divulge or share user accounts and passwords.
- Intervene and report when an asset is not adequately protected.
- Scan all portable media and devices before connecting to an ICS.
- Strictly protect ICS system and project documentation.
- Always follow Management of Change (MoC) and Permit to Work (PtW) procedures.
- Always report incidents or suspicious activities.
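The first two rules above (a maintained asset register, and access control expressed as zones and conduits) are easiest to act on when they are written down in machine-readable form, because the register then becomes the reference against which observed traffic can be checked. The following is an added example, not code from Applied Risk or its training material: a small Python audit that takes a constructed asset register, a constructed set of conduit rules (which zone may talk to which zone, on which destination ports), and a handful of constructed flow records, and reports every flow that is either from or to an unregistered asset or that crosses zones without a matching conduit. Zone names, IP addresses, asset names and port numbers are all assumptions chosen for the example.

```python
"""Zone/conduit policy check over an asset register and observed network flows.

Added example, not Applied Risk's code. Everything below (register, conduit
rules, flow records) is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset register: IP address -> (asset name, zone).
# Zone names follow a typical zones-and-conduits layout but are hypothetical.
ASSET_REGISTER = {
    "10.10.1.5": ("PLC-01", "control"),
    "10.10.1.6": ("PLC-02", "control"),
    "10.10.2.10": ("HMI-01", "supervisory"),
    "10.10.2.11": ("HIST-01", "supervisory"),
    "10.10.3.20": ("ENG-WS-01", "engineering"),
    "10.20.0.50": ("ERP-01", "enterprise"),
}

# Constructed conduit rules: (source zone, destination zone) -> allowed dst ports.
# Any zone pair not listed here has no conduit and is therefore not permitted.
CONDUITS = {
    ("supervisory", "control"): {502},         # HMI polls PLCs over Modbus/TCP
    ("engineering", "control"): {502, 44818},  # engineering workstation to PLCs
    ("enterprise", "supervisory"): {443},      # enterprise reads historian over HTTPS
}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (e.g. one line of a firewall/flow log)."""
    src: str
    dst: str
    dport: int


def zone_of(ip):
    """Return the zone recorded for an asset, or None if it is not registered."""
    entry = ASSET_REGISTER.get(ip)
    return entry[1] if entry else None


def check_flow(flow):
    """Return None if the flow complies with the policy, else a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None:
        return f"unregistered source {flow.src}"
    if dst_zone is None:
        return f"unregistered destination {flow.dst}"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not governed by a conduit
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit {src_zone}->{dst_zone}"
    if flow.dport not in allowed:
        return f"port {flow.dport} not permitted on conduit {src_zone}->{dst_zone}"
    return None


def audit(flows):
    """Return a list of (flow, reason) for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]


# Constructed flow records to audit.
SAMPLE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", 502),     # HMI -> PLC over Modbus: allowed
    Flow("10.10.1.5", "10.10.1.6", 502),      # PLC -> PLC, same zone: allowed
    Flow("10.10.3.20", "10.10.1.6", 44818),   # engineering -> PLC: allowed
    Flow("10.20.0.50", "10.10.1.5", 502),     # enterprise -> PLC: no conduit
    Flow("10.10.3.99", "10.10.1.5", 502),     # source not in register
    Flow("10.10.3.20", "10.10.1.5", 22),      # engineering -> PLC on SSH: port not permitted
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The check deliberately treats an unregistered address as a violation in its own right, which is what makes the register a control rather than just an inventory: a device that was connected without going through Management of Change shows up in the audit even if the traffic it generates would otherwise look ordinary. In practice the register and conduit rules would be loaded from the organization's own documentation and the flows from firewall or network-monitoring logs; the structure of the check stays the same.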