ENISA, the EU’s ‘cyber security’ agency, has today issued the results of a study on Industrial Control Systems (ICS) security. The report describes the current situation on ICS security and proposes seven recommendations for improving it.
Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes. These systems are used for monitoring and controlling a variety of processes and operation, such as gas and electricity distribution, water, oil refining and railway transportation.
In the last decade, these systems have faced a notable number of incidents. These include the “Stuxnet” attack, which is believed to have used bespoke malware to target nuclear control systems in Iran, and the recent DuQu-‘upgraded variant’ of this malware. These incidents caused great security concerns among ICS users.
In 2011, ENISA has worked on the main concerns regarding ICS security, and national, pan European and international initiatives on ICS security. The stakeholders involved include ICS security tools and services providers, ICS software/hardware manufacturers, infrastructure operators, public bodies, standardisation bodies, academia and R&D.
This final report proposes seven practical, useful recommendations to public and private sector ICS-actors, as to improve current initiatives and enhance co-operation. The recommendations call for the creation of national and pan-European ICS security strategies, a Good Practice Guide on ICS security, research activities, the establishment of a common test bed and ICS-computer emergency response capabilities.
“Real security for Industrial Control Systems can be only achieved with a common effort, characterised by cooperation, knowledge exchange and mutual understanding of all involved stakeholders,” says Rafal Leszczyna, editor of the report.
Professor Udo Helmbrecht, Executive Director of ENISA added;
“Stuxnet brought the problem of security of industrial control systems to prominence. Our study clearly shows that there is still a lot to be done in this area by all relevant stakeholders. We hope that our seven recommendations will lead to significant improvement.”
Background: To address ICS security, in April 2007, the Council of the European Union adopted a European Programme for Critical Infrastructure Protection (EPCIP). The key element of EPCIP is the Directive on the identification and designation of European Critical Infrastructures. In parallel, the information security issues for vital infrastructures in Europe are addressed by The Digital Agenda for Europe (DAE) and the CIIP Action Plan. The ENISA study results were validated during a workshop in Barcelona, in September, 2011.
Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!