Industrial Automation and Control System Security Principles
A Great IACS Security Resource - Jun 25, 2013
Drawing upon concepts from information security and risk management, Dr. Krutz discusses various vital aspects of securing control systems, such as the concepts of defense in depth, fail safe, least privilege and separation of duties. Borrowed from the information security realm, these are now central to securing highly-networked industrial automation and control systems. Essential roles such as identification, authentication, authorization, accountability, auditability and non-repudiation are introduced to extend the import of security into this environment, which is experiencing an ever-closer convergence of information technology, networking and industrial control systems.
With an application focus on distributed control systems and the Smart Grid, the book covers various security models and programs that are necessary to securing Industrial Automated Control Systems (IACS), such as various NIST Special Publications, ANSI/ISA99 standards, NERC CIPs, the DHS Catalog of Control Systems Security, and a section on AMI Security and DoD Instruction 8500.2. Most importantly, the author constructs a consolidated table of Best Practices Controls from a cross-section of the preceding standards documents. Krutz also pays special attention to the role of EMI in several areas of the book. As a member of the EMIIWG under the SGIP, I certainly appreciate the role of EM interference in control system operation and security.
Process-based methodologies are highlighted throughout the book. In terms of management controls, security training, and performance-based security models, Krutz provides comparisons and contrasts of each. A comparison of models highlighted by the Smart Grid Maturity Model and the Automation Maturity Model provides one example of this methodology. In developing an overall view of security automation domains and the NIST Risk Management Framework, he provides an essential point of view into this process. Additionally, in discussing the Information Security Continuous Monitoring process, he introduces a multi-layered combination of cyclical processes that provide for a lifecycle of security monitoring, enhancements and improvements.
One deficiency that this reviewer noted in the overall work was a lack of depth in the control system area. It is my assumption that this was intentional, owing to the fact that the intended audience is the experienced control system engineer. However, this seeming omission does not diminish the intended purpose of the book, which is to elucidate control engineers in foundational security principles. In this regard, Krutz does an admirable job, as he recognizes that securing this evolving environment requires expertise from a wide variety of disciplines by using an ongoing process approach to security. Indeed, he notes, “These methodologies must be embraced and coupled with the latest technological knowledge in order to maximize the security and efficiency of tomorrow’s automation and control systems.”
All contents copyright of ISA © 1995-2013 All rights reserved.