Excerpt from "A review of security assessment methodologies in industrial control systems".
Authors: Qais Saif Qassim, Norziana Jamil, Maslina Daud, Ahmed Patel, and Norhamadi Ja’affar.
Publication: Information & Computer Security, Vol. 27 No. 1, 2019, pp. 47-61.
The escalating interconnectivity of ICS (Industrial Control Systems) networks exposes them to a wide range of vulnerabilities and security threats. Thus, ICS have become a target of cyber-attacks, posing significant risks to the nation’s critical operations. Besides, a lack of viable ICS security measures and inadequate security mechanisms could eventually lead to severe disruption of normal ICS operations upon being attacked. This may result in catastrophic consequences in the physical world. As such, security analysis and countermeasure planning are deemed mandatory. ICS security analysis aids in detecting vulnerabilities, threats and possible attacks that may target the ICS and their underlying components. These tasks are essential to protect and secure the system against cyber-attacks. Nevertheless, due to the scale and intricacy of ICS, as well as the communication technologies involved, planning, executing and reviewing cyber and physical vulnerability assessments are rather difficult. Therefore, several standards and guidelines have been proposed in the literature. This work has reviewed several ICS security assessment methodologies and carried out a detailed analysis of them, so as to explore how sufficiently these existing methodologies meet the needs and requirements of cyber security evaluations meant for power networks. Furthermore, the literature showed that the security assessment techniques in ICS and IT systems are quite similar, as both rely on vulnerability analysis and risk management techniques to identify and fix loopholes within the system.
From the findings, most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. This is because these two techniques have been considered the essential steps towards implementing a secure system. The review also showed that the least attention is devoted to the patch management process, due to the critical nature of ICS. Additionally, this review showed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.