Protecting the ‘other’ network: ICS

Deloitte | A Middle East Point of View | Summer 2013


Industrial Control Systems (ICS), those big machines with lights, switches and big knobs common to manufacturing environments, have long been considered a matter for engineers and Operations. But the recent spate and proliferation of cyber attacks (attacks utilizing technology and the Internet) have brought to light how these systems affect our daily lives and are raising questions about how they are being managed and protected.


Since the advent of the industrial age and the rise of manufacturing, large, integrated and highly-complex industrial sites, even cities around the world, have been processing staggering amounts of raw materials or feedstock into final products down the chain. At the very heart of such processes are Industrial Control Systems (ICS): they are what holds everything together and scale to become vastly complex proprietary networks. ICS is the common overarching term for other acronyms such as SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control Systems), and PCN (Process Control Networks), all types of control systems. For the Gulf Cooperation Council (GCC) countries with significant reliance on process industries such as Oil and Gas, complex ICS systems are considered the cornerstone of operations. With Industrial Operations representing a major portion of the GCC National GDP,[1] significant disruption is not an option.


Figure 1: Common industry segments relying on ICS. Segments shown: Electricity (generation and distribution); Manufacturing; Food and beverage (preparation and packaging); Oil & Gas (production, storage, transportation, distribution); Water & waste (water treatment and distribution); Chemical and Pharmaceutical; Transport (traffic and power lines); Nuclear and renewable energy. Source: Deloitte

Figure 2: Industrial sector as % of GDP for GCC countries [1]. Bar chart covering UAE, Qatar, Kuwait and KSA; values shown on the chart: 56.1%, 77.8%, 42.3% and 66.9% (y-axis 0% to 100%). Source: International Monetary Fund

By common classification, ICS fall under what is termed Operational Technology or Operational Systems, hence distinguishing ICS from IT (Information Technology) systems. These systems are not built for what is typically referred to as “Security”, namely the protection of information assets from compromise. ICS systems have a fundamentally different premise of operation, having real and significant impact on the physical safety of engineers and operators in the production cycle. An example would be the risk of industrial fires and explosions due to faulty control systems during the manufacturing or refining cycles. Direct access to production control is therefore vital to prevent such incidents, or for responding to them quickly to prevent injury or loss of life.

While information security is founded on three guiding attributes, Confidentiality, Integrity and Availability, ICS reverses these priorities to be more aligned with Availability first, then Integrity of operations.

The issues with ICS and Information Security

With the drive to reduce manufacturing costs and operational overhead, ICS networks have over the past decade opened up to the corporate IT networks. The idea of leveraging existing networks to manage and monitor ICS operations reduces dependency on on-site engineers to monitor and manage the ICS networks and facilitates integrating large, physically-diverse manufacturing operations from corporate locations. The integration of ICS networks into corporate IT networks, however, has presented a new set of security risks that have been unaccounted for, such as:

• ICS are not designed with Information Security in mind. Reliance on strong physical security and access controls becomes circumvented when opened up to corporate IT networks;

• Exposure of ICS to the threats of attacks from the Internet;

• Exploitations are compounded when IT systems with known (or unknown) risks become an entry point into ICS.

The fact that the key controls of ICS need to be “accessible” is the same reason why there are “weak” security access controls, and with the exposure of such environments to the corporate and IT networks, the domino effect can now reach all the way to the heart of production. Recently, the exploit dubbed ‘Stuxnet’ was used as a medium of cyber-attack specifically targeting ICS against nation states. Variations of the same exploit have been associated with other regional high-profile attacks.[2] According to a popular website tracking cyber-attack incidents,[3] the statistics for 2013 (as of March 2013) show that the attacks targeting Industry have accounted for 11.2 percent of the cyber-attacks tracked globally, out of which the Oil and Gas Industry ranked first with about 22 percent, and the Energy Industry ranked third at 11 percent.

The recent and increasing wave of high-profile cyber-attacks such as those stated above has driven organizations in the region to elevate information security to a major board-level agenda item. Senior Management has been demanding that business and IT departments overhaul operations to show that their systems and networks are adequately protected and that there are plans for recovery from any compromise. The challenge related to protecting ICS is the traditional two-silo approach of management between Engineering/Operations and Information Technology.


According to the National Institute of Standards and Technology (NIST), “ICS have unique performance and reliability requirements […] considered unconventional to typical IT personnel.”[4] This is commonly evident in the region in Oil and Gas operations, where the sensitivity and criticality is such that Operations would isolate IT in its entirety from matters related to ICS. However, the IT organization may be much better equipped to handle and respond to Information Security and breach threats, whereas Operations typically would focus on physical security and human safety. When it comes to securing ICS, both engineering and IT need to operate as partners and stakeholders.

Governments also need to look into what controls are in place to ensure the safety of the ICS network of national services, of which a breach would possibly affect national and economic security. Similarly, any disruption of critical services such as electricity and water would directly impact citizen wellbeing. Driven by this, the state of Qatar has recently released guidelines related specifically to ICS Security.[5]

Protecting Industrial Control Systems: the task at hand

In the GCC, the protection of ICS needs to be customized to the unique regional characteristics of the area and should adapt to the changing landscape of security globally, with particular attention to the mutual convergence of IT and Operational Technology. The approach to address these requirements can be categorized into four points:

• Increasing awareness: knowing there is a risk is the first step to addressing it. Regionally, entities need to expand the fold of Information Security beyond just the IT department and address the risks related to ICS. Communication needs to flow top to bottom on the possible risks and what each stakeholder’s responsibility should be. Tried and true tactics such as workshops including individuals from both IT and Operations should be conducted to facilitate information flow and build bridges between these traditionally separate functions.

• Build fit-for-purpose controls: ICS vary by industry and type of operations. In the Gulf region, given the importance of industries such as Oil and Gas, operations may be part of a larger turn-key project such as a global partnership, where the management or maintenance of ICS may be outsourced in part to external parties. All these qualifying factors need to be taken into consideration when putting together a plan for the protection of industrial assets controlled by ICS.

• Leverage existing best practices: there exists a wide spectrum of guidance documents that address each of the layers and components of ICS Security and, to such extent, a number of global initiatives with interest in protecting ICS have begun consolidating standards, frameworks and policies. Examples of such initiatives are Europe’s enisa [6] and the publications of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST) in the United States.


• Involvement of assurance: periodically perform independent assessments of the security of ICS. Teams that have sufficient expertise in both ICS security and the proprietary technology of the ICS being reviewed should be hired to perform such assessments, as opposed to solely IT-specific assessments by information security practitioners.

Achieving ‘Information Security’ is a challenge. Achieving Industrial Control System information security, with its innate complexities, becomes a much more difficult task. The security and safety of Industrial Control Systems and the environments they manage represent a real and present risk to entities and governments in the region. The compounded effect of the limited exposure and experience of stakeholders in the topic, the exponential growth of Internet-based security attacks driven by geopolitical turmoil and the involvement of nation-states all make this a topic that must find its way onto the agenda of the Boards of Directors. Similarly, the government agencies entrusted with this have a role to play in guiding industries to a set of regulations and guidance documents to mitigate the impact of such risks. Organizations should implement measures to ensure that, if such compromises were to happen, there are sufficient processes to mitigate the impact of these incidents and the time to recover from them. Protection of Industrial Control Systems also touches upon critical national infrastructure, areas that directly affect citizen wellbeing, in addition to national safety and security.

by Raddad Ayoub, principal, Enterprise Risk Services, Deloitte Middle East

Endnotes

1. IMF World Economic Outlook 2012

2. http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices

3. http://paulsparrows.files.wordpress.com/2013/04/march-2013-targets.png

4. NIST (National Institute of Standards and Technology), Special Publication 800-82, Guide to Industrial Control Systems Security

5. ictQATAR, Controls for the Security of Critical Industrial Automation and Control Systems Guidelines, January 2012

6. European Network and Information Security Agency (enisa), Protecting Industrial Control Systems, Annex III
