Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU’s cyber security Agency ENISA
January 2014 by Marc Jacob
Today, the EU’s cyber security Agency ENISA published a new report advising on the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is that the testing of ICS is a concern for all EU Member States and could be dealt with at EU level, according to ENISA.
Nowadays, IT is being widely used by industrial control systems (e.g. SCADA) for energy, water and transport. This is used to improve efficiency, achieve cost savings, and to enable the automation of processes. Unfortunately, this often comes with poor planning, lack of information, security configurations, as well as with the incorporation of both well-known and new, undiscovered or yet unpatched “zero-day” vulnerabilities into ICS/SCADA systems.
Industrial Control Systems (ICS) may have a lifespan of over 20 years. Therefore, they have traditionally been designed as independent systems, without sufficient security requirements.
Consequently, they are not prepared to deal with current threats. Overcoming today’s security gaps requires having a solid understanding of security (i.e. vulnerabilities, their origins, frequency, etc.). Proper security assessment demands specialised tools and methodologies. The Agency emphasises that there is a strong need for a specific strategy to define the objectives, the mission and the vision for a Testing Coordination Capability in the EU.
This study explores how EU actions can be coordinated, so as to reach a level of harmonised, independent and trustworthy ICS testing of capabilities, which would then leverage current initiatives. The methodology includes desktop research, an online survey and in-depth interviews with 27 experts from the EU, the USA, Japan, India and Brazil.
Key findings and recommendations
This research has led to 36 key findings and 7 recommendations for both the public and private sectors, with a special focus on EU bodies:
1. The creation of a Testing Coordination of Capability under public European leadership and strong support from the relevant public, national authorities and the EU’s private sector
2. The establishment of a trusted and functional Executive Board to enforce leadership
3. The creation or involvement of specific working groups
4. Definition of a financial model which is suitable given the European situation
5. Carrying out a feasibility study regarding how testing should be organised
6. Establish collaboration agreements with other organisations dealing with ICS security
7. Establish a knowledge management programme for ICS testing.
The Executive Director of ENISA, Professor Udo Helmbrecht, observed: “There is an evident necessity to increase security in Critical Information Infrastructure and ICS system; the risks are increasing, and highly knowledgeable attackers and natural disasters have shown the weaknesses of the systems. All public and private entities involved are strongly advised to seriously address these security concerns.”