The European Network and Information Security Agency (ENISA), the EU's cyber security agency, issued the results of a study on Industrial Control Systems (ICS) security that describes the current situation on ICS security and proposes seven recommendations for improving it.
The recommendations call for the creation of national and pan-European ICS security strategies, a Good Practice Guide on ICS security, research activities, the establishment of a common test bed, and ICS-computer emergency response capabilities.
Industrial Control Systems are command and control networks and systems designed to support industrial processes. These systems are used for monitoring and controlling a variety of processes and operations, such as gas and electricity distribution, water, oil refining, and railway transportation.
In the last decade, these systems have faced a notable number of incidents. These include the “Stuxnet” attack, which is believed to have used bespoke malware to target nuclear control systems in Iran, and the recent DuQu variant of this malware. These incidents caused great security concerns among ICS users.
“Stuxnet brought the problem of security of industrial control systems to prominence,” said Prof. Udo Helmbrecht, executive director of ENISA, in a prepared statement. “Our study clearly shows that there is still a lot to be done in this area by all relevant stakeholders. We hope that our seven recommendations will lead to significant improvement.”
To produce this report, ENISA worked in 2011 on the main concerns regarding ICS security and on national, pan-European and international initiatives on ICS security. The stakeholders involved include ICS security tools and services providers, ICS software/hardware manufacturers, infrastructure operators, public bodies, standardization bodies, academia, and R&D.
The full report, "Protecting Industrial Control Systems. Recommendations for Europe and Member States," includes ENISA's seven recommendations for improving ICS security.
Look for an article on Stuxnet and Industrial Control System security in the January 2012 issue of Flow Control magazine.