Full Report
Alan Weissberger of the IEEE Communications Society (ComSoc) Techblog felt the ongoing culture and education gaps between network security and engineering needed to be highlighted, as they are keeping critical infrastructures from being cyber-secured. While IT and OT network security are essential, securing control systems presents fundamentally different challenges. Engineering devices, particularly field and process […]
Analysis Summary
# Best Practices: Bridging the Gap Between Network and Control Systems Cybersecurity
## Overview
This guidance addresses the critical security gap between traditional Information Technology (IT)/Operational Technology (OT) network security and the specialized requirements of Control Systems (CS). It focuses on securing the "Level 0/1" devices—field sensors and process controllers—that often lack native security features and are overlooked by standard network-centric security approaches.
## Key Recommendations
### Immediate Actions
1. **Inventory Field Assets:** Identify all process sensors, actuators, and controllers that lack native authentication or encryption capabilities.
2. **Establish Cross-Functional Communication:** Initiate weekly briefings between the Network Security team and the Control Systems Engineering team to align on reliability vs. security priorities.
3. **Physical Access Audit:** Because Level 0 devices often lack digital logs, reinforce physical security and "tamper-evident" seals on junction boxes and sensing equipment.
### Short-term Improvements (1-3 months)
1. **Specialized Training:** Enroll control system personnel in cybersecurity fundamentals and provide network security staff with "Control Systems 101" to understand physical process impacts.
2. **Legacy Protocol Assessment:** Identify non-Ethernet serial communications and legacy protocols that do not support logging or forensics.
3. **Baseline Process Behavior:** Establish "normal" operating ranges for process sensors to detect anomalies that may indicate electronic interference or cyber tampering.
### Long-term Strategy (3+ months)
1. **Hardware-in-the-Loop Forensics:** Develop a strategy for capturing forensic data from devices that do not have internal logging (e.g., using out-of-band monitoring).
2. **Engineering-Centric Security Policy:** Rewrite security policies to account for "unintentional electronic communication issues" that can destabilize control systems without any traditional hacker being present.
3. **Procurement Requirements:** Update procurement standards to require future control system devices to support built-in authentication and cyber-logging.
## Implementation Guidance
### For Small Organizations
- Focus on vendor-provided security patches for PLCs.
- Prioritize physical isolation (air-gapping) where complex monitoring tools are unaffordable.
### For Medium Organizations
- Implement passive network monitoring that recognizes industrial protocols (Modbus, DNP3, etc.).
- Cross-train at least one engineer to act as a "Security Liaison."
### For Large Enterprises
- Deploy a dedicated SOC (Security Operations Center) capability specifically for ICS/Control Systems.
- Implement formal "Consequence-driven Cyber-informed Engineering" (CCE) methodologies.
## Configuration Examples
*While specific code varies by vendor, best practices include:*
- **Port Security:** Disable all unused physical ports on switches located in field cabinets.
- **Log Unification:** Mirror traffic from control system switches to a dedicated analyzer that understands Level 0/1 sensor traffic, rather than just Level 2/3 Ethernet traffic.
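The passive monitoring and process-baselining recommendations above ("Baseline Process Behavior" and the Modbus-aware analyzer fed by mirrored traffic) can be combined in one small check. The following is an added example, not code from the report or any vendor: it parses the MBAP header and the two Modbus/TCP write function codes (6 and 16) from a mirrored frame and flags any write whose value falls outside an engineering-defined range for that holding register. The register map, the ranges and the two frames are constructed for illustration.

```python
# Added example: passive Modbus/TCP write monitor with a process baseline.
# Function codes 6 (write single register) and 16 (write multiple registers)
# are decoded; reads and other functions are ignored. Values are constructed.
import struct

# Constructed baseline: holding register -> (name, low, high) in engineering units
BASELINE = {
    100: ("pump_setpoint_rpm", 0, 1800),
    101: ("valve_position_pct", 0, 100),
}


def parse_modbus_writes(frame: bytes):
    """Return [(register, value), ...] written by one Modbus/TCP ADU."""
    if len(frame) < 8:
        return []
    _tid, pid, length, _uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        return []  # protocol id must be 0; length covers unit id + PDU
    pdu = frame[8:]
    if fc == 6 and len(pdu) >= 4:  # write single register
        reg, val = struct.unpack(">HH", pdu[:4])
        return [(reg, val)]
    if fc == 16 and len(pdu) >= 5:  # write multiple registers
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            return []  # malformed byte count or truncated data
        vals = struct.unpack(">%dH" % qty, pdu[5:5 + nbytes])
        return [(start + i, v) for i, v in enumerate(vals)]
    return []


def check_against_baseline(frame: bytes, baseline=BASELINE):
    """Return alert strings for writes outside the baselined operating range."""
    alerts = []
    for reg, val in parse_modbus_writes(frame):
        if reg not in baseline:
            alerts.append(f"write to unbaselined register {reg}={val}")
            continue
        name, lo, hi = baseline[reg]
        if not lo <= val <= hi:
            alerts.append(f"{name} (reg {reg}) written to {val}, outside {lo}..{hi}")
    return alerts


# Constructed frames: reg 100 = 1400 (normal); regs 100,101 = 3000, 150 (suspect)
NORMAL = bytes.fromhex("000100000006010600640578")
SUSPECT = bytes.fromhex("00020000000b011000640002040bb80096")

if __name__ == "__main__":
    for f in (NORMAL, SUSPECT):
        print(check_against_baseline(f) or "ok")
```

A real deployment would feed this from a SPAN port or tap on the control system switch and treat the ranges as living engineering data, reviewed with the process engineers rather than the network team alone.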
## Compliance Alignment
- **ISA/IEC 62443:** The primary standard for the security of Industrial Automation and Control Systems (IACS).
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **NERC CIP:** For organizations within the bulk electric system.
## Common Pitfalls to Avoid
- **The "IT-Only" Fallacy:** Assuming that securing the Ethernet network automatically secures the sensors and controllers attached to it.
- **Encryption Overload:** Implementing encryption on time-sensitive control loops that cannot tolerate the resulting latency.
- **Ignoring Physics:** Forgetting that an "attack" on a control system may simply be an unintentional signal interference that violates physical safety limits.
## Resources
- **IEEE ComSoc Techblog:** hxxps[://]techblog[.]comsoc[.]org/
- **Control Global - Unfettered Blog:** hxxps[://]www[.]controlglobal[.]com/blogs/unfettered
- **ISA (International Society of Automation):** hxxps[://]www[.]isa[.]org/standards-and-publications/isa-standards