Industrial Control Systems (ICS) encompass several types of systems designed to control and automate industrial processes. From controlling the temperature of an oven to the movement of a conveyer belt in a factory.
A simplified and typical view of the architecture of ICS could be made up of the following elements.
- Sensors: They receive information from the physical world and translate it into an electric range (such as flow sensors for pipelines).
- Actuators: Capable of physically altering certain parameters that can affect the process (following with the example, a valve that can close the water flow in a pipeline).
- Supervisory Control And Data Acquisition (SCADA): A system that enables controlling and supervising industrial processes, sending instructions to actuators depending on the information received by the sensors. Decisions made regarding the actions taken by SCADA can be automatic, as a result of precharged logic in the system, or can also be made by an operator (in our example it would be a screen where the flow appears and the valve is opened or closed depending on the flow).
These systems use communication protocols that are mainly designed for real-time communication. A quick and effective communication is prioritized over the security of the communication in these protocols. Normally, the deployments made using this type of protocols are quite expensive (proprietary protocols, there are few manufacturers…).
The development and widespread growth of Internet in recent years has lead to a reduction in the costs of electronic networks associated to communication protocols related to Internet, in particular to TCP/IP. This reduction in costs of electronic networks, along with the opportunity of making systems more interconnectable, lead to industrial control protocols adopting TCP/IP as their base protocol and implementing them as higher layer protocols. That is when TCP versions of some protocols appear (such as Modbus, which maintains a version for communicating via serial port and another for communicating via Ethernet).
The use of industrial protocols based on TCP has provided these systems with a greater standardization, resulting in a two-edged sword for the industry. On one hand it makes the job of people responsible for monitoring and controlling industrial processes easier as they can do their job from the corporate network by interacting and using tools commonly used in modern operating systems. However, connecting ICS networks to corporate IP networks has provided cybercriminals with new targets, as they look for gateways to “jump” from a compromised corporate network to the industrial control network, which is generally more vulnerable.
It is therefore a priority to provide industrial control systems designers with cybersecurity knowledge so that they keep security in mind in every phase of their work and incorporate security elements whenever possible. It is also recommendable for technicians that operate these systems to improve their cybersecurity knowledge, in order to improve their capacity to detect attacks aimed towards this collective.
Security certifications are a way of improving the cybersecurity capacities of these actors. Therefore, the European Union Agency for Network and Information Security (ENISA) has put together the initiatives for the certification of cybersecurity professionals for Industrial Control Systems and SCADA professionals on a European level in a document named “Certification of Cyber Security skills of ICS/SCADA professionals” with the collaboration of the Centro de Ciberseguridad Industrial (CCI) and other industry members.
This document also includes other roles for professionals, along with the knowledge that is necessary, in ICS environments, as well as the results of a poll which asked experts about security certifications. This poll reveals that three out of four experts are thinking about obtaining some type of certification in ICS cybersecurity, but that only one out of three had started the process to obtain it.
The document goes on to put forward the obstacles that need overcoming to create a scheme of certifications for professionals on a European level. Obtaining the support of all the actors involved, avoiding the commercial interests of manufacturers and managing to combine IT cybersecurity with technical operating knowledge stand out amongst these obstacles, meaning that the cybersecurity measures that are introduced must be made from an operation of industrial control processes point of view.