FCW : November and December 2015
In order for the controls to be effective, he says, we have to get away from the stove-piped nature of security products and take an integrated platform approach such that the cybersecurity and physical security solutions become an integral part of the industrial systems lifecycle. For the ICS cyber security program to be effective, it is necessary to apply the “defense-in-depth” and “continuous monitoring” solution strategy, layering security solutions such that the impact of a failure in any one mechanism is minimized and the new advanced targeted and zero day attacks can be effectively mitigated.

This process has the added benefit of making those organizations do a full inventory of their ICS/SCADA devices. A big problem now is many organizations, particularly larger ones, don’t know how many devices they have and where they are located. Even if they secure those devices of which they are aware, any other devices left unsecured give attackers a way into the interconnected ICS environment.

NIST’s approach to securing ICS, the primary resource in this area for both government and the private sector, is detailed in its special publication 800-82—Guide to Industrial Control Systems (ICS) Security. The most recent version of this was released in June 2015.

In that guide, NIST stresses that ICS environments more frequently resemble regular IT systems, but there are differences and some cases require new solutions tailored to the ICS environment. “Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world,” the guide states.
“Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information.”

The NIST SP 800-82 ICS security guide advises on how to reduce the vulnerability of computer-controlled industrial systems to malicious attacks, equipment failures, errors, inadequate malware protection and other threats. SP 800-53 contains a catalog of security controls that can be tailored for specific needs according to an organization’s mission, operational environment, and specific technologies.

ICS also have unique performance and reliability requirements, as well as other factors. They can use operating systems and applications unfamiliar to regular IT personnel, says NIST. Plus the goals of safety and efficiency occasionally conflict with security in control system design and operation.

Recommendations for IT security controls are included in NIST’s SP 800-53, Revision 4, published in April 2013. It includes a reference to NIST’s own Risk Management Framework, and how to apply that to ICS security. SP 800-82 also includes overlays of the NIST ICS security guidelines versus SP 800-53, and how to tailor the controls for low, moderate and high impact ICS.

The European Union Agency for Network and Information Security (ENISA) also has its own set of ICS security standards, guidelines and policies. These can augment those put out by NIST.

In a June 2015 survey, the SANS Institute looked at the current state of ICS security and confirmed the lack of trained and skilled ICS security practitioners. It also found a lack of visibility into ICS equipment and network activity. This situation limits the confidence organizations can have in truly knowing their levels of vulnerability and just how many breaches they are experiencing.
On the positive side, the survey says, collaboration between IT and control systems personnel is on the rise. The number of products and services that provide the necessary insight into ICS threats and vulnerabilities is increasing.

The SANS Institute survey says it hopes organizations with the most to lose, particularly those built on dependency and reliability of their control systems, “will recognize the rising level of risk and focus their resources on addressing the serious threats to their continued operations.”

“The first thing all ICS environments should do to improve security is conduct a full risk assessment.”
— Prem Jadhwani, chief technology officer, Government Acquisitions, Inc.

For information on Juniper Networks federal solutions, please visit www.juniper.net/federal

Please contact Government Acquisitions, Inc. (GAI) at 513.721.8700 to learn more about taking the first step in securing your agency with a full risk assessment. For information on GAI’s cyber security solutions please visit http://gov-acq.com/solutions-capabilities/cyber-security/

SPECIAL REPORT: CYBER-THREATS AND INDUSTRIAL SECURITY (Sponsored Content)