Industrial Control System (ICS) Risk Mitigation Checklist

March 7, 2023 | By IANS Faculty

This checklist gives a high-level overview of ICS and related IT considerations to help organizations self-evaluate their ICS risk against different maturity goals/levels, since many ICS organizations are still working to balance cybersecurity against the other priorities of ICS functions. It is intentionally high-level, meant to drive general thinking based on subject matter expertise rather than to be a prescriptive answer for all organizations.

Beginner ICS Maturity 

Build an Asset Inventory 

  • Establish a list, preferably in a database using an ICS/IT platform tool, of all ICS and related assets with a standardized set of characteristics (asset owner, location, asset ID, model number, software/firmware version, network address, etc.)
  • Identify baselines (gold images) for configurations, and identify spare equipment (hot/cold swappable)
  • Create a common IT-ICS technical architecture that inventory entries map to
    • TIP: Integrating procurement means the inventory can be populated automatically with much of this information at acquisition time

Start to Perform Risk and Threat Management 

  • Identify sources of intelligence/information for risk and threat management, e.g., ISACs, government agencies, vendors (some product vendors include this, plus there is the third-party threat intelligence market) 
  • Analyze and share threat intelligence with internal functions as appropriate, and track it on a risk register
  • Do tabletop exercises (see this guidance at Ready.gov). These should be:
    • One- to four-hour scenario walk-throughs to identify process gaps and validate assumptions, as well as for training
    • Done at all levels of the organization (executive, engineering, etc.)
    • Cross-functional – bring in as many relevant internal functions as possible to participate
    • Informed by threat management for realism and relevance
    • Include cross-over events, in which a physical issue creates a cybersecurity impact

TIP: This should branch out naturally from continuity planning processes already in place; the key is incorporating cybersecurity elements into these traditional components

Find and Train the Right People 

  • Define roles and responsibilities, including knowledge, skills and abilities (KSAs) by position
  • Conduct cybersecurity awareness/training
  • Establish access controls for those positions by system (should be reflected in the asset inventory)


Intermediate ICS Maturity

Focus on Control Management 

  • Conduct periodic audits of the asset inventory to verify accuracy and identify process failures
  • Establish a change management process that:
    • Categorizes different levels of changes under consideration
    • Creates an evaluation process tied to the different categories
    • Includes cybersecurity/risk management to understand system-level and system-of-systems level impacts of potential changes

TIP: The Information Technology Infrastructure Library (ITIL) is a great resource for practitioner-level process management
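The inventory characteristics listed under Beginner maturity and the periodic audit above come together in one check: reconcile what the inventory says against what is actually seen on the network. The following is an added example, not code from the article or from IANS. The inventory records, the passive-discovery CSV export (ip,mac,firmware) and all addresses and versions are constructed for illustration, and the comparison against a gold-image baseline is an assumption about how the inventory is kept.

```python
"""Audit a declared ICS asset inventory against what is observed on the network.

Added example; sample data below is constructed for illustration and is not
from the article. The discovery export mimics a passive network-monitoring
tool's CSV output (ip,mac,firmware); the field layout is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryAsset:
    asset_id: str
    owner: str
    location: str
    model: str
    ip: str
    firmware: str            # version the inventory record claims
    baseline_firmware: str   # version in the approved gold image


# Constructed inventory records (standardized characteristics per asset).
INVENTORY = [
    InventoryAsset("PLC-001", "ops-team-a", "Line 1", "M340", "10.10.1.10", "3.20", "3.20"),
    InventoryAsset("PLC-002", "ops-team-a", "Line 1", "M340", "10.10.1.11", "3.10", "3.20"),
    InventoryAsset("HMI-001", "ops-team-b", "Control room", "HMI-Win10", "10.10.1.50", "22H2", "22H2"),
    InventoryAsset("EWS-001", "engineering", "Control room", "EWS-Win10", "10.10.1.60", "22H2", "22H2"),
]

# Constructed passive-discovery export: one device per line, "ip,mac,firmware".
DISCOVERY_EXPORT = """\
10.10.1.10,00:80:f4:01:02:03,3.20
10.10.1.11,00:80:f4:01:02:04,3.10
10.10.1.50,00:0c:29:aa:bb:cc,21H2
10.10.1.77,00:0c:29:dd:ee:ff,unknown
"""


def parse_discovery(export: str) -> dict[str, dict[str, str]]:
    """Parse the CSV export into {ip: {"mac": ..., "firmware": ...}}."""
    observed: dict[str, dict[str, str]] = {}
    for line in export.splitlines():
        if not line.strip():
            continue
        ip, mac, firmware = (field.strip() for field in line.split(",", 2))
        observed[ip] = {"mac": mac, "firmware": firmware}
    return observed


def audit_inventory(inventory: list[InventoryAsset], export: str) -> dict:
    """Reconcile inventory against observation and return the process failures found."""
    observed = parse_discovery(export)
    by_ip = {asset.ip: asset for asset in inventory}
    findings = {
        # Devices on the network with no inventory record (unmanaged or rogue).
        "unknown_on_network": sorted(ip for ip in observed if ip not in by_ip),
        # Inventory records for devices not seen (stale record or a monitoring blind spot).
        "not_observed": sorted(asset.asset_id for asset in inventory if asset.ip not in observed),
        # Inventory record disagrees with what the device actually reports.
        "firmware_drift": [],
        # Device differs from the approved gold image, whatever the record says.
        "baseline_deviation": [],
    }
    for ip, asset in by_ip.items():
        if ip not in observed:
            continue
        live = observed[ip]["firmware"]
        if live != asset.firmware:
            findings["firmware_drift"].append((asset.asset_id, asset.firmware, live))
        if live != asset.baseline_firmware:
            findings["baseline_deviation"].append((asset.asset_id, asset.baseline_firmware, live))
    return findings


if __name__ == "__main__":
    for category, items in audit_inventory(INVENTORY, DISCOVERY_EXPORT).items():
        print(f"{category}: {items}")
```

Each finding category maps to a different process failure: an unknown device points at procurement or commissioning bypassing the inventory, a record that is never observed points at decommissioning not being recorded (or the monitor not covering that segment), and a baseline deviation is a change that went through without the change management process below.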

Determine Criticality and Relationships 

  • Establish dependencies between assets in the asset inventory (including external dependencies such as vendors, customers, etc.)
  • Identify critical paths through those functional dependencies
  • Create a workable security services catalog
  • Formalize internal service offerings (repairs, security engineering, etc.), and include point of contact, scope, expectations, request process, etc.

Achieve Holistic Risk Management 

  • Include cross-functional stakeholders such as finance, business operations, engineering, legal, public/customer relations, etc.
  • Establish logging and monitoring into a centralized log store (SIEM or equivalent)
  • Perform penetration testing to evaluate initial access methods against controls, detection and response
  • Establish detection engineering: validate logging against the risk assessments to determine what is and is not being logged compared with the expected outcomes, and correlate events into alerts
  • Evaluate vendors with security questionnaires during acquisition and include them in the risk register

Conduct Minimal Levels of Training 

  • Establish training plans for positions and ensure all personnel are scheduled to achieve the minimal requirements, i.e., gap analysis with remediation
  • Include KSAs for new employee hiring and focused retention

Expert ICS Maturity 

Evaluate the Supply Chain 

  • Evaluate vendor security with technical testing and validation
  • Perform post-deployment security testing

Perform Service-Level Management 

  • Benchmark, measure and report service catalog offerings against expected service-level agreements (SLAs)

Improve Risk Management 

  • Put ICS/IT vulnerabilities/risks in organizational context
  • Perform adversary emulation: using threat intelligence, emulate specific adversarial threats in both IT (focused on lateral movement to and impact on ICS) and ICS
  • Incorporate supply chain evaluation from above into the risk register
  • Get detect-respond-remediate metrics in place, using risk assessment exercises (penetration testing, red teaming, adversary emulation) to measure people, process and technology response times across: 
    • Detect: The time between when an issue was first logged and when it alerted
    • Respond: The time it takes security to respond to the alert and identify the scope of the threat
    • Remediate: The time it takes to effectively remove the threat and restore normal operation
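Turning the three phase definitions above into numbers from exercise records is straightforward, but the case that matters most is the exercise that never alerted: it has no detect time and must be counted as a miss rather than silently dropped. The following is an added example, not code from the article or from IANS. The exercise names and timestamps are constructed, and the assumption is that each exercise record captures the four timestamps named in the checklist (first logged, alerted, scope identified, normal operation restored).

```python
"""Detect/respond/remediate metrics from constructed exercise timelines.

Added example, not from the article. Exercise names and timestamps are
constructed; the phase boundaries follow the definitions in the checklist.
"""
from __future__ import annotations

from datetime import datetime
from statistics import median

# Constructed records from risk assessment exercises. A None 'alerted' means
# the activity was logged but never produced an alert: a missed detection.
EXERCISES = [
    {"name": "phish-to-ews", "first_logged": "2023-03-07T09:00:00Z",
     "alerted": "2023-03-07T09:12:00Z", "responded": "2023-03-07T09:40:00Z",
     "remediated": "2023-03-07T13:00:00Z"},
    {"name": "rogue-modbus-write", "first_logged": "2023-03-07T10:02:10Z",
     "alerted": "2023-03-07T10:04:10Z", "responded": "2023-03-07T10:32:10Z",
     "remediated": "2023-03-07T11:02:10Z"},
    {"name": "usb-on-hmi", "first_logged": "2023-03-07T14:00:00Z",
     "alerted": None, "responded": None, "remediated": None},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def phase_minutes(record: dict) -> dict[str, float] | None:
    """Minutes spent in each phase, or None if the exercise was never detected."""
    if record["alerted"] is None:
        return None
    logged, alerted, responded, remediated = (
        _parse(record[k]) for k in ("first_logged", "alerted", "responded", "remediated")
    )

    def minutes(start: datetime, end: datetime) -> float:
        return (end - start).total_seconds() / 60

    return {
        "detect": minutes(logged, alerted),              # logged -> alert fired
        "respond": minutes(alerted, responded),          # alert -> scope identified
        "remediate": minutes(responded, remediated),     # scope -> normal operation restored
    }


def summarize(records: list[dict]) -> dict:
    """Aggregate per-phase medians and the detection rate across exercises."""
    timed = {r["name"]: phase_minutes(r) for r in records}
    detected = [p for p in timed.values() if p is not None]
    summary = {
        "exercises": len(records),
        "missed": sorted(name for name, p in timed.items() if p is None),
        "detection_rate": len(detected) / len(records) if records else 0.0,
    }
    for phase in ("detect", "respond", "remediate"):
        values = [p[phase] for p in detected]
        # Median rather than mean: one multi-day remediation should not hide
        # that most exercises were closed in an hour.
        summary[f"{phase}_median_minutes"] = median(values) if values else None
    return summary


if __name__ == "__main__":
    print(summarize(EXERCISES))
```

Reporting the miss list next to the medians keeps the metrics honest: a fast median detect time over the exercises that did alert says nothing about the ones that did not, and those are the cases that feed back into the detection engineering work at the Intermediate level.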

Conduct Expert-Level Training 

  • Continually review roles, responsibilities and KSAs
  • Include KSAs in formal HR evaluations of performance
    • TIP: Use train-the-trainer initiatives to internally drive training, awareness and improvements

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

