Understanding Cyber Security Services for Industrial Control Systems

By mayur_nj4bdivn — In Cyber Security — October 11, 2019



This week’s post is about Cyber Security Services. What do Cyber Security Practitioners within an Industrial Control System (ICS) do? ‘Learning through analogy’ is used to illustrate the concepts.

Data is the lifeblood of Enterprises in today’s world

If doctors want to understand what is going on within the human body, they take a blood sample and study it – this is a passive way of understanding the functioning and condition of the human body. When Cyber Security practitioners want to know what is going on within an ICS, they study “data samples” collected from various key processes within the ICS.

This approach can be used to study an entire factory, a single production line or a single aspect of a complex system. The important artifact is the “data sample”.

Medical practitioners study the condition of the human body using blood samples. They look for the presence or absence of specific substances in blood samples. Cyber Security practitioners look for the presence or absence of specific information in “data samples” to understand the Cyber Security of the system under consideration.

What data samples need to be collected? What is the best way to collect them? How are the samples analyzed? What are the key insights from the analyses? Cyber security services from Sam Analytic Solutions help customers with these kinds of questions and much more. This post is NOT about business development!

Cyber Security services are akin to medical services in that organizations need them only when they are faced with issues! (Just kidding!) However, in the case of ICS, “prevention is better than cure”. A plant owner or operator does not want the plant shutting down due to Cyber Security issues!

Data Driven Decision Making

Blood carries nutrients and signals to various parts of the human body. “Data” is the carrier of information that moves within and outside the ICS, and it is also used for decision making by managers (and controllers). Simple decisions may involve a few parameters, but complex decision making involves thousands of parameters. Decisions taken invariably affect organizational and production processes, people, the economy and the environment. Good data driven decision making presupposes high quality data, made available in a timely fashion and in the required formats.

Cyber Security Data Collection Services (A Phlebotomist on the Plant floor!)

Collecting samples (data samples) is not a one-time activity in Cyber Security; it is a periodic activity, and the periods can be as short as a few microseconds or as long as a few months. This service is specialized and requires an understanding of the production process and the equipment, as well as lots of planning and collaboration. Further, different data samples are collected for different types of analyses (similar to different blood tests). This service is typically delivered in two phases. Phase one is the planning phase: preparing a document that models the dataflow within the ICS network, describes the sample dataset(s) to be collected and sets out the collection strategy. Phase two is the execution of the plan and the collection of the required datasets. (Note: Sometimes this service becomes trivial if reliable logs are available within the ICS.)

Cybersecurity Data Analyses Services (A Lab technician on the Plant floor!)

While a blood sample is sent to a Lab technician for analysis, “data samples” are sent to a Cyber Security Analyst. The analyst employs various tools and techniques to draw inferences from the sample data provided. The deliverable from this service is Cyber Security feedback, typically a report, which contains details of the condition and/or functioning of the system from a Cyber Security perspective. Technically, the steps involve parsing and analyses. Analyses include visualization and statistical data analysis.

The faster the better! Since feedback needs to be provided quickly to help control critical production processes and limit damage, Cyber Security Data Analyses services are provided close to the points of collection. These services are rendered alongside DCS (Distributed Control Systems) and SCADA (Supervisory Control And Data Acquisition).

Vulnerability Assessment and Penetration Testing (Health Checkups and Fitness)

Oftentimes, when we feel weak, we are prone to illness. Weaknesses are called Vulnerabilities in Cyber Security parlance. ICS systems can have weaknesses (vulnerabilities) which can act as points of entry for attackers (much like germs getting into our blood stream through open wounds). A health checkup helps spot vulnerabilities in our body.

Vulnerability Assessment of the ICS helps spot weaknesses. Further, launching an attack to prove that a vulnerability can be exploited is the goal of Penetration Testing. Vulnerability Assessment may not be a passive exercise like the “data sample” collection and analyses mentioned earlier. In terms of our analogy with the human body, it is akin to an injection! Penetration Testing is always an active process and could result in shutting down a production line or worse (similar to stress tests like the treadmill test!). These Cyber Security services are rendered under controlled conditions and always require precise contractual obligations.

Cyber Security Standards (Avoid the Epidemics and Pandemics)

Public health is important to the community. Governments set standards and provide expert guidance to ensure public health. Cyber Security is an important aspect of the times we live in, and ICS Cyber Security incidents can impact entire industry sectors, much like an epidemic. To avoid Cyber Security incidents of epidemic or pandemic proportions, a number of ICS Cyber Security standards exist. In the past, there have been incidents all over the world that have impacted Nuclear Plants, Electric Grids, manufacturing facilities and other ICS systems.

Cyber Security Standards provide guidance to ensure that “enterprise data” can be protected in a uniform way and that protection mechanisms work seamlessly across enterprises. Examples of Cyber Security Standards for ICS include NIST SP 800-82r2 (National Institute of Standards and Technology Special Publication 800-82 revision 2). ISA/IEC-62443 is an important global standard for ICS. Following these Cyber Security standards assures stakeholders within and outside the organization, including customers, suppliers and the public. It further enhances the confidence of one and all in having a successful business relationship with the organization.

Further, regulatory standards like NERC-CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection) require mandatory compliance. This ensures ICS systems that fall into the scope of NERC-CIP have an assured level of protection and can guarantee service delivery.

Compliance Testing services, Assessment services and Third Party Security Assessment are Cyber Security services scoped around Cyber Security Standards.

Cyber Security Practice (Your Neighborhood Primary Care)

Cyber Security Services can ensure that data within an ICS System is not lost, modified or mislocated, and that events occur as anticipated. These services are packaged in multiple ways, and the packaging always depends on the needs of the ICS system under consideration and the service scope. (In the analogy, a dietitian’s services are quite distinct from those of a lab technician or phlebotomist.)

The study (collection, analyses and reporting) of Events that occur within the enterprise, and cyberspace in particular, is the cornerstone of any Cyber Security practice.

Data moves in Cyberspace. The dynamic nature of data is modelled as Events. We say Events occur, and they are evidenced by the flow or movement of data. No events, no data flow, and vice-versa! When data moves from location A to location B, several Events take place. Each Event is associated with data (an event-dataset). The successful occurrence of a sequence of Events is required for data to move from location A to location B; likewise, if data has moved from location A to location B, then it is reasonable to assume that a specific sequence of events has occurred! The occurrence or non-occurrence of an event can impede the movement of data. Further, data can get lost, be modified or reach incorrect locations.
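The event model above, as an added example that is not part of the original post: a short Python check that groups a collected “data sample” by flow and reports whether each dataset moved from A to B as anticipated, or was lost, modified or mislocated. The event types, field names, location names and sample records are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Assumed model: these four events, in order, move one dataset from A to B.
EXPECTED = ["read", "send", "receive", "write"]
WHERE = {"read": "A", "send": "A", "receive": "B", "write": "B"}

def ev(flow, etype, loc, payload):
    """Build one event record; the payload is kept only as a SHA-256 digest."""
    return {"flow": flow, "type": etype, "loc": loc,
            "sha256": hashlib.sha256(payload).hexdigest()}

GOOD, BAD = b"setpoint=72.5", b"setpoint=99.9"
SAMPLE = [  # constructed data sample, not real plant data
    ev("f1", "read", "A", GOOD), ev("f1", "send", "A", GOOD),
    ev("f1", "receive", "B", GOOD), ev("f1", "write", "B", GOOD),
    ev("f2", "read", "A", GOOD), ev("f2", "send", "A", GOOD),
    ev("f3", "read", "A", GOOD), ev("f3", "send", "A", GOOD),
    ev("f3", "receive", "B", BAD), ev("f3", "write", "B", BAD),
    ev("f4", "read", "A", GOOD), ev("f4", "send", "A", GOOD),
    ev("f4", "receive", "C", GOOD), ev("f4", "write", "C", GOOD),
]

def assess(events):
    """Return {flow: (verdict, detail)} for every flow seen in the sample."""
    flows = defaultdict(list)
    for e in events:
        flows[e["flow"]].append(e)
    report = {}
    for flow, evs in flows.items():
        types = [e["type"] for e in evs]
        missing = [t for t in EXPECTED if t not in types]
        wrong_loc = sorted({e["loc"] for e in evs if e["loc"] != WHERE[e["type"]]})
        changed = [e["type"] for e in evs if e["sha256"] != evs[0]["sha256"]]
        if missing:                    # non-occurrence of an expected event
            report[flow] = ("lost", missing)
        elif types != EXPECTED:        # all events present, wrong sequence
            report[flow] = ("out-of-order", types)
        elif wrong_loc:                # data reached an incorrect location
            report[flow] = ("mislocated", wrong_loc)
        elif changed:                  # digest differs from the one at "read"
            report[flow] = ("modified", changed)
        else:
            report[flow] = ("ok", [])
    return report

if __name__ == "__main__":
    for flow, (verdict, detail) in assess(SAMPLE).items():
        print(flow, verdict, detail)
```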

When events are collected and analyzed as Threats (threat events), the services are called Threat Management Services. A Threat is any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service – NIST SP 800-53 [22]

When the primary consideration is the Risk, they are called Risk Management Services. Risk is the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring – NIST SP 800-30 [79]

ICS Cyber Security Program (A Cyber Security Practice for ICS)

Staying healthy and fit requires constant attention and healthy routines. Good Cyber Security requires Cyber security hygiene – best practices that owners and operators can use to protect ICS data. The ICS Cyber security Program development and deployment service provides a comprehensive solution to manage and monitor ICS Cyber security in a holistic way. This service is akin to having a family practice for your health care needs.


Cyber security, the ability to protect or defend the use of cyberspace from cyber-attacks, can be provided as a suite of services – Cyber security Services. The analogy of a Medical practice providing health care can explain many Cyber security services. Data is the lifeblood of any enterprise, and cyber security practices and services ensure protection of that data. Data-sample collection and analysis are analogous to blood sample testing. Vulnerability assessment is like an annual health checkup. The blog addresses services that can be of use to ICS (Industrial Control System) owners and operators. These services include: Data Collection and Analyses, Vulnerability Assessment, Compliance Assessment, Threat and Risk Management, and developing and deploying ICS Cyber security programs.

Balakrishna Subramoney (Balu), Lead Analyst – Cyber Security at Sam Analytic Solutions, in Durham, NC. As a Cyber Security Practitioner he is a staunch supporter of Blue Team practices.
