Ics Cyber Security Incident Response and the Troubleshooting Process
Essay by annieyu • May 25, 2018 • Essay • 2,905 Words (12 Pages) • 916 Views
ICS Cybersecurity Incident Response and the Troubleshooting Process
Masatoshi TAKANO1†
1Technical Committee on Instrument and Control Networks, Industrial Applications Division, SICE, Japan
(E-mail: masatoshi_takano@mail.toyota.co.jp)
Abstract: An awareness of the potential for cyber security incidents, combined with ordinary troubleshooting procedures, contributes to improved handling of these incidents in industrial control systems (ICS). Organizations that use ICS will benefit by adding cyber-oriented incident handling to existing ICS troubleshooting trees. Case studies of both non-cyber and cyber incidents show the advantages of using ordinary troubleshooting flows and of an efficient configuration of layered security defense with minimum services, which buys time against the exploitation of unknown vulnerabilities.
Keywords: Industrial control system, Cyber security, Cyber incident response, Incident handling, Troubleshooting, Human behavior, Defense in Depth
1. INTRODUCTION
Considering the industrial control system (ICS) operators’ perspective together with today’s security defenses leads to a practical twofold approach to cybersecurity: improving incident response and building an efficient configuration that buys time.
We identify ordinary plant-floor operation and troubleshooting capabilities as a suitable starting point, or front end, for cybersecurity incident handling in ICS. A cybersecurity incident-handling installation that is separate from the ordinary troubleshooting flow makes operations and troubleshooting more complex. Case studies show that when cyber-oriented incident handling is added to existing ICS troubleshooting flows, the improved troubleshooting process is an efficient way to identify the cause of a non-cyber or cyber issue.
In addition, multilayered defense, so-called “Defense in Depth”, with minimum services has the effect of buying time by retarding the exploitation of zero-day attacks, which are difficult to assess because they are unknown to us.
2. PRIORITIES OF ICS CYBERSECURITY APPROACHES
Figure 1 illustrates a typical layered-defense architecture that contains an IT system level, an ICS network level, and a field controller level. In general, the ICS controls and monitors plant facilities automatically, while an operator manually controls the facilities via a man-machine interface (MMI) during startup or plant abnormalities. Monitoring data or alarm messages from the ICS appear on the MMI to alert the operator. By contrast, exploitation in a cyber incident raises no such alert, because its only traces are in plant data trends or in system diagnostics. With reference to Fig. 1, an attacker on the Internet has routes to intrude through the three-layered defense of the ICS, or to connect via the cellular or wireless networks used for remote maintenance [1] [2] [3].
This section focuses on the operator’s perspective and today’s security defense to identify the priorities of ICS cybersecurity approaches.
2.1 Consideration of operator’s perspective
For many plant-floor operators and organizations, the most challenging part of a cyber-related incident-handling process is detecting possible cyber incidents during daily troubleshooting procedures. The phenomena or damage caused by a cyber incident appear the same as those of a non-cyber case at the equipment level of a plant.
Let us first consider the incident-handling procedure. Most ICS troubleshooting concerns non-cyber-related issues, as shown in Table 1. This is in contrast to IT security incidents, which occur frequently and always require an awareness of cyber-related issues; moreover, ICS cyber-related incidents may be less readily recognized than IT cases. Incident handling in IT cases is based on cyber-intrusion detection; however, ICS platforms may not run such cybersecurity software to detect intrusions or viruses [3]. Thus, many types of general cybersecurity policy for IT system protection are not applicable to ICS cyber-related incident response. Operator experience may be one of the best sources for detecting deviations from normal operation status. Experienced operators can
...
...
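As an added illustration of two points made above, that the traces of a cyber incident surface in plant data trends rather than as MMI alerts (section 2) and that a deviation from normal operation status is what the operator looks for (section 2.1), the following Python is example code written for this page, not the paper's own. The tag names, tolerance and trend records are constructed, and the check only produces the trigger that sends the ordinary troubleshooting flow into its cyber-oriented branch; it does not decide whether the cause is cyber or non-cyber.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since the start of the trend window
    tag: str         # control loop tag (constructed names, not from the paper)
    setpoint: float  # value the controller is asked to hold
    pv: float        # measured process value shown on the MMI trend
    alarm: bool      # True if the MMI raised a deviation alarm for this sample

# Constructed trend history for the example; no real plant data.
TREND = [
    Sample(0,  "TIC-101", 80.0, 80.1, False),
    Sample(10, "TIC-101", 80.0, 79.8, False),
    Sample(20, "TIC-101", 80.0, 84.5, False),  # drift starts, no alarm raised
    Sample(30, "TIC-101", 80.0, 86.2, False),
    Sample(40, "TIC-101", 80.0, 87.0, False),
    Sample(50, "TIC-101", 80.0, 80.3, False),
    Sample(0,  "PIC-202", 5.0, 5.1, False),
    Sample(10, "PIC-202", 5.0, 6.9, True),      # excursion, alarm raised as expected
    Sample(20, "PIC-202", 5.0, 7.1, True),
    Sample(30, "PIC-202", 5.0, 5.0, False),
]

def silent_deviations(samples, tolerance, min_run):
    """Return (tag, start_ts, end_ts) for each run of at least min_run consecutive
    samples where |pv - setpoint| exceeds tolerance and no alarm was raised.
    Such a run is the trigger that routes the ordinary troubleshooting flow into
    its cyber-oriented branch; it does not by itself prove a cyber cause."""
    by_tag = {}
    for s in sorted(samples, key=lambda s: (s.tag, s.ts)):
        by_tag.setdefault(s.tag, []).append(s)
    findings = []
    for tag, series in by_tag.items():
        run = []
        for s in series + [None]:  # None sentinel flushes the final run
            if s is not None and abs(s.pv - s.setpoint) > tolerance and not s.alarm:
                run.append(s)
                continue
            if len(run) >= min_run:
                findings.append((tag, run[0].ts, run[-1].ts))
            run = []
    return findings

if __name__ == "__main__":
    for tag, start, end in silent_deviations(TREND, tolerance=2.0, min_run=2):
        print(f"{tag}: unalarmed deviation from t={start}s to t={end}s, "
              "check alarm configuration, then follow the cyber branch")
```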