Baseline in ICS Cybersecurity

By mayur_nj4bdivn — In Cyber Security — October 18, 2019



Understanding Baseline Security Controls and ICS Cybersecurity

ICS (Industrial Control Systems) owners and operators alike, want to know the state of Cybersecurity within their ICS. Further, understanding regulatory and compliance needs for ICS Cybersecurity requires an awareness of the underlying concepts. In simple terms, ICS Cybersecurity is the state of Security Controls of the ICS. This blog explains what is a baseline and goes on to illustrate the concept of Baseline Security Controls in Cybersecurity.

Change is a fact of life and Change Management is an important idea in any ICS. Baseline is a very interesting concept in Change Management. In the context of ICS Cybersecurity, Security Controls Baseline, provides a simple, yet powerful mechanism to implement and manage change to Security Controls without disrupting ICS operations and functions.

Understanding Change to a Single Object

Though everything is changing in relation to something! We limit our scope by first considering a single isolated object. An object Obj-1 has a state S1 at time t1. It then changes to a state S2 at time t2. This is illustrated in Fig.1

Understanding Change to a Collection of Objects

We now look at change to a Collection of objects – objects that are working together as a cohesive whole.  This is illustrated in Fig.2. We consider the collection having an initial state C-S1 which is distinct from the states of the objects (O1-S1… O3-S1) that make up the collection. A change in the state of one or more objects changes the state of the collection as a whole! Each state of an object or collection is called a version! For every change, we increase the version number assigned to the individual objects and the collection. Henceforth, we will use the word, “version” followed by a number to indicate the state of artifacts (Software, documents, concepts, etc.)

Change & Configuration Management – Art or Science

It is important to understand that a collection is not objects thrown together at random; objects in the collection share specific relationships with one-another; objects in the collection work together as an integrated unit! Random changes to one or more objects within the collection may render the whole collection dysfunctional. The art and science of change management is hinged around making changes to individual components without breaking the collections’ operation/function or integrity. The discipline in computer science and information technology that practices this is referred to as, Change and Configuration Management. A list of components in a “working collection” along with their respective version numbers is called a “working configuration”.

Change Management in ICS Cybersecurity

The Cybersecurity of an ICS is a “working collection” of Security Controls. For the purpose of this example we consider 5 security controls that comprise the Cybersecurity posture (state) of an ICS. Technically speaking, the “version” of Cybersecurity of the ICS is distinct from the “version” of the individual Security Controls.

Fig.3.a shows an example of 5 security controls SeCo1 to SeCo5 which collectively make up the Cybersecurity of an ICS. The initial version of Cybersecurity of the ICS is distinctly identified by CybSec1 – the state of the collection.  Fig.3.b shows the version of the 5 controls at a time t2, after changes were made to some of them. The changes were warranted because the collection was not working. If the version of the collection at t2 – CybSec2 works, we draw a line over versions as shown in Fig.4. b. This line is called, a Baseline!

We can make a list of Security Controls and their respective version numbers that comprise the baseline. Any changes henceforth will be made on the baseline versions.

Configuration at Baseline (Ref. Fig.4.b)
ComponentsVersion Number

Build and Baselines

When we make changes to various components and bring them together to check if the collection works – we call that a build. At times, builds may not work, in that case we discard the build and continue making changes to fix issues. If a build works, we baseline it! Further, most projects and organizations give each build/baseline a number or name.  All baselines are builds, but all builds may not become baselines!


We can understand the Cybersecurity posture of an ICS by examining the state of the Security Controls within the ICS. The state of the “collection of Security Controls” is distinct from the state of individual Security Controls. A “working collection” of security controls is called, the Baseline Security Controls. The list of security controls and their respective versions (states) at a particular time indicates the Cybersecurity posture of the ICS at that time. Fig.5 shows the state of security controls at two points in time – one point is in the future and baseline at that point is called, the Target Profile; the other point is in the present and is referred to as, the Current Profile.

Balakrishna Subramoney (Balu), is a Lead Analyst – Cybersecurity at Sam Analytic Solutions, in Durham, NC. Sam Analytic Solutions provides Services to make your ICS Cybersecurity Compliance Journey– effortless and easy – We believe Cybersecurity concepts are easy to understand and adopt.

Cybersecurity is not about building impregnable barriers, it is about timely response!

Spread the love