Industrial Control Systems (ICS) Security: Regulations
Industrial Control Systems (ICS) are critical systems used in industrial enterprises like electricity, water, oil, gas, and data. ICS operate based on centralized supervisory commands that are pushed to remote stations and devices. These field devices control operations, collect data, and monitor the environment.
Over the last few years, cyber-attacks on ICS have dramatically increased, signaling a need for advanced industrial control systems security. Attacks on these systems can have devastating consequences to the communities and environments that surround them.
With over 10,000 registered ICS in France alone, it is easy to imagine the countless population of ICS worldwide, all of which have a high risk of cyber-attack. In just the past five years, the US has seen the number of attacks on its ICS increase by 490%. Similarly, more than half of oil and gas companies in the EU are not sufficiently prepared for a major attack on industrial control systems, with91% of SCADA systems particularly vulnerable to breaches in the UK.
Industrial Control Systems Security Regulations
In an effort to prevent catastrophic attacks, many nations have begun putting industrial control systems security regulations in place. Here’s a summary of the relevant regulatory agencies and rules for the following countries and sectors. We’ve summarized the information in this handy infographic.
USA: ICS Security
Critical Infrastructure Protection mandates are enforced by the North American Electric Reliability Corporation (NERC). These regulations relate to the preparedness and response protocols for serious incidents involving critical infrastructure in a particular region or nation. In this case, the reliability standards for the bulk of the US power system.
For nuclear energy, the 2013 Cyber Security Directorate handed all enforcement and regulatory responsibility to the United States Nuclear Regulatory Commission (USNRC). The directorate centralized oversight to ensure reliability in the North American Power grid. These extensive regulations have been put in place to protect digital computers, communication systems, and networks associated with nuclear power.
At this time, all regulations outlined by the Critical Infrastructure Protection and the Cyber Security Directorate are mandatory and have non-compliance sanctions in place.
Critical infrastructure systems must establish protocols to handle cyber-attacks.
The Security of Network and Information Services Directive, or NIS Directive, was adopted by the European Parliament in July 2016. It was developed with the help of the European Agency for Network and Information Security (ENISA) who supports the advancement and implementation of such policies, in addition to collaborating with European operational teams for compliance.
The Directive hopes to enact a high common level of network and informational security across the Union.
The NIS Directive dictates that:
- Member states must have proper incident response teams in place and select a proper NIS authority
- Member states must cooperate and exchange pertinent security information with other member states by setting up a Computer Incident Response Team Network to promote quick and effective sharing
- Member states are required to take appropriate security measures to protect sectors considered vital to the economy and society (energy, transport, water, financial institutions, healthcare, digital infrastructure, etc.)
The NIS Directive puts regulations in place to ensure a high common level of network and information security across the EU.
Currently, the implementation of the NIS Directive is in transition, as member nations work towards adding the Directive’s rules to their own national laws. By May 18, 2018, all member nations must have their national laws in place and have identified the operators of essential services who must comply with said laws.
GERMANY: ICS Security
Enforced by the Federal Office of Information Security the IT Security Act requires companies to improve their IT security systems.
- Improve the availability, integrity, confidentiality, and authenticity of IT security throughout Germany
- Improve IT security within companies
- Provide greater IT security and protection for citizens using the internet
- Protect infrastructure considered critical to community function
The IT Security Act forces companies to improve their IT security systems in an effort to protect infrastructure critical to the community.
The IT Security Act affects website operators, telecommunication companies, and critical infrastructure operators. Compliance is mandatory for all service providers and third parties, but includes a two-year transitional period to refurbish critical infrastructure. Non-compliant providers and operators are subject to fines.
The Centre for the Protection of National Infrastructure in England has developed an advisory guide about the latest cybersecurity measures and practices. The Passport to Good Security guides users through a 20-step process to ensure that their organizations are protected against a variety of security threats. Some of the steps include identifying threats, managing risks, controlling access to systems, putting a security alert systems in place, and much more.
The Passport to Good Security is a 20-step guide for evaluating and protecting organizations from cyber threats.
The National Cybersecurity Agency of France is working on complying with the NIS Directive with the introduction of the Military Programming Act. The Act outlines what parties are subject to the rules, and what kinds of systems need to be put in place. Critical infrastructure and service providers in a wide range of industries must have industrial control systems security in place for any service that has an impact on:
- Military operations
- The economy
- The security of France
- The survival of France in case of natural disaster or warfare
- The safety of the French population
The Military Programming Act outlines what critical industries and infrastructures must be updated to meet the NIS Directive requirements.
The Military Programming Act includes over 60 mandatory rules and is enforced by the National Cybersecurity Agency of France. Entities that are not complying with the decrees outlined are subject to fines.
Meet Compliance Standards with WALLIX
Understanding all of these industrial systems security regulations and the changes they require is daunting. Ensuring you are compliant with every rule can be a challenge, but WALLIX makes it easy to meet these important standards and mitigate risk within your organization.
WALLIX privileged access management provides you with the platform to:
- Mitigate external threats
- Control third party access to your systems
- Prevent insider threat
- Meet IT compliance standards