Home

Security: The Difference Between IT and Industrial Control

Nov. 1, 2012

While some computer security processes are far reaching in terms of their use across industries and applications, industrial control systems require additional precautions.

David Greenfield, editor in chief

Industrial Security Differences — On the left is a data center where IT systems are normally housed; on the right is a process industry plant floor where industrial control systems reside. Photo courtesy of Good Health Group.

When your “nail” is computer system security, the “hammer” is often commercial IT security measures. And though a good dose of IT security is essential to industrial control system security, successfully securing a control system requires additional steps.

A recent release from Tofino Security highlighted the unique aspects of industrial control systems that set their security measures apart from most IT systems. Some of these factors included control systems placement on the plant floor, rather than a climate controlled data center; their potential for placement in or close to hazardous environments; plus the fact that the average life span of equipment on the plant floor is measured in decades rather than a few years.

Referencing information from a Belden Industrial Ethernet Infrastructure Design Seminar, the Tofino release boiled down the differences between IT and ICS (industrial control system) security solutions to the fact that each system has different:
• Performance requirements;
• Reliability requirements;
• Operating systems and applications;
• Risk management goals;
• Security architectures; and
• Security goals.

Security goals are an essential difference between the two. For example, the number one goal of IT security is focused on privacy, i.e., protecting the data; whereas the number one goal of ICS security is based on safety, i.e., protecting the process. An image attached to this story highlights the ranking in priority of system concern differences between IT and ICS.

To help clarify the differences in security requirements for ICSs, three major categories of ICS security issues are outlined in the seminar. Those issues are:

Soft Targets. According to Belden, control networks are full of what are known as “soft” targets – devices vulnerable to disruption through their network interface. The PCs in many plants run for weeks or months without any security updates, and some even operate without any anti-virus tools. In addition, many of the controllers in these networks were designed in an era when cyber security was not a concern; as a result, many of these devices can be disrupted by malformed network traffic or even by high volumes of proper traffic.

Multiple Pathways. Many control networks have multiple pathways through which cyber security threats can enter the plant. These pathways often bypass existing security measures in the plant, and some don’t even appear on a network diagram. For example, laptop computers carried in and out of facilities, or USB keys that move from one PC to another. These can easily bring malware into the plant and rapidly spread it from one system to another.

Flat Networks. Many ICS networks are still implemented as large, “flat” networks with no isolation between unrelated subsystems. This means that if a problem occurs in one part of the plant, it can spread very quickly to other unrelated subsystems and even to remote plant sites.

About the Author

David Greenfield, editor in chief | Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher.