Swedish Civil Contingencies Agency (MSB) -Guide to Increased Security in Industrial Information and Control Systems
What’s in the Standard
This document offers detailed guidance in the form of 17 specific recommendations based on industry experience and standardized work methods. The recommendation we found to be most helpful was #13 of 17: “Regularly ensure that any and all connections to industrial information and control systems are secure and relevant.”
It promotes a zone model of network security by implementing defense in depth and zone boundaries and does a very good job of pointing out the flaws in applying IT security updates and technology to an industrial control environment. It states that in an IT environment, security updates are performed multiple times per year, but that in a control environment, this can be highly dangerous to make changes. They display a sound understanding of the risk of remote attacks on industrial control environments and risks concerning cloud services – where the attack surface is increased and costly customizations are required to ensure secure operation in industrial ICS.
The document recommends unidirectional technology within a security architecture to function as an adequate protection in the event information is only permitted to be transported in one direction. The recommendation is – data traffic zone boundaries should be handled with additional restriction and should also be monitored and logged. For certain types of IT environments, it may be useful to use unidirectional technology.
This document, though recommending unidirectional technology, doesn’t display an understanding of the critical uses and benefits they have to security of the network perimeter. The authors, unfortunately, recommend to create an electronic security perimeter (logical perimeter) around the industrial information and control systems and to place administrative systems outside the security perimeter. Unidirectional technology is recommended in an “as needed” way, instead of as a forceful recommendation as a secure protection from the very attacks they have such a good grasp of.
The guide stresses too much that organizations need to continuously monitor and detect intrusion attempts. This is unfortunate, unidirectional technology would ease this burden on organizations dramatically, leaving them to rely on intrusion detection only for physical boundary breeches.