Many of today’s industrial control systems (ICS) are considered to be antiquated, making them vulnerable to a cyberattack, especially if they are interconnected with traditional information and communications technology (ICT). Think about electricity, water and energy production as typical places where ICS are in place.
The problem is that ICS have traditionally been isolated, separate and apart from IT. But in today’s converged system environment, ICS are becoming part of the greater enterprise. This exposes ICS and IT to the same threat agents and attack vectors.
Risk management and governance are critical, no matter if someone is responsible for defending the infrastructure of a manufacturing plant or the corporate network.
In fact, the current state of ICS cybersecurity is described as “turbulent,” according to ISACA’s new, comprehensive white paper about ICS and related risks, titled: “Industrial Control Systems: A Primer for the Rest of Us.”
The guide looks at the current environment of ICS, and discusses the differences and similarities between ICS and IT. The guide points out that while ICS people are operational in nature, IT professionals have a focus that is system- or task-specific. An understanding of these cultural differences provides a context where it is possible to explore similarities and distinctions.
The guide suggests there are many advantages to creating and sustaining cross-functional teams of ICS and IT cybersecurity professionals, including:
- Opportunity for cybersecurity professionals to share their unique perspectives
- An agreed understanding of risk management and governance
- Establishment of a dialogue about shared assets and associated risks
The good news is that much positive work has already been done to create standards, offer training, hold conferences and create relevant certifications.
Monica Jain, CGEIT, CSSBB, CSQA, GSLC
Senior program/project manager